• Nenhum resultado encontrado

Teste de Invasão de Rede

N/A
N/A
Protected

Academic year: 2021

Share "Teste de Invasão de Rede"

Copied!
30
0
0

Texto

(1)

10/04/12 UNISINOS 2012-1 1

Teste de Invasão de Rede

Fernando José Karl, AMBCI, CISSP, CISM fernando.karl@gmail.com

(2)

10/04/12 UNISINOS 2012-1 2

Vulnerability Scanning

Arquivos Desprotegidos

É possível pesquisar arquivos desprotegidos no sistema operacional Linux, encontrando assim arquivos com permissão de escrita/leitura para qualquer pessoa. # find / -perm -2 –type f –print

(3)

10/04/12 UNISINOS 2012-1 3

Unidade

UNIDADE IV

(4)

10/04/12 UNISINOS 2012-1 4

Web application

Aplicações web funcionam através de um sistema cliente/servidor, onde o cliente é o navegador do usuário e o servidor é o servidor de aplicação web.

(5)

10/04/12 UNISINOS 2012-1 5

Web application

Vídeo

(6)

10/04/12 UNISINOS 2012-1 6

Application Vulnerability

Informação e Exploits

•  Secunia – http://www.secunia.com

•  Exploit DB – http://www.exploit-db.com

(7)

10/04/12 UNISINOS 2012-1 7

Web application

Ferramentas

•  Nikto – http://www.cirt.net/nikto

•  Paros Proxy – http://www.parosproxy.org

•  Webscarab – http://www.owasp.org

•  Watchfire Appscan – http://www.watchfire.com

•  Webinspect – http://www.spidynamics.com

•  XSS Cheat Sheet - http://ha.ckers.org/xss.html

(8)

10/04/12 UNISINOS 2012-1 8

Web application

OWASP

É um guia para testes de aplicações web para

desenvolvedores e testadores. A responsabilidade inicial pela segurança é dos desenvolvedores.

Utiliza um wiki para que a comunidade se envolva e dissemine a informação de uma forma rápida.

(9)

10/04/12 UNISINOS 2012-1 9

OWASP v3

 Information Gathering

 Config. Management Testing

 Business Logic Testing

 Authentication Testing

 Authorization Testing

 Session Management Testing

 Data Validation Testing

 Denial of Service Testing  Web Services Testing  Ajax Testing

 Encoded Appendix

•  V2à 8 sub-categories (de um total de 48 controles)

•  V3 à10 sub-categories (de um total de 66 controles)

•  36 novos artigos!

 Information Gathering  Business Logic Testing  Authentication Testing

 Session Management Testing  Data Validation Testing

 Denial of Service Testing  Web Services Testing  Ajax Testing

(10)

10/04/12 UNISINOS 2012-1 10

Aplication Vulnerabilities

•  MITRE descobriu que as

ferramentas identificam apenas 45% das vulnerabilidades

conhecidas(695)

•  Se todos encontram todas estas vulnerabilidades, então assume-se que temos 45% do que você precisa

(11)

Copyright © The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Advanced SQL Injection

Victor Chapela Sm4rt Security Services victor@sm4rt.com 4/11/2005

(12)

OWASP 12

What is SQL?

 SQL stands for Structured Query Language  Allows us to access a database

 ANSI and ISO standard computer language  The most current standard is SQL99

 SQL can:

 execute queries against a database  retrieve data from a database

 insert new records in a database  delete records from a database  update records in a database

(13)

OWASP 13

SQL is a Standard - but...

 There are many different versions of the SQL

language

 They support the same major keywords in a

similar manner (such as SELECT, UPDATE,

DELETE, INSERT, WHERE, and others).

 Most of the SQL database programs also have

their own proprietary extensions in addition

to the SQL standard!

(14)

OWASP 14

SQL Database Tables

 A relational database contains one or more tables identified each by a name

 Tables contain records (rows) with data

 For example, the following table is called "users" and contains data distributed in rows and columns:

userID Name LastName Login Password

1 John Smith jsmith hello

2 Adam Taylor adamt qwerty

(15)

OWASP 15

SQL Queries

 With SQL, we can query a database and have a

result set returned

 Using the previous table, a query like this:

SELECT LastName FROM users

WHERE UserID = 1;

 Gives a result set like this:

LastName --- Smith

(16)

OWASP 16

SQL Data Manipulation Language (DML)

 SQL includes a syntax to update, insert, and

delete records:

 SELECT - extracts data  UPDATE - updates data

 INSERT INTO - inserts new data  DELETE - deletes data

(17)

OWASP 17

SQL Data Definition Language (DDL)

 The Data Definition Language (DDL) part of SQL permits:

 Database tables to be created or deleted  Define indexes (keys)

 Specify links between tables

 Impose constraints between database tables

 Some of the most commonly used DDL statements in SQL are:

 CREATE TABLE - creates a new database table  ALTER TABLE - alters (changes) a database table  DROP TABLE - deletes a database table

(18)

OWASP 18

Metadata

  Almost all SQL databases are based on the

RDBM (Relational Database Model)

  One important fact for SQL Injection

  Amongst Codd's 12 rules for a Truly Relational Database System:

4.  Metadata (data about the database) must be stored in the database just as regular data is

  Therefore, database structure can also be read and altered with SQL queries

(19)

OWASP 19

What is SQL Injection?

