Webapps Vulnerability Report

Transcription

1 Tuesday, May 1, 2012 Webapps Vulnerability Report Introduction This report provides detailed information of every vulnerability that was found and successfully exploited by CORE Impact Professional during this test. This information provides a practical approach to determine the key vulnerable points in the tested scenarios, and to assess the risk associated with such vulnerabilities. This report consists of a list of vulnerabilities found divided by vulnerability type. Each section is preceded by a vulnerability description. Vulnerabilities background Code injection is a technique to introduce (or "inject") code into a computer program or system by taking advantage of the unenforced and unchecked assumptions the system makes about its inputs. The purpose of the injected code is typically to bypass or modify the originally intended functionality of the program. When the functionality bypassed is system security, the results can be disastrous. SQL Injection Vulnerabilities SQL injection vulnerabilities occur whenever input is used in the construction of an SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL queries by string concatenation) opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers. It allows for the execution of SQL code under the privileges of the user used to connect to the database. There are two types of SQL injection vulnerabilities: error-based and blind. In error-based SQL injections the error message reported by the database, under an invalid query, is displayed to the user, allowing him to leverage information based on this output. However, in the case of blind SQL injections no error information is displayed to the user, increasing the difficulty of detection and exploitation of the vulnerability. One option is to only allow alphanumeric characters. There are other characters that can be allowed (e.g. _ ), but try to specifically avoid the following characters: (double quote), (single quote), ; (semicolon),, (colon), - (dash). Please remember that best practice is always restricting the allowed characters rather than ing out specific bad ones (e.g.: only allow alphanumeric characters and discard everything else, rather than just ing out single quotes). A word on fixing SQL Injection vulnerabilities Most SQL injection vulnerabilities can be easily fixed by avoiding the use of dynamically constructed SQL queries and using parameterized queries instead. If it s not possible to use parameterized queries because the string appended is not a data type (e.g.: the name of the table in a CREATE SQL statement), it is possible to /sanitize the string to ensure that it cannot be used to trigger SQL injection vulnerabilities. General Conclusions and Recommendations Use parameterized queries at the time of using user input in database queries. Recommendation: Never construct database queries by appending user input; rely on parameterized queries instead, which guarantee that the user input will not be treated as part of the SQL query, but merely as data CORE Impact Professional - Webapps Vulnerability Report Page 1

2 PHP Remote File Inclusion Vulnerabilities Remote file inclusion (RFI) is a technique used to attack internet websites from a computer. Remote File Inclusion attacks allow malicious users to run their own PHP code on a vulnerable website. The attacker is allowed to include his own malicious code in the space provided for PHP programs on a web page. For instance, a piece of vulnerable PHP code would look like this: include($page. '.php'); This line of PHP code, is then used in URLs like the following example: Because the $page variable is not specifically defined, an attacker can insert the location of a malicious file into the URL and execute it on the target server as in this example: The include() function above instructs the server to retrieve C99.php from the remote server and run its code. This is possible because PHP allows the user to load both remote and local content with the same functions. The code sample above does not perform any checks on the content of the $page variable, it blindly passes it to the function. Because the original piece of code appended.php to the file it would try to fetch the following URL As the attackers can not know what the original code might append, they put a question mark at the end of the URLs. This makes the script fetch the intended file, with the appended string as a parameter (which is ignored by the attackers script): This allows the attacker to include any remote file of his choice simply by editing the URL. Attackers commonly include a malicious PHP script called a webshell, also known as a PHP shell. A webshell can display the files and folders on the server and can edit, add or delete files, among other tasks. Scripts that send Spam are also very common. Potentially, the attacker could even use the webshell to gain administrator-level, or root, access on the server. RFI attacks are possible because of several PHP configuration flags: * One is called register_globals. register_globals automatically defines variables in the script that are entered in the page URL. In this example, the $page variable will automatically be filled with before the script is executed. Because of this security vulnerability, register_globals is set to OFF by default on newer servers. * Another one, even more relevant to this attack, is allow_url_fopen. This defines if PHP should be able to fetch remote content in almost any function that takes a filename as a parameter. In PHP5 this setting was separated for the include () family of functions and called allow_url_include. This specifically addresses the fact that the attack described here makes up the majority of security holes in current PHP software. CORE Impact Professional - Webapps Vulnerability Report Page 2

