Understanding and resolving web server vulnerabilities

Our company was recently contacted by someone pointing out that we face a number of security threats that could be used to exploit our systems. They kindly provided a list of threats that we are investigating, but since we have nobody dedicated to security, I am going through them myself to get a better understanding of the situation.

He provided quite a lot, but below is one example. What I don't understand is how the URL in the GET is strung together. "publicservers.php" has practically nothing in it; it just echoes data (no database connection, etc.). How can a fourth file such as "/fonts/game-servers.php/reset.css" be appended to this file to create a vulnerability?

Request
GET /publicservers.php/fonts/game-servers.php/reset.css?1=null'%20UNION%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema.tables%20WHERE%20table_name%20like'%25 
Resource Content
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /publicservers.php/fonts/game-servers.php/reset.css
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>


Discussion
I have detected a possible SQL injection vulnerability. These vulnerabilities are present when externally-supplied input is used to construct a SQL query. If precautions are not taken, the externally-supplied input (usually a GET or POST parameter) can modify the query string such that it performs unintented actions. These actions include gaining unauthorized read or write access to the data stored in the database, as well as modifying the logic of the application. 
Impact
Vega has detected a possible SQL injection vulnerability. 
These vulnerabilities can be exploited by remote attackers to gain unauthorized read or write access to the underlying database. 
Exploitation of SQL injection vulnerabilities can also allow for attacks against the logic of the application. 
Attackers may be able to obtain unauthorized access to the server hosting the database. 

Remediation
The developer should review the request and response against the code to manually verify whether or not a vulnerability is present. 
The best defense against SQL injection vulnerabilities is to use parameterized statements. 
Sanitizing input can prevent these vulnerabilities. Variables of string types should be filtered for escape characters, and numeric types should be checked to ensure that they are valid. 
Use of stored procedures can simplify complex queries and allow for tighter access control settings. 
Configuring database access controls can limit the impact of exploited vulnerabilities. This is a mitigating strategy that can be employed in environments where the code is not modifiable. 
Object-relational mapping eliminates the need for SQL.
/de/reset.css?1=null'"
/de/style-custom.css?1=null'"
/games/bf4.php/style-custom.css?1=null'"
/publicservers.php/fonts/game-servers.php/reset.css?1=null'%20UNION%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema.tables%20WHERE%20table_name%20like'%25
/publicservers.php/fonts/game-servers.php/style.css?1='%20AND%201=2%20--%20
/publicservers.php/fonts/images/images/reset.css?1=null'"
/publicservers.php/fonts/images/images/style.css?1='%20AND%201=2%20--%20
/publicservers.php/fonts/images/style.css?1=null"%20UNION%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema.taables%20WHERE%20taable_name%20like'%25
/publicservers.php/fonts/images/style-custom.css?1='%20AND%201=2%20--%20
/publicservers.php/fonts/js/images/style.css?1=9-8
/publicservers.php/fonts/js/style.css?1=9%201%20-
/publicservers.php/fonts/reset.css?1=null%20AND%201=2%20--%20
/publicservers.php/fonts/style-custom.css?1=null'"
/publicservers.php/js/account-logins.php/fonts/style.css?1=null%20AND%201=2%20--%20
/publicservers.php/js/account-logins.php/fonts/style-custom.css?1=null'"
/publicservers.php/js/account-logins.php/reset.css?1=null%20AND%201=2%20--%20
/publicservers.php/js/account-logins.php/style.css?1='%20AND%201=2%20--%20
Parameter 1
Method GET
Risk High

Edit

As requested in the comments, here is another one. The first was one of the highest-rated threats they mentioned; the following is the highest-rated threat.

Request
GET /publicservers.php/reset.css?1=null"`true`" 
Discussion
Command injection vulnerabilities often occur when inadequately sanitized externally supplied data is as part of a system command executed through a command interpreter, or shell. Vulnerabilities such as these can be exploited by using shell metacharacters to run additional commands that were not intended to be executed by the application developer. The system() function, and derivatives, are often responsible, as these functions are very simple to use. These vulnerabilities can grant remote access to attackers, if exploited successfully. 
Impact
I have detected a possible command injection vulnerability. 
Attackers may be able to run commands on the server. 
Exploitation may lead to unauthorized remote access. 

Remediation
Developers should examine the code corresponding to the page in detail to determine if the vulnerability exists. 
Execution of system commands through a command interpreter, such as with system(), should be avoided. 
If absolutely necessary, the developer should take extra care with validating the input before it is passed to the interpreter.
/publicservers.php/reset.css?1=null'true'
/de/images/"`true`"
/publicservers.php/js/services/style-custom.css?1=null`true`
/publicservers.php/js/account-logins.php/reset.css?1=null`true`
/publicservers.php/js/js/fonts/reset.css?1=null`true`
/publicservers.php/js/js/fonts/reset.css?1=null"`true`"
/publicservers.php/js/services/js/style-custom.css?1=null"`true`"
/games/terraria-old.php/images/banners/"`true`"
/publicservers.php/js/services/services/style.css?1=null`true`
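
The following is an added triage helper for reviewing a report like the two above; it is not code from the original post or from the Vega scanner. It splits each reported request into the script that would actually handle it, the trailing path, and the decoded query parameters, then labels the payload family so the reviewer can find the code that reads each parameter. The split assumes Apache-style routing, where a URL such as /publicservers.php/fonts/game-servers.php/reset.css is served by publicservers.php with the remainder exposed to it as PATH_INFO (and where a crawler resolving a relative stylesheet link against that URL produces the nested paths seen in the report). Whether the asker's server behaves this way is an assumption, not something the post states; the sample request lines are copied from the report above, and the signature regexes are illustrative.

```python
# Added triage helper, not code from the original post or from the Vega scanner.
# It takes the request lines a scanner reported and splits each into the script
# that would actually handle it, the trailing PATH_INFO, and the decoded query
# parameters, then labels the payload type so the reviewer can locate the code
# that reads each parameter. The script/PATH_INFO split assumes Apache-style
# routing, where /script.php/extra/segments is served by script.php with the
# remainder exposed to it as PATH_INFO; that is an assumption about the server
# in the post, not something the post states.
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Signatures are illustrative, chosen to cover the probes visible in the report.
SHELL_MARKERS = re.compile(r"[`;|&]|\$\(")
SQLI_MARKERS = re.compile(
    r"union\s+select|information_schema|\b(?:and|or)\b\s+\S+=\S+|--\s*$", re.I)
ARITH_PROBE = re.compile(r"^\d+(?:\s*[-+]\s*\d+|\s+\d+\s*[-+])\s*$")


def split_script_and_pathinfo(path):
    """Return (script, path_info). Everything up to and including the first
    segment ending in .php is the script the server would execute; the rest is
    PATH_INFO. Paths with no .php segment are returned unchanged."""
    segments = path.split("/")
    for i, seg in enumerate(segments):
        if seg.endswith(".php"):
            script = "/".join(segments[:i + 1])
            rest = segments[i + 1:]
            return script, ("/" + "/".join(rest)) if rest else ""
    return path, ""


def classify_payload(values):
    """Label a list of decoded strings (parameter values plus the path) by the
    first matching probe family."""
    if any(SHELL_MARKERS.search(v) for v in values):
        return "command_injection_probe"
    if any(SQLI_MARKERS.search(v) for v in values):
        return "sqli_probe"
    if any(ARITH_PROBE.match(v) for v in values):
        return "arithmetic_probe"
    if any("'" in v or '"' in v for v in values):
        return "quote_probe"
    return "none"


def triage(request_line):
    """Parse one scanner request line (with or without a leading 'GET ')."""
    raw = re.sub(r"^GET\s+", "", request_line.strip()).rstrip("\\").strip()
    parts = urlsplit(raw)
    script, path_info = split_script_and_pathinfo(parts.path)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    # The path itself is checked too: some probes carry the payload there.
    values = list(params.values()) + [unquote(parts.path)]
    return {
        "script": script,
        "path_info": path_info,
        "params": params,
        "payload_class": classify_payload(values),
    }


def summarize(request_lines):
    """Map each handling script to the parameter names and probe families seen
    against it: that is the list of code locations to review."""
    summary = {}
    for line in request_lines:
        if not line.strip():
            continue
        t = triage(line)
        entry = summary.setdefault(t["script"], {"params": set(), "classes": set()})
        entry["params"].update(t["params"])
        entry["classes"].add(t["payload_class"])
    return summary


# Constructed sample: a subset of the request lines from the report above.
SAMPLE_REQUESTS = [
    "GET /publicservers.php/fonts/game-servers.php/reset.css?1=null'%20UNION%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema.tables%20WHERE%20table_name%20like'%25",
    "/publicservers.php/fonts/images/style-custom.css?1='%20AND%201=2%20--%20",
    "/publicservers.php/fonts/js/images/style.css?1=9-8",
    "/de/reset.css?1=null'\"",
    "GET /publicservers.php/reset.css?1=null\"`true`\"",
    "/de/images/\"`true`\"",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        t = triage(line)
        print(f"{t['payload_class']:26} script={t['script']:<22} "
              f"path_info={t['path_info']!r} params={t['params']}")
    for script, entry in summarize(SAMPLE_REQUESTS).items():
        print(script, sorted(entry["params"]), sorted(entry["classes"]))
```

Run against the full lists from the report, the summary collapses the dozens of nested URLs into a handful of scripts (publicservers.php, the pages under /games/, and the static paths under /de/) with parameter "1" as the single input name to look for. If publicservers.php never reads a parameter named "1" and the server returned 403 for the nested path, as the resource content above shows, the finding is a probe that did not reach application code; the check worth keeping is whether anything under the reported scripts passes request input to a database query or a shell without parameterization.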
