Scribd
Upload
14 views31 pages

Unit 5

This document covers various aspects of computer networks, focusing on metacharacters and their implications in security vulnerabilities such as command injection, SQL injection, and NULL character injection. It outlines the definitions, examples, and mitigation strategies for these vulnerabilities, along with the importance of input validation and secure coding practices. Additionally, it discusses the role of Unicode functions in Windows and their relevance to security vulnerabilities.

Uploaded by

swainvladimir600
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
14 views31 pages

Unit 5

This document covers various aspects of computer networks, focusing on metacharacters and their implications in security vulnerabilities such as command injection, SQL injection, and NULL character injection. It outlines the definitions, examples, and mitigation strategies for these vulnerabilities, along with the importance of input validation and secure coding practices. Additionally, it discusses the role of Unicode functions in Windows and their relevance to security vulnerabilities.

Uploaded by

swainvladimir600
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Computer Networks

CSE3006
Unit No. 5
Date: November -2024

By
N.D. Patel
Email: narottamdaspatel@[Link]
Linkden: [Link]
Contact Number: 9450095800
1
Computer Networks
CSE3006
Unit No. 5
Metacharacters, Embedded Delimiters, NULL Character Injection, Common
Metacharacter Formats, Path Metacharacters, Shell Metacharacters, SQL
Queries, Metacharacter Filtering, Eliminating and Escaping Metacharacters,
Unicode, Windows Unicode Functions.

By N.D. Patel
Email: narottamdaspatel@[Link]
Linkden: [Link]
3
Contact Number: 9450095800
Metacharacters
Metacharacters are special characters that have a specific meaning in programming, scripting, or command-line interfaces.

In software vulnerability testing, metacharacter vulnerabilities occur when user inputs containing these characters are not
properly sanitized, leading to security risks such as code injection, command injection, and SQL injection.

Metacharacter Meaning Security Risk


Can allow command injection
; (semicolon) Command separator
in shell scripts
Can execute additional
& (ampersand) Background process execution
commands
` ` (pipe) Command chaining
> (greater than) Redirect output Can overwrite critical files
< (less than) Redirect input Can read unauthorized files
Allows execution of arbitrary
$(...) / `...` Command substitution
commands
Can lead to SQL injection or
' and " (quotes) String delimiters
XSS
\ (backslash) Escape character Can bypass security filters
% Wildcard in SQL Used for SQL injection
Allows access to restricted
Metacharacters: Command Injection
Occurs when unsanitized user input is executed as part of a system command.

int main() {
char command[100];
char userInput[50];
Exploitation
printf("Enter filename to delete: "); Input: [Link]; rm -rf /
scanf("%s", userInput); Effect: Deletes all files on the system.
sprintf(command, "rm %s", userInput); // No input
validation! Mitigation
system(command);
Use whitelisting for allowed characters.
return 0; Use execvp() instead of system().
} Validate and sanitize user input.
Metacharacters: SQL Injection
Occurs when special metacharacters in SQL queries allow attackers to manipulate database commands..

$user = $_GET['user'];
$query = "SELECT * FROM users WHERE name = '$user'";
$result = mysqli_query($conn, $query);

Exploitation

Input: ' OR 1=1 --Query Executed: SELECT * FROM users WHERE


name = '' OR 1=1 --Effect: Bypasses authentication and returns
all users.

Mitigation
Use prepared statements:
$stmt = $conn->prepare("SELECT * FROM users WHERE name = ?");
$stmt->bind_param("s", $user);
$stmt->execute();

Escape inputs using mysqli_real_escape_string().


Metacharacters: SQL Injection
Metacharacters: SQL Injection
Metacharacters: Cross-Site Scripting (XSS)
Metacharacters in web forms can lead to JavaScript execution.

Example: Vulnerable Code (HTML/JavaScript)

<input type="text" name="comment" value="<?php


echo $_GET['comment']; ?>">

Exploitation
Input: <script>alert('Hacked!');</script>Effect: Executes
JavaScript in a victim's browser.

Mitigation
Sanitize input using htmlspecialchars()
Implement Content Security Policy (CSP).
NULL Character Injection
NULL Character Injection is a security vulnerability where an attacker inserts a NULL byte (\0) into user inputs to
manipulate string termination, bypass security controls, or cause unexpected application behavior. This can lead to
authentication bypass, file inclusion attacks, data corruption, and memory exploitation.

Authentication Bypass using NULL Injection

If a web application improperly processes user input with a NULL byte, an attacker may bypass authentication.

