Difference between revisions of "Direct Static Code Injection"

From OWASP
(Related Threat Agents)
Line 39: Line 39:
 
==Related [[Threat Agents]]==
 
==Related [[Threat Agents]]==
  
* [[:Category:Insider]]
+
* [[:Internal software developer]]
 
+
* [[:Category:Staff]]
+
  
 
==Related [[Attacks]]==
 
==Related [[Attacks]]==
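Review bot: the `* [[:Internal software developer]]` line links with a leading colon but no namespace, while the entries beside it are `[[:Category:Insider]]` and `[[:Category:Staff]]`. If it is meant to be a threat-agent category like those, it needs the Category: prefix; if it is an ordinary page, drop the colon so the list reads consistently.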

Revision as of 07:44, 11 September 2008

This is an Attack. To view all attacks, please see the Attack Category page.




Last revision: 09/11/2008

Description

A Direct Static Code Injection attack consists of injecting code directly into a resource that the application uses while processing a user request. This is normally performed by tampering with library and template files that are created from user input without proper data sanitization. When a user requests the modified resource, the actions defined in it are executed on the server side, in the context of the web server process.

Server Side Includes is considered a type of direct static code injection. It should not be confused with other types of code injection, such as XSS (“Cross-site scripting” or “HTML injection”), where the code is executed on the client side.

Risk Factors

TBD

Examples

Example 1

This is a simple example of exploiting the CGISCRIPT.NET csSearch 2.3 vulnerability, published as Bugtraq ID: 4368. By requesting the following URL from the server, it is possible to execute commands defined in the setup variable.

csSearch.cgi?command=savesetup&setup=PERL_CODE_HERE


As the classic example, the following command can be used to remove all files from the “/” folder:

csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`

Note that the above command must be encoded in order to be accepted.

Example 2

This example exploits a vulnerability in Ultimate PHP Board (UPB) 1.9 (CVE-2003-0395) that allows an attacker to execute arbitrary PHP code. This happens because some user-supplied variables, such as the IP address and User-Agent, are stored in a file that the admin_iplog.php page uses to show user statistics. When an administrator browses this page, the code previously injected by a malicious request is executed. The following example stores malicious PHP code that will deface the index.html page when an administrator browses admin_iplog.php.

GET /board/index.php HTTP/1.0
User-Agent: <? system( "echo \'hacked\' > ../index.html" ); ?>
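The pattern behind Example 2, shown as an added example that is not UPB's code and not part of the original page: a logger that writes request headers into a file the server later executes, next to a version that stores them as data and escapes them on display. The file names `iplog.php` and `iplog.jsonl` and all function names are hypothetical.

```php
<?php
// Added illustration, not code from UPB. File and function names are hypothetical.

// VULNERABLE pattern: request data is appended to a file that is later
// include()d, so PHP tags arriving in the User-Agent header run as code.
function log_visit_vulnerable(string $ip, string $ua): void {
    file_put_contents('iplog.php', "$ip|$ua<br>\n", FILE_APPEND);
}
function show_log_vulnerable(): void {
    include 'iplog.php';            // interprets the log as PHP source
}

// HARDENED pattern: the log is pure data (one JSON object per line), kept in
// a file that is never include()d, and every field is escaped on output.
const LOG_FILE = __DIR__ . '/iplog.jsonl';   // assumed path, ideally outside the web root

function log_visit(string $ip, string $ua): void {
    $entry = [
        'time' => gmdate('c'),
        // Reject anything that is not a literal IPv4/IPv6 address.
        'ip'   => filter_var($ip, FILTER_VALIDATE_IP) ?: 'invalid',
        // Bound the length; content is stored verbatim but only ever as data.
        'ua'   => substr($ua, 0, 512),
    ];
    $line = json_encode($entry, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
    file_put_contents(LOG_FILE, $line . "\n", FILE_APPEND | LOCK_EX);
}

function show_log(): string {
    $html = "<table>\n";
    $lines = is_file(LOG_FILE) ? file(LOG_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
    foreach ($lines as $line) {
        $e = json_decode($line, true);
        if (!is_array($e)) { continue; }          // skip corrupt lines
        $cells = '';
        foreach (['time', 'ip', 'ua'] as $k) {
            $cells .= '<td>' . htmlspecialchars((string)($e[$k] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
        }
        $html .= "<tr>$cells</tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample input: a User-Agent header carrying PHP tags.
log_visit('203.0.113.7', 'Mozilla/5.0 <?php echo "injected"; ?>');
echo show_log();   // the header is rendered as inert, HTML-escaped text
```

The hardened version works because the stored header is never passed to the PHP interpreter and is escaped when rendered, so neither server-side execution nor HTML injection in the admin view is possible.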


Related Threat Agents

Related Attacks


Related Vulnerabilities

Related Controls

References