Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include buffer overflows, cross-site scripting attacks, SQL injection and others.
...
DirectorySearcher src =
new DirectorySearcher("(manager=" + managerName.Text + ")");
src.SearchRoot = de;
src.SearchScope = SearchScope.Subtree;
foreach(SearchResult res in src.FindAll()) {
...
}
The query this code intends to execute follows:
(manager=Smith, John)
However, because the filter is built by concatenating a constant base string with user input, it behaves correctly only when managerName contains no LDAP metacharacters. If an attacker enters the string Hacker, Wiley)(|(objectclass=*) for managerName, the query becomes:
(manager=Hacker, Wiley)(|(objectclass=*))
The added |(objectclass=*) condition causes the filter to match every entry in the directory and lets the attacker retrieve information about the entire pool of users. Depending on the permissions with which the LDAP query is executed, the breadth of this attack varies, but if the attacker can control the command structure of the query, it affects at least every record that the account executing the query can access.
fgets(manager, sizeof(manager), socket);            /* attacker-controlled */
snprintf(filter, sizeof(filter), "(manager=%s)", manager);  /* user input concatenated straight into the filter */
if ( ( rc = ldap_search_ext_s( ld, FIND_DN, LDAP_SCOPE_BASE,
filter, NULL, 0, NULL, NULL, LDAP_NO_LIMIT,
LDAP_NO_LIMIT, &result ) ) == LDAP_SUCCESS ) {
...
}
The query this code intends to execute follows:
(manager=Smith, John)
However, because the filter is built by concatenating a constant base string with user input, it behaves correctly only when manager contains no LDAP metacharacters. If an attacker enters the string Hacker, Wiley)(|(objectclass=*) for manager, the query becomes:
(manager=Hacker, Wiley)(|(objectclass=*))
The added |(objectclass=*) condition causes the filter to match every entry in the directory and lets the attacker retrieve information about the entire pool of users. Depending on the permissions with which the LDAP query is executed, the breadth of this attack varies, but if the attacker can control the command structure of the query, it affects at least every record that the account executing the query can access.
...
DirContext ctx = new InitialDirContext(env);
String managerName = request.getParameter("managerName");
//retrieve all of the employees who report to a manager
String filter = "(manager=" + managerName + ")";
NamingEnumeration employees = ctx.search("ou=People,dc=example,dc=com",
filter);
...
The query this code intends to execute follows:
(manager=Smith, John)
However, because the filter is built by concatenating a constant base string with user input, it behaves correctly only when managerName contains no LDAP metacharacters. If an attacker enters the string Hacker, Wiley)(|(objectclass=*) for managerName, the query becomes:
(manager=Hacker, Wiley)(|(objectclass=*))
The added |(objectclass=*) condition causes the filter to match every entry in the directory and lets the attacker retrieve information about the entire pool of users. Depending on the permissions with which the LDAP query is executed, the breadth of this attack varies, but if the attacker can control the command structure of the query, it affects at least every record that the account executing the query can access.
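What all four variants of this example (C#, C, Java and PHP) are missing is escaping of the user-controlled value before it enters the filter. The following Python code is an added example, not part of the original page: it implements the RFC 4515 escaping rules for filter assertion values, builds the page's (manager=...) filter both the vulnerable way and the escaped way, and counts top-level filter groups so the injected second filter becomes visible. The attack string is the one from the text; no directory server is contacted.

```python
# Added example (not from the original page): RFC 4515 escaping for LDAP filter
# values, shown against the page's attack string.

# Characters that must be escaped inside an LDAP filter assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_manager_filter(manager_name: str) -> str:
    """Filter built by plain concatenation, exactly as in the examples above."""
    return "(manager=" + manager_name + ")"


def safe_manager_filter(manager_name: str) -> str:
    """The same filter with the user-controlled value escaped first."""
    return "(manager=" + escape_filter_value(manager_name) + ")"


def count_top_level_filters(filter_text: str) -> int:
    """Count top-level parenthesised groups. A well-formed search filter has
    exactly one; a second group means the input broke out of the value.
    Escaped sequences (\\XX) are skipped so escaped parentheses do not count."""
    depth = 0
    groups = 0
    i = 0
    while i < len(filter_text):
        ch = filter_text[i]
        if ch == "\\":
            i += 3  # backslash plus two hex digits
            continue
        if ch == "(":
            if depth == 0:
                groups += 1
            depth += 1
        elif ch == ")":
            depth -= 1
        i += 1
    return groups


ATTACK = "Hacker, Wiley)(|(objectclass=*)"  # attack string from the text

if __name__ == "__main__":
    print(vulnerable_manager_filter(ATTACK))  # two filters reach the server
    print(safe_manager_filter(ATTACK))        # one filter, value kept literal
```

Production code should call the directory library's own escaper (for example ldap3.utils.conv.escape_filter_chars in Python) rather than a hand-rolled table; the table is spelled out here only so the transformation is visible. Escaping the value does not address the second problem the page raises next, a user choosing the base DN or ou of the search; that needs access control, not encoding.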
...
$managerName = $_POST["managerName"];
//retrieve all of the employees who report to a manager
$filter = "(manager=" . $managerName . ")";
$result = ldap_search($ds, "ou=People,dc=example,dc=com", $filter);
...
The query this code intends to execute follows:
(manager=Smith, John)
However, because the filter is built by concatenating a constant base string with user input, it behaves correctly only when managerName contains no LDAP metacharacters. If an attacker enters the string Hacker, Wiley)(|(objectclass=*) for managerName, the query becomes:
(manager=Hacker, Wiley)(|(objectclass=*))
The added |(objectclass=*) condition causes the filter to match every entry in the directory and lets the attacker retrieve information about the entire pool of users. Depending on the permissions with which the LDAP query is executed, the breadth of this attack varies, but if the attacker can control the command structure of the query, it affects at least every record that the account executing the query can access.

The following code reads an ou string and uses it to create a new DirectoryEntry.
...
de = new DirectoryEntry("LDAP://ad.example.com:389/ou="
+ hiddenOU.Text + ",dc=example,dc=com");
...
Because the ou value originates from user input, an attacker may tamper with the query results by specifying an unexpected ou value. The problem is that the developer failed to use the appropriate access control mechanisms to restrict the subsequent query to reading only the employee records the current user is allowed to read.

The following code reads a dn string and uses it to perform an LDAP query.
...
rc = ldap_simple_bind_s( ld, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
...
}
...
fgets(dn, sizeof(dn), socket);
if ( ( rc = ldap_search_ext_s( ld, dn, LDAP_SCOPE_BASE,
filter, NULL, 0, NULL, NULL, LDAP_NO_LIMIT,
LDAP_NO_LIMIT, &result ) ) != LDAP_SUCCESS ) {
...
Because dn originates from user input and the query is performed under an anonymous bind, an attacker may tamper with the query results by specifying an unexpected dn string. The problem is that the developer failed to use the appropriate access control mechanisms to restrict the subsequent query to reading only the employee records the current user is allowed to read.
env.put(Context.SECURITY_AUTHENTICATION, "none");   // anonymous bind
DirContext ctx = new InitialDirContext(env);
String empID = request.getParameter("empID");       // attacker-controlled
try
{
// search criterion taken straight from the request
BasicAttributes attrs = new BasicAttributes("empID", empID);
NamingEnumeration employee =
ctx.search("ou=People,dc=example,dc=com", attrs);
...
The following code reads a dn string and uses it to perform an LDAP query.
$dn = $_POST['dn'];
if (ldap_bind($ds)) {
...
try {
$rs = ldap_search($ds, $dn, "ou=People,dc=example,dc=com", $attr);
...
Because dn originates from user input and the query is performed under an anonymous bind, an attacker may tamper with the query results by specifying an unexpected DN string. The problem is that the developer failed to use the appropriate access control mechanisms to restrict the subsequent query to reading only the employee records the current user is allowed to read.

The following code loads a site in a webview but implements no control that prevents an auto-dial attack when a malicious site is visited. The webview loads a site that may contain untrusted links, yet no delegate is specified that could validate the requests initiated from within the webview:
...
NSURL *webUrl = [[NSURL alloc] initWithString:@"https://some.site.com/"];
NSURLRequest *webRequest = [[NSURLRequest alloc] initWithURL:webUrl];
[_webView loadRequest:webRequest];
...
The following code loads a site in a webview but implements no control that prevents an auto-dial attack when a malicious site is visited. The webview loads a site that may contain untrusted links, yet no delegate is specified that could validate the requests initiated from within the webview:
...
let webUrl : NSURL = NSURL(string: "https://some.site.com/")!
let webRequest : NSURLRequest = NSURLRequest(URL: webUrl)
webView.loadRequest(webRequest)
...
The following code loads a site in a webview but implements no control that validates the links presented for the user to click. The webview loads a site that may contain untrusted links, yet no delegate is specified that could validate the requests initiated from within the webview:
...
NSURL *webUrl = [[NSURL alloc] initWithString:@"https://some.site.com/"];
NSURLRequest *webRequest = [[NSURLRequest alloc] initWithURL:webUrl];
[webView loadRequest: webRequest];
The following code loads a site in a webview but implements no control that validates the links presented for the user to click. The webview loads a site that may contain untrusted links, yet no delegate is specified that could validate the requests initiated from within the webview:
...
let webUrl = URL(string: "https://some.site.com/")!
let urlRequest = URLRequest(url: webUrl)
webView.load(urlRequest)   // no navigation delegate is set, so every request the page makes is followed
...
...
DATA log_msg TYPE bal_s_msg.
val = request->get_form_field( 'val' ).
log_msg-msgid = 'XY'.
log_msg-msgty = 'E'.
log_msg-msgno = '123'.
log_msg-msgv1 = 'VAL: '.
log_msg-msgv2 = val.
CALL FUNCTION 'BAL_LOG_MSG_ADD'
EXPORTING
I_S_MSG = log_msg
EXCEPTIONS
LOG_NOT_FOUND = 1
MSG_INCONSISTENT = 2
LOG_IS_FULL = 3
OTHERS = 4.
...
If a user submits the string FOO for val, the following entry is logged:
XY E 123 VAL: FOO
However, if an attacker submits the string FOO XY E 124 VAL: BAR, the following entry is logged:
XY E 123 VAL: FOO XY E 124 VAL: BAR
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var val:String = String(params["username"]);
var value:Number = parseInt(val);
if (isNaN(value)) {   // NaN never compares equal to itself, so isNaN() is required here
trace("Failed to parse val = " + val);   // val reaches the log unchanged
}
If a user submits the string twenty-one for val, the following entry is logged:
Failed to parse val=twenty-one
However, if an attacker submits the string twenty-one%0a%0aINFO:+User+logged+out%3dbadguy, the following entries are logged:
Failed to parse val=twenty-one
User logged out=badguy
...
string val = (string)Session["val"];
try {
int value = Int32.Parse(val);
}
catch (FormatException fe) {
log.Info("Failed to parse val= " + val);
}
...
If a user submits the string twenty-one for val, the following entry is logged:
INFO: Failed to parse val=twenty-one
However, if an attacker submits the string twenty-one%0a%0aINFO:+User+logged+out%3dbadguy, the following entries are logged:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
long value = strtol(val, &endPtr, 10);
if (*endPtr != '\0')
syslog(LOG_INFO,"Illegal value = %s",val);
...
If a user submits the string twenty-one for val, the following entry is logged:
Illegal value=twenty-one
However, if an attacker submits the string twenty-one\n\nINFO: User logged out=evil, the following entries are logged:
INFO: Illegal value=twenty-one
INFO: User logged out=evil
...
01 LOGAREA.
05 VALHEADER PIC X(50) VALUE 'VAL: '.
05 VAL PIC X(50).
...
EXEC CICS
WEB READ
FORMFIELD(NAME)
VALUE(VAL)
...
END-EXEC.
EXEC DLI
LOG
FROM(LOGAREA)
LENGTH(50)
END-EXEC.
...
If a user submits the string FOO for VAL, the following entry is logged:
VAL: FOO
However, if an attacker submits the string FOO VAL: BAR, the following entry is logged:
VAL: FOO VAL: BAR
<cflog file="app_log" application="No" Thread="No"
text="Failed to parse val="#Form.val#">
If a user submits the string twenty-one for val, the following entry is logged:
"Information",,"02/28/01","14:50:37",,"Failed to parse val=twenty-one"
However, if an attacker submits the string twenty-one%0a%0a%22Information%22%2C%2C%2202/28/01%22%2C%2214:53:40%22%2C%2C%22User%20logged%20out:%20badguy%22, the following entries are logged:
"Information",,"02/28/01","14:50:37",,"Failed to parse val=twenty-one"
"Information",,"02/28/01","14:53:40",,"User logged out: badguy"
func someHandler(w http.ResponseWriter, r *http.Request){
r.ParseForm()
name := r.FormValue("name")
logout := r.FormValue("logout")
...
if _, err := strconv.Atoi(logout); err == nil {
...
} else {
// both values come straight from the request and are written to the log unchanged
log.Printf("Attempt to log out: name: %s logout: %s", name, logout)
}
}
If a user submits the string twenty-one for logout and is able to create a user named admin, the following entry is logged:
Attempt to log out: name: admin logout: twenty-one
However, if an attacker submits the string admin+logout:+1+++++++++++++++++++++++ for name, the following entry is logged:
Attempt to log out: name: admin logout: 1 logout: twenty-one
...
String val = request.getParameter("val");
try {
int value = Integer.parseInt(val);
}
catch (NumberFormatException nfe) {
log.info("Failed to parse val = " + val);
}
...
If a user submits the string twenty-one for val, the following entry is logged:
INFO: Failed to parse val=twenty-one
However, if an attacker submits the string twenty-one%0a%0aINFO:+User+logged+out%3dbadguy, the following entries are logged:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
Example 2: The following code adapts Example 1 to the Android platform.
...
String val = this.getIntent().getExtras().getString("val");   // value supplied by the calling Intent
try {
int value = Integer.parseInt(val);
}
catch (NumberFormatException nfe) {
Log.e(TAG, "Failed to parse val = " + val);   // val reaches the log unchanged
}
...
var cp = require('child_process');
var http = require('http');
var url = require('url');
function listener(request, response){
var val = url.parse(request.url, true)['query']['val'];
if (isNaN(val)){
console.log("INFO: Failed to parse val = " + val);
}
...
}
...
http.createServer(listener).listen(8080);
...
If a user submits the string twenty-one for val, the following entry is logged:
INFO: Failed to parse val = twenty-one
However, if an attacker submits the string twenty-one%0a%0aINFO:+User+logged+out%3dbadguy, the following entries are logged:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
long value = strtol(val, &endPtr, 10);
if (*endPtr != '\0')
NSLog(@"Illegal value = %s", val);   /* NSLog takes an NSString format; val is the raw C string from the user */
...
If a user submits the string twenty-one for val, the following entry is logged:
INFO: Illegal value=twenty-one
However, if an attacker submits the string twenty-one\n\nINFO: User logged out=evil, the following entries are logged:
INFO: Illegal value=twenty-one
INFO: User logged out=evil
<?php
$name = $_GET['name'];
...
$logout = $_GET['logout'];
if (is_numeric($logout))
{
...
}
else
{
// both values come straight from the request and are written to the log unchanged
trigger_error("Attempt to log out: name: $name logout: $logout");
}
?>
If a user submits the string twenty-one for logout and is able to create a user named admin, the following entry is logged:
PHP Notice: Attempt to log out: name: admin logout: twenty-one
However, if an attacker submits the string admin+logout:+1+++++++++++++++++++++++ for name, the following entry is logged:
PHP Notice: Attempt to log out: name: admin logout: 1 logout: twenty-one
name = req.field('name')
...
logout = req.field('logout')
if (logout):
    ...
else:
    # both values come straight from the request and are written to the log unchanged
    logger.error("Attempt to log out: name: %s logout: %s" % (name, logout))
If a user submits the string twenty-one for logout and is able to create a user named admin, the following entry is logged:
Attempt to log out: name: admin logout: twenty-one
However, if an attacker submits the string admin+logout:+1+++++++++++++++++++++++ for name, the following entry is logged:
Attempt to log out: name: admin logout: 1 logout: twenty-one
...
val = req['val']
unless val.respond_to?(:to_int)
logger.info("Failed to parse val")
logger.info(val)
end
...
If a user submits the string twenty-one for val, the following entries are logged:
INFO: Failed to parse val
INFO: twenty-one
However, if an attacker submits the string twenty-one%0a%0aINFO:+User+logged+out%3dbadguy, the following entries are logged:
INFO: Failed to parse val
INFO: twenty-one
INFO: User logged out=badguy
...
let num = Int(param)
if num == nil {
NSLog("Illegal value = %@", param)
}
...
If a user submits the string twenty-one for val, the following entry is logged:
INFO: Illegal value = twenty-one
However, if an attacker submits the string twenty-one\n\nINFO: User logged out=evil, the following entries are logged:
INFO: Illegal value=twenty-one
INFO: User logged out=evil
...
Dim Val As Variant
Dim Value As Integer
Set Val = Request.Form("val")
If IsNumeric(Val) Then
Set Value = Val
Else
App.EventLog "Failed to parse val=" & Val, 1
End If
...
If a user submits the string twenty-one for val, the following entry is logged:
Failed to parse val=twenty-one
However, if an attacker submits the string twenty-one%0a%0a+User+logged+out%3dbadguy, the following entries are logged:
Failed to parse val=twenty-one
User logged out=badguy
@HttpGet
global static void doGet() {
RestRequest req = RestContext.request;
String val = req.params.get('val');
try {
Integer i = Integer.valueOf(val);
...
} catch (TypeException e) {
System.Debug(LoggingLevel.INFO, 'Failed to parse val: '+val);
}
}
If a user submits the string twenty-one for val, the following entry is logged:
Failed to parse val: twenty-one
However, if an attacker submits the string twenty-one%0a%0aUser+logged+out%3dbadguy, the following entries are logged:
Failed to parse val: twenty-one
User logged out=badguy
...
String val = request.Params["val"];
try {
int value = int.Parse(val);
}
catch (FormatException fe) {
log.Info("Failed to parse val = " + val);   // val reaches the log unchanged
}
...
If a user submits the string twenty-one for val, the following entry is logged:
INFO: Failed to parse val=twenty-one
However, if an attacker submits the string twenty-one%0a%0aINFO:+User+logged+out%3dbadguy, the following entries are logged:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
Example 2: The following code adapts Example 1 to the Android platform.
...
String val = this.Intent.Extras.GetString("val");   // value supplied by the calling Intent
try {
int value = int.Parse(val);
}
catch (FormatException fe) {
Log.E(TAG, "Failed to parse val = " + val);   // val reaches the log unchanged
}
...
...
var idValue string
idValue = req.URL.Query().Get("id")
num, err := strconv.Atoi(idValue)
if err != nil {
sysLog.Debug("Failed to parse value: " + idValue)
}
...
If a user submits the string twenty-one for id, the following entry is logged:
Failed to parse value: twenty-one
However, if an attacker submits the string twenty-one%0a%0aINFO:+User+logged+out%3dbadguy, the following entries are logged:
Failed to parse value: twenty-one
INFO: User logged out=badguy
...
String val = request.getParameter("val");
try {
int value = Integer.parseInt(val);
}
catch (NumberFormatException nfe) {
log.info("Failed to parse val = " + val);
}
...
If a user submits the string twenty-one for val, the following entry is logged:
INFO: Failed to parse val=twenty-one
However, if an attacker submits the string twenty-one%0a%0aINFO:+User+logged+out%3dbadguy, the following entries are logged:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
Example 2: The following code adapts Example 1 to the Android platform.
...
String val = this.getIntent().getExtras().getString("val");   // value supplied by the calling Intent
try {
int value = Integer.parseInt(val);
}
catch (NumberFormatException nfe) {
Log.e(TAG, "Failed to parse val = " + val);   // val reaches the log unchanged
}
...
var cp = require('child_process');
var http = require('http');
var url = require('url');
function listener(request, response){
var val = url.parse(request.url, true)['query']['val'];
if (isNaN(val)){
console.error("INFO: Failed to parse val = " + val);
}
...
}
...
http.createServer(listener).listen(8080);
...
If a user submits the string twenty-one for val, the following entry is logged:
INFO: Failed to parse val=twenty-one
However, if an attacker submits the string twenty-one%0a%0aINFO:+User+logged+out%3dbadguy, the following entries are logged:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
...
val = request.GET["val"]
try:
    int_value = int(val)
except ValueError:
    logger.debug("Failed to parse val = " + val)   # val reaches the log unchanged
...
If a user submits the string twenty-one for val, the following entry is logged:
DEBUG: Failed to parse val=twenty-one
However, if an attacker submits the string twenty-one%0a%0aDEBUG:+User+logged+out%3dbadguy, the following entries are logged:
DEBUG: Failed to parse val=twenty-one
DEBUG: User logged out=badguy
...
val = req['val']
unless val.respond_to?(:to_int)
logger.debug("Failed to parse val")
logger.debug(val)
end
...
If a user submits the string twenty-one for val, the following entries are logged:
DEBUG: Failed to parse val
DEBUG: twenty-one
However, if an attacker submits the string twenty-one%0a%0aDEBUG:+User+logged+out%3dbadguy, the following entries are logged:
DEBUG: Failed to parse val
DEBUG: twenty-one
DEBUG: User logged out=badguy
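The log forging examples above all share one root cause: a value containing line breaks is written into a line-oriented log. The following Python code is an added example, not from the original page: it neutralises the payload from the text by encoding CR, LF and other control characters before logging, and models the "Failed to parse val" handlers with Python's logging module so the forged entry and its sanitised form can be compared as a log reviewer would see them. The query parameter name is the page's val; the logger set-up is this example's own.

```python
# Added example (not from the original page): neutralising log forging by
# encoding line breaks and control characters before a user value is logged.
import io
import logging
import urllib.parse


def sanitize_for_log(value: str) -> str:
    """Keep a value on a single log line: CR and LF become the visible escapes
    \\r and \\n, and any other control character becomes \\xNN. Encoding rather
    than stripping keeps the attacker's input visible as evidence."""
    out = []
    for ch in value:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def run_handler(raw_query_value: str, sanitize: bool) -> list:
    """Decode a URL-encoded 'val' parameter the way a web framework would, try to
    parse it as an integer and log the failure, as the handlers above do.
    Returns the log as a list of lines, one element per line a reviewer sees."""
    val = urllib.parse.unquote_plus(raw_query_value)
    stream = io.StringIO()
    logger = logging.getLogger("log-forging-demo-%s" % ("safe" if sanitize else "vuln"))
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s: %(message)s"))
    logger.addHandler(handler)
    try:
        int(val)
    except ValueError:
        logger.info("Failed to parse val=%s", sanitize_for_log(val) if sanitize else val)
    finally:
        logger.removeHandler(handler)
    return stream.getvalue().splitlines()


# Payload from the text, as it appears in the query string.
ATTACK = "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy"

if __name__ == "__main__":
    for line in run_handler(ATTACK, sanitize=False):
        print("vulnerable:", repr(line))   # three lines; the last looks like a real logout event
    for line in run_handler(ATTACK, sanitize=True):
        print("sanitised: ", repr(line))   # one line; the injected text stays inside the value
```

Encoding is preferable to silently dropping characters because the forged text remains inspectable, and a reviewer can tell that someone tried. Structured log formats (JSON per record) make the same guarantee by construction, since the value is serialised as a string field rather than spliced into a line.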
The following code uses a parameter read from an HTTP request to build an IMAP CREATE command. An attacker can use this parameter to modify the command sent to the server and inject new commands using CRLF characters.
...
final String foldername = request.getParameter("folder");
IMAPFolder folder = (IMAPFolder) store.getFolder("INBOX");
...
folder.doCommand(new IMAPFolder.ProtocolCommand() {
@Override
public Object doCommand(IMAPProtocol imapProtocol) throws ProtocolException {
try {
imapProtocol.simpleCommand("CREATE " + foldername, null);
} catch (Exception e) {
// Handle Exception
}
return null;
}
});
...
The following code uses parameters read from an HTTP request to build POP3 USER and PASS commands. An attacker can use these parameters to modify the commands sent to the server and inject new commands using CRLF characters.
...
String username = request.getParameter("username");   // attacker-controlled
String password = request.getParameter("password");   // attacker-controlled
...
POP3SClient pop3 = new POP3SClient(proto, false);
pop3.login(username, password);   // sends USER <username> and PASS <password> unchanged
...
The following code uses a parameter read from an HTTP request to build an SMTP VRFY command. An attacker can use this parameter to modify the command sent to the server and inject new commands using CRLF characters.
...
c, err := smtp.Dial(x)
if err != nil {
log.Fatal(err)
}
user := request.FormValue("USER")
c.Verify(user)
...
The following code uses a parameter read from an HTTP request to build an SMTP VRFY command. An attacker can use this parameter to modify the command sent to the server and inject new commands using CRLF characters.
...
String user = request.getParameter("user");
SMTPSSLTransport transport = new SMTPSSLTransport(session,new URLName(Utilities.getProperty("smtp.server")));
transport.connect(Utilities.getProperty("smtp.server"), username, password);
transport.simpleCommand("VRFY " + user);
...
The following code uses a parameter read from an HTTP request to build an SMTP VRFY command. An attacker can use this parameter to modify the command sent to the server and inject new commands using CRLF characters.
...
user = request.GET['user']
session = smtplib.SMTP(smtp_server, smtp_tls_port)
session.ehlo()
session.starttls()
session.login(username, password)
session.docmd("VRFY", user)
...
...
TextClient tc = (TextClient)Client.GetInstance("127.0.0.1", 11211, MemcachedFlags.TextProtocol);
tc.Open();
string id = txtID.Text;
var result = get_page_from_somewhere();
var response = Http_Response(result);
tc.Set("req-" + id, response, TimeSpan.FromSeconds(1000));
tc.Close();
tc = null;
...
Normally the operation performed is:
set req-1233 0 1000 n
<serialized_response_instance>
where n is the length of the response. However, if an attacker supplies the string ignore 0 0 1\r\n1\r\nset injected 0 3600 10\r\n0123456789\r\nset req- as id, the operation becomes:
set req-ignore 0 0 1
1
set injected 0 3600 10
0123456789
set req-1233 0 0 n
<serialized_response_instance>
The attacker has successfully added a new key/value pair, injected=0123456789, to the cache and is therefore able to poison it.
...
def store(request):
    id = request.GET['id']   # attacker-controlled
    result = get_page_from_somewhere()
    response = HttpResponse(result)
    cache_time = 1800
    cache.set("req-%s" % id, response, cache_time)   # id becomes part of the cache key unchanged
    return response
...
Normally the operation performed is:
set req-1233 0 0 n
<serialized_response_instance>
However, if an attacker supplies the string ignore 0 0 1\r\n1\r\nset injected 0 3600 10\r\n0123456789\r\nset req- as id, the operation becomes:
set req-ignore 0 0 1
1
set injected 0 3600 10
0123456789
set req-1233 0 0 n
<serialized_response_instance>
The attacker has successfully added a new key/value pair, injected=0123456789, to the cache. Depending on the payload, the attacker can poison the cache or, by injecting a Pickle-serialized payload that runs arbitrary code when deserialized, execute arbitrary code.
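The mail-command examples (IMAP CREATE, POP3 USER/PASS, SMTP VRFY) and the memcached examples above exploit the same property: the server reads commands as CRLF-delimited lines, so a CRLF inside an argument ends one command and starts another. The following Python code is an added example, not from the original page: it builds the byte stream the client would send, parses it the way the server does (a line splitter for SMTP, and a minimal model of memcached's set handling that reads the declared number of data bytes), and provides validators that reject such input. The memcached id is the attacker string from the text; the SMTP payload and the cached value are constructed for this example, and nothing is sent over the network.

```python
# Added example (not from the original page): how CRLF in an argument splits
# a command on line-oriented text protocols, and validators that reject it.
import re


def build_vrfy(user: str) -> bytes:
    """Client side of the SMTP VRFY examples: the argument goes on the wire unchanged."""
    return ("VRFY " + user + "\r\n").encode("latin-1")


def smtp_server_commands(stream: bytes) -> list:
    """An SMTP server reads one command per CRLF-terminated line."""
    return [line.decode("latin-1") for line in stream.split(b"\r\n") if line]


def build_memcached_set(req_id: str, value: bytes, ttl: int) -> bytes:
    """Client side of the memcached examples: set req-<id> <flags> <exptime> <bytes>."""
    header = "set req-%s 0 %d %d\r\n" % (req_id, ttl, len(value))
    return header.encode("latin-1") + value + b"\r\n"


def memcached_server_store(stream: bytes) -> dict:
    """Minimal model of the memcached text protocol's 'set': parse a command line,
    then read exactly <bytes> octets of data. Unknown lines are skipped, as the
    real server answers them with ERROR and keeps reading. Returns the store."""
    store = {}
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n", pos)
        if end < 0:
            break
        parts = stream[pos:end].split(b" ")
        pos = end + 2
        if len(parts) == 5 and parts[0] == b"set":
            nbytes = int(parts[4])
            store[parts[1].decode("latin-1")] = stream[pos:pos + nbytes]
            pos += nbytes + 2  # data block plus its trailing CRLF
    return store


def is_safe_protocol_arg(value: str) -> bool:
    """Reject anything that can end the current command line early."""
    return not any(ch in value for ch in "\r\n\x00")


# memcached keys: printable ASCII without whitespace, at most 250 bytes.
_MEMCACHED_KEY = re.compile(rb"[\x21-\x7e]{1,250}")


def is_safe_memcached_key(key: str) -> bool:
    return _MEMCACHED_KEY.fullmatch(key.encode("latin-1", "replace")) is not None


# Attacker-supplied id from the text; its trailing "set req-" leaves the client's
# own command with an empty id. The SMTP payload is constructed for this example.
ATTACK_ID = "ignore 0 0 1\r\n1\r\nset injected 0 3600 10\r\n0123456789\r\nset req-"
ATTACK_USER = "alice\r\nMAIL FROM:<attacker@example.com>"

if __name__ == "__main__":
    print(smtp_server_commands(build_vrfy(ATTACK_USER)))
    print(memcached_server_store(build_memcached_set(ATTACK_ID, b"<serialized_response_instance>", 1000)))
    print(is_safe_memcached_key("req-" + ATTACK_ID), is_safe_memcached_key("req-1233"))
```

The validators are deliberately allowlists: for memcached the protocol itself forbids whitespace and control characters in keys, so anything outside printable ASCII is rejected rather than escaped, and for mail protocols there is no escaping convention for CR or LF inside a command argument, so the only safe option is to refuse the request.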
def form = Form(
mapping(
"name" -> text,
"age" -> number
)(UserData.apply)(UserData.unapply)
)
Example 1: The following Spring WebFlow FormAction fails to validate data against the expected requirements. Example 2: The Spring WebFlow action state defined below likewise fails to validate data against the expected requirements:
<bean id="customerCriteriaAction" class="org.springframework.webflow.action.FormAction">
<property name="formObjectClass"
value="com.acme.domain.CustomerCriteria" />
<property name="propertyEditorRegistrar">
<bean
class="com.acme.web.PropertyEditors" />
</property>
</bean>
<action-state>
<action bean="transferMoneyAction" method="bind" />
</action-state>
def form = Form(
mapping(
"name" -> text,
"age" -> number
)(UserData.apply)(UserData.unapply)
)
...
String userName = User.Identity.Name;
String emailId = request["emailId"];
var client = account.CreateCloudTableClient();
var table = client.GetTableReference("Employee");
var query = table.CreateQuery<EmployeeEntity>().Where("user == '" + userName + "' AND emailId == '" + emailId + "'");   // emailId spliced into the filter text
var results = table.ExecuteQuery(query);
...
The query this code intends to execute follows:
user == "<userName>" && emailId == "<emailId>"
However, because the query is built by concatenating a constant base string with user input, it behaves correctly only when emailId contains no single-quote characters. If an attacker with the user name wiley enters the string 123' || '4' != '5 for emailId, the query becomes:
user == 'wiley' && emailId == '123' || '4' != '5'
The added || '4' != '5' condition makes the where clause always true, so the query returns every entry stored in the emails collection regardless of who owns the email.
...
// "type" parameter expected to be either: "Email" or "Username"
string type = request["type"];
string value = request["value"];
string password = request["password"];
var ddb = new AmazonDynamoDBClient();
var attrValues = new Dictionary<string,AttributeValue>();
attrValues[":value"] = new AttributeValue(value);
attrValues[":password"] = new AttributeValue(password);
var scanRequest = new ScanRequest();
scanRequest.FilterExpression = type + " = :value AND Password = :password";
scanRequest.TableName = "users";
scanRequest.ExpressionAttributeValues = attrValues;
var scanResponse = await ddb.ScanAsync(scanRequest);
...
The filter expression this code intends to execute is one of:
Email = :value AND Password = :password
Username = :value AND Password = :password
However, because the expression is built by concatenating the type string, it behaves correctly only when type holds one of the expected values. If an attacker supplies a type value such as :value = :value OR :value, the expression becomes :value = :value OR :value = :value AND Password = :password. The :value = :value clause is always true, so regardless of the password supplied the scan returns every entry stored in the users table.
...
// "type" parameter expected to be either: "Email" or "Username"
String type = request.getParameter("type");       // attacker-controlled, spliced into the expression text
String value = request.getParameter("value");
String password = request.getParameter("password");
DynamoDbClient ddb = DynamoDbClient.create();
HashMap<String, AttributeValue> attrValues = new HashMap<String,AttributeValue>();
attrValues.put(":value", AttributeValue.builder().s(value).build());
attrValues.put(":password", AttributeValue.builder().s(password).build());
ScanRequest queryReq = ScanRequest.builder()
.filterExpression(type + " = :value AND Password = :password")
.tableName("users")
.expressionAttributeValues(attrValues)
.build();
ScanResponse response = ddb.scan(queryReq);
...
The filter expression this code intends to execute is one of:
Email = :value AND Password = :password
Username = :value AND Password = :password
However, because the expression is built by concatenating the type string, it behaves correctly only when type holds one of the expected values. If an attacker supplies a type value such as :value = :value OR :value, the expression becomes :value = :value OR :value = :value AND Password = :password. The :value = :value clause is always true, so regardless of the password supplied the scan returns every entry stored in the users table.
...
function getItemsByOwner(username: string) {
db.items.find({ $where: `this.owner === '${username}'` }).then((orders: any) => {
console.log(orders);
}).catch((err: any) => {
console.error(err);
});
}
...
db.items.find({ $where: `this.owner === 'john'; return true; //` })
...
String userName = User.Identity.Name;
String emailId = request["emailId"];   // attacker-controlled
var coll = mongoClient.GetDatabase("MyDB").GetCollection<BsonDocument>("emails");
// user input spliced into JavaScript that the server evaluates for every document
var docs = coll.Find(new BsonDocument("$where", "this.owner == '" + userName + "' && this.emailId == '" + emailId + "'")).ToList();
...
The query this code intends to execute follows:
this.owner == "<userName>" && this.emailId == "<emailId>"
However, because the query is built by concatenating a constant base string with user input, it behaves correctly only when emailId contains no single-quote characters. If an attacker with the user name wiley enters the string 123' || '4' != '5 for emailId, the query becomes:
this.owner == 'wiley' && this.emailId == '123' || '4' != '5'
The added || '4' != '5' condition makes the where clause always true, so the query returns every entry stored in the emails collection regardless of who owns the email.
...
String userName = ctx.getAuthenticatedUserName();
String emailId = request.getParameter("emailId");   // attacker-controlled
MongoCollection<Document> col = mongoClient.getDatabase("MyDB").getCollection("emails");
BasicDBObject Query = new BasicDBObject();
Query.put("$where", "this.owner == \"" + userName + "\" && this.emailId == \"" + emailId + "\"");
FindIterable<Document> find= col.find(Query);
...
The query this code intends to execute follows:
this.owner == "<userName>" && this.emailId == "<emailId>"
However, because the query is built by concatenating a constant base string with user input, it behaves correctly only when emailId contains no double-quote characters. If an attacker with the user name wiley enters the string 123" || "4" != "5 for emailId, the query becomes:
this.owner == "wiley" && this.emailId == "123" || "4" != "5"
The added || "4" != "5" condition makes the where clause always true, so the query returns every entry stored in the emails collection regardless of who owns the email.
...
userName = req.field('userName')
emailId = req.field('emailId')   # attacker-controlled
# user input spliced into JavaScript that the server evaluates for every document
results = db.emails.find({"$where": "this.owner == \"" + userName + "\" && this.emailId == \"" + emailId + "\""})
...
The query this code intends to execute follows:
this.owner == "<userName>" && this.emailId == "<emailId>"
However, because the query is built by concatenating a constant base string with user input, it behaves correctly only when emailId contains no double-quote characters. If an attacker with the user name wiley enters the string 123" || "4" != "5 for emailId, the query becomes:
this.owner == "wiley" && this.emailId == "123" || "4" != "5"
The added || "4" != "5" condition makes the where clause always true, so the query returns every entry stored in the emails collection regardless of who owns the email.
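Across the NoSQL examples above (Azure Table Storage, DynamoDB, MongoDB $where, Realm) the fix is the same: keep user input as data, and take any identifier that selects a field from an allowlist. The following Python code is an added example, not from the original page: it shows the $where string the MongoDB examples build, an equality filter that carries the same values as plain BSON strings, and a DynamoDB Scan request in which the type parameter is allowlisted and bound through ExpressionAttributeNames. The EMAILS collection and the allowed attribute names are constructed for this example; nothing is sent to a database.

```python
# Added example (not from the original page): the NoSQL injections above
# with user input kept as data instead of query text.

# Constructed sample collection standing in for the page's "emails" collection.
EMAILS = [
    {"owner": "wiley", "emailId": "123", "subject": "hello"},
    {"owner": "wiley", "emailId": "124", "subject": "again"},
    {"owner": "smith", "emailId": "200", "subject": "private"},
]

ATTACK_EMAIL_ID = '123" || "4" != "5'   # attacker string from the MongoDB examples


def vulnerable_mongo_where(user_name: str, email_id: str) -> dict:
    """The $where construction from the examples above: user input becomes part of
    JavaScript that the server evaluates against every document."""
    return {"$where": 'this.owner == "%s" && this.emailId == "%s"' % (user_name, email_id)}


def safe_mongo_filter(user_name: str, email_id: str) -> dict:
    """Equality filter: both values travel as BSON strings and are never parsed."""
    return {"owner": user_name, "emailId": email_id}


def match_equality_filter(docs: list, flt: dict) -> list:
    """What the server does with an equality filter: field-by-field comparison."""
    return [d for d in docs if all(d.get(k) == v for k, v in flt.items())]


# Attribute names a client may select through the DynamoDB examples' "type" parameter.
ALLOWED_LOGIN_ATTRIBUTES = ("Email", "Username")


def safe_dynamodb_scan(type_: str, value: str, password: str) -> dict:
    """Scan parameters (AWS SDK / boto3 shape) whose FilterExpression is constant.
    The attribute name comes from an allowlist and is bound through
    ExpressionAttributeNames, so 'type' never reaches the expression text."""
    if type_ not in ALLOWED_LOGIN_ATTRIBUTES:
        raise ValueError("unexpected type: %r" % type_)
    return {
        "TableName": "users",
        "FilterExpression": "#attr = :value AND Password = :password",
        "ExpressionAttributeNames": {"#attr": type_},
        "ExpressionAttributeValues": {":value": {"S": value}, ":password": {"S": password}},
    }


def rejects_type(type_: str) -> bool:
    """True when safe_dynamodb_scan() refuses the given type value."""
    try:
        safe_dynamodb_scan(type_, "x", "y")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_mongo_where("wiley", ATTACK_EMAIL_ID)["$where"])  # JavaScript the server would run
    print(match_equality_filter(EMAILS, safe_mongo_filter("wiley", ATTACK_EMAIL_ID)))  # [] : no such emailId
    print(rejects_type(":value = :value OR :value"))  # True
```

The allowlist fixes the injection only. Scanning a table for a password given as a plain attribute value is a separate problem (plaintext credentials, a full-table scan per login) that this example does not address.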
...
NSString *emailId = [self getEmailIdFromUser];
NSString *query = [NSString stringWithFormat:@"id == '%@'", emailId];
RLMResults<Email *> *emails = [Email objectsInRealm:realm where:query];
...
The query this code intends to execute follows:
id == '<emailId value>'
However, because the query is built by concatenating a constant base string with user input, it behaves correctly only when emailId contains no single-quote characters. If an attacker enters the string 123' or '4' != '5 for emailId, the query becomes:
id == '123' or '4' != '5'
The added or '4' != '5' condition makes the where clause always true, so the query returns every entry stored in the emails collection regardless of who owns the email.
...
let emailId = getFromUser("emailId")
let email = realm.objects(Email.self).filter("id == '" + emailId + "'")
...
The query this code intends to execute follows:
id == '<emailId value>'
However, because the query is built by concatenating a constant base string with user input, it behaves correctly only when emailId contains no single-quote characters. If an attacker enters the string 123' or '4' != '5 for emailId, the query becomes:
id == '123' or '4' != '5'
The added or '4' != '5' condition makes the filter clause always true, so the query returns every entry stored in the emails collection regardless of who owns the email.

If user-supplied data is passed to the unserialize() function, an object injection vulnerability results. An attacker can pass a specially crafted serialized string to the vulnerable unserialize() call, causing arbitrary PHP objects to be injected into the application scope. The severity of the vulnerability depends on the classes available in the application scope. Classes that implement PHP magic methods such as __wakeup or __destruct are of particular interest to an attacker, because the code in those methods gets executed.

Example 1: The following PHP class implements the __destruct() magic method and executes a system command defined as a class property. It is followed by an insecure call to unserialize() on user-supplied data.
...
class SomeAvailableClass {
public $command=null;
public function __destruct() {
system($this->command);
}
}
...
$user = unserialize($_GET['user']);
...
In Example 1 the application may expect a serialized User object, but an attacker can instead supply a serialized SomeAvailableClass with a predefined value for its command property:
GET REQUEST: http://server/page.php?user=O:18:"SomeAvailableClass":1:{s:7:"command";s:8:"uname -a";}
Once no other references to the $user object remain, its destructor is invoked and the attacker-supplied command is executed.

Attackers may also combine the different classes declared at the time unserialize() is called, a technique presented by Stefan Esser at BlackHat 2010; with it, an attacker can reuse existing code to build their own payload.

If user-supplied data is passed to a function that deserializes data, such as YAML.load(), an object injection vulnerability results. As long as the class is loaded in the application at deserialization time, an attacker can pass a specially crafted serialized string to the vulnerable YAML.load() call and inject arbitrary Ruby objects into the program. This opens up a wide range of attacks, such as bypassing validation logic to reach a cross-site scripting flaw, enabling SQL injection through values that appear to be hard-coded, or even full code execution.

Example 1: The following code makes an insecure call to YAML.load() on user-supplied data.
...
class Transaction
attr_accessor :id
def initialize(num=nil)
@id = num.is_a?(Numeric) ? num : nil
end
def print_details
unless @id.nil?
print $conn.query("SELECT * FROM transactions WHERE id=#{@id}")
end
end
end
...
user = YAML.load(params[:user])   # attacker chooses the class of the resulting object
user.print_details
...
In Example 1 the application may expect a serialized User object that happens to have a function called print_details, but an attacker can instead supply a serialized Transaction object with a predefined value for its @id attribute. A request such as the following may then bypass the validation check meant to ensure that @id is numeric:
GET REQUEST: http://server/page?user=!ruby%2Fobject%3ATransaction%0Aid%3A4%20or%205%3D5%0A
Here the user parameter is assigned !ruby/object:Transaction\nid:4 or 5=5\n. YAML.load() creates an object of type Transaction with @id set to "4 or 5=5". Where the developer believes they are calling User#print_details(), they now call Transaction#print_details(), and Ruby's string interpolation changes the SQL query to: SELECT * FROM transactions WHERE id=4 or 5=5. Because of the added clause the query evaluates to true and returns the entire contents of the transactions table rather than the single row the developer expected.

Attackers may also combine the different classes declared at the time YAML.load() is called, a technique presented by Stefan Esser at BlackHat 2010; with it, an attacker can reuse existing code to build their own payload.