[Snort-users] FP on 18604

Lay, James james.lay at ...15009...
Fri Apr 8 10:49:06 EDT 2011


Heh...hits on this feed:

 

http://feeds.feedburner.com/SpiderlabsAnterior?format=xml

 

0000  00 13 72 59 7a f4 00 90 7f 3e f7 90 08 00 45 00   ..rYz....>....E.

0010  05 a0 24 bb 00 00 3a 06 1e cf 4a 7d e3 2c 00 00   ..$...:...J}.,..

0020  00 00 00 50 c2 6c 6b 72 68 d3 41 db c1 f5 50 10   ...P.lkrh.A...P.

0030  19 20 9e 1a 00 00 77 77 77 2e 67 6f 6f 67 6c 65   . ....www.google

0040  2e 63 6f 6d 2f 73 65 61 72 63 68 3f 61 71 3d 66   .com/search?aq=f

0050  26 61 6d 70 3b 61 6d 70 3b 73 6f 75 72 63 65 69   &sourcei

0060  64 3d 63 68 72 6f 6d 65 26 61 6d 70 3b 61 6d 70   d=chrome&amp

0070  3b 69 65 3d 55 54 46 2d 38 26 61 6d 70 3b 61 6d   ;ie=UTF-8&am

0080  70 3b 71 3d 25 32 32 25 33 43 73 63 72 69 70 74   p;q=%22%3Cscript

0090  2b 73 72 63 25 33 44 68 74 74 70 25 33 41 25 32   +src%3Dhttp%3A%2

00a0  46 25 32 46 6c 69 7a 61 6d 6f 6f 6e 2e 63 6f 6d   F%2Flizamoon.com

00b0  25 32 46 75 72 2e 70 68 70 25 33 45 25 33 43 25   %2Fur.php%3E%3C%

00c0  32 46 73 63 72 69 70 74 25 33 45 25 32 32 22 20   2Fscript%3E%22"

00d0  74 61 72 67 65 74 3d 22 5f 73 65 6c 66 22 26 67   target="_self"&g

00e0  74 3b 47 6f 6f 67 6c 65 20 53 65 61 72 63 68 20   t;Google Search

00f0  71 75 65 73 74 69 6f 6e 20 66 6f 72 20 4c 69 7a   question for Liz

0100  61 4d 6f 6f 6e 20 70 61 79 6c 6f 61 64 73 26 6c   aMoon payloads&l

0110  74 3b 2f 61 26 67 74 3b 2e 20 c2 a0 48 65 72 65   t;/a>. ..Here

0120  20 69 73 20 73 6f 6d 65 20 65 78 61 6d 70 6c 65    is some example

0130  20 72 61 77 20 68 74 6d 6c 20 6f 66 20 61 20 73    raw html of a s

0140  69 74 65 20 72 65 74 75 72 6e 65 64 20 62 79 20   ite returned by

0150  74 68 65 20 73 65 61 72 63 68 3a 26 6c 74 3b 2f   the search:</

0160  70 26 67 74 3b 26 23 78 44 3b 0d 0a 26 6c 74 3b   p>&#xD;..<

0170  70 72 65 26 67 74 3b 26 61 6d 70 3b 6c 74 3b 74   pre>&lt;t

0180  64 20 69 64 3d 22 74 64 44 65 76 65 6c 6f 70 6d   d id="tdDevelopm

0190  65 6e 74 4e 61 6d 65 22 26 61 6d 70 3b 67 74 3b   entName"&gt;

01a0  52 69 79 61 64 20 52 65 73 6f 72 74 20 c2 a0 20   Riyad Resort ..

01b0  c2 a0 20 c2 a0 26 23 78 44 3b 0d 0a 26 61 6d 70   .. ..&#xD;..&amp

01c0  3b 61 6d 70 3b 6c 74 3b 2f 74 69 74 6c 65 26 61   ;amp;lt;/title&a

01d0  6d 70 3b 61 6d 70 3b 67 74 3b 26 61 6d 70 3b 61   mp;amp;gt;&a

01e0  6d 70 3b 6c 74 3b 73 63 72 69 70 74 20 73 72 63   mp;lt;script src

01f0  3d 68 74 74 70 3a 2f 2f 6c 69 7a 61 6d 6f 6f 6e   =http://lizamoon

0200  2e 63 6f 6d 2f 75 72 2e 70 68 70 26 61 6d 70 3b   .com/ur.php&

0210  61 6d 70 3b 67 74 3b 26 61 6d 70 3b 61 6d 70 3b   amp;gt;&amp;

