CSE 453 Problem Set 06: Exercises 05.03: C# and SQL

The code takes user input to build and execute SQL statements. There is no validation or sanitization of the user input, allowing for potential SQL injection attacks. An attacker could modify the user-provided values to inject malicious SQL, such as additional statements to alter or extract data without authorization. Proper input validation and sanitization, such as removing special characters like semicolons, is needed to prevent SQL injection and ensure only authorized queries are executed based on the intended program logic.

CSE 453 Problem Set 06

Exercises 05.03: C# and SQL


For the following C# code, answer the following questions:
● What is the code meant to do?
The code is meant to obtain the user's login, build a SQL command that selects all data from a table related to that specific user, open a
connection to the database, execute the SQL command, then close the connection to the database.

● What is the vulnerability?

There is no check to see if the user data is valid. It opens the connection and executes commands with no check in place.
The conditions for the vulnerability are:
“1. there must exist an SQL interpreter on the system
2. user input must be used to build an SQL statement
3. the user input must not filter out a semicolon
4. the system must pass the SQL statement to the interpreter” (p. 109) [1]
[1] Helfrich

● How can it be exploited?

With possible access to the “Login” file, the attacker could add a section that the code then retrieves and that gives them access through the
opened connection. The easiest way to exploit this would be with an additional statement. An "Additional Statement" attack can exploit the
program such that the "Login.GetData().ToString()" call receives an additional SQL statement.

● How should it be mitigated?

Put the connection.Open() and execute calls inside an if statement that only runs when a check for valid login credentials returns true. The filter
could remove semicolons and/or SQL keywords.

string commandString = "SELECT * FROM table1 WHERE row='"
    + Login.GetData().ToString()   // user-controlled text is spliced straight into the statement
    + "'";
using (SqlConnection connection = new SqlConnection(connectionString))
using (SqlCommand command = new SqlCommand(commandString, connection))
{
    connection.Open();
    command.ExecuteNonQuery();   // whatever the concatenated string contains is sent to the interpreter
    connection.Close();
}

Exercises 05.04: PHP and Ping


For the following PHP code, answer the following questions:
● What is the code meant to do?
The code is meant to obtain the user input value from a form, check whether that value is set in the global $_GET array, and, if so, append the
value to the end of a user's directory and then execute that directory. The exec() function is a built-in PHP function that executes an external
program and returns the last line of its output.
● What is the vulnerability?
Shell Injection
"1. A mechanism must exist to send text to the operating system command interpreter.
2. The text must be accessible through user input" (p. 111) [1].
[1] Helfrich
The exec call takes the IP address from whoever is currently running the code. This creates risk because what is inside their directory cannot be
verified, so they could run their own code in the shell.

● How can it be exploited?


The attacker could add an additional statement to their ping directory file to execute their own code. "The code can be exploited by adding a
semicolon to the user input and then adding a malicious Linux command" (p. 113) [1].
[1] Helfrich
.; rm -R *

● How should it be mitigated?


"When allowing user-supplied data to be passed to this function, use escapeshellarg() or escapeshellcmd() to ensure that users cannot trick the
system into executing arbitrary commands" [1]. It should be modified to just return a value and not execute anything. It should also check for
the specific IPAddress format so that if other items are passed, they will not pass through.
[1] https://www.phptutorial.info/?exec
Or...
“Remove the system call from the code and use another way to provide a directory list.” (p. 111) [2].
[2] Helfrich

<?php
if (isset($_GET["IPAddress"]))
{
exec("/usr/bin/ping " . $_GET["IPAddress"]);
}
?>
Exercises 05.05: PHP and NS Lookup
For the following PHP code, answer the following questions:
● What is the code meant to do?
The code is meant to obtain user input via a form, assign it to a variable ($host), then append it to a system() call and execute it.
<system> executes an external program and displays the output [1].
[1] https://www.phptutorial.info/?system

● What is the vulnerability?


The code is vulnerable through the user's hostName value and the way it is passed in. Because the <system> execution is being used and the text can
be accessed through user input, an "additional statement" attack can be made (p. 110-111) [1].
[1] Helfrich

● How can it be exploited?


The attacker could modify their own hostName to return a set of code that would run along with the form. Modified or added form variables could
then take the user to a malicious site. A malicious user can use this exploit as a way to alter the HTML and change the value to a snippet of
malicious JavaScript.

● How should it be mitigated?


Put a check in place to verify the hostName variable and its value. Special characters in the hostName should expose a potentially modified
variable. "When allowing user-supplied data to be passed to this function, use <escapeshellarg()> or <escapeshellcmd()> to ensure that users
cannot trick the system into executing arbitrary commands" [1]. Or use <htmlentities()> to sanitize user input such that the "<" and ">"
characters are turned into "&lt;" and "&gt;" [2].
[1] https://www.phptutorial.info/?system
[2] https://stackoverflow.com/questions/18008017/are-drop-down-select-fields-vulnerable-to-any-sort-of-injection

<?php
$host = 'byui.edu';
if (isset( $_GET['hostName'] ) )
$host = $_GET['hostName'];
system("/usr/bin/nslookup " . $host);
?>
<form method="get">
<select name="hostName">
<option value="server1.com">one</option>
<option value="server2.com">two</option>
</select>
<input type="submit"/>
</form>
Exercises 05.06: PHP and SQL
For the following PHP code, answer the following questions:
● What is the code meant to do?
The code will take the value of the $size variable and append it to the SELECT statement, then it will connect to the database, execute the
statement, and set the $result variable with the result. The $query variable selects a product with a specified size. The resulting string is then
sent to the server with the command odbc_exec, which takes a resource and a string as parameters.

● What is the vulnerability?


The vulnerability is in the $size variable, which could potentially be modified by the user and act as a way to insert their own code into the server.
It appears that this could be vulnerable to an "additional statements" attack, because:
"1. There must exist an SQL interpreter on the system.
2. User input must be used to build an SQL statement.
3. The user input must not filter out a semicolon.
4. The system must pass the SQL statement to the interpreter" (p. 107) [1].
The vulnerable part of the code is the $size variable, assuming it is accessible from external user input.
[1] Helfrich

● How can it be exploited?


The attacker could insert their own value for $size and tamper with the inventory or other size-related functions inside the server. Another
exploitation could be an additional statement attack where the $size string receives the following input:
10'; INSERT INTO products (idProduct, size) VALUES 'iphone', '999999

● How should it be mitigated?


The $size variable should either have limits or the code should be filtered for semicolons.

<?php
$query = "SELECT idProduct, size FROM products " .   // trailing space so the two fragments join into valid SQL
"WHERE size = '$size'";                                // $size is interpolated directly into the statement text
$result = odbc_exec($connection_id, $query);
?>
Exercises 05.07: PHP and SQL
For the following PHP code, answer the following questions:
● What is the code meant to do?
The code is meant to obtain a command line argument $argv[0] and save it into $value. The value of $value is then used in a SQL statement.
The SQL statement will select the id and name records from the products table, but only 100 records, beginning from a given place. That given
place is determined by the user’s input through the $argv[0] variable. After a connection has been established with the database, the query is
executed and the results are stored in the variable $result.

● What is the vulnerability?


David: the vulnerability is in the PHP command line variable $argv[0], whose value from the user input is used to construct a SQL
statement. There is no indication that the program is filtering out a semicolon. It also does not check the input gathered.
“1. There must exist an SQL interpreter on the system.
2. User input must be used to build an SQL statement.
3. The user input must not filter out a semicolon.
4. The system must pass the SQL statement to the interpreter” (p. 107) [1].
[1] Helfrich

● How can it be exploited?


The $argv[0] variable can be exploited via an “Additional Statement Attack”, such that an argument supplied via user input can do something like:
1'; INSERT INTO products (id, name) VALUES '1234', 'iphone
This could also be used to insert statements that do not work with the server's data, or that make it crash.

● How should it be mitigated?


Before sending it to the server, check the value variable to make sure it is a number with no character values included, verify the format of the
$query variable before sending it to the server, or filter the input to remove semicolons (p. 107) [1].
[1] Helfrich

<?php
$value = $argv[0];
$query = "SELECT id, name " .
"FROM products " .
"ORDER BY name " .
"LIMIT 100 OFFSET $value;";
$result = odbc_exec($connection_id, $query);
?>
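The SQL exercises above (05.03, 05.06 and 05.07) all describe the same defect: user text spliced into statement text. The following Python/sqlite3 example is added here and is not part of the problem set or its textbook; it rebuilds the products query in both forms and adds the numeric check the 05.07 answer calls for. The in-memory table, its rows and the injected input are all constructed for the demo.

```python
import sqlite3

# Constructed in-memory database for the demo (only the products table the exercises name).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (idProduct TEXT, size TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("shirt", "10"), ("jacket", "12")])
    return conn

def product_count(conn):
    return conn.execute("SELECT COUNT(*) FROM products").fetchone()[0]

def size_query_unsafe(conn, size):
    # Same construction as the page's $query: the input becomes part of the statement
    # text, and executescript runs every statement in the string, so a quote plus a
    # semicolon lets the caller append an additional statement (Helfrich's condition 3).
    query = f"SELECT idProduct, size FROM products WHERE size = '{size}'"
    conn.executescript(query)

def size_query_safe(conn, size):
    # Parameterised: the driver binds the input as a value, never as statement text,
    # so the same string simply matches no row and nothing else is executed.
    cur = conn.execute("SELECT idProduct, size FROM products WHERE size = ?", (size,))
    return cur.fetchall()

def parse_offset(value):
    # Mitigation for 05.07: require a plain non-negative integer before it reaches the query.
    if not value.isdigit():
        raise ValueError(f"offset must be numeric, got {value!r}")
    return int(value)

def products_page(conn, raw_offset):
    # The 05.07 query with OFFSET supplied as a bound parameter, not string-interpolated.
    offset = parse_offset(raw_offset)
    cur = conn.execute("SELECT idProduct FROM products ORDER BY idProduct "
                       "LIMIT 100 OFFSET ?", (offset,))
    return [row[0] for row in cur.fetchall()]

if __name__ == "__main__":
    db = make_db()
    # Constructed additional-statement input in the shape the page describes; the trailing
    # "--" comments out the closing quote the template appends.
    injected = "10'; INSERT INTO products (idProduct, size) VALUES ('iphone', '999999'); --"
    size_query_unsafe(db, injected)
    print("rows after unsafe query:", product_count(db))   # 3: the extra row was inserted
    db = make_db()
    print("safe query:", size_query_safe(db, injected), "rows:", product_count(db))  # [] 2
```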
Exercises 05.08: Perl and NS Lookup
For the following Perl code, answer the following questions:
● What is the code meant to do?
The code is meant to allow the user to input a filename and find the list of hosts via the <nslookup> command. Then, if a file name is provided, the
program will open the file, then print the user input back to the user, followed by a line break.

● What is the vulnerability?


David: I think the vulnerability lies in the use of the ‘host’ variable as a parameter of the param() function. With <nslookup> “a user can look up
an IP address of a domain or host on a network” [1]. If this were the wrong hostname, you could add something to a file in an otherwise
unreachable location.
[1] https://resources.infosecinstitute.com/topic/command-execution/

● How can it be exploited?


Perhaps the exploit is that a malicious user can input a path to a forbidden file via Shell Injection, adding additional statements (p. 111) [1].
[1] Helfrich

● How should it be mitigated?


The vulnerability can be mitigated by removing the param from the code and using another way to access the domain or host on the network
(complete mitigation) (p. 111) [1]. Another mitigation can be to create a manually verified domain list and have the code compare the host
name passed in by the user with this list.
[1] Helfrich

use CGI qw(:standard);

$host = param('host');
$command = "/usr/bin/nslookup";
if (open($file, "$command $host|"))
{
    while (<$file>)
    {
        print escapeHTML($_);
        print "<br/>\n";
    }
    close($file);
}

Exercises 05.09: Java Transformation


For the following Java code, answer the following questions:
● What is the code meant to do?
It appears that this code is meant to take a parameter <data> and execute it as part of the Runtime.getRuntime().exec() call. It stores the
Process returned by exec() in <p>, wraps the output stream of <p> in a BufferedReader, reads every line of the “data” in a loop, and prints each
line back to the user.
● What is the vulnerability?
It appears that the vulnerability lies in the execution of the following code:
Runtime.getRuntime().exec(command); [1]
[1] https://stackoverflow.com/questions/11268189/security-concerns-with-runtime-exec

“Because Runtime.exec() receives unsanitized data originating from the environment, this code is susceptible to a command injection attack”
[3].
The conditions for the vulnerability are:
“1. A mechanism must exist to send text to the operating system command interpreter.
2. The text must be accessible through user input” (p. 111) [2].
[2] Helfrich
[3] https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec%28%29+method

● How can it be exploited?


“Command injection is still possible if the process spawned with Runtime.exec is a command shell like command.com, cmd.exe, or /bin/sh” [1].
For example, the following command injection code could recursively delete a directory and all its contents [2]
foo; rm -r ; ls
[1] https://wiki.owasp.org/index.php/Command_injection_in_Java
[2] https://www.maths.cam.ac.uk/computing/linux/unixinfo/rm

● How should it be mitigated?


You would need to run a filter of sorts to check the data variable being passed in, to restrict certain data from executing.
“This compliant solution sanitizes the untrusted user input by permitting only a small group of whitelisted characters in the argument that will
be passed to Runtime.exec(); all other characters are excluded.” [2]

if (!Pattern.matches("[0-9A-Za-z@.]+", dir)) { [2]


[1] Helfrich
[2] https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec%28%29+method

import java.io.BufferedReader;
import java.io.InputStreamReader;

public static void doSomething(String data) throws Exception
{
    // data is concatenated into the command line unchanged and handed to cmd.exe
    Process p = Runtime.getRuntime().exec(
        "cmd.exe transform.exe " + data);
    BufferedReader in = new BufferedReader(
        new InputStreamReader(p.getInputStream()));
    String line;   // declaration missing from the original listing
    while ((line = in.readLine()) != null)
        System.out.println(line);
    in.close();
}
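The command-injection exercises (05.04, 05.05, 05.08 and 05.09) share one mitigation pattern: validate the argument against an allowlist, compare it with a verified host list where one exists, and never hand a concatenated string to a shell. This Python example is added here and is not code from the problem set; the hostname regex, the function names and the sample inputs are all written for this illustration.

```python
import ipaddress
import re
import shlex
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens, separated by dots.
# Hypothetical allowlist written for this example; it is stricter than the
# "[0-9A-Za-z@.]+" character class the page quotes for exercise 05.09.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

def validate_ip(value):
    # 05.04 mitigation: only a syntactically valid IPv4/IPv6 address passes; a ";",
    # a space or any other shell metacharacter makes ip_address() raise ValueError.
    return str(ipaddress.ip_address(value))

def validate_hostname(value):
    # 05.05 / 05.08 mitigation: reject anything outside the hostname allowlist.
    if not HOSTNAME_RE.match(value):
        raise ValueError(f"rejected hostname: {value!r}")
    return value

def nslookup_argv(value, allowed_hosts=None):
    # argv as a list: each element is one argument and nothing is parsed by /bin/sh,
    # so a semicolon in the input can never start a second command.
    host = validate_hostname(value)
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError(f"{host!r} is not in the verified host list")
    return ["/usr/bin/nslookup", host]

def ping_argv(value):
    return ["/usr/bin/ping", "-c", "1", validate_ip(value)]

def run(argv):
    # No shell=True; the output is returned to the caller, not executed.
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout

def shell_string(argv):
    # For display/logging only: shlex.quote is Python's analogue of PHP's escapeshellarg().
    return " ".join(shlex.quote(a) for a in argv)

if __name__ == "__main__":
    verified = {"server1.com", "server2.com"}   # constructed verified list (05.08)
    for candidate in ["server1.com", "server1.com; ls", ".; rm -R *"]:
        try:
            print(shell_string(nslookup_argv(candidate, verified)))
        except ValueError as err:
            print("rejected:", err)
```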
