Injecting into Web Scripting Languages
The core logic of most web applications is written in interpreted scripting languages like PHP, VBScript, and Perl. In addition to the possibilities for injecting into languages used by other back-end components, a key area of vulnerability concerns injection into the core application code itself. Exposure to this type of attack arises from two main sources:
■ Dynamic execution of code that incorporates user-supplied data.
■ Dynamic inclusion of code files specified on the basis of user-supplied data.
We will look at each of these vulnerabilities in turn.
Dynamic Execution Vulnerabilities
Many web scripting languages support the dynamic execution of code that is generated at runtime. This feature enables developers to create applications that dynamically modify their own code in response to various data and conditions. If user input is incorporated into code that is dynamically executed, then an attacker may be able to supply crafted input that breaks out of the intended data context and specifies commands that are executed on the server in the same way as if they had been written by the original developer. Because most scripting languages contain powerful APIs that may be used to access the underlying operating system, code injection into the web application often leads to a compromise of the entire server.
Dynamic Execution in PHP
The PHP function eval is used to dynamically execute code that is passed to the function at runtime. Consider a search function that enables users to create stored searches that are then dynamically generated as links within their user interface. When users access the search function, they use a URL like the following:
https://wahh-app.com/search.php?storedsearch=\$mysearch%3dwahh
The server-side application implements this functionality by dynamically generating variables containing the name/value pairs specified in the storedsearch parameter, in this case creating a mysearch variable with the value wahh :
$storedsearch = $_GET[‘storedsearch’];
eval(“$storedsearch;”);
In this situation, you can submit crafted input that is dynamically executed by the eval function, resulting in injection of arbitrary PHP commands into the server-side application. The semicolon character can be used to batch commands together in a single parameter. For example, to retrieve the contents of the file /etc/password , you could use either the file_get_contents or the system command:
https://wahh-app.com/search.php?storedsearch=\$mysearch%3dwahh;
%20echo%20file_get_contents(‘/etc/passwd’)
https://wahh-app.com/search.php?storedsearch=\$mysearch%3dwahh;
%20system(‘cat%20/etc/passwd’)
Dynamic Execution in ASP
The ASP function Execute works in the same way as the PHP eval function and can be used to dynamically execute code that is passed to the function at runtime.
The functionality described for the PHP application above could be implemented in ASP as follows:
dim storedsearch
storedsearch = Request(“storedsearch”)
Execute(storedsearch)
In this situation, an attacker can submit crafted input which results in injection of arbitrary ASP commands. In ASP, commands are normally delimited using newline characters, but multiple commands can be batched when passed to the Execute function using the colon character. For example, response.write can be used to print arbitrary data into the server’s response:
https://wahh-app.com/search.asp?storedsearch=mysearch%3dwahh:
response.write%20111111111
The Wscript.Shell object can be used to access the operating system command shell. For example, the following ASP will perform a directory listing and store the results in a file within the web root:
Dim oScript
Set oScript = Server.CreateObject(“WSCRIPT.SHELL”)
Call oScript.Run (“cmd.exe /c dir > c:\inetpub\wwwroot\dir.txt”,0,True)
This code can be passed to the vulnerable call to Execute by batching all of the commands as follows:
https://wahh-app.com/search.asp?storedsearch=mysearch%3dwahh:+
Dim +oScript:+Set+oScript+=+Server.CreateObject(“WSCRIPT.SHELL”):+
Call+oScript.Run+(“cmd.exe+/c+dir+>+c:\inetpub\wwwroot\dir.txt”,0,True)
Finding Dynamic Execution Vulnerabilities
Most web scripting languages support dynamic execution, and the functions involved all work in a similar way. Therefore, dynamic execution vulnerabilities can in general be detected using a relatively small set of attack strings that work on multiple languages and platforms. However, in some cases it may be necessary to research the syntax and behavior of the particular implementation you are dealing with. For example, although Java does not itself support dynamic execution, some custom implementations of the JSP platform may do so. You should use the information gathered during your application mapping exercises to investigate any unusual execution environments you encounter.
NEXT is..File Inclusion Vulnerabilities…,,,,,,,,,,,,,,,