perl – Page 4 – WindowsTechs.com

perl SSL mysql configuration [migrated]

Posted on September 14, 2018 by blablatrace

We have an application written in Perl and I need to configure it to “talk SSL” with MySQL. mysq_ssl

mysql_ssl_ca_file

The path to a file in PEM format that contains a list of trusted SSL certificate authorities.

We have a… Continue reading perl SSL mysql configuration [migrated]→

How I can use perl + burp?

Posted on June 15, 2018 by misdeed

Hello, users!

I need your help! How I can use [any]-perl script for pentesting (for example: script for subdomains enumeration)?

How to redirect output from a perl-script to burp? This is possible? How can this architecture… Continue reading How I can use perl + burp?→

Is this Perl database connection vulnerable to SQL Injection

Posted on December 18, 2017 by Ludisposed

I have this (stripped down) Perl database query, and I wonder if this can be exploited in any way. This is from a challenge, so I know things could be done different, the task is to exploit this.

To my knowledge it uses prep… Continue reading Is this Perl database connection vulnerable to SQL Injection→

Perl, Perl 6, and Two Application Frameworks Release 2017 Advent Calendars

Posted on December 2, 2017 by EditorDavid

An anonymous reader writes:

Friday saw this year’s first new posts on the Perl Advent Calendar, a geeky tradition first started back in 2000. It describes Santa including Unicode’s “Father Christmas” emoji by enabling UTF-8 encoding and then using the… Continue reading Perl, Perl 6, and Two Application Frameworks Release 2017 Advent Calendars→

Finding backdoors in ubuntu 14.04/16.04 [on hold]

Posted on October 12, 2017 by suomynonA

In a competition (not allowed to mention the name) I have to remove existing backdoors from a ubuntu 14.04/16.04 virtual image. There are numerous backdoors including a perl backdoor. I have to figure out where it is/what it … Continue reading Finding backdoors in ubuntu 14.04/16.04 [on hold]→

New Video Peeks ‘Inside the Head’ of Perl Creator Larry Wall

Posted on October 8, 2017 by EditorDavid

“I was trained more as a linguist than a computer scientist,” says Perl creator Larry Wall, “and some people would say it shows.”
An anonymous reader describes Wall’s new video interview up on InfoQ:
“With a natural language, you learn it as you go,” … Continue reading New Video Peeks ‘Inside the Head’ of Perl Creator Larry Wall→

New Video Peeks ‘Inside the Head’ of Perl Creator Larry Wall

Posted on October 8, 2017 by EditorDavid

CVE-2016-5843 SQL injection in Open Ticket Request System (OTRS) 5.x

Posted on July 24, 2017 by Belly W.

I’m a novice InfoSec student conducting research on the SQL injection vulnerabilities present in FAQ package 2.x before 2.3.6, 4.x before 4.0.5, and 5.x before 5.0.5 in Open Ticket Request System (OTRS) which allow remote attackers to execute arbitrary SQL commands via crafted search parameters (CVE-2016-5843).

The details of this vulnerability, as advertised on multiple security advisories such as SecurityTracker, seem to suggest that unauthenticated attackers can execute arbitrary code on the underlying SQL database via [OTRS_BaseURI]/index.pl?Action=Login&User=%27[SQL_HERE] to bypass authentication procedures.

SQL injection is definitely one of the weaker tools in my arsenal, so I would truly appreciate some guidance in this regard.

I have taken steps to determine appropriate attack vectors, but so far none have proven fruitful. In addition to manually fuzzing the entry point above, I’ve also utilised various command-line configurations of sqlmap to detect injection flaws—no luck.

So, I proceeded to inspect the source code, and found what appears to be the user validation query.

# sql query
my $SQL = "SELECT $Self->{UserTableUserPW}, $Self->{UserTableUserID}, $Self->{UserTableUser} "
    . " FROM "
    . " $Self->{UserTable} "
    . " WHERE "
    . " valid_id IN ( ${\(join ', ', $Kernel::OM->Get('Kernel::System::Valid')->ValidIDsGet())} ) AND "
    . " $Self->{UserTableUser} = '" . $DBObject->Quote($User) . "'";
$DBObject->Prepare( SQL => $SQL );

This snippet resides in otrs-5.0.2/Kernel/System/Auth/DB.pm of the otrs-5.0.2 package.

I’m not too familiar with Perl, but it seems the $User parameter is double quoted before being passed to the database. Curiously enough, the other SQL queries I found in this package used “?” placeholders instead.

