diff --git a/Memory_Exploits/README.md b/Memory_Exploits/README.md index 6ebcf47..8df28ab 100644 --- a/Memory_Exploits/README.md +++ b/Memory_Exploits/README.md @@ -99,7 +99,7 @@ mbstowcs(buf1, string1, sizeof(buf1)-1); ---- -## Data Type Bugs +## Data Type Signedness * Primitive data types (32 bit): - signed char/unsigned char @@ -110,7 +110,24 @@ mbstowcs(buf1, string1, sizeof(buf1)-1); - size_t (unsigned) - size_t (signed) -* Integer overflow: Exceeding the amount of data in integer will result in **wrapping**. In the example below, x will be 0: + +* By default all data types are signed unless specifically declared otherwise. +* Many functions which accept size arguments take unsigned values. + + +* char y=-1 has the same bit representation than unsigned char x=255. + +* A large value in the unsigned type (highest bit set) is a negative value in the signed type. + +* Function **read()** takes only unsigned values for lenght. So if this value is negative, from a if comparison, it will overflow. + +* For example, if lenght is **-1** (which is 0xFFFFFFF), when the length check is performed, it is asking if -1 is less than a MAXNUMBER. Then, when the lenght is passed to read, it is converted to unsigned and becomes the unsigned equivalent of -1 (which for 32 bits is 42949672965). + + + +--- +## Integer overflow +* Exceeding the amount of data in integer will result in **wrapping**. In the example below, x will be 0: ``` x = 255; @@ -153,9 +170,38 @@ int getData(int sock) ``` -### Auding Tips +------------------ + +## Metacharacter Injection + +* In shell: quotes and semi-collon are metacharacters. + +* Example, a command to unzip some input file could lead to a second executable command if the input has a **;**: + +``` +void extractUserZip(char *userFile) +{ + char command[1024]; + snprintf(command, 1023, "unzip %s", userFile); + system(command); + return; +} + +``` + + +---- + + +## Auding Tips * grep for malloc() and other memory allocation functions. +* look at the data types for size calculation. +* look at values used for size checks: are they signed? +* what happens if negative values are provided. +* look for eval functions such as **system()**. + + --------------------------- diff --git a/Web_Security/README.md b/Web_Security/README.md index a7aded2..d29d31f 100644 --- a/Web_Security/README.md +++ b/Web_Security/README.md @@ -477,6 +477,7 @@ GIF89a(...binary data...) (... ``` + ### Identifying File Handling Bugs * Fuzz and grep response for file system related messages: @@ -493,6 +494,24 @@ qr / ((could not|cannot|unable to) (open|find|access|read)|(path|file) not found ``` +### Meta-character Injection Bugs + +* File Input/Output is a common place where meta-character injection comes into play. + +* For example if file ="../../../../../etc/passwd" below: + +``` +$file = $_GET['file']; +$fd = fopen("/var/www/$file"); +``` +* Even if it had a txt extension it wouldn't matter. The reason is that PHP strings are indiferent to NLL byte, so all the attacker needs to insert is "../../../../../etc/passwd%00": + +``` +$file = $_GET['file']; +$fd = fopen("/var/www/$file.txt"); +``` +* PHP NULL byte insertion and directory traversal are common. + --- diff --git a/Web_Security/SQLi/README.md b/Web_Security/SQLi/README.md index 306328c..653eba0 100644 --- a/Web_Security/SQLi/README.md +++ b/Web_Security/SQLi/README.md @@ -2,9 +2,18 @@ ![](http://i.imgur.com/AcVJKT2.png) +* SQL works by building query statements, these statements are intended to be readbale and intuitive. + + * A SQL query search can be easily manipulated and assume that a SQL query search is a reliable command. This means that SQL searches are capable of passing, unnoticed, by access control mechanisms. * Using methods of diverting standard authentication and by checking the authorization credentials, you can gain access to important information stored in a database. +* Exploitation: + - Dumping contents from the database. + - Inserting new data. + - Modifying existing data. + - Writing to disk. + ## The Simplest Example A parameter passed for a name of a user: