
Brief Intro To Injection!



In this entry I will talk about injection flaws in their three major forms:

1) SQL injection - Occurs when user input is not sanitised or validated before it is placed into a query sent to the site's SQL database; can occur in ASP, PHP, JSP and any other server-side application that builds SQL statements from user input.

2) LDAP injection - Occurs when user input is not validated before it is placed into the search filter the site or app sends to the LDAP server to look up users; can occur in ASP, PHP and other applications that use LDAP for authentication.

3) OS command injection - Occurs when fields from a web app are not validated properly, including text boxes, radio buttons, hidden form fields, check boxes, cookies, HTTP headers and POST data, even the submit and reset buttons: any part of the site whose value reaches an API that talks to the operating system. Can occur in Java, PHP and ASP applications that use such an API to run commands on the host.

Let's move on; here are a few very basic examples to get you started.

SQL basics:
First we test every field, and the URL in the browser, with the following strings to see whether we get database errors, or possibly a login bypass that logs us in as the first user in the table (often the admin account).
'or 1=1--
1' OR '1'='1
1' AND 1=(SELECT * FROM tablenames); --
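The following is an added example, not code from the original post: a login query built by string concatenation beside the same query with bound parameters, run against an in-memory SQLite table so the three payloads above can be tried offline. The table, its two rows and the column names are constructed for the demo; SQLite is assumed as the database, and the plaintext password column exists only to keep the demo short.

```python
"""Added example (not from the original post): concatenated vs parameterised
login query, exercised with the payloads listed above against SQLite."""
import sqlite3


def make_db():
    """Constructed in-memory user table. Plaintext passwords are for the demo
    only; a real application stores a salted hash."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "correct horse"), ("gh0st", "hunter2")],  # admin is row 1
    )
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """The flawed pattern: user input is pasted into the SQL text, so quotes,
    OR and comment markers in the input change the query's logic.
    Returns the matched username, None for no match, or the DB error text."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Error-based probing: a malformed query leaks the database's error.
        return "ERROR: " + str(exc)
    return row[0] if row else None


def login_safe(con, username, password):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so the input is compared as data and never parsed as SQL."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for user, pwd in [
        ("' or 1=1--", "anything"),          # '--' comments out the password check
        ("nobody", "1' OR '1'='1"),          # OR makes the WHERE clause always true
        ("1' AND 1=(SELECT * FROM tablenames); --", "x"),  # provokes a DB error
    ]:
        print(repr(user), repr(pwd))
        print("  vulnerable:", login_vulnerable(db, user, pwd))
        print("  safe:      ", login_safe(db, user, pwd))
```

With the concatenated query the first two payloads return "admin" because the WHERE clause degenerates to a tautology and SQLite returns the first row; the third returns the "no such table" error, which is exactly the signal the probing step above looks for. The parameterised version returns None for all three.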


LDAP basics:
First we would test the string in the address bar, for example:
http://www.vuln-site.com?user=*
Sometimes this will list every user in the directory, because an unescaped * is an LDAP wildcard. Once we have a valid username we can move on to test the password field:
Gh0$7) (| (password = * ) )
Now for the password bypass:
(& (USER = Gh0$7)(&))"pass field":(PASSWORD=Pwd))
From here you will have to do further research; I'm not going to do all of the work for you :laughing:
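As an added example (not from the original post), the block below builds the login filter the way a vulnerable app does, shows how a username carrying ) and (&) restructures it so the password clause falls outside the first complete filter, and contrasts that with RFC 4515 escaping. The attribute names uid and userPassword, the filter template and the payload are assumptions for the demo; the tiny parser stands in for a directory server that stops reading at the first balanced filter, which is the behaviour this bypass relies on.

```python
"""Added example (not from the original post): LDAP filter built by string
concatenation vs. with RFC 4515 escaping, plus a minimal filter parser to
show what the directory actually evaluates. Stdlib only, no LDAP server."""

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value. Backslash is replaced first so already-escaped text is not doubled.
_LDAP_ESCAPES = [
    ("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00"),
]


def escape_ldap_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    for raw, escaped in _LDAP_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def build_login_filter(user: str, password: str, safe: bool) -> str:
    """Filter a login form might send. Attribute names are assumed for the demo;
    comparing userPassword in a filter is itself a weak design (see note)."""
    if safe:
        user, password = escape_ldap_value(user), escape_ldap_value(password)
    return "(&(uid=" + user + ")(userPassword=" + password + "))"


def _parse_node(s: str, i: int):
    """Parse one parenthesised filter starting at s[i]; return (node, next_i).
    Nodes are ('&'|'|'|'!', [children]) or ('=', attribute, value)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1


def parse_first_filter(s: str):
    """Return the first complete filter and whatever text trails it. A server
    that ignores the trailing text evaluates only the first part."""
    node, i = _parse_node(s, 0)
    return node, s[i:]


if __name__ == "__main__":
    # Constructed payload on the pattern of the bypass above: close the uid
    # clause, add '(&)' (always true), then close the outer AND.
    injected_user = "Gh0$7)(&)"
    for safe in (False, True):
        flt = build_login_filter(injected_user, "wrong-password", safe)
        node, rest = parse_first_filter(flt)
        print("safe=%s filter=%s" % (safe, flt))
        print("  evaluated:", node)
        print("  ignored:  ", repr(rest))
    # Wildcard enumeration: '*' matches everything, the escaped form is literal.
    print("(uid=*)  vs  (uid=%s)" % escape_ldap_value("*"))
```

Unescaped, the filter becomes (&(uid=Gh0$7)(&))(userPassword=wrong-password)) and the parser evaluates only (&(uid=Gh0$7)(&)), so the password is never checked; escaped, the uid value is Gh0$7\29\28&\29 and the userPassword clause stays inside the filter. Escaping fixes the injection, but the better design is not to compare passwords in a search filter at all: look up the user's DN with an escaped filter, then authenticate by binding to the directory as that DN with the supplied password.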

OS basics:
Basically what we are looking for is a web application that does not validate user data and passes it to an executable on the server to retrieve data. That executable reads the additional input from the web app as command-line arguments (ARGV) at execution time. So if we enter data as follows:
Gh0$7&netstat -a
this gets passed to the application, the shell that launches the executable treats & as a command separator, and netstat -a is executed on the OS with its output returned to the user.
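As an added example (not from the original post), the block below runs the same lookup three ways: through a shell with the input concatenated into the command line, through a shell with the input quoted, and with the input passed as its own argv element. echo stands in for the server-side executable so the demo prints instead of running netstat, and the payload is constructed on the pattern of the one above; a POSIX /bin/sh is assumed.

```python
"""Added example (not from the original post): shell-concatenated vs quoted
vs argv-list process launch, driven by a command-injection payload."""
import shlex
import subprocess

# Constructed payload. On /bin/sh, '&' ends the first command (running it in
# the background) and 'echo INJECTED' runs as a second command; the shell also
# expands '$7' to an empty positional parameter, so the first command prints
# just 'Gh0'. cmd.exe treats '&' as a plain separator with the same effect.
PAYLOAD = "Gh0$7&echo INJECTED"


def lookup_shell(user: str) -> str:
    """Vulnerable: the command line is one string handed to the shell, which
    parses the user's input as shell syntax."""
    return subprocess.run("echo " + user, shell=True,
                          capture_output=True, text=True).stdout


def lookup_shell_quoted(user: str) -> str:
    """If a shell is unavoidable, shlex.quote wraps the input so the shell
    sees a single literal word and '&' and '$7' lose their meaning."""
    return subprocess.run("echo " + shlex.quote(user), shell=True,
                          capture_output=True, text=True).stdout


def lookup_argv(user: str) -> str:
    """Preferred: pass the input as its own argv element. No shell is
    involved, so '&' is just a character inside one argument."""
    return subprocess.run(["echo", user], capture_output=True, text=True).stdout


if __name__ == "__main__":
    for fn in (lookup_shell, lookup_shell_quoted, lookup_argv):
        print(fn.__name__, "->", repr(fn(PAYLOAD)))
```

The shell version prints INJECTED (and only Gh0 for the first command), while the quoted and argv versions both print the payload back verbatim. The argv form is the one to reach for; quoting is a fallback for the case where the command genuinely needs a shell.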

Gh0$7



May 2012
