Identifying
Database Servers
Identifying database servers is even trickier
than identifying front-end and internal application servers. Identifying
front-end and internal application servers is easier because both communicate
in HTTP. Their signatures work their way into various elements of HTTP, such as
the URL, HTTP header, and cookies.
In contrast, database servers communicate
with internal application servers in SQL. The only elements of a URL that get
passed to the database interface are the values being exchanged by means of
various input fields and URL parameters. Thus the only way to identify back-end
databases through URLs is to force them to generate errors that are reflected
by the application server and end up being sent back to the Web browser.
Let's consider two URLs:
http://www.example.com/public/index.php?ID=27
http://www.example.org/Profile.cfm?id=3&page=1
The first URL has a PHP script,
suggested by the URL parameter "ID=27."
The second URL is a ColdFusion application, which again seems to perform
database queries based on the parameter id.
To force the database servers to return an
error involves tampering with the values passed to the parameters in both
cases. For the first URL, we substitute a nonnumeric ID
value for "27." For the second URL,
we prematurely truncate the query by replacing the value
appear.
error with PHP
error with ColdFusion
We leave it to you to figure out how much
damage is done by simply obtaining the types of information displayed in these
error messages! Hint: The ColdFusion SQL Server
error message contains enough information to launch a URL request that possibly
could cause remote command execution with Administrator privileges on the
database server of the Web application.
No comments:
Post a Comment