Unexpected inputs: the danger of data and code injection
Who are we?
Cesena Security and Network Applications. We like computer security and we want to share our knowledge.
Founded by Marco Ramilli in 2005. Rebuilt by Luca Mella in 2009. Now it's an active group, managed by Alessandro Molari, Luca Molari and Giacomo Mantani.
Why join CeSeNA?
To learn useful, cool stuff. To improve mental and social skills. To have (a lot of) fun!
Daniele Bellavista [CeSeNA] - Code and Data Injection - What's CeSeNA?
Contact us!
Requirements to apply to CeSeNA: a burning desire for knowledge, a passion for computer security, and being a geeky, techy person.
Where to find us:
    IRC: #cesena at irc.freenode.net
    Website: https://cesena.ing2.unibo.it/ (trust the certificate)
    Facebook: https://www.facebook.com/groups/105136176187559/
    G+: https://plus.google.com/communities/101402441314003721224
INJECTION VULNERABILITY
Injection: same old story
SQL injection: introduced by sloppy (PHP) programmers. One of the main vulnerabilities of the 2000s. Still present and exploited!
Shellshock vulnerability: discovered in 2014. Present since September 1989! In some scenarios, it permits remote code execution.
SQLi example
Scenario: a system that keeps secret stuff in a database; each secret can be accessed only by knowing its secret identifier.
Objective: obtain all the secrets!
SQL query:
    exec("SELECT * FROM Secrets WHERE SecId = " + secretId)
If secretId is 1234567:
    exec("SELECT * FROM Secrets WHERE SecId = 1234567")
SQLi example
Query:
    exec("SELECT * FROM Secrets WHERE ID = " + secretId)
Injection, if secretId is 0 OR 1=1:
    exec("SELECT * FROM Secrets WHERE ID = 0 OR 1=1")
A shellshock example
Request to a CGI page:
    GET /vulnerable.cgi
    User-Agent: Mozilla Firefox
Response:
    200 OK
    Hi, I'm not vulnerable!
A shellshock example
Request:
    GET /vulnerable.cgi
    User-Agent: () { ignored; }; echo The following sentence is false
Response:
    200 OK
    The following sentence is false
    Hi, I'm not vulnerable!
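A detector for the request pattern above, added here as an example and not part of the slides. A CGI gateway copies request headers into environment variables (User-Agent becomes HTTP_USER_AGENT), and unpatched bash ran whatever followed a value that began with "() {", so the check is applied to every header rather than only User-Agent. The two sample requests are constructed.

```python
import re

# Unpatched bash imported any environment variable whose value starts with
# "() {" as a function definition and kept executing what followed the
# closing brace. A CGI gateway exports request headers as HTTP_* variables,
# so the User-Agent on the slide reaches the shell through HTTP_USER_AGENT.
SHELLSHOCK_RE = re.compile(r"^\s*\(\s*\)\s*\{")

def parse_request(raw):
    """Split a raw HTTP request into (request line, {lowercased header: value})."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def shellshock_headers(raw):
    """Names of headers whose value bash would parse as a function definition."""
    _, headers = parse_request(raw)
    return sorted(name for name, value in headers.items()
                  if SHELLSHOCK_RE.match(value))

# Constructed requests mirroring the two on the slides; the second one also
# carries the pattern in Referer to show that User-Agent is not special.
BENIGN = ("GET /vulnerable.cgi HTTP/1.0\r\n"
          "User-Agent: Mozilla Firefox\r\n\r\n")
SUSPECT = ("GET /vulnerable.cgi HTTP/1.0\r\n"
           "User-Agent: () { ignored; }; echo The following sentence is false\r\n"
           "Referer: () { ignored; }; echo probe\r\n\r\n")

if __name__ == "__main__":
    for raw in (BENIGN, SUSPECT):
        print(parse_request(raw)[0], "->", shellshock_headers(raw) or "clean")
```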
Data and code are confused
Untrusted user-supplied inputs: web form fields (yes, even hidden tags), HTTP fields, shell parameters.
No difference between data and code: no data type; semantic checks are performed only on the result.
Sanitization
Whitelist allowed characters; drop or escape the rest.
Type awareness: parse integers, encode strings, etc.
Use framework or library functions considered secure.
Remember: security isn't just a fix.
EXPLOITATION
Bad sanitization: quoting
Quoted SQL statement:
    "SELECT * FROM Secrets WHERE SecId = '" + secretId + "'"
The previous secretId = 0 OR 1=1 won't work!
    SELECT * FROM Secrets WHERE SecId = '0 OR 1=1'
So, just send secretId = 0' OR '1' = '1
    SELECT * FROM Secrets WHERE SecId = '0' OR '1' = '1'
Celebrate!
Bad sanitization: blind escaping
Quoted SQL statement:
    "SELECT * FROM Secrets WHERE SecId = '" + escapequotes(secretId) + "'"
The previous trick won't work: secretId = 0' OR '1' = '1
    SELECT * FROM Secrets WHERE SecId = '0\' OR \'1\' = \'1'
However, a similar query without quotes won't be protected!
    "SELECT * FROM Secrets WHERE SecId = " + escapequotes(secretId)
Just try 0 OR 1=1:
    SELECT * FROM Secrets WHERE SecId = 0 OR 1 = 1
Bad sanitization: string replace
Smartest fix ever:
    "SELECT * FROM Secrets WHERE SecId = " + replace(secretId, "OR", "")
If secretId = 0 OR 1=1:
    SELECT * FROM Secrets WHERE SecId = 0  1=1
What if secretId = 0 OORR 1=1?
    SELECT * FROM Secrets WHERE SecId = 0 OR 1=1
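The three bad fixes above and the sanitization rules from the earlier slide, run against a constructed in-memory SQLite table (added example, not code from the slides): each concatenating builder is fed the slides' own inputs, and a whitelisted, parameterized lookup is shown beside them. The table rows and function names are constructed, and escapequotes is assumed to double single quotes, SQLite's escaping style, where the slides show MySQL-style backslashes.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the slides' Secrets table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Secrets (SecId INTEGER, Body TEXT)")
conn.executemany("INSERT INTO Secrets VALUES (?, ?)",
                 [(1234567, "alpha"), (7654321, "beta"), (42, "gamma")])

def run(sql, params=()):
    """Return the matched secret bodies, or None when the SQL does not even parse."""
    try:
        return sorted(row[1] for row in conn.execute(sql, params))
    except sqlite3.Error:
        return None

def escapequotes(s):
    # SQLite escapes a quote by doubling it; the slides show MySQL's backslash style.
    return s.replace("'", "''")

# The concatenating builders from the slides, each fed the raw secretId string.
def unquoted(secret_id):
    return run("SELECT * FROM Secrets WHERE SecId = " + secret_id)

def quoted(secret_id):
    return run("SELECT * FROM Secrets WHERE SecId = '" + secret_id + "'")

def quoted_escaped(secret_id):
    return run("SELECT * FROM Secrets WHERE SecId = '" + escapequotes(secret_id) + "'")

def unquoted_escaped(secret_id):
    return run("SELECT * FROM Secrets WHERE SecId = " + escapequotes(secret_id))

def or_replaced(secret_id):
    return run("SELECT * FROM Secrets WHERE SecId = " + secret_id.replace("OR", ""))

# The fix: whitelist the input's shape, parse it as the type the column holds,
# and let the driver bind it as a value, so it can never be read as SQL.
def valid_secret_id(secret_id):
    return re.fullmatch(r"[0-9]{1,18}", secret_id) is not None

def parameterized(secret_id):
    if not valid_secret_id(secret_id):
        raise ValueError("secretId must be a decimal integer")
    return run("SELECT * FROM Secrets WHERE SecId = ?", (int(secret_id),))

if __name__ == "__main__":
    builders = [unquoted, quoted, quoted_escaped, unquoted_escaped, or_replaced]
    for fn in builders:
        for payload in ("1234567", "0 OR 1=1", "0' OR '1' = '1", "0 OORR 1=1"):
            print(f"{fn.__name__:17s} {payload!r:20s} -> {fn(payload)}")
```

A result of None marks a query that the database rejected outright, which is what the string-replace slide shows for 0 OR 1=1; a full three-row list marks a builder that leaked every secret.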
IT'S YOUR TURN
Let's get our hands dirty
Go to: http://cesena.ing2.unibo.it:8081/injection/