0220  6c 74 3b 2f 73 63 72 69 70 74 26 61 6d 70 3b 61   lt;/script&a

0230  6d 70 3b 67 74 3b 26 23 78 44 3b 0d 0a 26 61 6d   mp;gt;&#xD;..&am

0240  70 3b 61 6d 70 3b 6c 74 3b 2f 74 69 74 6c 65 26   p;amp;lt;/title&

0250  61 6d 70 3b 61 6d 70 3b 67 74 3b 26 61 6d 70 3b   amp;amp;gt;&

0260  61 6d 70 3b 6c 74 3b 73 63 72 69 70 74 20 73 72   amp;lt;script sr

0270  63 3d 68 74 74 70 3a 2f 2f 6c 69 7a 61 6d 6f 6f   c=http://lizamoo

0280  6e 2e 63 6f 6d 2f 75 72 2e 70 68 70 26 61 6d 70   n.com/ur.php&amp

0290  3b 61 6d 70 3b 67 74 3b 26 61 6d 70 3b 61 6d 70   ;amp;gt;&amp

02a0  3b 6c 74 3b 2f 73 63 72 69 70 74 26 0d 0a 31 30   ;lt;/script&..10

02b0  30 30 0d 0a 61 6d 70 3b 61 6d 70 3b 67 74 3b 26   00..amp;amp;gt;&

02c0  23 78 44 3b 0d 0a 20 47 61 6c 6c 65 72 79 26 61   #xD;.. Gallery&a

02d0  6d 70 3b 6c 74 3b 2f 74 64 26 61 6d 70 3b 67 74   mp;lt;/td&gt

02e0  3b 26 6c 74 3b 2f 70 72 65 26 67 74 3b 26 23 78   ;</pre>&#x

02f0  44 3b 0d 0a 26 6c 74 3b 70 26 67 74 3b 54 68 69   D;..<p>Thi

0300  73 20 63 6f 64 65 20 64 6f 65 73 20 6e 6f 74 20   s code does not

0310  65 78 65 63 75 74 65 20 6a 61 76 61 73 63 72 69   execute javascri

0320  70 74 20 62 75 74 20 69 6e 73 74 65 61 64 20 6f   pt but instead o

0330  6e 6c 79 20 72 65 6e 64 65 72 73 20 74 68 65 20   nly renders the

0340  74 65 78 74 2e 20 c2 a0 49 66 20 74 68 65 20 58   text. ..If the X

0350  53 53 20 73 63 72 69 70 74 20 74 61 67 73 20 77   SS script tags w

0360  65 72 65 20 73 75 63 63 65 73 73 66 75 6c 6c 79   ere successfully

0370  20 69 6e 6a 65 63 74 65 64 2c 20 6d 65 61 6e 69    injected, meani

0380  6e 67 20 74 68 61 74 20 74 68 65 20 61 70 70 73   ng that the apps

0390  20 77 65 72 65 20 6e 6f 74 20 70 72 6f 70 65 72    were not proper

03a0  6c 79 20 6f 75 74 70 75 74 20 65 6e 63 6f 64 69   ly output encodi

03b0  6e 67 2f 65 73 63 61 70 69 6e 67 20 70 61 79 6c   ng/escaping payl

03c0  6f 61 64 73 2c 20 74 68 65 6e 20 74 68 65 20 73   oads, then the s

03d0  65 61 72 63 68 20 65 6e 67 69 6e 65 20 73 70 69   earch engine spi

03e0  64 65 72 73 20 77 6f 75 6c 64 20 6e 6f 74 20 62   ders would not b

03f0  65 20 69 6e 64 65 78 69 6e 67 20 74 68 65 20 73   e indexing the s

0400  6e 69 70 70 65 74 73 20 6f 66 20 63 6f 64 65 2e   nippets of code.

0410  20 c2 a0 54 68 65 20 73 65 61 72 63 68 20 65 6e    ..The search en

0420  67 69 6e 65 73 20 64 6f 20 6e 6f 74 20 69 6e 64   gines do not ind

0430  65 78 20 74 68 65 20 72 61 77 20 68 74 6d 6c 20   ex the raw html

0440  73 6f 75 72 63 65 20 63 6f 64 65 20 62 75 74 20   source code but

0450  6f 6e 6c 79 20 74 68 65 20 72 65 6e 64 65 72 65   only the rendere

0460  64 20 74 65 78 74 2e 26 6c 74 3b 2f 70 26 67 74   d text.</p&gt

0470  3b 26 23 78 44 3b 0d 0a 26 6c 74 3b 70 26 67 74   ;&#xD;..<p&gt

0480  3b 53 6f 2c 20 65 76 65 6e 20 74 68 6f 75 67 68   ;So, even though

0490  20 73 69 74 65 73 20 6c 69 73 74 65 64 20 69 6e    sites listed in

04a0  20 74 68 65 20 73 65 61 72 63 68 20 72 65 73 75    the search resu

04b0  6c 74 73 20 77 65 72 65 20 76 75 6c 6e 65 72 61   lts were vulnera

04c0  62 6c 65 20 74 6f 20 53 51 4c 20 49 6e 6a 65 63   ble to SQL Injec

04d0  74 69 6f 6e 20 61 6e 64 20 63 6f 6d 70 72 6f 6d   tion and comprom

04e0  69 73 65 64 2c 20 74 68 65 79 20 61 63 74 75 61   ised, they actua

04f0  6c 6c 79 20 70 72 65 76 65 6e 74 65 64 20 74 68   lly prevented th

0500  65 20 67 6f 61 6c 20 6f 66 20 74 68 69 73 20 61   e goal of this a

0510  74 74 61 63 6b 20 73 69 6e 63 65 20 74 68 65 20   ttack since the

0520  77 65 62 20 61 70 70 20 69 73 20 70 72 6f 70 65   web app is prope

0530  72 6c 79 20 6f 75 74 70 75 74 20 65 6e 63 6f 64   rly output encod

0540  69 6e 67 20 74 68 65 20 64 61 74 61 20 73 65 6e   ing the data sen

0550  74 20 74 6f 20 74 68 65 20 63 6c 69 65 6e 74 73   t to the clients

0560  2e 26 6c 74 3b 2f 70 26 67 74 3b 26 23 78 44 3b   .</p>&#xD;

0570  0d 0a 26 6c 74 3b 68 32 26 67 74 3b 45 6e 73 75   ..<h2>Ensu

0580  72 65 20 70 72 6f 70 65 72 20 4f 75 74 70 75 74   re proper Output

0590  20 45 6e 63 6f 64 69 6e 67 2f 45 73 63 61 70 69    Encoding/Escapi

05a0  6e 67 20 43 6f 76 65 72 61 67 65 26 6c 74         ng Coverage&lt

 

James

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110408/44c74f44/attachment.html>


More information about the Snort-users mailing list