$username = $_GET['user'];
$query = "SELECT * FROM users WHERE username =
'$username'";
$result = mysqli_query($conn, $query);

Exploitation
Input: admin\0xyzExpected Query
Execution: SELECT * FROM users WHERE username = 'admin\0xyz’

Impact: If \0 terminates string processing in some versions of PHP or MySQL, the application may treat "admin" as a valid
username and ignore the rest, leading to unauthorized access.
NULL Character Injection
File Inclusion & Path Traversal via NULL Injection

Many web applications process user-supplied filenames. If an attacker injects a NULL character, they can manipulate file
operations.

$file = $_GET['file'];
include("/var/www/html/" . $file . ".php");

Exploitation

Input: [Link]\0
Expected Execution: include("/var/www/html/[Link]");

Impact: If \0 truncates the string, an attacker may include sensitive system files like /etc/passwd.
NULL Character Injection
Web Application Firewall (WAF) Bypass
NULL characters can be used to bypass WAF rules or security filters that check for specific attack patterns.

Normal Payload Blocked by WAF:


' OR 1=1 --

WAF Bypass with NULL Injection:

' OR 1=1\0 --

Impact: Some security filters may ignore everything after \0, making the payload effective.
Common Metacharacter Formats
Metacharacters are special characters with predefined meanings in different contexts, such as command-line
interfaces, SQL queries, URLs, and programming languages. In Software Vulnerability Testing (SVT), attackers
exploit metacharacters to manipulate system behavior, bypass security mechanisms, and execute malicious
payloads.

Shell Metacharacters (Command Injection)

Metacharacter Usage Example Impact


; ping [Link]; rm -rf / Command separation
&& whoami && cat /etc/passwd Execute multiple commands
` `
` ` `cat /etc/passwd
> echo "hacked" > [Link] File overwrite
>> echo "appended" >> [Link] File append
& sleep 10 & Run in background
$() $(cat /etc/passwd) Command substitution
Common Metacharacter Formats
SQL Metacharacters (SQL Injection)

Metacharacter Usage Example Impact


' ' OR 1=1 -- Bypass authentication
SELECT * FROM users WHERE
" Query manipulation
name="admin" OR "1"="1"
Comment out rest of
-- ' OR 1=1 --
query
SELECT * FROM users WHERE
# SQL comment
name='admin' #
SQL statement
; admin'; DROP TABLE users;
separation
Common Metacharacter Formats
URL & HTTP Header Metacharacters

Metacharacte
Usage Example Impact
r
GET /index HTTP/1.1%0AHost:
%0A Header injection
[Link]
GET / HTTP/1.1%0D%0AHost:
%0D Newline injection
[Link]
SQL Injection via
%20 /search?q=%20OR%201=1
encoding
%27 /login?user=admin%27-- URL-encoded ' for SQLi
Encoded ; for command
%3B [Link]
injection
Common Path Metacharacters
Path metacharacters are special symbols that affect file system paths in operating systems. Attackers exploit
these metacharacters in Path Traversal, Directory Traversal, Arbitrary File Inclusion, and Remote File Inclusion
attacks to gain unauthorized access to files.

Metacharacter Usage Example Impact

../ ../../etc/passwd Directory traversal

./ ./[Link] Current directory reference

/ /var/log/syslog Absolute path reference

~ ~/[Link] User home directory access

\ C:\Windows\system32 Windows path separator


Path Metacharacter Detection & Prevention
🔹 Input Validation:
✔ Restrict input to only expected filenames.
✔ Disallow special characters (../, ;, |).

🔹 Secure File Handling:


✔ Use absolute paths and prevent path traversal.
✔ Apply sandboxing techniques to isolate files.

🔹 Web Server Hardening:


✔ Configure file access permissions to restrict sensitive directories.
✔ Disable directory listing in web servers.
Shell Metacharacters
Shell metacharacters are special characters in command-line interfaces (CLI) that modify how commands are
interpreted and executed. Attackers exploit these characters in Command Injection and Shell Injection attacks
to execute arbitrary commands, bypass security measures, or escalate privileges.

Metacharacter Usage Example Impact


Command separator (Executes
; ls; cat /etc/passwd
multiple commands)
Execute second command if first
&& ls && rm -rf /
succeeds
` `
& ping [Link] & Background process execution
` ` `cat /etc/passwd
Command substitution
`` echo `whoami`
(Executes inside backticks)
Command substitution (Safer
$() echo $(whoami)
alternative to backticks)
Shell Metacharacters
Remote Code Execution (RCE) via Command Substitution

Goal: Execute system commands via backticks ( ) or $().

Example: Vulnerable Shell Script:

echo "User: $(whoami)"


Exploit:

$(rm -rf /)

Impact: Deletes the entire system if executed with root privileges.


