This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Direct Static Code Injection

From OWASP
Revision as of 20:11, 25 May 2008 by Edualves (talk | contribs)

Jump to: navigation, search
This is an Attack. To view all attacks, please see the Attack Category page.


Last revision (mm/dd/yy): 05/25/2008

Description

Direct Static Code Injection attack consists on injecting code directly onto the resource used by application while processing a user request. This is normally performed by tampering libraries and template files which are created based on user input without proper data sanitization. Upon a user request to the modified resource, the actions defined on it will be executed at server side in the context of web server process.

Server Side Includes is considered a type of direct static code injection. It should not be confused with other types of code injection, like XSS (“Cross Site Scripting” or “HTML injection”) where the code is executed on client side.


Risk Factors

  • Talk about the factors that make this attack likely or unlikely to actually happen
  • You can mention the likely technical impact of an attack
  • The [business impact] of an attack is probably conjecture, leave it out unless you're sure


Examples

Example 1

This is a simple example of exploitation of CGISCRIPT.NET csSearch 2.3 vulnerability, published on Bugtraq ID: 4368. By requesting the following URL to the server, it’s possible to execute commands defined on ‘’’’setup’’’ variable.

csSearch.cgi?command=savesetup&setup=PERL_CODE_HERE


For the classical example, it can be used the following command to remove all files from “/” folder: csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`

Note that the above command must be encoded in order to be accepted.

Example 2

This example exploits a vulnerability on Ultimate PHP Board (UPB) 1.9 (CVE-2003-0395), which allows an attacker to execute random php code. This happens because some user variables, like IP address and User-Agent, are stored in a file that is used by admin_iplog.php page to show user statistics. When an administrator browses this page, the previously injected code by a malicious request is executed. The following example stores a malicious PHP code that will deface index.html page when administrator browses admin_iplog.php.

GET /board/index.php HTTP/1.0
User-Agent: <? system( "echo \'hacked\' > ../index.html" ); ?>


Related Threat Agents

Category:Command Execution


Related Attacks


Related Vulnerabilities

Category:Input Validation Vulnerability


Related Controls

Category:Input Validation


References

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0510-001.txt http://cve.mitre.org/docs/plover/SECTION.9.21.html#CODE.STAT http://marc.info/?l=bugtraq&m=105379741528925&w=2 http://archives.neohapsis.com/archives/bugtraq/2005-06/0002.html

Note2:One should classify Attacks subcategories by adding eg. [Category:Data Structure Attacks]] based on the following: