We recently had someone contact our company pointing out that we had numerous security threats that could be used to exploit our systems. They were nice enough to provide a list of these, which we are looking into now; however, as we do not have anyone specifically designated to security, I am looking over these trying to get a better understanding.
While he provided quite a lot, one of the examples is below. What I don't understand is how this URL in the GET is being strung together? The "publicservers.php" has relatively nothing content-wise; it just echoes data (no database connection/etc). How is "/fonts/game-servers.php/reset.css" and so forth being appended to this file to create an exploit?
Request
GET /publicservers.php/fonts/game-servers.php/reset.css?1=null'%20UNION%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema.tables%20WHERE%20table_name%20like'%25
Resource Content
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /publicservers.php/fonts/game-servers.php/reset.css
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
Discussion
I have detected a possible SQL injection vulnerability. These vulnerabilities are present when externally-supplied input is used to construct a SQL query. If precautions are not taken, the externally-supplied input (usually a GET or POST parameter) can modify the query string such that it performs unintended actions. These actions include gaining unauthorized read or write access to the data stored in the database, as well as modifying the logic of the application.
Impact
Vega has detected a possible SQL injection vulnerability.
These vulnerabilities can be exploited by remote attackers to gain unauthorized read or write access to the underlying database.
Exploitation of SQL injection vulnerabilities can also allow for attacks against the logic of the application.
Attackers may be able to obtain unauthorized access to the server hosting the database.
Remediation
The developer should review the request and response against the code to manually verify whether or not a vulnerability is present.
The best defense against SQL injection vulnerabilities is to use parameterized statements.
Sanitizing input can prevent these vulnerabilities. Variables of string types should be filtered for escape characters, and numeric types should be checked to ensure that they are valid.
Use of stored procedures can simplify complex queries and allow for tighter access control settings.
Configuring database access controls can limit the impact of exploited vulnerabilities. This is a mitigating strategy that can be employed in environments where the code is not modifiable.
Object-relational mapping eliminates the need for SQL.
/de/reset.css?1=null'"
/de/style-custom.css?1=null'"
/games/bf4.php/style-custom.css?1=null'"
/publicservers.php/fonts/game-servers.php/reset.css?1=null'%20UNION%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema.tables%20WHERE%20table_name%20like'%25
/publicservers.php/fonts/game-servers.php/style.css?1='%20AND%201=2%20--%20
/publicservers.php/fonts/images/images/reset.css?1=null'"
/publicservers.php/fonts/images/images/style.css?1='%20AND%201=2%20--%20
/publicservers.php/fonts/images/style.css?1=null"%20UNION%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema.taables%20WHERE%20taable_name%20like'%25
/publicservers.php/fonts/images/style-custom.css?1='%20AND%201=2%20--%20
/publicservers.php/fonts/js/images/style.css?1=9-8
/publicservers.php/fonts/js/style.css?1=9%201%20-
/publicservers.php/fonts/reset.css?1=null%20AND%201=2%20--%20
/publicservers.php/fonts/style-custom.css?1=null'"
/publicservers.php/js/account-logins.php/fonts/style.css?1=null%20AND%201=2%20--%20
/publicservers.php/js/account-logins.php/fonts/style-custom.css?1=null'"
/publicservers.php/js/account-logins.php/reset.css?1=null%20AND%201=2%20--%20
/publicservers.php/js/account-logins.php/style.css?1='%20AND%201=2%20--%20
Parameter: 1
Method: GET
Risk: High
EDIT
As requested in comments, here is another. The first was one of the highest threats they mentioned and the following was the highest.
Request
GET /publicservers.php/reset.css?1=null"`true`"
Discussion
Command injection vulnerabilities often occur when inadequately sanitized externally supplied data is used as part of a system command executed through a command interpreter, or shell. Vulnerabilities such as these can be exploited by using shell metacharacters to run additional commands that were not intended to be executed by the application developer. The system() function, and derivatives, are often responsible, as these functions are very simple to use. These vulnerabilities can grant remote access to attackers, if exploited successfully.
Impact
I have detected a possible command injection vulnerability.
Attackers may be able to run commands on the server.
Exploitation may lead to unauthorized remote access.
Remediation
Developers should examine the code corresponding to the page in detail to determine if the vulnerability exists.
Execution of system commands through a command interpreter, such as with system(), should be avoided.
If absolutely necessary, the developer should take extra care with validating the input before it is passed to the interpreter.
/publicservers.php/reset.css?1=null'true'
/de/images/"`true`"
/publicservers.php/js/services/style-custom.css?1=null`true`
/publicservers.php/js/account-logins.php/reset.css?1=null`true`
/publicservers.php/js/js/fonts/reset.css?1=null`true`
/publicservers.php/js/js/fonts/reset.css?1=null"`true`"
/publicservers.php/js/services/js/style-custom.css?1=null"`true`"
/games/terraria-old.php/images/banners/"`true`"
/publicservers.php/js/services/services/style.css?1=null`true`
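How a path like /publicservers.php/fonts/game-servers.php/reset.css ends up at publicservers.php, as an added illustration (not code from the original post or from Vega): Apache walks the request path segment by segment; as soon as a prefix names an existing file (here /publicservers.php), that file is the script and everything after it is handed to PHP as PATH_INFO. A spider that then resolves relative hrefs (reset.css, fonts/style.css, ...) found on a page served under such a URL produces yet more nested paths below it, which it in turn fuzzes with its own parameter named 1. The file set and the hrefs below are constructed stand-ins; the exact link chain the scanner followed is not visible in the post.

```python
"""Model of Apache PATH_INFO splitting plus spider-style relative-link
resolution.  Added example; the file list and hrefs are constructed."""
from posixpath import normpath
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the document root: only these files exist on disk.
DOCROOT_FILES = {
    "/publicservers.php",
    "/games/bf4.php",
    "/de/reset.css",
    "/de/style-custom.css",
}


def split_path_info(request_path, existing_files=DOCROOT_FILES):
    """Mimic Apache's path walk: the longest leading prefix that names an
    existing file is the script, and whatever follows becomes PATH_INFO
    (passed on to PHP when AcceptPathInfo allows it).
    Returns (script_name, path_info); (None, None) if no prefix is a file."""
    path = normpath(urlsplit(request_path).path)   # query string is ignored
    parts = path.split("/")                          # ['', 'publicservers.php', ...]
    for i in range(len(parts), 1, -1):               # longest prefix first
        candidate = "/".join(parts[:i])
        if candidate in existing_files:
            rest = "/".join(parts[i:])
            return candidate, ("/" + rest if rest else "")
    return None, None


def crawler_links(page_url, hrefs):
    """Resolve relative hrefs the way a spider does (RFC 3986 urljoin).
    A relative link on a page served under a PATH_INFO URL lands *below*
    that URL, not at the real static file, which is how the nested
    /publicservers.php/.../style.css variants get generated."""
    return [urljoin(page_url, h) for h in hrefs]


if __name__ == "__main__":
    for req in ("/publicservers.php/fonts/game-servers.php/reset.css",
                "/games/bf4.php/style-custom.css?1=null'\"",
                "/de/images/"):
        print(req, "->", split_path_info(req))
    # Assumed page URL with trailing slash; the post does not show the real chain.
    for u in crawler_links("http://example.test/publicservers.php/js/account-logins.php/",
                           ["fonts/style.css", "../reset.css"]):
        print(u)
```

Two practical consequences for triage. First, the Resource Content in the post is Apache's own 403 page (note the nested "404 Not Found ... ErrorDocument" text), so for that request the payload never reached PHP at all; the scanner still flags it as "possible" because it is fuzzing a parameter it supplied, not one publicservers.php is shown to read. Second, if the script does not use $_GET['1'] (or $_SERVER['PATH_INFO']) in any query or shell call, there is nothing for these payloads to inject into; grepping the script for $_GET, $_REQUEST and PATH_INFO is the quickest way to confirm that.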
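What the scanner's SQL payloads would do if the parameter were concatenated into a query, beside the parameterized form the Remediation section recommends, as an added example (not from the original post or from Vega). It uses Python's sqlite3 so it runs offline; the table names and rows are constructed, and information_schema.tables from the probe is swapped for SQLite's catalog table sqlite_master, which is an assumption of this example rather than the scanner's literal payload. The `' AND 1=1 -- ` / `' AND 1=2 -- ` pair shows the boolean differential behind the `%20AND%201=2%20--%20` probes in the list.

```python
"""Vulnerable string-built query vs parameterized query, exercised with the
scanner's probes.  Added example; schema and data are constructed."""
import sqlite3

# Decoded from the probe in the post, with information_schema.tables replaced
# by sqlite_master so the example runs on SQLite (assumption of this example).
PAYLOAD = "null' UNION SELECT 8, name, 'vega' FROM sqlite_master WHERE name like'%"


def make_db():
    """In-memory database with two constructed tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE servers(id INTEGER, name TEXT, region TEXT);
        INSERT INTO servers VALUES (1, 'bf4-eu', 'eu'), (2, 'terraria-us', 'us');
        CREATE TABLE account_logins(id INTEGER, username TEXT, pwhash TEXT);
    """)
    return db


def lookup_vulnerable(db, server_name):
    """String concatenation: the quote in the payload closes the literal and
    the rest of the input is executed as SQL (the UNION pulls table names
    out of the catalog, exactly what the scanner's probe is designed to do)."""
    sql = "SELECT id, name, region FROM servers WHERE name = '" + server_name + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, server_name):
    """Placeholder binding: the value travels separately from the SQL text,
    so quotes, UNION and comment markers are just bytes compared against
    the name column and the query matches nothing."""
    sql = "SELECT id, name, region FROM servers WHERE name = ?"
    return db.execute(sql, (server_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, union probe:", lookup_vulnerable(db, PAYLOAD))
    print("vulnerable, 1=1:", lookup_vulnerable(db, "bf4-eu' AND 1=1 -- "))
    print("vulnerable, 1=2:", lookup_vulnerable(db, "bf4-eu' AND 1=2 -- "))
    print("parameterized, union probe:", lookup_parameterized(db, PAYLOAD))
```

The boolean pair is the more useful one for manual verification on a real endpoint: if a parameter is genuinely used in a query, the `1=1` and `1=2` variants produce visibly different pages; if, as described for publicservers.php, the parameter is never read, every variant returns the same content and the finding can be closed.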