3 Cross-Site Scripting Vulnerabilities Cross-Site Scripting (commonly referred to as XSS) attacks are the result of improper ing of input obtained from untrusted sources. Basically, they consist in the attacker injecting malicious tags and/or script code that is executed by the user's web browser when accessing the vulnerable web site. The injected code then takes advantage of the trust given by the user to the vulnerable site. These attacks are usually targeted to all users of a web application instead of the application itself (although one could say that the users are affected because of a vulnerability of the web application). The term cross -site scripting' is also sometimes used in a broader sense referring to different types of attacks involving script injection into the client. Cross-site Scripting (XSS): How To Prevent Cross-Site Scripting Security Issues: The Cross-Site Scripting FAQ (XSS): Workspace Summary Name: Started: Finished: Exact Time: Running Time: Reports 4/30/2012 4:05:09PM 5/1/ :57:22AM 19 hours 52 minutes 13 seconds 1 hour 28 minutes 32 seconds SQL Injection Vulnerabilities SQL Injection Vulnerability State confirmed Agent Configured The parameter is being used without sanitization inside a SQL statement as a string, where it can be used to execute arbitrary SELECT statements and extract data using blind SQL injection techniques. The parameter is being used as a value for ing in the WHERE or HAVING clause of a SELECT statement without sanitization. The query being performed should look like SELECT... WHERE [column]='< parameter>' Basic Information URL Parameter Name Parameter Type Triggers _error_rewrite.aspx?= GET "'" Backend Information CORE Impact Professional - Webapps Vulnerability Report Page 3

4 Database Engine Database Version Operating System Architecture Microsoft SQL Server Capabilities Data Read Add Modify Delete Files Read Write Execute Other Stored Procedures Admin Privileges Process Advanced Information Error Method Heuristic SqlErrorStringPage Attack Information Blind Using this vulnerability an attacker can extract arbitrary information from the database backend one bit at a time, crafting special input for the vulnerable field in the following way: <prefix>(case WHEN <arbitrary condition> THEN <true value> ELSE (SELECT <true value> UNION SELECT <true value>) END)<postfix> Where the page should provide a valid response if the condition is true, or an error if the condition is false. NOTE: For Oracle databases the (SELECT <true value> UNION SELECT <true value>) should be (SELECT <true value> FROM DUAL UNION SELECT <true value> FROM DUAL) instead, because the engine does not support SELECT statements without a FROM clause. Postfix True value '+ +' '' Union Select Using this vulnerability an attacker can extract arbitrary information from the database backend crafting special input for the vulnerable field in the following way: <prefix><arbitrary select statement><postfix> The <arbitrary select statement> must have the same number of columns and matching types as those described in 'query information'. The response page will include the results for those columns described as visible in 'query information'. ' AND 1=0 UNION ALL CORE Impact Professional - Webapps Vulnerability Report Page 4

5 Postfix -- Query Information Field Id Type Visible 0 varchar Yes 1 int Yes Request Information get Name Value %27 SQL Injection Vulnerability State confirmed Agent Configured The parameter is being used without sanitization inside a SQL statement as a number, where it can be used to execute arbitrary SELECT statements and extract data using blind SQL injection techniques. The parameter is being used as a value for ing in the WHERE or HAVING clause of a SELECT statement without sanitization. The query being performed should look like SELECT... WHERE [column]=< parameter> Basic Information URL Parameter Name Parameter Type Triggers ger.aspx?= GET "@", "a", "--", "'", "A" Backend Information Database Engine Database Version Operating System Architecture Microsoft SQL Server Capabilities Data Read Add Modify Delete Files Read Write Execute Other Stored Procedures Admin Privileges Process CORE Impact Professional - Webapps Vulnerability Report Page 5

