
Understanding and fixing web server exploits

Someone recently contacted our company and reported that we have a number of security vulnerabilities that could be used to break into our systems. They were kind enough to provide a list of them, which we are now going through; however, since we have nobody dedicated to security, I am reviewing them myself to try to understand them better.

Although he provided quite a few, below is one example. I don't understand how this URL in the GET request is being put together. "publicservers.php" has nothing of real substance in its content; it simply displays data (no database connection, etc.). How do "/fonts/game-servers.php/reset.css" and so on get appended to that file to produce an exploit?

Request
GET /publicservers.php/fonts/game-servers.php/reset.css?1=null'%20UNION%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema.tables%20WHERE%20table_name%20like'%25 
Resource Content
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /publicservers.php/fonts/game-servers.php/reset.css
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>


Discussion
I have detected a possible SQL injection vulnerability. These vulnerabilities are present when externally-supplied input is used to construct a SQL query. If precautions are not taken, the externally-supplied input (usually a GET or POST parameter) can modify the query string such that it performs unintended actions. These actions include gaining unauthorized read or write access to the data stored in the database, as well as modifying the logic of the application. 
Impact
Vega has detected a possible SQL injection vulnerability. 
These vulnerabilities can be exploited by remote attackers to gain unauthorized read or write access to the underlying database. 
Exploitation of SQL injection vulnerabilities can also allow for attacks against the logic of the application. 
Attackers may be able to obtain unauthorized access to the server hosting the database. 

Remediation
The developer should review the request and response against the code to manually verify whether or not a vulnerability is present. 
The best defense against SQL injection vulnerabilities is to use parameterized statements. 
Sanitizing input can prevent these vulnerabilities. Variables of string types should be filtered for escape characters, and numeric types should be checked to ensure that they are valid. 
Use of stored procedures can simplify complex queries and allow for tighter access control settings. 
Configuring database access controls can limit the impact of exploited vulnerabilities. This is a mitigating strategy that can be employed in environments where the code is not modifiable. 
Object-relational mapping eliminates the need for SQL.
/de/reset.css?1=null'" 
/de/style-custom.css?1=null'" 
/games/bf4.php/style-custom.css?1=null'" 
/publicservers.php/fonts/game-servers.php/reset.css?1=null'%20UNION%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema.tables%20WHERE%20table_name%20like'%25 
/publicservers.php/fonts/game-servers.php/style.css?1='%20AND%201=2%20--%20 
/publicservers.php/fonts/images/images/reset.css?1=null'" 
/publicservers.php/fonts/images/images/style.css?1='%20AND%201=2%20--%20 
/publicservers.php/fonts/images/style.css?1=null"%20UNION%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema.taables%20WHERE%20taable_name%20like'%25 
/publicservers.php/fonts/images/style-custom.css?1='%20AND%201=2%20--%20 
/publicservers.php/fonts/js/images/style.css?1=9-8 
/publicservers.php/fonts/js/style.css?1=9%201%20- 
/publicservers.php/fonts/reset.css?1=null%20AND%201=2%20--%20 
/publicservers.php/fonts/style-custom.css?1=null'" 
/publicservers.php/js/account-logins.php/fonts/style.css?1=null%20AND%201=2%20--%20 
/publicservers.php/js/account-logins.php/fonts/style-custom.css?1=null'" 
/publicservers.php/js/account-logins.php/reset.css?1=null%20AND%201=2%20--%20 
/publicservers.php/js/account-logins.php/style.css?1='%20AND%201=2%20--%20 
Parameter 1 
Method GET 
Risk High 

EDIT

As requested in the comments, here is another one. The first was one of the most serious threats they mentioned, and the following one is the most serious.

Request
GET /publicservers.php/reset.css?1=null"`true`" 
Discussion
Command injection vulnerabilities often occur when inadequately sanitized externally supplied data is used as part of a system command executed through a command interpreter, or shell. Vulnerabilities such as these can be exploited by using shell metacharacters to run additional commands that were not intended to be executed by the application developer. The system() function, and derivatives, are often responsible, as these functions are very simple to use. These vulnerabilities can grant remote access to attackers, if exploited successfully. 
Impact
I have detected a possible command injection vulnerability. 
Attackers may be able to run commands on the server. 
Exploitation may lead to unauthorized remote access. 

Remediation
Developers should examine the code corresponding to the page in detail to determine if the vulnerability exists. 
Execution of system commands through a command interpreter, such as with system(), should be avoided. 
If absolutely necessary, the developer should take extra care with validating the input before it is passed to the interpreter.
/publicservers.php/reset.css?1=null'true' 
/de/images/"`true`" 
/publicservers.php/js/services/style-custom.css?1=null`true` 
/publicservers.php/js/account-logins.php/reset.css?1=null`true` 
/publicservers.php/js/js/fonts/reset.css?1=null`true` 
/publicservers.php/js/js/fonts/reset.css?1=null"`true`" 
/publicservers.php/js/services/js/style-custom.css?1=null"`true`" 
/games/terraria-old.php/images/banners/"`true`" 
/publicservers.php/js/services/services/style.css?1=null`true`
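Added example (editor's code, not part of the original post and not Vega's output). Two things are worth seeing in working code when checking a report like the one above. First, how a request such as /publicservers.php/fonts/game-servers.php/reset.css reaches publicservers.php at all: with Apache's default AcceptPathInfo handling for PHP, the request is routed to the first path component that is a .php script, and everything after it is handed to the script as PATH_INFO ($_SERVER['PATH_INFO']); the scanner then appended its own test parameter "1" to that URL. Second, how the boolean probe the scanner used (the "' AND 1=2 -- " tail in the list) tells a concatenated query apart from a parameterized one, which is the manual verification the "Remediation" text asks the developer to do. The SQLite table, its rows and the `split_path_info` simplification (a component counts as a script if it ends in .php) are constructed for this example; the request URL is the one quoted in the post.

```python
"""Added example: PATH_INFO routing plus a boolean SQL injection probe.

Not from the original post or from Vega. The database, table and rows are
constructed for the example; the request URL is the one quoted in the report.
"""
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Request taken from the scanner output quoted in the post.
SCAN_URL = ("/publicservers.php/fonts/game-servers.php/reset.css?1=null'%20UNION"
            "%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema"
            ".tables%20WHERE%20table_name%20like'%25")


def split_path_info(path):
    """Route a request path the way Apache does for PHP with AcceptPathInfo
    enabled: the first component that is a .php script is the script that
    runs, the remainder becomes $_SERVER['PATH_INFO'].
    Assumption (simplification): a component is a script iff it ends in .php."""
    parts = path.split("/")
    for i, seg in enumerate(parts):
        if seg.endswith(".php"):
            script = "/".join(parts[: i + 1])
            rest = parts[i + 1:]
            return script, ("/" + "/".join(rest)) if rest else ""
    return path, ""


def injected_value(url, param="1"):
    """Decode the percent-encoded payload the scanner placed in GET parameter `param`."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get(param, [""])[0]


def new_db():
    """Constructed in-memory database standing in for the site's real one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE servers (id INTEGER PRIMARY KEY, name TEXT, region TEXT);
        INSERT INTO servers VALUES (1, 'eu-1', 'de'), (2, 'us-1', 'us'), (3, 'us-2', 'us');
    """)
    return conn


def vulnerable_lookup(conn, region):
    """The anti-pattern the report describes: the GET value is spliced into SQL text."""
    sql = "SELECT name FROM servers WHERE region = '" + region + "'"
    return [row[0] for row in conn.execute(sql)]


def parameterized_lookup(conn, region):
    """The fix the report recommends: the value travels as a bound parameter."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM servers WHERE region = ?", (region,))]


def boolean_probe(lookup, conn, value):
    """Send the same value with an always-true and an always-false SQL tail.
    If the two result sets differ, the tail was parsed as SQL, so the
    parameter is injectable; if they are identical, the condition never
    reached the SQL parser. A database error is also treated as a signal,
    since an error page is a response difference the caller can observe."""
    try:
        when_true = lookup(conn, value + "' AND 1=1 -- ")
        when_false = lookup(conn, value + "' AND 1=2 -- ")
    except sqlite3.Error:
        return True
    return when_true != when_false


if __name__ == "__main__":
    print(split_path_info(urlsplit(SCAN_URL).path))
    print(repr(injected_value(SCAN_URL)))
    conn = new_db()
    print("concatenated query injectable:", boolean_probe(vulnerable_lookup, conn, "us"))
    print("parameterized query injectable:", boolean_probe(parameterized_lookup, conn, "us"))
```

Note that the response recorded in the report is an Apache 403 Forbidden (and a 404 for the ErrorDocument), so for that particular request publicservers.php was never executed and the payload in parameter 1 could not have been evaluated; a probe like the one above only means something when run against code that actually reads the parameter. The finding therefore has to be verified against the PHP source, as the "Remediation" text says, rather than taken from the scanner's rating alone.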