Exploitable C# Functions


Question

This question is similar to Exploitable PHP functions (http://stackoverflow.com/questions/3115559/exploitable-php-functions/3697776#3697776).

Tainted data comes from the user, or more specifically an attacker. When a tainted variable reaches a sink function, then you have a vulnerability. For instance a function that executes a SQL query is a sink, and GET/POST variables are sources of taint.

What are all of the sink functions in C#? I am looking for functions that introduce a vulnerability or software weakness. I am particularly interested in Remote Code Execution vulnerabilities. Are there whole classes/libraries that contain nasty functionality that a hacker would like to influence? How do people accidentally make dangerous C# code?

Answer

On the web based side of things, C# (and more generally, ASP.NET) is commonly vulnerable to the following (items listed by OWASP Top 10 2013). I realise you were mainly interested in sink functions, of which I cover some, however you did ask how people accidentally make dangerous C# code so hopefully I've provided some insight here.

A1-Injection

SQL Injection

Generating queries by string concatenation.

// Deliberately vulnerable: the username is concatenated straight into the SQL text.
var sql = "SELECT * FROM UserAccount WHERE Username = '" + username + "'";
SqlCommand command = new SqlCommand(sql, connection);
SqlDataReader reader = command.ExecuteReader();

This can often be solved by parameterised queries, but if you are using an IN condition it currently isn't possible without string concatenation.

LDAP Injection

Code such as

// Deliberately vulnerable: loginName is placed unescaped into the LDAP filter.
searcher.Filter = string.Format("(sAMAccountName={0})", loginName);

can leave the application vulnerable. More information here (http://blogs.msdn.com/b/securitytools/archive/2009/08/11/ldap-injection-and-mitigation.aspx).

OS Command Injection

This code is vulnerable to command injection because the second parameter to Process.Start can have extra commands passed to it using the & character to batch multiple commands:

string strCmdText= @"/C dir c:\files\" + Request.QueryString["dir"];
ProcessStartInfo info = new ProcessStartInfo("CMD.exe", strCmdText);
Process.Start(info);

e.g. foldername && ipconfig

A2-Broken Authentication and Session Management

The default Forms Authentication SignOut method (http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.signout.aspx) does not update anything server side, allowing a captured auth token to be continued to be used.

Calling the SignOut method only removes the forms authentication cookie. The Web server does not store valid and expired authentication tickets for later comparison. This makes your site vulnerable to a replay attack if a malicious user obtains a valid forms authentication cookie.

Using Session State for Authentication

A session fixation vulnerability could be present if a user has used session state for authentication.

A3-Cross-Site Scripting (XSS)

Response.Write (and the shortcut <%= %>) is vulnerable by default, unless the developer has remembered to HTML encode the output. The more recent shortcut <%: HTML encodes by default, although some developers may use this to insert values into JavaScript where they can still be escaped by an attacker. Even using the modern Razor engine it is difficult to get this right:

var name = '@Html.Raw(HttpUtility.JavaScriptStringEncode(Model.Name))';

ASP.NET by default enables Request Validation, which will block any input from cookies, the query string and from POST data that could potentially be malicious (e.g. HTML tags). This appears to cope well with input coming through the particular app, but if there is content in the database that is inserted from other sources like from an app written using other technologies, then it is possible that malicious script code could still be output.

In old versions of .NET it was a bit of a mine-field for a developer to ensure that their output was correctly encoded using some of the default web controls.

Unfortunately, the data-binding syntax doesn't yet contain a built-in encoding syntax; it's coming in the next version of ASP.NET

e.g. Not vulnerable:

  <asp:Repeater ID="Repeater1" runat="server">
    <ItemTemplate>
      <asp:TextBox ID="txtYourField" Text='<%# Bind("YourField") %>'
        runat="server"></asp:TextBox>
    </ItemTemplate>
  </asp:Repeater>

Vulnerable:

<asp:Repeater ID="Repeater2" runat="server">
  <ItemTemplate>
    <%# Eval("YourField") %>
  </ItemTemplate>
</asp:Repeater>

A4-Insecure Direct Object References

MVC model binding can allow parameters added to POST data to be mapped onto a data model. This can happen unintentionally as the developer hasn't realised that a malicious user may amend parameters in this way. The Bind attribute can be used to prevent this.

A5-Security Misconfiguration

There are many configuration options that can weaken the security of an application. For example setting customErrors to On or enabling trace.

Scanners such as ASafaWeb can check for these common misconfigurations.

A6-Sensitive Data Exposure

The default password hashing methods in ASP.NET are sometimes not the best.

  • HashPasswordForStoringInConfigFile() - this could also be bad if it is used to hash a plain password with no added salt.
  • Article "Our password hashing has no clothes" regarding the ASP.NET membership provider in .NET 4.

A7-Missing Function Level Access Control

In integrated pipeline mode .NET can see every request and handlers can authorise each request, even to non .NET resources (e.g. .js and images). However, if the application is running in classic mode, .NET only sees requests to files such as .aspx so other files may be accidentally unsecured. See this answer for more detail on the differences.

e.g. www.example.com/images/private_photograph_user1.jpg is more likely to be vulnerable in an application that runs in classic mode, although there are workarounds (http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/5c5ae5e0-f4f9-44b0-a743-f4c3a5ff68ec.mspx?mfr=true).

A8-Cross-Site Request Forgery (CSRF)

Although the legacy web forms applications are usually more secure against CSRF due to requiring the attacker to forge the View State and Event Validation (http://msdn.microsoft.com/en-us/library/system.web.ui.page.enableeventvalidation%28v=vs.110%29.aspx) values, newer MVC applications could be vulnerable unless the developer has manually implemented anti forgery tokens (http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/). Note I am not saying that web forms is not vulnerable, just that it is more difficult than simply passing on a few basic parameters - there are fixes though, such as integrating the user key into the View State value.

When the EnableEventValidation property is set to true, ASP.NET validates that a control event originated from the user interface that was rendered by that control. A control registers its events during rendering and then validates the events during postback or callback handling. For example, if a list control includes options numbered 1, 2, or 3 when the page is rendered, and if a postback request is received specifying option number 4, ASP.NET raises an exception. All event-driven controls in ASP.NET use this feature by default.

The [EnableEventValidation] feature reduces the risk of unauthorized or malicious postback requests and callbacks. It is strongly recommended that you do not disable event validation.

A10-Unvalidated Redirects and Forwards

Adding code such as

Response.Redirect(Request.QueryString["Url"]);

will make your site vulnerable. The attack could be initiated by sending a phishing email to a user containing a link. If the user is vigilant they may have double checked the domain of the URL before clicking. However, as the domain will match your domain which the user trusts, they will click the link unaware that the page will redirect the user to the attacker's domain.

Validation should take place on Url to ensure that it is either a relative, allowed URL or an absolute URL to one of your own allowed domains and pages. You may want to check someone isn't redirecting your users to /Logout.aspx for example. Although there may be nothing stopping an attacker from directly linking to http://www.example.com/Logout.aspx, they could use the redirect to hide the URL so it is harder for a user to understand which page is being accessed (http://www.example.com/Redirect.aspx?Url=%2f%4c%6f%67%6f%75%74%2e%61%73%70%78).

The other OWASP categories are:

  • A9-Using Components with Known Vulnerabilities

of which I can't think of any that are specific to C#/ASP.NET. I'll update my answer if I think of any (if you think they are relevant to your question).
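As an added example for the SQL Injection section of the answer above (this is not the answer's own code): one way to keep an IN condition fully parameterised is to generate one placeholder per value and bind each value as a typed SqlParameter, so only placeholder names, never user text, are concatenated into the SQL. It assumes a SQL Server table UserAccount with a Username column and an already open SqlConnection.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class UserQueries
{
    // Builds: SELECT * FROM UserAccount WHERE Username IN (@u0, @u1, ...)
    // Only the placeholder names are generated in code; each value is bound as a
    // typed parameter, so quotes or comment markers inside a username stay data.
    public static SqlCommand BuildUsernameInQuery(SqlConnection connection,
                                                  IReadOnlyList<string> usernames)
    {
        if (usernames == null || usernames.Count == 0)
            throw new ArgumentException("at least one username is required", "usernames");

        SqlCommand command = connection.CreateCommand();
        var placeholders = new List<string>(usernames.Count);
        for (int i = 0; i < usernames.Count; i++)
        {
            string name = "@u" + i;
            placeholders.Add(name);
            SqlParameter p = command.Parameters.Add(name, SqlDbType.NVarChar, 256);
            p.Value = usernames[i];   // sent out-of-band, never spliced into the SQL text
        }
        // SQL Server allows at most 2100 parameters per command; batch longer lists.
        command.CommandText = "SELECT * FROM UserAccount WHERE Username IN ("
                              + string.Join(", ", placeholders) + ")";
        return command;
    }

    // Constructed sample input: the second entry contains quote characters that a
    // concatenated query would misinterpret; here it is simply a literal username.
    public static void PrintMatches(SqlConnection connection)
    {
        var names = new[] { "alice", "bob' OR '1'='1" };
        using (SqlCommand command = BuildUsernameInQuery(connection, names))
        using (SqlDataReader reader = command.ExecuteReader())
        {
            while (reader.Read())
                Console.WriteLine(reader["Username"]);
        }
    }
}
```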
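As an added example for the LDAP Injection section above (again not the answer's code): the filter value is escaped according to RFC 4515 before it is inserted with string.Format, so filter metacharacters in loginName are matched literally. It assumes a DirectoryEntry pointing at the search root and the System.DirectoryServices assembly (Windows only).

```csharp
using System;
using System.DirectoryServices;
using System.Text;

public static class LdapFilter
{
    // RFC 4515: these characters must be written as backslash plus two hex digits
    // inside a filter so that they are treated as data, not as filter syntax.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Same filter shape as the answer's example, with the value escaped first.
    public static string BuildSamAccountFilter(string loginName)
    {
        return string.Format("(sAMAccountName={0})", EscapeFilterValue(loginName));
    }

    public static SearchResult FindUser(DirectoryEntry searchRoot, string loginName)
    {
        using (var searcher = new DirectorySearcher(searchRoot))
        {
            searcher.Filter = BuildSamAccountFilter(loginName);
            return searcher.FindOne();   // null when no account matches
        }
    }
}
```

With the escaping in place a loginName containing `*`, `(`, `)` or `\` can only ever narrow the search to a literal account name; it cannot widen or restructure the filter.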

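As an added example for the A10 redirect validation described above (not the answer's code): the Url parameter is accepted only as a site-relative path or as an absolute http(s) URL on an allow-listed host, and the /Logout.aspx case is refused even when the path arrives percent-encoded or with dot segments. The host allow-list, the blocked-page list and the /Default.aspx fallback are assumptions for illustration.

```csharp
using System;
using System.Linq;
using System.Web;

public static class SafeRedirect
{
    // Assumed allow-list of our own hosts, and pages we never redirect into.
    private static readonly string[] AllowedHosts = { "www.example.com", "example.com" };
    private static readonly string[] BlockedPaths = { "/logout.aspx" };

    // Returns a vetted redirect target, or null when the requested URL must be refused.
    public static string ResolveTarget(string requested)
    {
        if (string.IsNullOrWhiteSpace(requested)) return null;

        // Request.QueryString has already decoded once; decoding again lets a
        // double-encoded "%252fLogout.aspx" be judged as "/Logout.aspx".
        string decoded = HttpUtility.UrlDecode(requested);

        // Site-relative means exactly one leading slash: "//host" is scheme-relative
        // and leaves the site, and browsers treat a leading "/\" the same way.
        if (decoded.StartsWith("/") && !decoded.StartsWith("//") && !decoded.StartsWith("/\\"))
        {
            // Resolve against a dummy base so "/a/../Logout.aspx" normalises before the check.
            Uri rel = new Uri(new Uri("http://localhost/"), decoded);
            return IsBlockedPath(rel.AbsolutePath) ? null : rel.PathAndQuery;
        }

        Uri uri;
        if (!Uri.TryCreate(decoded, UriKind.Absolute, out uri)) return null;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return null;
        // uri.Host ignores userinfo, so "http://www.example.com@other.host/" is judged by other.host.
        if (!AllowedHosts.Contains(uri.Host, StringComparer.OrdinalIgnoreCase)) return null;
        if (IsBlockedPath(uri.AbsolutePath)) return null;
        return uri.AbsoluteUri;
    }

    private static bool IsBlockedPath(string path)
    {
        string pathOnly = path.Split('?', '#')[0];
        return BlockedPaths.Contains(pathOnly, StringComparer.OrdinalIgnoreCase);
    }

    // Page-side use: redirect only to a vetted target, otherwise to the assumed home page.
    public static void Redirect(HttpRequest request, HttpResponse response)
    {
        string target = ResolveTarget(request.QueryString["Url"]) ?? "/Default.aspx";
        response.Redirect(target);
    }
}
```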