Perl CGI Programming Security Holes

xiaoxiao2021-03-06  126

Last modified: 2006-06-04

--------------------- 1. "Poison" NULL characters ---------------------

If I say "root" == "root", I believe nobody will object. But if at the same time I also say "root" != "root", how many people will still think I am a "normal person"? :) Yet in various programming languages this situation really does exist. One of the most common methods used by every security expert or hacker who wants to find CGI vulnerabilities is to pass a special character (or string) that bypasses the CGI program's restrictions and makes it perform system-level calls or run programs. If you pay attention, you may find that the NULL character has its own "wonders". :)

Read the following example:

    # parse $user_input
    $database = "$user_input.db";
    open(FILE, "<$database");

This example opens the database file specified by the client. For example, if the client enters "backend", the system opens the file "backend.db" (in read-only mode). (Note: we do not discuss the security issues of "../" here.) This kind of processing is very common on the Internet. Now let us enter "backend%00" on the client side. In the Perl program $database becomes "backend\0.db", and the open() function is then called to open the file. But what is the result? The system opens the file "backend" (if that file exists)! This happens because Perl allows the NULL character inside a string variable, while in the C language a string cannot contain a NULL character, since NULL terminates the string. Therefore "root\0" != "root" in Perl, but "root\0" == "root" in C. Since the system kernel and system calls are written in C, when the string "backend\0.db" is passed to a (C language) library or program, everything from the NULL character onwards is ignored. (Perhaps there are other uses for this that I have not found yet. :)) This programming defect may look very small.
Imagine a program written on the above principle that lets a junior administrator change the password of any user except root:

    $user = $ARGV[1];   # user the jr admin wants to change
    if ($user ne "root") {
        # do whatever needs to be done for this user
    }

So, clever reader, you should now know how to bypass this limit and change the root user's password? Yes: as long as $user = "root\0", Perl executes the statements inside the if block. Unless every processing step is done in Perl, once the variable is passed to the system, security problems follow, such as changing the root user's password.
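The following is an added example, not code from the original article. It shows, in Perl, what the text above describes: how a string containing a NUL byte compares in Perl versus how a C library or the kernel sees it, and how a defender checks such input before passing it on. The user-name allowlist pattern and the sample inputs are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not from the original article): how Perl and C disagree on
# a string that contains a NUL byte, and an input check that rejects it.
use strict;
use warnings;

# Return the string the way a C library or the kernel sees it: a NUL byte
# terminates a C string, so everything from the first "\0" onward is dropped.
sub c_view {
    my ($s) = @_;
    my $nul = index($s, "\0");
    return $nul < 0 ? $s : substr($s, 0, $nul);
}

# Perl's own comparison: "\0" is just another character, so "root\0" ne "root".
sub perl_says_not_root {
    my ($u) = @_;
    return $u ne "root" ? 1 : 0;
}

# Hardened check: refuse NUL explicitly, then apply an allowlist (hypothetical
# policy for this example) which by itself also rules out "\0", and only then
# compare against the forbidden name.
sub is_valid_username {
    my ($u) = @_;
    return 0 if index($u, "\0") >= 0;                  # poison NULL byte
    return 0 unless $u =~ /^[a-z_][a-z0-9_-]{0,31}$/;  # constructed allowlist
    return 0 if $u eq "root";
    return 1;
}

# Constructed inputs; "root\0" is what a client sends as root%00.
my %probe = (
    "alice"  => "plain user",
    "root"   => "forbidden user",
    "root\0" => "root with a poison NULL byte",
);
for my $in (sort keys %probe) {
    printf "%-30s perl:ne-root=%d  c-sees=%-6s  accepted=%d\n",
        $probe{$in}, perl_says_not_root($in), c_view($in), is_valid_username($in);
}
```

For "root\0" the naive `ne "root"` test passes (Perl sees a different string), c_view() returns "root" (what the C side will act on), and is_valid_username() refuses it; the lesson is to reject or strip NUL before any value leaves Perl, rather than trusting a comparison that the receiving C code will not share.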

Maybe you think that such a situation, where this causes serious security problems, is hard to come across; then can we use it as an indirect means of finding vulnerabilities in a web site's source programs? ;-) I don't know whether you often encounter this type of CGI program, which opens the page the client requests (submitted through a form)? Such as: page.cgi?page=1, and the web site returns the page "1.html"? ;-) Good, now change it to: page.cgi?page=page.cgi%00 (%00 is the URL-escaped NULL character). This way we can get the content we are interested in! This method can also bypass Perl's "-e" operator:

    $file = "/etc/passwd\0.txt.whatever.we.want";
    die("Hahaha! Caught you!") if ($file eq "/etc/passwd");
    if (-e $file) { open(FILE, ">$file"); }

You should be able to work out the consequences of bypassing this program yourself? :) Solution? The simplest is to filter out the NULL character. In a Perl program:

    $insecure_data =~ s/\0//g;

---------------------- 2. The fish that slipped through the net: the backslash (\) ----------------------

Everyone who cares about CGI has probably read the section on secure CGI programming in the W3C WWW Security FAQ. It recommends filtering the following characters: &;`'\"|*?~<>^()[]{}$\n\r. But I have found that the backslash (\) is often forgotten. The following is the correct filter expression:

    s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g;

But in many commercial CGI programs the backslash is not included, which may be a source of confusion when programmers write these filters. So does failing to filter the backslash cause security problems? Imagine your program receives the following line:

    user data `rm -rf /`

In most cases the program's filter escapes it to:

    user data \`rm -rf /\`

thus protecting the system. But if the Perl program forgot the backslash, and the client submits the following to the program:

    user data \`rm -rf /\`

then after the matching expression it becomes:

    user data \\`rm -rf /\\`

Is this dangerous?
Since the two backslashes are interpreted by the system as a single literal "\", the ` character is no longer escaped, and `rm -rf /` will be executed by the system! However, because a backslash character remains, the system reports an error when executing it. Can you find a way around this limitation? ;-) Another application of the backslash is bypassing restrictions on entering system directories. Look at the following expression:

    s/\.\.//g;

This matching expression is very simple: it filters ".." out of the string.

When the input is /usr/tmp/../../etc/passwd it is filtered to /usr/tmp////etc/passwd, which can no longer reach the /etc/passwd file. (Note: *NIX systems allow "///"; try the command 'ls -l ///etc/passwd' and you will see.) Now let our "good partner" the backslash help. Change the input to /usr/tmp/\.\./\.\./etc/passwd; because of the backslashes it no longer matches the filter expression. When the Perl program contains the block:

    $file = '/usr/tmp/\.\./\.\./etc/passwd';   # as received from the client
    $file =~ s/\.\.//g;
    system("ls -l $file");

the command actually run when the system call executes is "ls -l /usr/tmp/../../etc/passwd", because the shell strips the backslashes. Want to know what you get? Try it yourself. ;-) However, the above method only works for system() calls or `` commands. It cannot bypass Perl's '-e' operator or the open() function (in non-pipe mode). For example:

    $file = '/usr/tmp/\.\./\.\./etc/passwd';
    open(FILE, "<$file") or die("No such file");

prints "No such file" and exits when executed. I have not yet found a way to bypass this restriction. :( Solution: as long as you do not forget to filter the backslash character (\), that is enough.

---------------------- 3. The unimpeded "pipe" character (|) ----------------------

In Perl's open() function, if you append "|" to the file name, Perl executes the file instead of opening it. That is, open(FILE, "/bin/ls") opens /bin/ls and reads its binary code, but open(FILE, "/bin/ls|") executes the /bin/ls command! The following filter expression limits this method:

    s/(\|)/\\$1/g;

With the pipe escaped this way, the attempt only produces "Unexpected end of file". If you find a way to bypass this restriction, please tell me. :-)

---------------------- Comprehensive application ----------------------

Now let us combine several of these programming security holes.
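Before the combined example, here is the defensive counterpart to section 2, written as an added example rather than code from the original article. It runs the W3C-style metacharacter filter in two versions, with and without the backslash in the character class, over the article's own sample input, and reports whether a backtick the shell would still honour survives. The has_live_backtick() helper and the sample strings are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not from the original article): the W3C-style metacharacter
# filter with and without the backslash, run over the article's sample input.
use strict;
use warnings;

# Filter as often shipped: the backslash is missing from the character class.
sub escape_without_backslash {
    my ($s) = @_;
    $s =~ s/([&;`'"|*?~<>^()\[\]{}\$\n\r])/\\$1/g;
    return $s;
}

# Corrected filter: the backslash itself is escaped too, so a client cannot
# pre-escape a metacharacter and thereby neutralise our own backslash.
sub escape_with_backslash {
    my ($s) = @_;
    $s =~ s/([&;`'"|*?~<>^()\[\]{}\$\n\r\\])/\\$1/g;
    return $s;
}

# Does the escaped string still contain a backtick the shell would act on?
# A backtick is live unless it is preceded by an odd number of backslashes.
sub has_live_backtick {
    my ($s) = @_;
    while ($s =~ /((?:\\)*)`/g) {
        return 1 if length($1) % 2 == 0;
    }
    return 0;
}

# Constructed inputs: the plain attempt and the pre-escaped variant from the
# article ("\\" in a Perl double-quoted string is one backslash).
my @inputs = ("user data `rm -rf /`", "user data \\`rm -rf /\\`");
for my $in (@inputs) {
    my $weak   = escape_without_backslash($in);
    my $strong = escape_with_backslash($in);
    printf "input : %s\nweak  : %s  (live backtick: %d)\nstrong: %s  (live backtick: %d)\n\n",
        $in, $weak, has_live_backtick($weak), $strong, has_live_backtick($strong);
}
```

For the first input both filters neutralise the backticks. For the pre-escaped input the weak filter yields "user data \\`rm -rf /\\`", where each backtick sits behind two backslashes and is therefore live, while the corrected filter yields three backslashes before each backtick and the command stays inert. In practice an allowlist of permitted characters is a sounder design than any denylist, since a denylist is only as good as the character it forgot.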
For example, $form is a variable that is submitted to the CGI program, and the CGI program contains the statement:

    open(FILE, "$form");

Then we can pass "ls|" in the $form variable to get a listing of the current directory. Now let us consider the following block:

    $filename = "/safe/dir/to/read/$form";
    open(FILE, $filename);

How do we execute the "ls" command? Just make $form = "../../../../bin/ls|". If the system is configured with ".." filtering, it can be bypassed with the hole described above. In this program we can also add parameters to the command; for example "touch /backend|" will create the file /backend. (But I won't use this file name, because it is my name.

:-)) Now let us add more security restrictions to the block:

    $filename = "/safe/dir/to/read/$form";
    if (!(-e $filename)) { die("I don't think so!"); }
    open(FILE, $filename);

Now we also need to bypass "-e". Since we use the "|" character in the $form variable, when the "-e" operator checks for the file "ls|", the program exits because there is no such file. How can the pipe be absent when "-e" checks and present when the open() function is called? Recalling the use of NULL characters discussed earlier, we know how to do it: just make $form = "ls\0|" (note: "ls%00|" in the form submitted by the client). For the principle, review the content mentioned earlier. Note that in the above block we cannot execute commands with parameters, because of the restriction imposed by the "-e" operator. For example:

    $filename = "/bin/ls /etc|";
    open(FILE, $filename);

displays the list of files in the /etc directory.

    $filename = "/bin/ls /etc|";
    if (!(-e $filename)) { exit; }
    open(FILE, $filename);

exits because there is no such file.

    $filename = "/bin/ls\0 /etc|";
    if (!(-e $filename)) { exit; }
    open(FILE, $filename);

only displays the list of files in the current directory.

---------------------- 4. Precautions when using other people's CGI scripts ----------------------

You can get information about CGI from many places: from the Internet, from the school library, from books like this one, from USENET groups, and from friends and colleagues. From these places you get not only information but also practical programs and libraries. Some programs and libraries already do what you need, so why write them again from scratch? But just as you cannot blindly follow other people's opinions on how to manage money, how to drive or how to live, you cannot blindly run someone else's code on your own server. A script obtained from the Net may truly be a good script. But maybe not. It is worth taking some time to examine the origin of the script and the trustworthiness of the site you got it from.
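The combined example above chains three weaknesses: a NUL byte that makes "-e" and open() see different names, ".." stripping that is not a real path check, and a two-argument open() that treats a trailing "|" as a pipe. The routine below is an added example, not code from the original article, showing how a defender closes all three at once in Perl: reject NUL, resolve ".." by canonicalising instead of deleting, confine the result to a base directory, and use the three-argument open so the name is never parsed for modes or pipes. The base directory /safe/dir/to/read is taken from the article; the function names and probe inputs are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not from the original article): a read-only file open that
# closes the NUL-byte, ".."-stripping and pipe-in-open holes discussed above.
use strict;
use warnings;
use File::Spec;

my $BASE = "/safe/dir/to/read";   # document root taken from the article's example

# Return (canonical path, "ok") if $form names a file inside $base, or
# (undef, reason) if it must be refused. ".." is resolved, never deleted, so
# tricks such as "\.\." or "....//" aimed at a deleting filter do not matter.
sub confine_path {
    my ($form, $base) = @_;
    return (undef, "NUL byte in name") if index($form, "\0") >= 0;
    my @parts;
    for my $seg (File::Spec->splitdir(File::Spec->canonpath("$base/$form"))) {
        next if $seg eq "" || $seg eq ".";      # canonpath already collapsed "//" and "/./"
        if ($seg eq "..") { pop @parts; next; } # climb one level (harmless at root)
        push @parts, $seg;
    }
    my $path = "/" . join("/", @parts);
    return (undef, "escapes base directory")
        unless $path eq $base || index($path, "$base/") == 0;
    return ($path, "ok");
}

# Open for reading only. The three-argument form never parses the name for
# "<", ">" or a trailing "|", so "ls|" is simply a file that does not exist.
# There is no separate -e test: open() succeeds or fails on the very string it
# receives, so the name cannot mean one thing to the check and another to the open.
sub open_under_base {
    my ($form) = @_;
    my ($path, $why) = confine_path($form, $BASE);
    return (undef, $why) unless defined $path;
    open(my $fh, "<", $path) or return (undef, "open failed: $!");
    return ($fh, "ok");
}

# Constructed probes mirroring the article's inputs.
for my $form ("page1.html", "../../../../bin/ls|", "ls|", "ls\0|", "sub/\\.\\./../x") {
    my ($path, $why) = confine_path($form, $BASE);
    my $shown = join "", map { $_ eq "\0" ? "\\0" : $_ } split //, $form;
    printf "%-24s -> %s\n", $shown, defined $path ? $path : "REFUSED ($why)";
}
```

Running the probes, "page1.html" maps to /safe/dir/to/read/page1.html, the "../../../../bin/ls|" probe is refused as escaping the base directory, "ls\0|" is refused for its NUL byte, and "ls|" resolves to a name inside the base that open_under_base() will simply fail to open, since the three-argument open treats the "|" as an ordinary character. The literal "\.\." segment is kept as a directory name, which is exactly how open() treats it, so the backslash trick that works against system() gains nothing here.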
4.1 Tracing the source

Some Web site owners will not run a public, free or commercial script at all unless they can see and study its source code. This may be a bit biased. If a reputable company sells a well-documented and widely used script, that script should be more secure than one you write yourself, for two reasons. First, professionals know and avoid some common security vulnerabilities; second, the company is in business to stay in business, and it cannot do so if it is careless or sells malicious products. On the other hand, if you see a compiled executable from a USENET group, posted by someone you have never heard of, with no documentation you can read, and nobody the user can contact if the program goes wrong, then be careful before putting it on your own server. It may well be a completely legitimate contribution from another CGI programmer like yourself, whose purpose is to share his programming results with the world. But it may also come from a malicious, twisted person who just wants to see how many people's systems he can wipe clean.

Please credit the original address when reprinting: https://www.9cbs.com/read-101935.html
