Attacking Back-End Components

Injecting OS Commands

• Perl example
  • Script for returning directory information and disk usage
    • Exploit: use Shell metacharacters like "|"
      • "| cat /etc/passwd"
• ASP Example
  • Script for viewing directory contents
    • Exploit: Use another Shell metacharacter like "&"
      • "&& ipconfig"

Injecting Through Dynamic Execution

• Many applications dynamically generate executable code
• PHP may use eval() to dynamically execute code
• In this case, use a semicolon for a line delimiter and pass code like before
  • e.g. <source code> + ";%20system('cat%20/etc/passwd')"
• Perl also has an eval() function
• One may need to use %3b instead of a semicolon
• ASP uses Execute()

Finding OS Injecting Flaws

• Any web server or web application platform may call a shell interpreter
• there are two types of metacharacters to inject a separate command
  • ; | & newline
    • Multiple, batch commands
    • && is used in windows calls, running a command if the first command worked
    • || causes the second command to always run
  • `````
    • used for encapsulating a separate command as a data item for the original command
• Can't get output? Use a time delay inference!!
  • || ping -i 30 127.0.0.1 ;x
  • || ping -n 30 127.0.0.1 &
  • If it seems to work, then try using TFTP tools to copy up to a server, using telnet or netcat for reverse shell, and mail to send output

Finding Dynamic Execution Vulnerabilities

• Common in PHP and Perl
  • try ";echo%20111111", "echo%20111111", "response.write%20111111", and ":response.write%20111111"
  • If 111111 is returned, injection vulnerabilities exist
  • If nothing is returned, try looking for an error message
  • If PHP, try using phpinfo()
  • Looks like its a vulnerability? Use a time delay!
    • system('ping%20127.0.0.1')

Preventing Script Injection Vulnerabilities

• Don't pass user input or derived data into dynamic execution, otherwise just strictly validate input using something like whitelisting

Manipulating File Paths

Path Traversal Vulnerabilities

• Cause: passing user derived data --> access of files or directories
• e.g. <url>/GetFile.ashx?filename=pid.jpg
  • If you instead request ..\windows\win.ini
    • Returns configuration file

Finding and Exploiting Path Traversal Vulnerabilities

Locating Targets for Attack

• When mapping, look for "include=", "template=", "filename=" or "file=" in the URL and corresponding errors with these or similar parameters.

Detecting Path Traversal Vulnerabilities

• If "file=" and a file path works, try using "../" to request files in the parent directory
• If there are different responses, then it might be blocked, stripped, or sanitized
• If parent traversal works, try MANY calls to parents and attempt to access "/etc/passwd" or "/windows/win.ini"

Circumventing Obstacles to Traversal Attacks

• If no tricks seem to be working, try
  • URL-encoding
  • 16-bit encoding
  • Double URL encoding
  • UTF-8 encoding
  • null bytes
  • nested input
  • different starting directories

Coping with Custom Encoding

• Obfuscation is no substitute for security
• e.g. Book Example
  • One application allowed users to enter a filename as a parameter
  • It supplies a URL to download a file
  • If the file already exists, it refuses as it prevents overwrites.
  • URLs generated using some proprietary obfuscation scheme
  • Found what /etc/passwd is obfuscated as
  • Then input a valid input like ../../../etc/passwd../../tmp/test.txt
  • Lastly, once this is encoded, all is cut off after /passwd

Exploiting Traversal Vulnerabilities

• Even read access can be detrimental to an application
• Targets:
  • Password files
  • Server/application configuration files
  • database credentials
  • data sources
  • source code
  • log files
• If there is write access, some new targets exist:
  • Creating scripts in user startup folders
  • modifying in.ftpd to execute commands on next connection
  • Writing scripts to a web directory and calling them in browser.

Preventing Path Traversal Vulnerabilities

• Avoid passing user input to a filesystem
• Check for path traversal sequences or null bytes
• Use a hard-coded list of allowed file types

File Inclusion Vulnerabilities

Remote File Inclusion

• PHP is commonly vulnerable to this.
• If a file includes source code based upon a user's demographics, it may do so using a passed parameter.
• For instance, if a page uses a country code appended with .php, it can be vulnerable to remote file inclusion.
• Just pass the filename and path of a script on the internet.

Local File Inclusion

• Sometimes can't specify a URL.
• Try including an admin.php script
• Or try to dynamically include some static server resources.

Finding File Inclusion Vulnerabilities

• Process: (remote)
  1. Submit at each URL a resource on a web server controlled by you
  2. If it fails, try using a nonexistent IP address
  3. If the vulnerability exists, create a malicious script using available APIs
• Process: (local)
  • Submit name of a known executable resource on the server
  • Submit name of a known static resource on the server
  • If vulnerable, try to access sensitive functionalities

Injecting into XML interpreters

Injecting XML External Entities (XXE)

• XML is used to submit data from a client to a server.
• May use it in a POST request, formatting for something like a search
• Standard XML parsing libraries support using entity references
  • < = <
  • > = >
• Example:
  • Using a proper DOCTYPE element to the XML:
    • `<!DOCTYPE foo [ <!ENTITY xxe SYSTEM “file:///windows/win.ini” > ]> ` <Search><SearchTerm>&xxe;</SearchTerm></Search>
    • SYSTEM is used for an external entity reference
      • It is defined by a URL that may use the file: protocol
    • If the entity references explained before work, then one can use this exploit.
  • If no returned output, can still perform denial of service by reading an indefinite file stream:
    • <!DOCTYPE foo [ <!ENTITY xxe SYSTEM “ file:///dev/random”> ]>

