[Challenge]

The purpose of this challenge is to demonstrate the following MITRE Top 25 programming flaw: 'Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')'.

 

After so many unauthorized access events, the admin has finally changed their password. They have made it extra difficult so it can't be cracked.

The developers of the site store the user names and passwords in a database. Here is the application code that executes during login. See if you can spot the problem. There's some blacklisting involved, so the payload above won't work. You will have to find another way.

 

// Blacklist: strips "-" from both inputs, which defeats the "--" comment trick and nothing else
usr = usr.replace("-","");
pwd = pwd.replace("-","");
Connection conn = db.getConn();
int count=0;
try{
  Statement stmt = conn.createStatement();
  // User input is formatted straight into the SQL text (CWE-89)
  String query = String.format("select * from users where usr='%s' and pwd='%s'",usr,pwd);
  ResultSet rs = stmt.executeQuery(query);
  while (rs.next()) {
    count++;
  }
}
catch(SQLException ex){
  // The raw exception text is echoed back into the page
  exMessage = String.format("<pre>%s</pre>",ex);
}
alertVisibility="";
// Exactly one matching row counts as a successful login
if(count==1){
  session.setAttribute("cwe89loggedin",true);
}

 

[Challenge description]

  In this challenge, the Password input field provided by the program is used as a parameter in an SQL statement that is executed directly. If you can spot the flaw in the program, the value of the input field can be used for SQL injection to bypass password verification and go straight to the admin page.

[Weakness hint]

 

    The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

From MITRE CWE-89

 

  This means the program does not handle its input properly, so a hacker can use specific characters to bypass the program's logic and execute the SQL statement they want, skipping checks or running dangerous SQL operations that cause serious damage. Below is the supplementary explanation of SQL injection for this challenge:


About SQL Injection

SQL injection is listed as the most dangerous software flaw on both the SANS Top 25 and the OWASP Top 10 lists. It is the reason for most of the large user-data breaches of this century, the RockYou breach and the Heartland Payment Systems data breach to name a few.

SQL injection is possible when database statements are constructed dynamically, by concatenating SQL commands with user input. The following Java EE code demonstrates SQL injection through concatenation.

    String usr = req.getParameter("usr");
    String pwd = req.getParameter("pwd");
    String query = "SELECT * FROM users WHERE usr ='"+ usr + "'" + " AND pwd='" + pwd + "'";
    Statement stmt = connection.createStatement();
    ResultSet rs = stmt.executeQuery(query);

 

This code is vulnerable to SQL injection because an attacker can bypass authentication simply by entering admin'-- in the user name. The -- sequence starts an SQL comment, so everything after it is ignored. The statement effectively becomes:

SELECT * FROM users WHERE usr='admin'

Another common method of attack is a tautology: manipulating the WHERE clause so that it always evaluates to true.

[Solution]

  1. Go to the page: https://insecureinctm.us-east-1.elasticbeanstalk.com/cwe89.jsp
  2. In the Password field enter ' or '1'='1 and press the submit button; you will land on the admin page.

[Security principle]

  Looking at the code, the program does block SQL injection partially: if the hacker's password input contains a '-' (minus sign) it is filtered out, which prevents attacks that rely on SQL comments. But the hacker knows more than that; there is also a kind of SQL injection called a 'tautology', whose principle is to use the input value to make the WHERE clause always true. For the SQL statement used in this challenge, "select * from users where usr='%s' and pwd='%s'", as long as condition 1 (usr) is true and condition 2 (pwd) is also true, the pwd check is bypassed and the login succeeds.

 

  So how do we make conditions 1 and 2 both true? usr='admin' is true, no problem; but how can pwd be true without knowing the password? The answer is simple: append an extra condition or '1'='1', so that pwd='anything' or '1'='1' is always true because 1=1. The target SQL we want to produce is: "select * from users where usr='admin' and pwd='' or '1'='1' ", so in the Password field I enter "' or '1'='1" and pass the level.
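To make the blacklist-versus-tautology point concrete, here is an added example that is not the challenge's own code: a Python/sqlite3 re-creation of the login logic above, with the challenge's dash-stripping and String.format-style query beside a parameterized version (the fix). The users table, the admin password and the make_db/login_* names are constructed for this demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the challenge's users table (one row).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (usr TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'Xk9#LongSecret')")
    return conn


def strip_dashes(value):
    # The challenge's only defence: usr.replace("-","") / pwd.replace("-","")
    return value.replace("-", "")


def login_vulnerable(conn, usr, pwd):
    """Challenge logic: blacklist, then format the input into the SQL text.
    Returns the row count; the challenge treats count == 1 as logged in."""
    usr, pwd = strip_dashes(usr), strip_dashes(pwd)
    query = "select * from users where usr='%s' and pwd='%s'" % (usr, pwd)
    try:
        return len(conn.execute(query).fetchall())
    except sqlite3.Error:
        # Mirrors the Java catch(SQLException): a broken query leaves count at 0
        return 0


def login_safe(conn, usr, pwd):
    """Fix: a parameterized query. The driver binds usr and pwd as values,
    so quotes or an 'or' clause in the input are compared as text, never parsed."""
    query = "select * from users where usr=? and pwd=?"
    return len(conn.execute(query, (usr, pwd)).fetchall())


if __name__ == "__main__":
    db = make_db()
    tautology = "' or '1'='1"
    # In the vulnerable version the WHERE clause becomes
    #   (usr='admin' and pwd='') or '1'='1'   (AND binds tighter than OR)
    # which is true for every row; with one row in the table count == 1,
    # so the challenge's count==1 check passes without the password.
    print("vulnerable:", login_vulnerable(db, "admin", tautology))  # 1
    print("parameterized:", login_safe(db, "admin", tautology))     # 0
```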

Saturday, 23 February 2019
