Server Help

Trash Talk - Vulnerability scanners?
Quan Chi2 - Wed Jun 14, 2006 8:27 am
Post subject: Vulnerability scanners?
Can you guys tell me what a VERY good vulnerability scanner is besides core impact and nessus? I already use nmap to find some openings, but I want specific vulnerabilities pertaining to sql abd php. I know there are many out there and I can just search google, but there are a lot and I want to know what is usually used, and what is really worth downloading..
Anonymous - Wed Jun 14, 2006 8:33 am
Post subject:
the best vunrability scanner is looking at you in the mirror.
Quan Chi2 - Wed Jun 14, 2006 8:34 am
Post subject:
That didn't make sense.
Mine GO BOOM - Wed Jun 14, 2006 12:03 pm
Post subject:
It means, almost any vulnerability dealing with PHP/SQL is usually injection type code. An example would be, with PHP, taking user input and sending it directly into a SQL statement.
Code: Show/Hide
$limit = $HTTP_GET_VARS['limit'];
$sql = "GET * FROM table LIMIT " . $limit;

Oops. Someone sends the string 0; DROP table; as your limit variable, and you just lost your table. Even worse is if the output of the statement is somehow directly visible by the user, because then they can use GET statements to find out information from your SQL database, such as passwords or table names, to do even more damage.

The same idea with php. If you don't sanitize user input, and you open a filename based upon their input, you could accidently open /etc/passwd and give the user ever login name on your system. Even worse would be to somehow allow the script to include/execute another script based upon user input, because if they could upload a gif file that is actually a script, and they get your program to include/execute that file, they just gained full access to your system.

How to fix this? Don't trust register_globals, as it is much better to parse all input from $HTTP_POST/GEt yourself. This would also force you to look at when you are accepting user input, so you can recognize that input needs to be in a certain form, and can halt the script early to print out errors.

Hell, read this article for php security checks.
Cyan~Fire - Wed Jun 14, 2006 1:03 pm
Post subject:
Huh? Register_globals is setting every get/post/cookie variable as a global variable, which is an unrelated security concern.
Mine GO BOOM - Wed Jun 14, 2006 2:05 pm
Post subject:
Cyan~Fire wrote:
.. unrelated security concern.

No, it isn't. If used correctly, it is great. The reason it is a security concern is that with beginners, or even those that have used it for a while, it easily allows itself for abuse. Sample from link posted before:
Code: Show/Hide
// Assume $article_id is set by the URL
if ($article_id == 0) {
    $guest_ok = true;
}

if (!$guest_ok) {
    // Check user is authenticated using a function defined elsewhere
    check_auth();
}

Yes, it is easy to fix. The problem is that most people don't know to look for errors such as this, and it is usually better to initialize only the user inputs you want, as it forces the programmer to recognize where the values are coming from, POST, GET, or cookie.
Cyan~Fire - Wed Jun 14, 2006 3:34 pm
Post subject:
But turning register globals off will not fix the problem you are talking about, opening a file based on user's input. What it will fix is opening a file using a variable that's not supposed to be user input.
Quan Chi2 - Wed Jun 14, 2006 5:15 pm
Post subject:
Anon, I understand what you said now. I had to think about it for a little while. I still can't beat the standard vulnerability scanner when it comes to speed, so I don't agree. lol

Anyway, good points, but can someone point out a good vulnerability scanner? lol
Doc Flabby - Thu Jun 15, 2006 6:03 am
Post subject:
Learn how to find secuity problems first, then you will understand the value of a scanner.

Secuitry scanners are just one in a range of tool to secure a system. They are not to be used on there own, or to be relyed on. I have rarely found any use for them, A simple port-scan tends to tell me more about what i need to know to secure a system.

nessus is the best btw
Quan Chi2 - Thu Jun 15, 2006 10:02 am
Post subject:
Argh. I beg to differ! I want to find vulnerabilities in databases mainly. And Im don't think its necessary to try a million ways manually, when I have something to do it for me - and quickly!

So Nessus is the best hm?
---

BTW, port scans can only get you but so far.
SpecShip - Thu Jun 15, 2006 11:15 am
Post subject:
You do realise quan is a dumb scriptkiddie wannabe who's just looking for ez ways to "haxor" forums, right?