The ability to inject SQL commands into

the database engine

(20)

OWASP 20

How common is it?

 It is probably the most common Website vulnerability today!

 It is a flaw in "web application" development, it is not a DB or web server problem

 Most programmers are still not aware of this problem  A lot of the tutorials & demo “templates” are vulnerable

 Even worse, a lot of solutions posted on the Internet are not good enough

 In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection

(21)

OWASP 21

Vulnerable Applications

  Almost all SQL databases and programming languages are potentially vulnerable

  MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc

  Accessed through applications developed using:

  Perl and CGI scripts that access databases   ASP, JSP, PHP

  XML, XSL and XSQL   Javascript

  VB, MFC, and other ODBC-based tools and APIs   DB specific Web-based applications and API’s   Reports and DB Applications

  3 and 4GL-based languages (C, OCI, Pro*C, and COBOL)   many more

(22)

OWASP 22

How does SQL Injection work?

Common vulnerable login query

SELECT * FROM users WHERE login = 'victor' AND password = '123'

(If it returns something then login!)

ASP/MS SQL Server login syntax

var sql = "SELECT * FROM users WHERE login = '" + formusr +

(23)

OWASP 23

Injecting through Strings

formusr

= ' or 1=1 – –

formpwd

= anything

Final query would look like this:

SELECT * FROM users

WHERE username = ' ' or 1=1

(24)

OWASP 24

The power of '

 It closes the string parameter

 Everything after is considered part of the SQL

command

 Misleading Internet suggestions include:

 Escape it! : replace ' with ' '

 String fields are very common but there are

other types of fields:

 Numeric  Dates

(25)

OWASP 25

If it were numeric?

SELECT * FROM clients

WHERE account =

12345678

AND pin =

1111

PHP/MySQL login syntax

$sql = "SELECT * FROM clients WHERE " .

"account =

$formacct

AND " .

(26)

OWASP 26

Injecting Numeric Fields

$formacct

= 1 or 1=1 #

$formpin

= 1111

Final query would look like this:

SELECT * FROM clients

WHERE account = 1 or 1=1

(27)

OWASP 27

SQL Injection Characters

 ' or " character String Indicators

 -- or # single-line comment

 /*…*/ multiple-line comment

 + addition, concatenate (or space in url)

 || (double pipe) concatenate

 % wildcard attribute indicator

 ?Param1=foo&Param2=bar URL Parameters

 PRINT useful as non transactional command

 @variable local variable

 @@variable global variable

(28)

10/04/12 UNISINOS 2012-1 28

Vulnerability Scanning

Trabalho Final

•  Desenvolver um exploit para o Metasploit das

aplicações Joomla ou Wordpress

•  Cada grupo deverá escolher uma vulnerabilidade e

encaminhar, não poderá ter vulnerabilidade repetida

•  Entrega no dia 19/06

•  Grupo de até 4 pessoas

•  Aula do dia 08/05 para discutir questões de

(29)

10/04/12 UNISINOS 2012-1 29

Web application

Atividade

Com o tutorial sobre SQL Injection de Oracle, realizar os exercícios propostos.

(30)

10/04/12 UNISINOS 2012-1 30

Web application

SQLNINJA (http://sqlninja.sourceforge.net)

É uma ferramenta que busca explorar vulnerabilidades de SQL Injection em aplicações web que usam

Microsoft SQL Server como base de dados.

Sua principal característica é prover um shell remoto em servidores de banco de dados, mesmo em ambientes hostis.

Referências

Documentos relacionados

MARCIA, UMA METODOLOGIA PARA O MANEJO DE REGISTRO CLÍNICO COM USO DE ARQUÉTIPOS PARA INTEROPERABILIDADE ENTRE SISTEMAS DE SAÚDE.. Mestrando: Fábio José Gomes

Isto decorre em parte porque as TEC do MERCOSUL são elevadas em relação às tarifas de outros países membros da ALCA, para vários cenários e produtos, além do que a redução

Adenor Vicente Wendling Prefeito Municipal ANEXO I CONTEÚDO PROGRAMÁTICO NÍVEL SUPERIOR CARGO: MÉDICO  

CREATE DATABASE – cria um novo banco de dados ALTER DATABASE – modifica um banco de dados CREATE TABLE – cria uma nova tabela.. ALTER TABLE – altera uma tabela DROP TABLE

Cidades Anfitriãs Evento Projectos Escolares Organização Transportes Programa Chegadas e Partidas Competição Alojamento Refeições 19 Municipal de Fafe Pavilhões - FAFE..

The assays to be performed in the validation of analytical method should be selected depending on the goal, i.e., identification tests, quantitative tests and limit tests for

adultériu adultériu Adventu Adventu advérbiu advérbiu advogadu advogadu aéreu aéreu aeroportu aeroportu afiadór  afiadór  afian afian afinál afinál afisionadu afisionadu

3) Il exploitera les vocabulaires (très important pour faciliter la compréhension). Exemple : «Petit vol va, petit vol vient, l’amitié reste». Une fois expliqués les