Re: Serverside script injection?
You might want to look at WebGoat at OWASP. The last stage of the
challenge isn't exactly a script injection, but it works in a sort of
similar way. You need to know about server-side include (SSI) syntax to
finish it.
--Jeff
Jeff Williams
jeff.williams@aspectsecurity.com
Aspect Security, Inc.
www.aspectsecurity.com
----- Original Message -----
From: Marco Aldegheri
To: joh ket
Cc: webappsec@securityfocus.com
Sent: Monday, January 13, 2003 8:51 AM
Subject: Re: Serverside script injection?
I found an example, "built to duplicate some of PHP's built-in
functionality", suggested in:
www.planet-source-code.com/vb/scripts/ShowCode.asp?lngWId=4&txtCodeId=6278
where the VarsFromForm function captures the querystring and executes
some code based on it:
    Public Sub VarsFromForm
        ' Builds the statement  <name>="<value>"  for each field and runs it.
        ' Quotes in the value are doubled; the field name is concatenated as-is.
        For Each item In request.form
            execute(item & "=""" & Replace(request.form(item), Chr(34), Chr(34) & Chr(34)) & """")
        Next
        For Each item In request.QueryString
            execute(item & "=""" & Replace(request.QueryString(item), Chr(34), Chr(34) & Chr(34)) & """")
        Next
    End Sub
In 'normal' use, if the page is called like:
    xyz.asp?a=1&b=2
'a' and 'b' variables would be created and assigned values "1" and "2".
If this page is called with a querystring like:
    xyz.asp?response.write%20Application("password"):Pippo=1
the command [response.write Application("password")] is executed and the
value "1" is assigned to the variable Pippo ...
Best regards,
Marco Aldegheri, CISSP
joh ket wrote:
>
> Hi there.
> was possible to execute OS-commands through URL/userinput manipulation,
> I assume this happened mostly with CGI and perl scripts. Was this just
> based on the way the variables (userinput) was used in OS commands,
> and if the 'user data' was able to break out the intended command?
>
> I think it depends on the applicationserver software if 'serverside script
> injection' is possible or not (assuming the programmer/coder does not want
> any security). In my opinion most important is the way that the
> applicationserver handles variables. The possibility for variables to
> contain commands...
>
> Is it (theoretically) possible on ASP servers to inject 'malicious' code
> into the webpage, so that it is processed on the serverside?
> Is it possible on PHP or Coldfusion?
>
> Are there any real life examples?
> (so that I can play with it in my testlab)
>
> Thank you for all reactions!
>
> Regards,
>
Received on Mon Jan 13 12:15:57 2003
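
A hardened counterpart to the VarsFromForm routine quoted above, as an added example that is not part of the original thread or of the linked code: request values are kept as data in a dictionary and nothing from the request reaches Execute. The names SafeVarsFromRequest, IsAllowedName and ALLOWED_NAMES are hypothetical, and the allowlist "a,b" is taken from the xyz.asp?a=1&b=2 call in the message.

```vbscript
' Added example: classic ASP / VBScript, no Execute or Eval anywhere.
' Hypothetical allowlist: the only parameter names this page expects.
Const ALLOWED_NAMES = "a,b"

Function IsAllowedName(name)
    Dim re, candidate
    IsAllowedName = False
    ' Reject anything that is not a plain identifier before the allowlist lookup,
    ' so a name such as  response.write Application("password"):Pippo  stops here.
    Set re = New RegExp
    re.Pattern = "^[A-Za-z][A-Za-z0-9_]{0,31}$"
    If Not re.Test(name) Then Exit Function
    For Each candidate In Split(ALLOWED_NAMES, ",")
        If StrComp(candidate, name, vbTextCompare) = 0 Then
            IsAllowedName = True
            Exit Function
        End If
    Next
End Function

Function SafeVarsFromRequest()
    Dim vars, item
    Set vars = Server.CreateObject("Scripting.Dictionary")
    vars.CompareMode = vbTextCompare
    ' Same order as the original routine: form fields first, then the query string.
    For Each item In Request.Form
        If IsAllowedName(CStr(item)) Then
            vars(CStr(item)) = CStr(Request.Form(item))
        End If
    Next
    For Each item In Request.QueryString
        If IsAllowedName(CStr(item)) Then
            vars(CStr(item)) = CStr(Request.QueryString(item))
        End If
    Next
    Set SafeVarsFromRequest = vars
End Function

' Usage in a page: values are read by key and encoded on output.
Dim params
Set params = SafeVarsFromRequest()
If params.Exists("a") Then
    Response.Write Server.HTMLEncode(params("a"))
End If
```

Called with the second query string from the message, the dictionary stays empty because the parameter name fails both the identifier pattern and the allowlist.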