REGISTER GLOBALS IS BAD!
cyan, stop being stupid and get educated: http://il2.php.net/register_globals
Quan Chi2 - Thu Jun 15, 2006 12:07 pm
Post subject:
Spec, wtf are you talking about? Im never said I would hack anything. Im not a script kiddie. And if I am, then so be it. All im looking for is a good vulnerability scanner.
Smong - Thu Jun 15, 2006 12:57 pm
Post subject:
You do have a reputation for asking how to hack and threatening to hack.
BDwinsAlt - Thu Jun 15, 2006 12:59 pm
Post subject:
Let me test the database for you :p
Check out http://hackthissite.org. You can complete realistic missions and ask them on their forums. It teaches you about sql vunerabilities and stuff like that.
Cerium - Thu Jun 15, 2006 1:13 pm
Post subject:
HAH!
BDwinsAlt teaching quanchi how to hack. You cant write this stuff, folks.
Quan Chi2 - Thu Jun 15, 2006 1:13 pm
Post subject:
:/

Its like you're not even reading what I'm saying. Nvm.

If someone could delete this topic, please do. I'd appreciate it.
Cerium - Thu Jun 15, 2006 1:14 pm
Post subject:
Out of curiosity, why do you need a scanner? What possible use could you have for it?

Everyone here -- myself included -- knows you plan on using it to try to hack someone elses site, because somehow thats cool to you. But just for the hell of it, feel free to attempt to prove us all wrong.
Quan Chi2 - Thu Jun 15, 2006 1:30 pm
Post subject:
Fine, I'll find vulnerabilities manually.

Vulnerability scanners aren't always used to hack systems. I could be patching up a database and need to know if I missed something..

I don't plan on hacking anyone. I plan on helping out a friend with his website, and if you know just as much as I do, then you know that its easy for someone to perform an sql injection on your website. Thats what my friend wants to prevent.

Other information on this is none of your business.
Mine GO BOOM - Thu Jun 15, 2006 1:44 pm
Post subject:
Quan Chi2 wrote:
I don't plan on hacking anyone. I plan on helping out a friend with his website, and if you know just as much as I do, then you know that its easy for someone to perform an sql injection on your website. Thats what my friend wants to prevent.

Tell him to use fgrep or any application that lets you search lines in a file, and make a report of every SQL call. For these forums, it was easy to check every SQL statement, as they setup every SQL call through the same function, and before the function call they always setup the SQL statement with the variable $sql = blah.

When you look at all the calls, check how every variable is assigned. If it is assigned by anything the user can input, be in from a HTTP request or doing a search on a username already returned from a previous SQL request, is it escaped properally? Are variables that are assumed to be numbers actually checked that they are in fact numbers?
Quan Chi2 - Thu Jun 15, 2006 2:07 pm
Post subject:
K, thanks
SpecShip - Thu Jun 15, 2006 2:33 pm
Post subject:
Now, if he actually had a clue he would've known how to take such vulnerabilities and turn them into exploits...thank goodness he's just a stupid kid.

Cerium, heh, good one.
Yep, can't write life, life it's is too damn funny.
Quan Chi2 - Thu Jun 15, 2006 2:36 pm
Post subject:
Spec, hop off my dick, please. You're sucking me hard and I don't like it.
newb - Fri Jun 16, 2006 4:14 am
Post subject:
Sucking what? Your non-existant dick?
Anonymous - Fri Jun 16, 2006 7:04 am
Post subject:
hmm

I wouldnt recommend running any kind of scanner against a server that does not belong to you. There lies the way to a court case.

People have been sucessfully procecuted for less.
CypherJF - Fri Jun 16, 2006 7:25 am
Post subject:
Mine GO BOOM wrote:
...parse all input from $HTTP_POST ...
I am pretty sure they're going to deprecate $HTTP_POST/GET aren't they?

I tell everyone to use super-global's: $_POST, $_GET, $_SERVER, $_COOKIE, $_FILE.

To block SQL injection's using PHP, look into the appropriate API's. MySQL has $return_string = mysql_real_escape_string($string); which will properly escape the query (do not rely on add_slashes(), it's a false sense of security!).

Sometime check out the PHP Security Consortium, and Chris Shiflett (an expert in PHP security), they publish, free, material which can be downloaded.
All times are -5 GMT
View topic
Powered by phpBB 2.0 .0.11 © 2001 phpBB Group