Mysql charset Truncation vulnerability
We found that there is a interesting feature in mysql database,when you are using utf8,gbk or other charsets.This feature may make your application unsecure.
Stefen Esser shows some attack manners of mysql in his paper[1], in which he issues the SQL Column Truncation vulnerability.
The application is a forum where new users can register
The administrator’s name is known e.g. ‘admin’
MySQL is used in the default mode
There is no application restriction on the length of new user names
The database column username is limited to 16 characters
WordPress 2.6.1 (SQL Column Truncation) Admin Takeover Exploit
# quick’n’dirty wordpress admin-take0ver poc
# by iso^kpsbr in august 2oo8
# works w/ wordpress 2.6.1
# .oO( private — do not spread! )Oo.
# you’ll have to make sure you run roughly the same
# php version as on the server, that is: if server
# is >=5.2.1 you’ll need to be as well, in case
# server is <5.2.1, your php also needs to be below.
# to make sure it works you’ll need the exact same version!
# also, mod_php works better than (f)cgi..
# (this is a first working version – not a very reliable one)
GDI+ VML 缓冲区溢出漏洞 – CVE-2007-5348
GDI+ EMF 内存损坏漏洞 – CVE-2008-3012
GDI+ GIF 分析漏洞 – CVE-2008-3013
GDI+ WMF 缓冲区溢出漏洞 – CVE-2008-3014
GDI+ BMP 整数溢出漏洞 – CVE-2008-3015
跨站腳本攻擊(Cross Site Scripting,簡稱 XSS,亦翻為跨網站的入侵字串)又有新的攻擊語法!此次觸發惡意腳本不需要用到 script 標籤(譬如 <script>alert(1)</script>),也不用 javascript 協定(譬如 javascript:alert(1)),而是 8 月 26 日所揭露的
<isindex type=image src=1 onerror=alert(1)>
<isindex>是一個很早就有但普遍少用的標籤,其功能與<form>、<input>、<textarea>,以及<select>類似,都可供使用者輸入資料。onerror 屬性也是鮮為人知。
各家瀏覽器在實現 HTML 的支援度不盡相同,各國語系又對編碼有所差異,這些都使得跨站腳本攻擊(XSS)的攻擊語法千變萬化,也讓駭客更能規避掉不少治標的防護機制,像是 WAF 解決方案,畢竟新的攻擊手法就要新的規則(好加在我們家的 WAF 可以幫你生規則,請參考你期望的 WAF 是? XD),源碼檢測才是治本的作法阿,從 Web 應用程式端利用編碼、過濾等方式讓這些奇奇怪怪的攻擊語法全部繳械!(請參考談源碼檢測: CodeSecure的架構與技術)