6 Advanced Information Error Method Heuristic HttpErrorCode Attack Information Blind Using this vulnerability an attacker can extract arbitrary information from the database backend one bit at a time, crafting special input for the vulnerable field in the following way: <prefix>(case WHEN <arbitrary condition> THEN <true value> ELSE (SELECT <true value> UNION SELECT <true value>) END)<postfix> Where the page should provide a valid response if the condition is true, or an error if the condition is false. NOTE: For Oracle databases the (SELECT <true value> UNION SELECT <true value>) should be (SELECT <true value> FROM DUAL UNION SELECT <true value> FROM DUAL) instead, because the engine does not support SELECT statements without a FROM clause. (1- Postfix ) True value 0 Union Select Using this vulnerability an attacker can extract arbitrary information from the database backend crafting special input for the vulnerable field in the following way: <prefix><arbitrary select statement><postfix> The <arbitrary select statement> must have the same number of columns and matching types as those described in 'query information'. The response page will include the results for those columns described as visible in 'query information'. Postfix -- 0 AND 1=0 UNION ALL Query Information Field Id Type Visible 0 varchar Yes 1 int Yes Request Information get Name Value A SQL Injection Vulnerability State confirmed Agent Configured CORE Impact Professional - Webapps Vulnerability Report Page 6

7 The parameter is being used without sanitization inside a SQL statement as a string, where it can be used to execute arbitrary SELECT statements and extract data using blind SQL injection techniques. The parameter is being used as a value for ing in the WHERE or HAVING clause of a SELECT statement without sanitization. The query being performed should look like SELECT... WHERE [column]='< parameter>' Basic Information URL Parameter Name Parameter Type Triggers tion_string.aspx?= GET "'" Backend Information Database Engine Database Version Operating System Architecture Microsoft SQL Server Capabilities Data Read Add Modify Delete Files Read Write Execute Other Stored Procedures Admin Privileges Process Advanced Information Error Method Heuristic RedirectErrorDecoder Attack Information Blind Using this vulnerability an attacker can extract arbitrary information from the database backend one bit at a time, crafting special input for the vulnerable field in the following way: <prefix>(case WHEN <arbitrary condition> THEN <true value> ELSE (SELECT <true value> UNION SELECT <true value>) END)<postfix> Where the page should provide a valid response if the condition is true, or an error if the condition is false. NOTE: For Oracle databases the (SELECT <true value> UNION SELECT <true value>) should be (SELECT <true CORE Impact Professional - Webapps Vulnerability Report Page 7

8 value> FROM DUAL UNION SELECT <true value> FROM DUAL) instead, because the engine does not support SELECT statements without a FROM clause. Postfix True value '+ +' '' Union Select Using this vulnerability an attacker can extract arbitrary information from the database backend crafting special input for the vulnerable field in the following way: <prefix><arbitrary select statement><postfix> The <arbitrary select statement> must have the same number of columns and matching types as those described in 'query information'. The response page will include the results for those columns described as visible in 'query information'. Postfix -- ' AND 1=0 UNION ALL Query Information Field Id Type Visible 0 varchar Yes 1 int Yes Request Information get Name Value %27 SQL Injection Vulnerability State confirmed Agent Configured The parameter is being used without sanitization inside a SQL statement as a date/time, where it can be used to execute arbitrary SELECT statements and extract data using blind SQL injection techniques. The parameter is being used as a value for ing in the WHERE or HAVING clause of a SELECT statement without sanitization. The query being performed should look like SELECT... WHERE [column]='< parameter>' Basic Information URL Parameter Name Parameter Type Triggers _example_orderby_1.aspx?=&order=lastname GET "-1.0", "1.0", "-1", "1", "@", "a", "--", "'", "0", "A" Backend Information CORE Impact Professional - Webapps Vulnerability Report Page 8

9 Database Engine Microsoft SQL Server Database Version Operating System windows Architecture i386 Capabilities Data Read Add Modify Delete Files Read Write Execute Other Stored Procedures Admin Privileges Process Advanced Information Error Method Heuristic HttpErrorCode Attack Information Blind Using this vulnerability an attacker can extract arbitrary information from the database backend one bit at a time, crafting special input for the vulnerable field in the following way: <prefix>(case WHEN <arbitrary condition> THEN <true value> ELSE (SELECT <true value> UNION SELECT <true value>) END)<postfix> Where the page should provide a valid response if the condition is true, or an error if the condition is false. NOTE: For Oracle databases the (SELECT <true value> UNION SELECT <true value>) should be (SELECT <true value> FROM DUAL UNION SELECT <true value> FROM DUAL) instead, because the engine does not support SELECT statements without a FROM clause. Postfix True value '+UPPER( )+' '01-jun-01' Union Select Using this vulnerability an attacker can extract arbitrary information from the database backend crafting special input for the vulnerable field in the following way: <prefix><arbitrary select statement><postfix> The <arbitrary select statement> must have the same number of columns and matching types as those described in 'query information'. The response page will include the results for those columns described as visible in 'query information'. 01-jun-01' AND 1=0 UNION ALL CORE Impact Professional - Webapps Vulnerability Report Page 9