Injecting into SOAP Services

• SOAP (simple object access protocol): message based communication technology that uses XML to encapsulate data
• Most common in back-end components
• If an application back-end is responsive to processed and later added XML tags, one can simple add additional tags that will be processed first and instead of the other, later inserted ones.
• Can comment out on element
• Or comment out the rest of an XML document

Finding and Exploiting SOAP Injection

• Process:
  1. Submit a random closing xml tag.
     • If no errors, then input is not being inserted into a SOAP message or is sanitized
     • If error, then try using a valid open and closing tag
  2. If data is returned in XML form, try using a closing tag and then try using a valid open and closing tag.
     • If returned without these, or one as the other, then its being inserted into an XML-based message
  3. Try inserting the comment character and closing comment character in another parameter, then try only the comment character.

Preventing SOAP Injection

• Perform boundary validation filters
  • HTML encode all XML metacharacters
  • < for lesser than
  • > for greater than
  • &#47; for backslash

Injecting into Back-end HTTP Requests

Server-side HTTP Redirection

• Allows an attacker to specify an arbitrary resource or URL requests by the front-end application server
• Happens when an app uses user input in a URL used on the backend
• If an application requests static content using a parameter, changing the value to an IP or URL may work.
  • Process:
    • • Identify request parameters with hostnames, IP addresses, and URLs
      • Try altering each parameter, specifying an alternative resource
      • Try specifying a URL targeting a server on the internet under your control
        • No incoming connection? Monitor time taken for the response
          • Delay? Then there are network restrictions.

HTTP Parameter Injection (HPI)

• Allows an attacker to inject arbitrary parameters into a back-end HTTP request made by the application server.
• If an attacker is aware of back-end behavior, they can attempt an HPI attack by injecting a later-to-be-added parameter.
  • If input is not validated, the unsanitized input is passed right to the back-end request, possibly bypassing later checks.

HTTP Parameter Pollution (HPP)

• Often happens in the context of HPI attacks.
• HTTP protocol does not specify how multiple of the same parameters should be handled.
  • Options:
    • Use first parameter
    • Use last parameter
    • Concatenate parameter values, maybe adding delimeter
    • Construct array of all values
• By adding a new parameter, values may be overridden by the injected parameter.

Attacks Against URL Translation

• Some servers rewrite requested URLs to map them onto relevant back-end functions in the application.
• Some apps place parameter values in the file path of the URL instead of the query string.
  • May use regex, then grab each value and add it to their corresponding parameters in a new request.
    • Can change the parameters in this new request.
    • Depends on how the application handles multiple duplicate parameters
• Process:
  • Target each request parameter, appending new injected parameters with differing encodings
  • Find entered values that act as if the original value is unmodified
    • If ones are found, these may signify a possible HPI vulnerability
  • Attempt injecting known parameters
  • If new parameter values override older ones, try to bypass any front-end validation by injecting values read by a back-end server

Injecting into Mail Services

E-mail Header Manipulation

• May be able to append known SMTP header parameters and their values.
• mail() in PHP uses an additional_headers parameter to set the from address and other headers like Cc and Bcc.
• SMTP Command Injection:<email address>%0aBCC:[email protected]
• If an application uses multiple parameters, such as From and Subject, one might be able to inject additional ones in such a way to inject additional SMTP commands.
• B ook example:
  • [email protected]&Subject=Site+feedback%0d%0afoo%0d%0a%2e%0d %0aMAIL+FROM:[email protected]%0d%0aRCPT+TO:+john@wahh-mail .com%0d%0aDATA%0d%0aFrom:[email protected]%0d%0aTo:+john@wahh-mail .com%0d%0aSubject:+Cheap+V1AGR4%0d%0aBlah%0d%0a%2e%0d%0a&Message=foo
  • Sends two emails, one from [email protected] and another from [email protected]

Finding SMTP Injection Flaws

• Process:
  • Submit the following:
    • <youremail>%0aCc:<youremail>
    • <youremail>%0d%0aCc:<youremail>
    • <youremail>%0aBcc:<youremail>
    • <youremail>%0d%0aBcc:<youremail>
    • %0aDATA%0afoo%0a%2e%0aMAIL+FROM:+<youremail>%0aRCPT+TO:+<y ouremail>%0aDATA%0aFrom:+<youremail>%0aTo:+<youremail>%0aS ubject:+test%0afoo%0a%2e%0a
    • %0d%0aDATA%0d%0afoo%0d%0a%2e%0d%0aMAIL+FROM:+<youremail>%0 d%0aRCPT+TO:+<youremail>%0d%0aDATA%0d%0aFrom:+<youremail>% 0d%0aTo:+<youremail>%0d%0aSubject:+test%0d%0 afoo%0d%0a%2e%0d%0a
  • Record all error messages.
  • Monitor the email address for any mail.
  • Review the HTML form that generates the request.

Preventing SMTP Injection

• Check email addresses to assure they fit a certain regular expression
  • No newline characters or other special metacharacters
• Prevent the message subject from using new lines and limit the length
• Prevent single dot lines in the message body if directly used in an SMTP conversation.