Recently, someone contacted our company indicating that several security threats could be used to exploit our systems. They were kind enough to provide a list of these, which we are now analysing; however, as we have no one specifically assigned to security, I'm going through them trying to get a better understanding.
While he provided quite a few, one of the examples is below. What I don't understand is how this URL in the GET is being tied in? The "publicservers.php" has relatively nothing content-wise, where it just echoes data (no connection to the database / etc.). How is "/fonts/game-servers.php/reset.css" and so on being appended to this file to create an exploit?
Request
GET /publicservers.php/fonts/game-servers.php/reset.css?1=null'%20UNION%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema.tables%20WHERE%20table_name%20like'%25
Resource Content
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /publicservers.php/fonts/game-servers.php/reset.css
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
Discussion
I have detected a possible SQL injection vulnerability. These vulnerabilities are present when externally-supplied input is used to construct a SQL query. If precautions are not taken, the externally-supplied input (usually a GET or POST parameter) can modify the query string such that it performs unintended actions. These actions include gaining unauthorized read or write access to the data stored in the database, as well as modifying the logic of the application.
Impact
Vega has detected a possible SQL injection vulnerability.
These vulnerabilities can be exploited by remote attackers to gain unauthorized read or write access to the underlying database.
Exploitation of SQL injection vulnerabilities can also allow for attacks against the logic of the application.
Attackers may be able to obtain unauthorized access to the server hosting the database.
Remediation
The developer should review the request and response against the code to manually verify whether or not a vulnerability is present.
The best defense against SQL injection vulnerabilities is to use parameterized statements.
Sanitizing input can prevent these vulnerabilities. Variables of string types should be filtered for escape characters, and numeric types should be checked to ensure that they are valid.
Use of stored procedures can simplify complex queries and allow for tighter access control settings.
Configuring database access controls can limit the impact of exploited vulnerabilities. This is a mitigating strategy that can be employed in environments where the code is not modifiable.
Object-relational mapping eliminates the need for SQL.
/de/reset.css?1=null'"
/de/style-custom.css?1=null'"
/games/bf4.php/style-custom.css?1=null'"
/publicservers.php/fonts/game-servers.php/reset.css?1=null'%20UNION%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema.tables%20WHERE%20table_name%20like'%25
/publicservers.php/fonts/game-servers.php/style.css?1='%20AND%201=2%20--%20
/publicservers.php/fonts/images/images/reset.css?1=null'"
/publicservers.php/fonts/images/images/style.css?1='%20AND%201=2%20--%20
/publicservers.php/fonts/images/style.css?1=null"%20UNION%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema.taables%20WHERE%20taable_name%20like'%25
/publicservers.php/fonts/images/style-custom.css?1='%20AND%201=2%20--%20
/publicservers.php/fonts/js/images/style.css?1=9-8
/publicservers.php/fonts/js/style.css?1=9%201%20-
/publicservers.php/fonts/reset.css?1=null%20AND%201=2%20--%20
/publicservers.php/fonts/style-custom.css?1=null'"
/publicservers.php/js/account-logins.php/fonts/style.css?1=null%20AND%201=2%20--%20
/publicservers.php/js/account-logins.php/fonts/style-custom.css?1=null'"
/publicservers.php/js/account-logins.php/reset.css?1=null%20AND%201=2%20--%20
/publicservers.php/js/account-logins.php/style.css?1='%20AND%201=2%20--%20
Parameter 1
Method GET
Risk High
EDIT
As requested in the comments, here is another. The first was one of the biggest threats mentioned, and the following was the highest.
Request
GET /publicservers.php/reset.css?1=null"'true'"
Discussion
Command injection vulnerabilities often occur when inadequately sanitized externally supplied data is used as part of a system command executed through a command interpreter, or shell. Vulnerabilities such as these can be exploited by using shell metacharacters to run additional commands that were not intended to be executed by the application developer. The system() function, and derivatives, are often responsible, as these functions are very simple to use. These vulnerabilities can grant remote access to attackers, if exploited successfully.
Impact
I have detected a possible command injection vulnerability.
Attackers may be able to run commands on the server.
Exploitation may lead to unauthorized remote access.
Remediation
Developers should examine the code corresponding to the page in detail to determine if the vulnerability exists.
Execution of system commands through a command interpreter, such as with system(), should be avoided.
If absolutely necessary, the developer should take extra care with validating the input before it is passed to the interpreter.
/publicservers.php/reset.css?1=null'true'
/de/images/"'true'"
/publicservers.php/js/services/style-custom.css?1=null'true'
/publicservers.php/js/account-logins.php/reset.css?1=null'true'
/publicservers.php/js/js/fonts/reset.css?1=null'true'
/publicservers.php/js/js/fonts/reset.css?1=null"'true'"
/publicservers.php/js/services/js/style-custom.css?1=null"'true'"
/games/terraria-old.php/images/banners/"'true'"
/publicservers.php/js/services/services/style.css?1=null'true'
Tags security php sql exploit vulnerabilities
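Worked example added for this question (not code from the asker's site or from the Vega project). It covers the two things the post turns on: how a request target like the report's GET is split into the script and the trailing PATH_INFO that Apache hands to publicservers.php (the "/fonts/game-servers.php/reset.css" suffix is path info, not a separate file), and what the report's "AND 1=1"/"AND 1=2" and UNION probes do to a query assembled by string concatenation versus the parameterized statement the remediation section recommends. The `servers` table, its rows, the function names and the assumption that the first `.php` segment is the existing script are all constructed for the demo; SQLite's `sqlite_master` stands in for MySQL's `information_schema.tables`.

```python
"""Added example: request-target mapping plus the scanner's SQL probes run
against a concatenated query and a parameterized one (SQLite, in memory)."""
import sqlite3
from urllib.parse import parse_qs, urlsplit


def split_request_target(target):
    """Mimic Apache's handling with AcceptPathInfo: the first path component
    that is an existing .php file is the script, and everything after it is
    passed to that script as PATH_INFO.  Assumption for the demo: the first
    .php segment is the existing file.  Returns (script, path_info, param_1)."""
    parts = urlsplit(target)
    segments = parts.path.split("/")
    script, path_info = parts.path, ""
    for i, seg in enumerate(segments):
        if seg.endswith(".php"):
            script = "/".join(segments[: i + 1])
            rest = segments[i + 1:]
            path_info = "/" + "/".join(rest) if rest else ""
            break
    params = parse_qs(parts.query, keep_blank_values=True)
    return script, path_info, params.get("1", [None])[0]


def setup_db():
    """Constructed sample data standing in for the site's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE servers (id INTEGER, name TEXT, region TEXT)")
    conn.executemany("INSERT INTO servers VALUES (?, ?, ?)",
                     [(1, "bf4-eu", "eu"), (2, "terraria-us", "us")])
    return conn


def lookup_vulnerable(conn, value):
    """The pattern the scanner probes for: the GET parameter spliced into SQL."""
    sql = "SELECT id, name, region FROM servers WHERE name = '" + value + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, value):
    """The report's remediation: the value is bound, never parsed as SQL."""
    sql = "SELECT id, name, region FROM servers WHERE name = ?"
    return conn.execute(sql, (value,)).fetchall()


def boolean_differential(conn, lookup, base="bf4-eu"):
    """Row counts for the 'AND 1=1' / 'AND 1=2' pair seen in the report's URLs.
    A count that changes between the two is the scanner's evidence of injection;
    a parameterized query treats both strings literally and returns nothing."""
    true_rows = lookup(conn, base + "' AND 1=1 -- ")
    false_rows = lookup(conn, base + "' AND 1=2 -- ")
    return len(true_rows), len(false_rows)


# The report's UNION probe, rewritten for SQLite's schema table.
UNION_PROBE = ("x' UNION SELECT 8, name, 'vega' FROM sqlite_master "
               "WHERE type = 'table' -- ")

if __name__ == "__main__":
    target = ("/publicservers.php/fonts/game-servers.php/reset.css?1=null'%20UNION"
              "%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema"
              ".tables%20WHERE%20table_name%20like'%25")
    print(split_request_target(target))
    db = setup_db()
    print("concatenated:", lookup_vulnerable(db, UNION_PROBE))
    print("parameterized:", lookup_parameterized(db, UNION_PROBE))
    print("1=1/1=2 concatenated:", boolean_differential(db, lookup_vulnerable))
    print("1=1/1=2 parameterized:", boolean_differential(db, lookup_parameterized))
```

The concatenated lookup leaks the table name through the UNION probe and returns one row for "1=1" but none for "1=2", which is exactly the behaviour difference Vega reports as "Risk High"; the parameterized lookup returns no rows for every probe because the apostrophe never terminates the string literal. Whether the real publicservers.php is affected depends on whether parameter 1 or the PATH_INFO ever reaches a query at all, which is why the report tells the developer to check the code by hand.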