2019.11.14 study notes

Testing back-end components

0x01 Injecting operating system commands
Most web server platforms have matured rapidly, and they now let developers perform almost any interaction they need through built-in operating-system and server APIs. Used properly, these APIs let developers access the file system, talk to other processes and perform network communication securely. However, in many cases developers prefer a more direct technique: sending commands straight to the server's operating system. If the application passes user-submitted input into such a command, it may be subject to command injection, where an attacker submits specially crafted input that changes the command the developer intended to execute.
The functions used to execute system commands, such as exec in PHP and wscript.shell in ASP, generally do not restrict the range of commands that can be executed.
eg1: injection via Perl
eg2: injection via ASP
eg3: injection via dynamic execution
Many web scripting languages support dynamic execution of code generated at runtime. This feature lets developers build applications that modify their own code and data according to various conditions; if user-submitted data reaches the dynamically executed code, an attacker can inject arbitrary code into the script interpreter.
eg4:
Finding OS command injection vulnerabilities

0x02

Finding dynamic execution vulnerabilities
Dynamic execution vulnerabilities are most common in PHP, Perl and similar languages, but in principle an application on any platform may pass user-submitted input to a script interpreter (sometimes one located on another back-end server).
Preventing OS command injection:
The best way to prevent OS command injection is to avoid direct calls to operating system commands altogether.
Almost every task a web application needs to perform can be completed with a built-in API, and an attacker cannot manipulate such an API into doing anything other than what the developer expected.
Preventing script injection vulnerabilities
Preferred: avoid passing user-submitted input, or any data derived from it, into any dynamic execution function.
If that is not possible, use a whitelist of known-good values and reject any input that is not on the list. If no whitelist is possible, check that the input consists only of a known-harmless set of characters, such as letters and digits (no whitespace or symbols).
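The two patterns described above, as an added example that is not part of the original notes: the same user input handed to the operating system as one shell string (the vulnerable pattern, the equivalent of PHP's exec with concatenated input), then as a single argv element that no shell parses, and finally the preferred fix of using a built-in API instead of a command at all. It assumes Python 3 on a POSIX system with /bin/sh and echo available; the input value and the echo command are constructed for illustration.

```python
import os
import subprocess
import tempfile

# Constructed sample input: what an attacker submits where the application
# expects a plain value. The ';' ends the developer's command and starts a
# second one when a shell parses the string.
MALICIOUS_INPUT = "hello; echo INJECTED"


def vulnerable_command(user_input: str) -> str:
    """Builds one shell command string from user input (the vulnerable pattern).

    This is the Python equivalent of PHP exec("echo " . $_GET['x']): the
    resulting string is handed to /bin/sh, which honours ';', '|', '`' etc.
    """
    return "echo " + user_input


def run_vulnerable(user_input: str) -> str:
    """Runs the string through the shell, so the injected command executes too."""
    completed = subprocess.run(vulnerable_command(user_input), shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def safe_argv(user_input: str) -> list:
    """Passes the input as a single argv element: no shell ever parses it."""
    return ["echo", user_input]


def run_safe(user_input: str) -> str:
    """Runs the argv list directly; the whole input is printed as one literal."""
    completed = subprocess.run(safe_argv(user_input),
                               capture_output=True, text=True)
    return completed.stdout


def file_size_via_api(path: str) -> int:
    """The preferred fix from the notes: use the built-in API (os.stat) instead
    of shelling out to 'wc -c' or 'ls -l', so there is no command to inject into."""
    return os.stat(path).st_size


def size_of_sample_file() -> int:
    """Writes a constructed 11-byte file and measures it through the API."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"hello world")
        return file_size_via_api(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("shell string:", repr(run_vulnerable(MALICIOUS_INPUT)))
    print("argv list:   ", repr(run_safe(MALICIOUS_INPUT)))
    print("API size:    ", size_of_sample_file())
```

With the shell string the output is two lines, "hello" and "INJECTED", proving the second command ran; with the argv list the entire input is printed back as one literal line. Quoting the input with shlex.quote would also block this particular payload, but the argv form and the API call remove the shell from the picture entirely, which is the point of the notes' advice.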
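The dynamic execution problem and both defences above (whitelist first, character check as the fallback), as an added example that is not from the original notes. The scenario is constructed: an application sets a display mode by assembling source code around a request parameter and executing it, the Python equivalent of a PHP eval on user input. The MARKER list exists only so that the test can observe that injected statements actually ran.

```python
import re

# Constructed scenario: the application stores the user's chosen display mode
# by assembling source code around the request parameter and executing it,
# the same pattern as PHP eval("$mode = '" . $_GET['mode'] . "';").
# The namespace carries a MARKER list so the test can observe that injected
# code actually ran, without doing anything harmful.
PAYLOAD = "x'; MARKER.append('pwned'); y = 'z"

# Hypothetical whitelist of the modes the application actually supports.
ALLOWED_MODES = {"fast", "full", "safe"}


def set_mode_vulnerable(user_mode: str) -> dict:
    """Dynamic execution of user-controlled text: the vulnerable pattern.

    The quote in PAYLOAD closes the string literal, and the ';' lets the
    attacker append arbitrary statements; exec runs them all.
    """
    namespace = {"MARKER": []}
    exec("mode = '" + user_mode + "'", namespace)
    return namespace


def accept_mode(user_mode: str) -> bool:
    """Preferred defence: a whitelist of known-good values, no code assembly."""
    return user_mode in ALLOWED_MODES


def looks_harmless(user_mode: str) -> bool:
    """Fallback from the notes when no whitelist is possible: accept only a short
    run of letters and digits, so quotes, separators and whitespace are rejected."""
    return re.fullmatch(r"[A-Za-z0-9]{1,32}", user_mode) is not None


def set_mode_safe(user_mode: str) -> str:
    """Stores the mode by plain assignment after validation; nothing is evaluated."""
    if not accept_mode(user_mode):
        raise ValueError("unknown mode")
    return user_mode


if __name__ == "__main__":
    ns = set_mode_vulnerable(PAYLOAD)
    print("vulnerable: mode=%r MARKER=%r" % (ns["mode"], ns["MARKER"]))
    print("whitelist accepts payload:", accept_mode(PAYLOAD))
    print("charset check accepts payload:", looks_harmless(PAYLOAD))
```

The whitelist is the stronger control because it does not depend on guessing which characters the interpreter treats specially; the character check is only a fallback, and even then the safe version never builds code from the value.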

0x03

Path Traversal Vulnerabilities

Windows platforms accept both the slash (/) and the backslash (\) as directory separators, whereas UNIX platforms accept only the slash. In addition, some web applications filter only one of the two. Even when you are certain the web server runs a UNIX operating system, the application may still call Windows back-end components. For this reason, when probing for traversal vulnerabilities it is best to test both separators.
Penetration testing:
1: Each input point must be tested with encoded forms of the traversal sequence: 16-bit Unicode encoding, double URL encoding, and overlong UTF-8 Unicode encoding.
2: If the application tries to sanitize user input by deleting traversal sequences but does not apply the filter recursively, one sequence can be nested inside another so that a single filter pass leaves a valid traversal sequence behind:
....//
....\/
..../\
....\\

0x04

Exploiting path traversal vulnerabilities

1: Retrieve useful files
Password files for the operating system and for the application.
Server and application configuration files, to find other weaknesses or to fine-tune another attack.
Include files, which may contain database credentials.
Data sources used by the application, such as MySQL database files or XML files.
The source code of server-executable pages, for code review.
Application log files, which may contain usernames and session tokens.
2: If the path traversal vulnerability allows write access, the main goal of the penetration test is to use it to execute arbitrary commands on the server. Methods for achieving this include:
Creating scripts in users' startup folders.
Modifying files such as in.ftpd so that arbitrary commands execute when a user connects.
Writing scripts into a web directory that has execute permissions and invoking them from the browser.

0x05 Preventing path traversal vulnerabilities

The most effective way to prevent path traversal is to avoid passing user-submitted data to any filesystem API at all.
Where the application must do so, the following defences are best used in combination:
1: After decoding and canonicalizing the user-submitted filename, the application should check whether it contains any path traversal sequence (slash or backslash) or a null byte. If it does, stop processing the request; do not attempt to sanitize the value.
2: After decoding and canonicalizing the filename, check it against a hard-coded list of permitted file types, and reject any request for a different type.
3: After all filtering of the user-submitted filename, use the appropriate filesystem API to verify that everything is as expected and that the file reached via the user-supplied name is located inside the application's base directory.
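The three checks above applied in order, as an added example that is not from the original notes. The base directory layout, the permitted-extension list and the filenames tried are constructed for the example; it assumes Python 3 on a POSIX filesystem (the symlink case is skipped where symlinks cannot be created). Note that step 3 is what catches a symlink inside the base directory that points outside it, which steps 1 and 2 cannot see.

```python
import os
import tempfile
import urllib.parse

# Hypothetical policy for the example: only these document types may be served.
ALLOWED_EXTENSIONS = {".txt", ".pdf"}


def resolve_user_file(base_dir: str, user_filename: str) -> str:
    """Applies the three checks from the notes in order and returns the real path
    of the file to open, or raises ValueError with the reason for rejection."""
    base_real = os.path.realpath(base_dir)

    # 1: decode, then reject separators, traversal sequences and null bytes
    #    outright rather than trying to sanitise them.
    decoded = urllib.parse.unquote(user_filename)
    if "%" in decoded:
        raise ValueError("still percent-encoded after one decode (double encoding?)")
    if "\x00" in decoded:
        raise ValueError("null byte in filename")
    if "/" in decoded or "\\" in decoded or ".." in decoded:
        raise ValueError("path separator or traversal sequence in filename")

    # 2: hard-coded allow-list of file types.
    extension = os.path.splitext(decoded)[1].lower()
    if extension not in ALLOWED_EXTENSIONS:
        raise ValueError("file type not permitted: %r" % extension)

    # 3: canonicalise with the filesystem API and confirm the result is still
    #    inside the base directory (this also catches symlinks pointing out).
    full_real = os.path.realpath(os.path.join(base_real, decoded))
    if os.path.commonpath([base_real, full_real]) != base_real:
        raise ValueError("resolved path escapes the base directory")
    return full_real


def try_resolve(base_dir: str, user_filename: str) -> str:
    """Returns the accepted path relative to base_dir, or 'rejected: <reason>'."""
    try:
        full_real = resolve_user_file(base_dir, user_filename)
        return os.path.relpath(full_real, os.path.realpath(base_dir))
    except ValueError as exc:
        return "rejected: " + str(exc)


def build_demo_tree() -> str:
    """Constructed layout: <root>/docs is the base directory, <root>/secret.txt
    sits outside it, and docs/link.txt is a symlink pointing at the secret."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "docs")
    os.mkdir(base)
    with open(os.path.join(base, "public.txt"), "w") as fh:
        fh.write("public")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("secret")
    try:
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link.txt"))
    except OSError:
        pass  # symlink creation may be unavailable on some platforms
    return base


def symlink_present(base_dir: str) -> bool:
    """True when the demo symlink could be created, so the step-3 case is testable."""
    return os.path.islink(os.path.join(base_dir, "link.txt"))


if __name__ == "__main__":
    base = build_demo_tree()
    for name in ["public.txt", "../secret.txt", "..%2Fsecret.txt",
                 "%252E%252E%2Fsecret.txt", "public.txt%00.jpg",
                 "config.php", "link.txt"]:
        print("%-26s -> %s" % (name, try_resolve(base, name)))
```

Only "public.txt" is accepted. The plain and URL-encoded traversal attempts fail step 1, the double-encoded one is rejected because a percent sign survives a single decode, the null-byte and wrong-extension names fail steps 1 and 2, and "link.txt" passes the first two checks but is caught by the realpath comparison in step 3.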

Origin www.cnblogs.com/wangtanzhi/p/11869323.html