OSEC

From: Jacques Bourdeau (J_Bourdeauvideotron.ca)
Date: Mon Dec 10 2001 - 13:10:40 CST


    Hi,

    > I am performing a vulnerability test against a web application and would
    > like some advice. The application is running IIS 4.0 - all the remote
    > exploits are patched.

    Wrong: all KNOWN remote exploits are patched. You are still exposed to a
    lot of remote exploits. IIS will never be safe. Remember the period before
    summer this year? 3 exploits, all remote exec as Admin, in 6 weeks!
    Did someone call Guinness Records?

    IIS is just not a choice. For your info, Apache on Unix can serve ASP pages
    if you really need them.

    > The backend is just a bunch of VB scripts, getting
    > info from an oracle8 server on AIX.

    So, as soon as a problem occurs on your IIS server, the intruder will
    gain full access to your entire system. How soon is that? In some tests,
    it can be within 15 minutes...

    > Most of the places where input is accepted must strip out unexpected
    > characters, but I located one field on a form where input was not properly
    > validated. I've tried posting different strings into the field with limited
    > success. All I'm able to get is errors back. I'd like to take advantage of
    > some stored procedures in oracle.

    Using stored procedures is a good thing. When using them, a compromised
    front-end server cannot do anything it wishes against your database... of
    course, as long as your stored procedures do not offer to do anything.

    > Could you look at the log of my activity
    > below and provide advice on where to go next in order to compromise the
    > database, or the server itself? I'd even be happy with the ability to run a
    > successful query through injection. It looks like they're using a package or
    > stored procedure to post the query, and I'm having trouble breaking out of
    > it. Is it possible, if so, how should I go about it?

    Well, it's always possible to break through. But when you use stored
    procedures, it's a bigger challenge. The last error message just says that
    nothing corresponds to your request. I do not conclude that it used stored
    procedures.

    Some other tests can be to satisfy some of the requests from this log (like
    a valid table name) but not all. Maybe with some valid parameters, your try
    will go deeper into the system and come back with more information, or at
    least, different from those ones.

    Also, all errors being from line 128 in a single page, maybe knowing this
    line will help us suggest you something to try.

    Jacques Bourdeau

    > Input: '
    > Result:
    > Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    > [Microsoft][ODBC driver for Oracle][Oracle]ORA-00907: missing right parenthesis
    > E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128

    > Input: ')
    > Result:
    > Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    > [Microsoft][ODBC driver for Oracle][Oracle]ORA-00923: FROM keyword not found where expected
    > E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128

    > Input: ') from
    > Result:
    > Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    > [Microsoft][ODBC driver for Oracle][Oracle]ORA-00903: invalid table name
    > E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128

    > Input: ') from policy
    > Result:
    > Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    > [Microsoft][ODBC driver for Oracle][Oracle]ORA-00933: SQL command not properly ended
    > E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128

    > Input: ') from policy -- "'"
    > Result:
    > Microsoft OLE DB Provider for ODBC Drivers error '80004005'
    > [Microsoft][ODBC driver for Oracle][Oracle]ORA-06553: PLS-306: wrong number or types of arguments in call to 'GETPOLICYNUMBER'
    > E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128

    > Input: ') from getpolicynumber -- "'"
    > Result:
    > Microsoft OLE DB Provider for ODBC Drivers error '80004005'
    > [Microsoft][ODBC driver for Oracle][Oracle]ORA-04044: procedure, function, package, or type is not allowed here
    > E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128

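Added example, not part of the thread above and not from either poster: a small Python triage script for the server side of what this log shows. The detailed ODBC/Oracle errors the page returns tell a prober how much of each input parsed; the same errors, written to an application log, also make the probing visible. The script assumes a constructed log format (timestamp, client IP, error text) and constructed client addresses; the error texts are the ones quoted in the thread. It flags a client that walks several distinct ORA codes out of the same ASP statement, which a normal user does not do.

```python
import re
from collections import defaultdict

# Constructed application error log (timestamp, client IP, error text): the six
# error responses quoted in the thread, as a server-side log might record them.
# 192.0.2.10 is the client walking the errors; 192.0.2.20 tripped a single one.
SAMPLE_LOG = r"""
2001-12-10T13:01:02 192.0.2.10 Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC driver for Oracle][Oracle]ORA-00907: missing right parenthesis E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
2001-12-10T13:01:09 192.0.2.10 Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC driver for Oracle][Oracle]ORA-00923: FROM keyword not found where expected E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
2001-12-10T13:01:15 192.0.2.20 Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC driver for Oracle][Oracle]ORA-00903: invalid table name E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
2001-12-10T13:01:21 192.0.2.10 Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC driver for Oracle][Oracle]ORA-00933: SQL command not properly ended E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
2001-12-10T13:01:30 192.0.2.10 Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC driver for Oracle][Oracle]ORA-06553: PLS-306: wrong number or types of arguments in call to 'GETPOLICYNUMBER' E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
2001-12-10T13:01:38 192.0.2.10 Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC driver for Oracle][Oracle]ORA-04044: procedure, function, package, or type is not allowed here E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
"""

# One leaked OLE DB / Oracle error as the ASP page reports it: the provider
# error code, the ORA code and message, and the page and line that raised it.
ERROR_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) .*?error '(?P<ole>[0-9a-fA-F]{8})'"
    r".*?(?P<ora>ORA-\d{5}): (?P<msg>.*?) (?P<file>[A-Za-z]:\\.*?\.asp), line (?P<line>\d+)$"
)

def parse_error(line):
    """Return the fields of one leaked error line as a dict, or None if it is not one."""
    m = ERROR_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["line"] = int(rec["line"])
    return rec

def find_probing(log_text, min_distinct=3):
    """Group leaked errors by (client, ASP file, line) and return the groups where one
    client triggered at least min_distinct different ORA codes from the same statement.
    A normal user trips one error; a probe walks through several while it learns the
    shape of the query."""
    seen = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_error(raw)
        if rec:
            seen[(rec["client"], rec["file"], rec["line"])].add(rec["ora"])
    return {key: sorted(codes) for key, codes in seen.items()
            if len(codes) >= min_distinct}

if __name__ == "__main__":
    for (client, asp_file, asp_line), codes in find_probing(SAMPLE_LOG).items():
        print(f"{client}: {len(codes)} distinct Oracle errors at "
              f"{asp_file}:{asp_line} -> {', '.join(codes)}")
```

The first fix on the application side is the one the errors themselves point at: stop returning provider error text to the browser, and pass the field value as a bound parameter instead of concatenating it into the statement on line 128.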