=item Quote()

to quote sql parameters

quote strings, date and time:
=============================
my $DBString = $DBObject->Quote( "This isn't a problem!" );

my $DBString = $DBObject->Quote( "2005-10-27 20:15:01" );

quote integers:
===============
my $DBString = $DBObject->Quote( 1234, 'Integer' );

quote numbers (e. g. 1, 1.4, 42342.23424):
==========================================
my $DBString = $DBObject->Quote( 1234, 'Number' );

=cut

sub Quote {
    my ( $Self, $Text, $Type ) = @_;

    # return undef if undef
    return if !defined $Text;

    # quote strings
    if ( !defined $Type ) {
        return ${ $Self->{Backend}->Quote( \$Text ) };
    }

    # quote integers
    if ( $Type eq 'Integer' ) {
        if ( $Text !~ m{\A [+-]? \d{1,16} \z}xms ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Caller   => 1,
                Priority => 'error',
                Message  => "Invalid integer in query '$Text'!",
            );
            return;
        }
        return $Text;
    }

    # quote numbers
    if ( $Type eq 'Number' ) {
        if ( $Text !~ m{ \A [+-]? \d{1,20} (?:\.\d{1,20})? \z}xms ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Caller   => 1,
                Priority => 'error',
                Message  => "Invalid number in query '$Text'!",
            );
            return;
        }
        return $Text;
    }

    # quote like strings
    if ( $Type eq 'Like' ) {
        return ${ $Self->{Backend}->Quote( \$Text, $Type ) };
    }

    $Kernel::OM->Get('Kernel::System::Log')->Log(
        Caller   => 1,
        Priority => 'error',
        Message  => "Invalid quote type '$Type'!",
    );

    return;
}

Taking these snippets into consideration, my questions are:

Is the login form vulnerable to SQL injection?
If indeed it is, why can’t I seem to execute arbitrary code?
How would one go about compromising a Linux box with this specific vulnerability?

Continue reading CVE-2016-5843 SQL injection in Open Ticket Request System (OTRS) 5.x→

CVE-2016-5843 SQL injection in Open Ticket Request System (OTRS) 5.x

Posted on July 24, 2017 by Belly W.

SQL injection is definitely one of the weaker tools in my arsenal, so I would truly appreciate some guidance in this regard.

So, I proceeded to inspect the source code, and found what appears to be the user validation query.

# sql query
my $SQL = "SELECT $Self->{UserTableUserPW}, $Self->{UserTableUserID}, $Self->{UserTableUser} "
    . " FROM "
    . " $Self->{UserTable} "
    . " WHERE "
    . " valid_id IN ( ${\(join ', ', $Kernel::OM->Get('Kernel::System::Valid')->ValidIDsGet())} ) AND "
    . " $Self->{UserTableUser} = '" . $DBObject->Quote($User) . "'";
$DBObject->Prepare( SQL => $SQL );

This snippet resides in otrs-5.0.2/Kernel/System/Auth/DB.pm of the otrs-5.0.2 package.

=item Quote()

to quote sql parameters

quote strings, date and time:
=============================
my $DBString = $DBObject->Quote( "This isn't a problem!" );

my $DBString = $DBObject->Quote( "2005-10-27 20:15:01" );

quote integers:
===============
my $DBString = $DBObject->Quote( 1234, 'Integer' );

quote numbers (e. g. 1, 1.4, 42342.23424):
==========================================
my $DBString = $DBObject->Quote( 1234, 'Number' );

=cut

sub Quote {
    my ( $Self, $Text, $Type ) = @_;

    # return undef if undef
    return if !defined $Text;

    # quote strings
    if ( !defined $Type ) {
        return ${ $Self->{Backend}->Quote( \$Text ) };
    }

    # quote integers
    if ( $Type eq 'Integer' ) {
        if ( $Text !~ m{\A [+-]? \d{1,16} \z}xms ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Caller   => 1,
                Priority => 'error',
                Message  => "Invalid integer in query '$Text'!",
            );
            return;
        }
        return $Text;
    }

    # quote numbers
    if ( $Type eq 'Number' ) {
        if ( $Text !~ m{ \A [+-]? \d{1,20} (?:\.\d{1,20})? \z}xms ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Caller   => 1,
                Priority => 'error',
                Message  => "Invalid number in query '$Text'!",
            );
            return;
        }
        return $Text;
    }

    # quote like strings
    if ( $Type eq 'Like' ) {
        return ${ $Self->{Backend}->Quote( \$Text, $Type ) };
    }

    $Kernel::OM->Get('Kernel::System::Log')->Log(
        Caller   => 1,
        Priority => 'error',
        Message  => "Invalid quote type '$Type'!",
    );

    return;
}

Taking these snippets into consideration, my questions are:

Is the login form vulnerable to SQL injection?
If indeed it is, why can’t I seem to execute arbitrary code?
How would one go about compromising a Linux box with this specific vulnerability?

Continue reading CVE-2016-5843 SQL injection in Open Ticket Request System (OTRS) 5.x→

How would someone execute a Perl script on a webpage?

Posted on April 29, 2017 by Keegan Kuhn

OWASP’s XSS Filter Evasion Cheatsheet has a Perl script listed:

perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out

It also says this above it:

Null chars also work as XSS vectors but not like above, y… Continue reading How would someone execute a Perl script on a webpage?→