SQL Queries
SQL queries are crucial in software vulnerability testing (SVT) to identify security flaws such
as SQL Injection, improper input validation, and privilege escalation.

Understanding how attackers exploit SQL vulnerabilities can help in securing applications.
Testing for SQL Injection
SQL injection occurs when an attacker manipulates an SQL query through user input.
Example:

SELECT * FROM Users WHERE username = 'admin' --' AND password =


'password';
If unsanitized, attackers can bypass authentication or delete data.
Testing for Unvalidated Input
Using metacharacters to check for security flaws:
Example:

SELECT * FROM Products WHERE name = 'Laptop'; DROP TABLE


Users; --';
If the database executes both queries, the application is vulnerable.
Testing for Privilege Escalation
Privilege escalation exploits flaws in role management.
Example:

SELECT * FROM UserRoles WHERE role = 'admin';


If unauthorized users gain admin access, it's a major security risk.
Detecting Data Leakage via Error Messages
Improper error handling can expose database structure.
Example:

SELECT * FROM Users WHERE email = 'alice@[Link]' AND


password = 'xyz';
If a detailed error message is returned, attackers can infer database schema.
Preventing SQL Injection with Secure Queries
Use parameterized queries to prevent SQL injection.
Example (Prepared Statement):

PREPARE stmt FROM 'SELECT * FROM Users WHERE username = ? AND


password = ?';
EXECUTE stmt USING 'Alice', 'securepassword';

This ensures user input is treated as data, not executable code.


Metacharacter Filtering
1. What Are Metacharacters?
Metacharacters are special characters that perform specific functions in programming,
databases, or operating system commands. Examples include:

• SQL Metacharacters: ', ", ;, --, /*, */, #


• Shell Metacharacters: |, &, ;, <, >, $, *, ?, {}, (), \
• Path Traversal Metacharacters: ../, ..\\, ~, %00
• Scripting Metacharacters: <, >, ', ", /, \, (), = (used in JavaScript and
HTML)
Common Security Threats Due to Unfiltered Metacharacters

Attack Type Example Exploit Consequence


SELECT * FROM users
SQL Injection WHERE username = '' Bypasses authentication
OR '1'='1' --'
Executes system
Command Injection ping [Link]; rm -rf /
commands
Reads restricted system
Path Traversal ../../etc/passwd
files
XSS (Cross-Site <script>alert('Hacked!'); Injects malicious
Scripting) </script> JavaScript
Eliminating and Escaping Metacharacters
Eliminating metacharacters means removing or restricting the use of potentially dangerous characters in input fields.
Whitelisting (Allow-Only Approach)
•Define a set of allowed characters and reject all others.
•Example: Allow only alphanumeric characters for usernames.
•Example in Python:

import re

def sanitize_input(user_input):
if [Link]("^[a-zA-Z0-9]+$", user_input): # Only letters
and numbers
return user_input
else:
return "Invalid input"

print(sanitize_input("Admin123")) # ✅ Valid
print(sanitize_input("Admin$@!")) # ❌ Invalid
Windows Unicode Functions
Windows operating systems support Unicode for handling international text and character encoding. Unicode
functions in Windows API allow applications to work with multi-language text, special characters, and different
character encodings (UTF-8, UTF-16, etc.).

1. Unicode Function Naming Conventions

Windows API provides two versions of most functions:

ANSI version (A-suffix) – Uses single-byte encoding (e.g., CreateFileA)


Unicode version (W-suffix) – Uses UTF-16 encoding (e.g., CreateFileW)

BOOL SetWindowTextA(HWND hWnd, LPCSTR lpString); // ANSI version


BOOL SetWindowTextW(HWND hWnd, LPCWSTR lpString); // Unicode version
👉 To enable Unicode, use the W-suffix functions (SetWindowTextW).
Windows Unicode Functions
Function SetWindowTextA
• Header File: Windows.h
• Library: [Link]
• ANSI Version: SetWindowTextA
• Unicode Version: SetWindowTextW

BOOL SetWindowTextA(
HWND hWnd,
LPCSTR lpString); // ANSI version

BOOL SetWindowTextW(
HWND hWnd,
LPCWSTR lpString); // Unicode version
👉 To enable Unicode, use the W-suffix functions (SetWindowTextW).
Unicode Vulnerability in Windows IIS (Completed)

1. Discription:
2. Identified the CVE Number:
3. CVSS:
4. Impact:
5. Complete Payload (http): %c0%af(Hint):
6. OWASP:
7. Compromise:
8. Detection:
9. Patch/Fix (Mitigations):

You might also like