The chain input-processing-output is one of the old fundamentals of computer science. But sometimes it becomes a problem, for instance when a computer program tries to process invalid input data. Invalid means that the input data does not follow the rules the software developer had in mind. As an example, the input data could include SQL fragments that then get executed in your database - unexpected! Or the input data is much longer than expected during development, some internal data structures get out of sync, and parts of the input data get executed by the CPU, oops...
SpikeProxy [SPIKE] works similar to a normal HTTP proxy server. SpikeProxy captures all requests for web pages and stores them. You can browse these stored requests afterwards using a special web front-end. Well, you can not only browse them: it is your job to modify the request parameters and try to get some SQL injections working, or other funny stuff :-).
SpikeProxy is written in Python. To fire it up, just go into the directory where you extracted it and start it:
[frank@w0001 spkproxy]$ python2.1 spkproxy.py
Running SPIKE Proxy v 1.4.8
SPIKE Proxy is copyright Dave Aitel 2002
License: GPL v 2.0
Please visit www.immunitysec.com for updates and other useful tools!
*** To use the GUI, browse to http://spike/ ***
Let dave@immunitysec.com know if you like this project. :>
You might want to upgrade to a more current version: 1.4.8
is available!
[Wed Nov 5 16:45:09 2003] : SPIKE UI version 1.4.8 Started
We will try to reproduce one of the SQL injection vulnerabilities mentioned in Oracle's Security Alert 61. To make it a little bit easier, you may want to enable logging for the mod_plsql module. To do that you have to modify the plsql.conf file on your OCS midtier:
bash-2.05$ pwd
/opt/oracle/ocs904_midtier/Apache/modplsql/conf
bash-2.05$ cat plsql.conf
...
# Load in mod_plsql directives only if mod_plsql is loaded
###############################################################################
# Global Settings Section : Directives that apply to all DADs
###############################################################################
PlsqlLogEnable On
PlsqlLogDirectory /opt/oracle/ocs904_midtier/Apache/modplsql/logs
# PlsqlIdleSessionCleanupInterval 15 (default)
# PlsqlDMSEnable On (default)
...
bash-2.05$
The picture shows the user-friendly web front-end of SpikeProxy. So it is time to configure your favorite web browser to use SpikeProxy as its proxy server. Afterwards just point your web browser to http://s0002.berger.com:7779/pls/portal/PORTAL_DEMO.ORG_CHART.SHOW and you should receive some kind of organization chart. That is the normal demo page. To capture the vulnerable page, click once on one of the Manager links. You are done!
Now open up the SpikeProxy web front-end by pointing your browser to http://spike/. You have to "Delve into Dir" four times. Here you should see one GET request and one POST request. Click on "rewrite request" for the POST request.
Sometimes it is also fun to play with the header fields, because many developers simply forget to filter them at all. They are used, for example, to adapt to your language or to display the web page with features specific to your web browser. For our little example we stay with the default values.
Ok, that's our target section. Just familiarize yourself with the parameter/value pairs displayed in that section.
The interesting parameter we are going to work with is BodyArg1 (_start_with_field), with value
PEOPLE_INFO%24.EMPNO
now change that value to
PEOPLE_INFO%24.EMPNO;
and click "Submit Query". Huhu, do you get a nice error message? Can you see the SELECT statement?
You already have a working SQL Injection example! To give you another example, change the parameter value to
PEOPLE_INFO%24.EMPNO in (select empno from scott.emp) and PEOPLE_INFO%24.EMPNO
You don't get an error message? This time that is a good sign! :-). Log in to your Oracle database as DBA and check v$sqlarea:
select sql_text from v$sqlarea where sql_text like '%scott%';
can you find the statement? :-D
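Why the two tampered values above get through, and what the fix looks like, as an added example that is not code from this page and not Oracle's PORTAL_DEMO package. _start_with_field is used as an identifier inside the statement, so it cannot be passed as a bind variable; the only sound defence is to validate the decoded value as a single identifier and translate it through an allow-list of known column names. The toy SELECT, the people_info table and the START_FIELDS allow-list are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed allow-list (assumption): external names a request may pass in
# _start_with_field, mapped to the column the statement really uses.
START_FIELDS = {
    "PEOPLE_INFO$.EMPNO": "people_info.empno",
    "PEOPLE_INFO$.ENAME": "people_info.ename",
}

# Exactly one Oracle-style identifier, optionally qualified: no ';', no spaces, no keywords.
IDENT_RE = re.compile(r"^[A-Z][A-Z0-9_$#]*(?:\.[A-Z][A-Z0-9_$#]*)?$", re.IGNORECASE)


def vulnerable_statement(start_with_field: str) -> str:
    """The unsafe pattern: the URL-decoded parameter is pasted straight into the SQL text.
    The real ORG_CHART statement is not on the page; this toy SELECT is an assumption."""
    field = unquote(start_with_field)
    return f"SELECT empno, ename FROM people_info WHERE {field} IS NOT NULL"


def hardened_statement(start_with_field: str) -> str:
    """Validate the decoded parameter as a bare identifier, then map it through the allow-list.
    Anything that is not a known column name is rejected before it reaches the SQL text."""
    field = unquote(start_with_field)
    if not IDENT_RE.match(field):
        raise ValueError(f"not a bare identifier: {field!r}")
    column = START_FIELDS.get(field.upper())
    if column is None:
        raise ValueError(f"unknown start field: {field!r}")
    return f"SELECT empno, ename FROM people_info WHERE {column} IS NOT NULL"


def classify(start_with_field: str) -> str:
    """'accepted' or 'rejected', the verdict you would write to the mod_plsql log for each request."""
    try:
        hardened_statement(start_with_field)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # The three parameter values used in the walk-through above.
    for value in ("PEOPLE_INFO%24.EMPNO",
                  "PEOPLE_INFO%24.EMPNO;",
                  "PEOPLE_INFO%24.EMPNO in (select empno from scott.emp) and PEOPLE_INFO%24.EMPNO"):
        print(f"{classify(value):8} | {vulnerable_statement(value)}")
```

Run it and compare the two columns: the concatenating builder happily emits the statement with the stray ';' and with the whole subquery spliced in, while the allow-listed builder accepts only the untouched PEOPLE_INFO%24.EMPNO.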
This section gives you an overview on how to fuzz other servers that use different protocols (FTP, POP3 etc.). Initially I tried to use Spike to fuzz the SMTP server, but the current Spike version is block-based (you send a block and receive one, and that is it). For SMTP you need something more like a line mode (it is like a chat: send a line, receive a line, send one ...). This feature of Spike is under development right now and I hope it will be included in the next version. To fuzz the SMTP server included in OCS I used my own Perl script (which also uses the fuzzing patterns from Spike). You can download the Perl script from my homepage if you want to fuzz your local SMTP server.
Before we start fuzzing, have a look at the following telnet session:
[frank@w0001 frank]$ telnet s0002.berger.com 25
Trying 192.168.74.10...
Connected to s0002.berger.com.
Escape character is '^]'.
220 s0002.berger.com ESMTP Oracle Email Server SMTP Inbound Server 9.0.4.0.0 Ready
HELO w0001.berger.com
250 s0002.berger.com Hello w0001.berger.de, pleased to meet you
MAIL FROM:<foo@example.com>
250 2.1.0 Sender OK
RCPT TO:<frank@berger.com>
250 2.1.5 Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
sometext
.
250 2.6.0 Message accepted for delivery
QUIT
221 2.0.0 s0002.berger.com Closing connection
Connection closed by foreign host.
[frank@w0001 frank]$
This session nicely demonstrates the typical chat involved in an SMTP connection. I also marked some parts of my input in red; we will assume these as variable. They will be subject to fuzzing :-).
Ok, some final remarks. I changed the following parameters for the SMTP inbound server (Native Anti-Spamming=False, Relay Allowed=True). You may also want to increase the debug level. Please note, fuzzing is about finding new bugs in software, so it is ok to change these parameters (which may be a security hole in itself). Warning! Please make sure that you do not forward mails to other mail servers during fuzzing! You may want to stop the SMTP outbound server. And please clean up the mail queue before starting it again.
Now sit back and watch the script:
[frank@w0001 myfuzzer]$ perl smtpfuzz2.pl s0002.berger.com 25
-------------->
alert('XSS'),foo,example.com,frank,berger.com,sometext,
[Connected to s0002.berger.com:25]
OK: 220 s0002.berger.com ESMTP Oracle Email Server SMTP Inbound Server 9.0.4.0.0 Ready
SMTP error
-------------->
Bob's%20Foot,foo,example.com,frank,berger.com,sometext,
[Connected to s0002.berger.com:25]
OK: 220 s0002.berger.com ESMTP Oracle Email Server SMTP Inbound Server 9.0.4.0.0 Ready
SMTP error
...
-268435455,foo,example.com,frank,berger.com,sometext,
[Connected to s0002.berger.com:25]
OK: 220 s0002.berger.com ESMTP Oracle Email Server SMTP Inbound Server 9.0.4.0.0 Ready
OK: 250 s0002.berger.com Hello w0001.berger.de, pleased to meet you
OK: 250 2.1.0 Sender OK
OK: 250 2.1.5 Recipient ok
OK: 354 Enter mail, end with "." on a line by itself
OK: 250 2.6.0 Message accepted for delivery
-------------->
Ok... so nothing special happened :-), the rest is up to you. Check the log file of your SMTP inbound process and see if you find some interesting entries.