|
|
| (15 intermediate revisions by one other user not shown) |
| Line 1: |
Line 1: |
| | {{Template:Attack}} | | {{Template:Attack}} |
| | + | <br> |
| | + | [[Category:OWASP ASDR Project]] |
| | | | |
| | Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' | | Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' |
| Line 5: |
Line 7: |
| | ==Description== | | ==Description== |
| | | | |
| − | Direct Static Code Injection attack consists on injecting code directly onto the resource used by application while processing a user request. This is normally performed by tampering libraries and template files which are created based on user input without proper data sanitization.
| + | See [[Code Injection]] |
| − | Upon a user request to the modified resource, the actions defined on it will be executed at server side in the context of web server process.
| |
| − | | |
| − | [[Server-Side Includes (SSI) Injection | Server Side Includes]] is considered a type of direct static code injection. It should not be confused with other types of code injection, like [[Cross Site Scripting | XSS]] (“Cross Site Scripting” or “HTML injection”) where the code is executed on client side. | |
| − | | |
| − | | |
| − | | |
| − | | |
| − | ==Examples==
| |
| − | | |
| − | ===Example 1===
| |
| − | This is a simple example of exploitation of CGISCRIPT.NET csSearch 2.3 vulnerability, published on Bugtraq ID: 4368.
| |
| − | By requesting the following URL to the server, it’s possible to execute commands defined on ‘’’’setup’’’ variable.
| |
| − | <br>
| |
| − | csSearch.cgi?command=savesetup&setup=''PERL_CODE_HERE''
| |
| − | <br>
| |
| − | For the classical example, it can be used the following command to remove all files from “/” folder:
| |
| − | csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`
| |
| − | | |
| − | Note that the above command must be encoded in order to be accepted.
| |
| − | | |
| − | ===Example 2===
| |
| − | This example exploits a vulnerability on Ultimate PHP Board (UPB) 1.9 (CVE-2003-0395), which allows an attacker to execute random php code. This happens because some user variables, like IP address and User-Agent, are stored in a file that is used by admin_iplog.php page to show user statistics. When an administrator browses this page, the previously injected code by a malicious request is executed.
| |
| − | The following example stores a malicious PHP code that will deface index.html page when administrator browses admin_iplog.php.
| |
| − | GET /board/index.php HTTP/1.0
| |
| − | User-Agent: <? system( "echo \'hacked\' > ../index.html" ); ?>
| |
| − | | |
| − | | |
| − | | |
| − | ==Related [[Threat Agents]]==
| |
| − | | |
| − | * [[:Category:Insider]]
| |
| − | | |
| − | * [[:Category:Staff]]
| |
| − | | |
| − | ==Related [[Attacks]]==
| |
| − | | |
| − | *[[Server-Side Includes (SSI) Injection | Server Side Includes]]
| |
| − | *[[ Direct Dynamic Code Evaluation ('Eval Injection')]]
| |
| − | | |
| − | | |
| − | ==Related [[Vulnerabilities]]==
| |
| − | | |
| − | * [[:Category:Input Validation Vulnerability]]
| |
| − | | |
| − | ==Related [[Controls]]==
| |
| − | | |
| − | * [[:Category:Input Validation]]
| |
| − | | |
| − | [[Category:Injection]]
| |
| − | [[Category:Attack]]
| |
| − | | |
| − | ==References==
| |
| − | | |
| − | * http://www.seclab.tuwien.ac.at/advisories/TUVSA-0510-001.txt
| |
| − | | |
| − | * http://marc.info/?l=bugtraq&m=105379741528925&w=2
| |
| − | | |
| − | * http://archives.neohapsis.com/archives/bugtraq/2005-06/0002.html
| |
| − | | |
| − | | |
| − | [[Category:Injection]]
| |
| − | [[Category:Attack]]
| |
| − | __NOTOC__
| |