10 Postfix -- Query Information Field Id Type Visible 0 int Yes 1 varchar Yes 2 varchar Yes 3 varchar Yes 4 varchar Yes 5 datetime No 6 datetime No 7 varchar Yes 8 varchar Yes 9 varchar Yes 10 varchar Yes 11 varchar Yes 12 varchar Yes 13 varchar Yes 14 varchar No 15 int Yes 16 varchar Yes Request Information get Name Value order A LastName SQL Injection Vulnerability State confirmed Agent Configured The parameter is being used without sanitization inside a SQL statement as a number, where it can be used to execute arbitrary SELECT statements and extract data using blind SQL injection techniques. The parameter is being used as a column name in the ORDER BY clause of a SELECT statement without verifying the value is valid. The query being performed should look like SELECT... ORDER BY [column1, column2], <order parameter>[, column3, column4]... Basic Information URL _example_orderby_1.aspx?=&order=lastname CORE Impact Professional - Webapps Vulnerability Report Page 10

11 Parameter Name Parameter Type Triggers order GET "-1", "a", "--", "'", "0", "A" Backend Information Database Engine Database Version Operating System Architecture Microsoft SQL Server Capabilities Data Read Add Modify Delete û û û Files Read û Write û Execute Other Stored Procedures û Admin Privileges Process û Advanced Information Error Method Heuristic HttpErrorCode Attack Information Blind Using this vulnerability an attacker can extract arbitrary information from the database backend one bit at a time, crafting special input for the vulnerable field in the following way: <prefix>(case WHEN <arbitrary condition> THEN <true value> ELSE (SELECT <true value> UNION SELECT <true value>) END)<postfix> Where the page should provide a valid response if the condition is true, or an error if the condition is false. NOTE: For Oracle databases the (SELECT <true value> UNION SELECT <true value>) should be (SELECT <true value> FROM DUAL UNION SELECT <true value> FROM DUAL) instead, because the engine does not support SELECT statements without a FROM clause. (1- Postfix ) True value 0 CORE Impact Professional - Webapps Vulnerability Report Page 11

12 Query Information Field Id Type Visible Request Information get Name Value order A PHP Remote File Inclusion Vulnerabilities PHP Remote File Inclusion Vulnerability State confirmed Agent Configured The 'module' parameter is being used as a parameter in a call to the PHP include() function, where it can be an URL controlled by the attacker having arbitrary PHP which will be executed in the vulnerable page. Basic Information URL Parameters module Backend Information PHP Version Operating System Architecture linux i386 Advanced Information Request Information Name module Value IMPACT_AGENT XSS Vulnerabilities HTML Cross-site scripting Vulnerability State confirmed Agent Configured There is a parameter that gets reflected to the user without proper sanitization. This leads to parameter Cross-Site scripting attacks. We use a vector that includes a remote malicious file to exploit this vulnerability. CORE Impact Professional - Webapps Vulnerability Report Page 12

13 Basic Information URL Where Parameter Name Parameter Type Persistent _error_rewrite.aspx?= Parameter GET no Advanced Information Attack Information Template Postfix Type File Type <SCRIPT SRC=XSS></SCRIPT> < /><body> Remote JavaScript (js) Request Information get Name Value / %3E%3Cbody%3E%3CSCRIPT%20SRC%3Dhttp%3A//w ww.example.com/test%3frnd%3d %3e%3c/s CRIPT%3E%3C Browsers Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Firefox 2, Firefox 3, Firefox 4, Netscape 8.1 (IE Mode), Netscape 8.1, Opera 9.02, Opera 11.01, Google Chrome 10.0, Safari CORE Impact Professional - Webapps Vulnerability Report Page 13

14 Index Introduction Vulnerabilities Background Workspace Summary (Reports) SQL Injection Vulnerabilities PHP Remote File Inclusion Vulnerabilities XSS Vulnerabilities Page CORE Impact Professional - Webapps Vulnerability Report Page 14