[Challenge]

The purpose of this challenge is to demonstrate the following MITRE Top 25 programming flaw: 'Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')'.

 

After so many unauthorized access events the admin has finally changed their password. They have made it extra difficult so it can't be cracked.

The developers of the site store the user names and passwords in a database. Here is the application code that executes during login. See if you can spot the problem. There's some blacklisting involved so the payload above won't work. You will have to find another way.

 

    // Blacklist: strip every '-' so the SQL comment sequence "--" cannot be used
    usr = usr.replace("-","");
    pwd = pwd.replace("-","");
    Connection conn = db.getConn();
    int count=0;
    try{
      Statement stmt = conn.createStatement();
      // The user input is still formatted directly into the SQL text
      String query = String.format("select * from users where usr='%s' and pwd='%s'",usr,pwd);
      ResultSet rs = stmt.executeQuery(query);
      while (rs.next()) {
        count++;
      }
    }
    catch(SQLException ex){
      exMessage = String.format("<pre>%s</pre>",ex);
    }
    alertVisibility="";
    // Login succeeds when the query returns exactly one row
    if(count==1){
      session.setAttribute("cwe89loggedin",true);
    }

 

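[Challenge description]

  In this challenge, the value of the Password input field is used as a parameter of the SQL statement that the program executes. If you can spot the flaw in the program, you can use the value of the input field to perform SQL injection, bypass the password check and go straight to the administrator page.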

[Weakness hint]

 

    The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

From MITRE CWE89

 

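  This means the program does not handle its input properly, so a hacker can use particular symbols to bypass the program's instructions and execute the SQL statement he wants, bypassing checks or performing dangerous SQL operations that cause serious damage. The following is the supplementary explanation of SQL injection that comes with this challenge: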

 

 

About SQL Injection

SQL Injection is listed as the most dangerous Software flaw on both SANS 25 and OWASP Top 10 list. It is the reason for most large user data breaches of this century: the Rock You breach, the Heartland Payment Systems data breach to name a few.

SQL injection is possible when database statements are constructed dynamically, through concatenation of SQL Commands and user input. The following Java EE code demonstrates SQL injection through concatenation.

    String usr = req.getParameter("usr");
    String pwd = req.getParameter("pwd");
    String query = "SELECT * FROM users WHERE usr ='"+ usr + "'" + " AND pwd='" + pwd + "'";
    Statement stmt = connection.createStatement();
    ResultSet rs = stmt.executeQuery(query);

 

This code is vulnerable to SQL Injection because an attacker can bypass authentication by simply entering admin'-- in the user name. The -- are SQL comments. The actual statement now becomes:

    SELECT * FROM users WHERE usr='admin'

Another common method of attack is tautology. This involves manipulating the WHERE clause to make it become true.

[Solution]

  1. Go to the web page: https://insecureinctm.us-east-1.elasticbeanstalk.com/cwe89.jsp
  2. Enter ' or '1'='1 in the Password field and press the submit button to get into the admin management page.

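[Security principle]

  Looking at the code, the program does block some SQL injection: if the password parameter entered by the hacker contains a '-' minus sign, it is filtered out, which prevents attacks that rely on SQL comments. But that is not all a hacker knows. There is another SQL injection attack called 'tautology', which works by using the input value to make the WHERE clause always true. With the SQL statement used in this challenge, "select * from users where usr='%s' and pwd='%s'", making condition 1 (usr) true and condition 2 (pwd) also true is enough to bypass the pwd check and log in.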

 

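  So how do we make conditions 1 and 2 both true? usr='admin' being true is no problem, but how can pwd be true without knowing the password? The answer is simple: add one more condition, or '1'='1', so that pwd='anything' or '1'='1' is always true because 1=1. The target SQL we want to produce is: "select * from users where usr='admin' and pwd='' or '1'='1'", so I entered "' or '1'='1" in Password and passed the challenge.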
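
  The behaviour described above, reproduced as an added example (not code from the original post or from the challenge application): a Python and in-memory SQLite re-creation of the blacklist login check beside a parameterized version of the same query. The function names, the one-row users table and its password are constructed assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data: a single account with a made-up password.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (usr TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'Constructed_Secret_1')")
    return conn

def login_blacklist(conn, usr, pwd):
    """Same logic as the challenge code: strip '-', then format input into the SQL text."""
    usr = usr.replace("-", "")
    pwd = pwd.replace("-", "")
    query = "select * from users where usr='%s' and pwd='%s'" % (usr, pwd)
    try:
        count = len(conn.execute(query).fetchall())
    except sqlite3.Error:
        count = 0  # malformed SQL: the challenge code also leaves count at 0
    return count == 1

def login_parameterized(conn, usr, pwd):
    """Hardened form: input is bound as data and is never parsed as SQL."""
    rows = conn.execute(
        "select * from users where usr=? and pwd=?", (usr, pwd)
    ).fetchall()
    return len(rows) == 1

def run_cases():
    conn = make_db()
    cases = [
        ("admin", "Constructed_Secret_1"),  # correct credentials
        ("admin", "wrong"),                 # wrong password
        ("admin'--", "x"),                  # comment payload quoted on the page
        ("admin", "' or '1'='1"),           # tautology payload from the page
    ]
    return [(u, p, login_blacklist(conn, u, p), login_parameterized(conn, u, p))
            for u, p in cases]

if __name__ == "__main__":
    for usr, pwd, weak, strong in run_cases():
        print(f"usr={usr!r:12} pwd={pwd!r:24} blacklist={weak} parameterized={strong}")
```

  The blacklist stops the comment payload only because the leftover quote breaks the statement; the parameterized query rejects both payloads without filtering any character.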

Saturday, February 23, 2019
