Mailing List Archive

False negatives in sql_injection.nasl
Hi All,

Doing some experiments with the sql_injection.nasl yesterday
showed that it failed to detect a trivially injectable CGI we
set up. Looking back through the history of the plugin it
appears that the problem was introduced in revision 1.25 when
support for blind injection was added. I've attached a version
that correctly detects the injection vulnerability (and also
added a generic signature for oracle error messages).

The problem sections are below:

# This breaks detecting a trivially injectable CGI
# if (egrep(string:bres, pattern:"^HTTP/1\..*200 OK"))
# {
#   exit(0);
# }

Many CGIs will always give a 200 response, so this test will
always call the script to exit rather than properly testing
the CGI.

# This breaks detecting a trivially injectable CGI
# for ( i = 0; posreply[i]; i ++ )
# {
#   if ( posreply[i] >< res ) {
#     exit(0);
#   }
# }

This check follows sending a big number as the query string
and terminates unless the script gives you an error. This
is often not true for injectable CGIs - they may simply ignore
the input and return (for example) a form for you to fill in.

Neither of these checks was in revision 1.24 and it seems
likely that their addition will lead to many new false
negatives.

Cheers

Rich.
--
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031
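An added illustration of the false negative described in the post above, written in Python rather than NASL. This is example code added to this archive page; it is not the Nessus plugin, not Richard's attached version, and not anything from the list. It assumes a hypothetical CGI test double (make_cgi, with constructed responses), a short illustrative error-signature list (the ORA-nnnnn entry stands in for the generic Oracle signature the post mentions), and an approximation of the two quoted checks: the post does not show what posreply contains, so the second check is modelled on the post's own description, "terminates unless the script gives you an error". The fixed scanner also compares the quote-probe reply against the baseline reply, so that a page which always prints database error text is not reported.

```python
import re

# Illustrative DB error signatures to grep the injected reply for. These are
# examples chosen for this page, not the plugin's actual list; the ORA-nnnnn
# entry is the generic Oracle pattern.
ERROR_SIGNATURES = [
    r"You have an error in your SQL syntax",        # MySQL
    r"Unclosed quotation mark",                     # Microsoft SQL Server
    r"Microsoft OLE DB Provider for ODBC Drivers",  # classic ASP / ODBC
    r"ORA-[0-9]{5}",                                # Oracle, any error code
]

BIG_NUMBER = "2147483647"   # hypothetical value for the "big number" probe


def make_cgi(error_text="", leak_on_quote=False, always_text="", status="200 OK"):
    """Build a fake CGI (a constructed test double, not a real server).

    The returned fetch(value) simulates GET /cgi-bin/search?q=<value>.
    It always answers with `status`. If leak_on_quote is set and the value
    contains a single quote, the back-end query breaks and `error_text` is
    echoed; otherwise the page is just a search form, optionally carrying
    `always_text` (to model a page that mentions DB errors on every hit).
    """
    def fetch(value):
        if leak_on_quote and "'" in value:
            body = "<html><body>Database error: %s</body></html>" % error_text
        else:
            body = ("<html><body>%s<form action='/cgi-bin/search'>"
                    "<input name='q'></form></body></html>" % always_text)
        return "HTTP/1.1 %s\r\nContent-Type: text/html\r\n\r\n%s" % (status, body)
    return fetch


def has_error(response):
    """True if any error signature appears anywhere in the raw reply."""
    return any(re.search(p, response) for p in ERROR_SIGNATURES)


def scan_rev125_style(fetch):
    """Approximation of the two early exits quoted in the post.

    Returns True when an injection is reported. Each early return of False
    mirrors exit(0) in NASL, which ends the plugin without a finding.
    """
    bres = fetch("1")
    # First quoted check: give up if the baseline reply is a plain 200 OK.
    if re.search(r"^HTTP/1\..*200 OK", bres, re.M):
        return False
    # Second quoted check, as the post describes it: send a big number and
    # give up unless that reply already looks like an error.
    res = fetch(BIG_NUMBER)
    if not has_error(res):
        return False
    return has_error(fetch("1'"))


def scan_fixed(fetch):
    """Quote-probe detection without the early exits.

    The quoted reply must contain an error signature that the baseline
    reply does not, so a page that always prints DB error text (a help or
    documentation page, say) is not reported as injectable.
    """
    baseline = fetch("1")
    probe = fetch("1'")
    return any(re.search(p, probe) and not re.search(p, baseline)
               for p in ERROR_SIGNATURES)


def demo():
    """Run both scanners against constructed CGIs; returns a dict of verdicts."""
    mysql_cgi = make_cgi("You have an error in your SQL syntax", leak_on_quote=True)
    oracle_cgi = make_cgi("ORA-01756: quoted string not properly terminated",
                          leak_on_quote=True)
    safe_cgi = make_cgi()
    doc_cgi = make_cgi(always_text="See ORA-00942 for missing tables. ")
    return {
        "rev125_misses_mysql": scan_rev125_style(mysql_cgi),  # False: the post's false negative
        "fixed_finds_mysql": scan_fixed(mysql_cgi),           # True
        "fixed_finds_oracle": scan_fixed(oracle_cgi),         # True, via ORA-nnnnn
        "fixed_on_safe": scan_fixed(safe_cgi),                # False
        "fixed_on_doc_page": scan_fixed(doc_cgi),             # False: error text in baseline too
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-22s %s" % (name, verdict))
```

The trivially injectable CGI here answers 200 OK to everything and returns its form for the big-number probe, which is exactly the shape the post describes, so the revision-1.25-style scanner bails out on the first check before ever sending a quote. The baseline comparison in scan_fixed is the caveat a scanner author would want once the early exits are gone: without it, removing the 200 OK check trades false negatives for false positives on pages that happen to contain error-code text.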

Re: False negatives in sql_injection.nasl
Richard Moore wrote:

> Hi All,
>
> Doing some experiments with the sql_injection.nasl yesterday
> showed that it failed to detect a trivially injectable CGI we
> set up. Looking back through the history of the plugin it
> appears that the problem was introduced in revision 1.25 when
> support for blind injection was added. I've attached a version
> that correctly detects the injection vulnerability (and also
> added a generic signature for oracle error messages).
>

I'm looking into it. Thanks.

John
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers