Sql Injection MS Access - sql-injection

I am on a pen test doing a 3rd party validation of a vendor's staging web server & have found an instance of IIS that appears to be running MS-Access as its backend database. I think that I may have found a potential SQLi attack vector but need some verification. I have done some research on SQLi exploits with MS-Access & have not really gotten any useful information relevant to my situation.
When I initially accessed the login page I entered '1 OR 1=1' as the user name to see if I could get some low hanging fruit. Here is the error message that I got:
HTTP 500.100 - Internal Server Error - ASP error
Internet Information Services
Technical Information (for support personnel)
Error Type:
Microsoft OLE DB Service Components (0x80040E73)
Format of the initialization string does not conform to the OLE DB specification.
/arnisi/start.asp, line 204
Browser Type:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Page:
POST 196 bytes to /arnisi/start.asp
POST Data:
username=%271+OR+1%3D1%27&password=&dataSource=mkgt13&lang=en&database=esuite& provider=SQLOLEDB&FromLoginPage=1&dir=ltr&screenHeight=900&screenWidth=1600&browserType=NS&browserVer=6&font=arial
The interesting thing is that the error shows the datasource to be mkgt1 and the database to be esuite. The thing that is killing me is the syntax for running queries on MS-Access. Is this possible? Any help would be greatly appreciated.

Try a'or'1'='1.
This will work and if sql injection vulnerability is there it will be exposed.

Related

WSO2 Carbon 404 Error Redirection for Webapp Deployment?

We are using WSO2 Carbon 4.2.0 through the WSO2 Application Server (AS) package. In replacing an older, highly customized Carbon installation (provided by a company that no longer supports the product, has abandoned it and refuses to work on it, and left us no details on how/what they modified in Carbon), we have deployed a couple web applications in the webapps container as they were deployed before in the older instance. We have changed our WebContextRoot in the carbon.xml from the default "/" to a sub-URL of ex: "/stuff", as is also detailed in the self-answered SO question here. However the answer given there is not detailed in what the OP actually encountered when he modified his WSO2 instance.
In testing the above configuration we noticed that if a user were to go to a non-existent web address on the server, depending on the format of the URL they are either:
redirected to a blank page;
receive a "500 Internal server error" (I suspect this is the embedded Tomcat?);
get sent to the Carbon login page (which we definitely do not want to happen for security reasons); or
get an XML document stating:
<faultString> The service cannot be found for the endpoint reference (EPR) /stuff/services/nonexistantservicename </faultString>
At least in the case of missing content we wish the user to be sent to a standardized 404 error page, or at the least be sent an HTTP 404 error by the server. For services the XML error is palatable, we can deal with that.
The only option for us right now to circumvent this issue is to place a proxy in front of the WSO2 instance, which would be another layer to manage and tune, and possibly degrade performance. Please know that I am not a programmer but just an admin with DevOps experience. I would not know how to handle this with e.g. a Java solution or re-coding parts of WSO2. Customizing the core product would also hamper future upgrades of WSO2, a scenario we are trying to dig ourselves out of now as detailed above. Is there no internal WSO2 mechanism to handle non-existent content? Can we not redirect any errors to a standard canned response page?

Unexpected 401.5 error. Authentication header changed to Kerberos?

This problem seems to exist on a specific server. All other servers are working ok.
Background: The website is basically Forms Auth but there's an asmx that manually requires Basic Auth.
I have two C# client.
When invoking using SOAP (asmx client proxy) with basic auth credentials - all is well.
When invoking using WebClient or WebRequest with the same basic auth credentials, I get 401.5.
The folders have "Everyone" set to them.
When setting up iis trace, I see a very weird behavior. The request arrives with the correct Basic auth header. But further down the trace I see the following:
GENERAL_REQUEST_HEADERS
Headers="Connection: Keep-Alive
Content-Length: 68
Content-Type: application/json
Authorization: Kerberos
Expect: 100-continue
Host: 1.2.3.4
The Kerberos seems very weird. It is as if the request headers changed throughout the process, and perhaps that explains the 401.5.
Again, I would like to stress out that on other servers there's no problem with both clients. The only difference I can think of is that the problematic server is a DC. But if that is a problem then why is the SOAP client working well?
Any ideas?
Progress!
After some debugging I noticed that Application_AuthenticateRequest was fired twice for every request. The first time with Basic auth as I expected and the second time with the Kerberos!
After googling I found this:
http://forums.asp.net/t/1868629.aspx?HttpModule+triggered+two+times+for+request+to+URL+without+default+document
Seems like for extensionless urls those events might fire multiple times, depending on the configured Extensionless urls.
Going back to the trace I noticed that in the non-working server the trace shows usage of ExtensionlessUrl-ISAPI-4.0_64bit, and in the working servers no such entry existed. After comparing the two IIS I noticed that the non-working IIS had ExtensionlessUrl-ISAPI-4.0_64bit configured whereas in the working IIS there was ExtensionlessUrl**Handler**-ISAPI-4.0_64bit (note the "handler"). I compared the dlls involved and the working server had a newer aspnet_isapi.dll. I assume that this is an updated extensionless url handler. I suppose an upgrade to IIS or .NET might install a later version, but for now I tried to remove the ExtensionlessUrl-ISAPI-4.0_xxbit like so:
<remove name="ExtensionlessUrl-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrl-ISAPI-4.0_64bit" />
And it worked! Now there is only a single Application_AuthenticateRequest.
The non-working version that had this in the trace:
OldHandlerName="", NewHandlerName="ExtensionlessUrl-ISAPI-4.0_64bit", NewHandlerModules="IsapiModule", NewHandlerScriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll", NewHandlerType=""
Now changed to:
OldHandlerName="", NewHandlerName="WebServiceHandlerFactory-ISAPI-4.0_64bit", NewHandlerModules="IsapiModule", NewHandlerScriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll", NewHandlerType=""
Hopefully that's the end of it. Additional testing still required.
I would appreciate if someone can write how to upgrade IIS dlls to a later version. Is this an upgrade to .NET or is there a specific KB update that is downloaded with Windows Update?

Jaspersoft Studio: Username may not be null (HTTP proxy issue)

if you get an error similar to this although your credentials are correct or have even worked before in this environment, it may be due to an HTTP proxy misconfiguration (see answer below)
java.lang.IllegalArgumentException: Username may not be null
at org.apache.http.util.Args.notNull(Args.java:48)
at org.apache.http.auth.UsernamePasswordCredentials.<init>(UsernamePasswordCredentials.java:78)
at com.jaspersoft.studio.server.utils.HttpUtils.getCredentials(HttpUtils.java:107)
at com.jaspersoft.studio.server.utils.HttpUtils.setupProxy(HttpUtils.java:45)
at com.jaspersoft.studio.server.protocol.restv2.RestV2ConnectionJersey.connect(RestV2ConnectionJersey.java:91)
at com.jaspersoft.studio.server.protocol.ProxyConnection.connect(ProxyConnection.java:61)
at com.jaspersoft.studio.server.WSClientHelper.checkConnection(WSClientHelper.java:85)
at com.jaspersoft.studio.server.wizard.ServerProfileWizard.connect(ServerProfileWizard.java:101)
at com.jaspersoft.studio.server.wizard.ServerProfileWizard.access$1(ServerProfileWizard.java:97)
at com.jaspersoft.studio.server.wizard.ServerProfileWizard$2.run(ServerProfileWizard.java:78)
at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
Check your Eclipse->Window->Preferences->General->Network Connections settings. If your Jasper server is not behind an HTTP proxy it must be included and selected (yellow) in the Proxy bypass section (or no proxy may be necessary at all - but this seems more unlikely because other proxied network services would not be available then within Eclipse).
Otherwise it should not be included therein.
If you should get another error org.apache.http.client.HttpResponseException: Not Found
later on it could be an unrelated error due to a server<->studio version mismatch, e.g. described here:
https://community.jaspersoft.com/questions/823765/jaspersoft-studio-551-unable-connect-jasperreports-server-450
(I know this is not directly related to the question, but it may help after such an update scenario (which may be a big waste of time) ...)
Instead of downgrading Jasper Studio you can try to change the URL and Jasper version in the server connection. Try to remove services/repository/ from your URL, which worked for me :-)
(...as mentioned here: http://community.jaspersoft.com/jaspersoft-studio/issues/3497 )

Can I call synchroniseUserDirectories (ConfluenceRpc) via REST, SOAP or XML-RPC?

I am using Confluence 4.2.5 (build 3284) with CAS SSO connected to my LDAP server and would like to be able to call synchroniseUserDirectories() from the LDAP server when a user changes their password so that the change is instantaneous.
The way it works now is that users have to wait for the Confluence to run it's periodic LDAP synchronization which can be disconcerting for them.
I have tried using the XML-RPC interface to call changeUserPassword() (as an administrator) but it doesn't work. The operation raises an exception "Error changing password for user ...". I presume that that is because the user is defined in the LDAP but I can't tell for sure because the exception message wasn't clear about the cause.
Here is example code that I would like to be able to use. It doesn't work.
#!/usr/bin/env python
import xmlrpclib
url = 'https://docs.example.com'
admin_user = 'frobisher'
admin_pass = 'supersecretstuff'
username = 'bigbob'
new_password = 'bigbobsbigsecret'
server = xmlrpclib.ServerProxy(url + '/rpc/xmlrpc')
token = server.confluence2.login(admin_user, admin_pass)
# CITATION: https://developer.atlassian.com/display/CONFDEV/Remote+Confluence+Methods
# this doesn't exist but would be my preferred approach.
# It raises a NoSuchMethodException exception.
server.confluence2.synchroniseUserDirectories(token)
# this throws a general exception, because of the LDAP? The message
# wasn't clear about the source of the problem.
#server.confluence2.changeUserPassword(token,
# username,
# password)
server.confluence2.logout(token)
Is there any way to do this using SOAP or REST? I was concerned about REST because it sounds like it is still a prototype.
If none of those approaches will work, can it be done with a simple plugin considering that this must be a push operation from the LDAP server to the Confluence server? I have no experience writing plugins but I do some java work occasionally.
Any hints would be greatly appreciated.
The short answer is "no". The ability to synchronise remote user directories is not exposed as a remote operation in Confluence.
The long answer is "yes", you can write a plugin to do this. If you're already familiar with java, then perhaps the best answer is to just show you some source code I've written that performs a similar function: https://bitbucket.org/jaysee00/confluence-user-sync-api This plugin gives you SOAP, XML-RPC and JSON-RPC methods to force an individual user account to be synced in to Confluence from a remote directory.
That might suit your purposes as-is, but I imagine it would be possible to edit the source of this plugin and change it to synchronise an entire directory, too.

How to push contacts to Microsoft Exchange from Talend?

I'm trying to use Talend Open Studio to sync contacts from a variety of input sources into an Exchange 2007 server.
I know Talend can talk SOAP, and EWS has a WSDL, but having bumped into all
sorts of problems trying to marry the two together (since Exchange's WSDL is lacking elements which Talend needs) I don't know if that's the best plan of attack, or if I should be looking at building a more Exchange-specific plugin for Talend using the EWS Java API from MS.
Alternatively, if these are both known to not be possible, I'd appreciate a pointer to an explanation as to why - all the buzzwords seem to line up on each side, after all.
I work at Talend and would be happy to try and help you out a bit, but I myself am not familiar with the Exchange WSDL. I would assume that a SOAP interface from an established vendor like Microsoft is going to be WS-I Basic Profile compatible and should be easily invoked directly just like any regular WS. Would you mind trying the following:
What particular elements are missing from the MS WSDL, or is it trying to use some non-standard feature? CXF is fully JAX-WS compliant, and it is certified WS-I BP compliant, so I have to assume something odd is going on.
post the WSDL from exchange that you are trying to invoke from Talend.
create a proxy client for that WSDL using CXF.
Give it a try and send the error message.
Generate a mock service provider based on that wsdl using CXF and run the CXF mock and try against that with the CXF wsdl client. This will give you added confidence that the client and wsdl have no problems.
you can also try generating a simple test case with just SOAP UI or similar tooling against the Exchange WS.
ps: CXF is apache based open source. It is easy to use and has tight integration with Talend via the ASF suite. But you can also just use it by itself for diagnostic purposes.
Ed
I have been struggling with that too...
You can use tSoap for that purpose.
tWebServiceInput does not work for me with EWS.
tSoap->tLogRow
eg:
tSoap component that resolves a given name is the method ResolveNames()
Value to resolve = Thierry
Set "Need Authentication" with username and password
Set End Point, eg "https://yourserver/EWS/Exchange.asmx"
Set SOAP Action,
"http://schemas.microsoft.com/exchange/services/2006/messages/ResolveNames"
SOAP Version 1.1
Set SOAP Message:
... Enter Soap Method enclosed with ".
Joins tSoap to tLogRow
Run the Job. Voila the result...
Starting job xSoap_ResolveNames_LogRow at 13:43 30/05/2012.
[statistics] connecting to socket on port 3682
[statistics] connected
<Header><t:ServerVersionInfo xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" MajorBuildNumber="685" MajorVersion="8" MinorBuildNumber="24" MinorVersion="0" /></Header>|<m:ResolveNamesResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"><m:ResponseMessages><m:ResolveNamesResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode><m:ResolutionSet IncludesLastItemInRange="true" TotalItemsInView="1"><t:Resolution><t:Mailbox><t:Name>Thierry TYS. Yen Suin</t:Name><t:EmailAddress>thierry.suin#sc-mauritius.com</t:EmailAddress><t:RoutingType>SMTP</t:RoutingType><t:MailboxType>Mailbox</t:MailboxType></t:Mailbox><t:Contact><t:DisplayName>Thierry Yen Suin</t:DisplayName><t:GivenName>Thierry</t:GivenName><t:EmailAddresses><t:Entry Key="EmailAddress1">SMTP:thierry.suin#sc-mauritius.com</t:Entry></t:EmailAddresses><t:ContactSource>ActiveDirectory</t:ContactSource><t:Surname>Yen Suin</t:Surname></t:Contact></t:Resolution></m:ResolutionSet></m:ResolveNamesResponseMessage></m:ResponseMessages></m:ResolveNamesResponse>|
[statistics] disconnected
Job xSoap_ResolveNames_LogRow ended at 13:43 30/05/2012. [exit code=0]
It should work similarly with a method that creates a contact.
Hope it helps because I haven't found a lot of post on integrating Talend with Exchange Web Services despite searching for a long time.