Last active
August 29, 2015 14:05
-
-
Save DinisCruz/c0acb607b20522a0f516 to your computer and use it in GitHub Desktop.
6 C# and Java security flaws, can you spot the vulnerability?
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class WS_UsersCommunity : System.Web.Services.WebService | |
| { | |
| [WebMethod()] | |
| public void PostMessage(string sessionID, string userID, string messageSubject, string messageText) | |
| { | |
| HacmeBank_v2_WS.DataFactory.PostMessage(userID, messageSubject, messageText); | |
| } | |
| } | |
| public class DataFactory | |
| { | |
| public static void PostMessage(string userID, string messageSubject, string messageText) | |
| { | |
| SqlServerEngine.executeSQLCommand("Insert into fsb_messages " + "(user_id,message_date,subject,text) " + "Values " + "('" + userID + "','" + DateTime.Now + "','" + messageSubject + "','" + messageText + "')"); | |
| } | |
| } | |
| public class SqlServerEngine | |
| { | |
| public static int executeSQLCommand(string sqlQueryToExecute) | |
| { | |
| Global.createSqlServerConnection(); | |
| string text1 = sqlQueryToExecute; | |
| SqlCommand command1 = new SqlCommand(text1, Global.globalSqlServerConnection); | |
| Global.globalSqlServerConnection.Open(); | |
| int executeNonQuery_Result = command1.ExecuteNonQuery(); | |
| Global.globalSqlServerConnection.Close(); | |
| return executeNonQuery_Result; | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Socket sock = null; | |
| BufferedReader buffread = null; | |
| InputStreamReader instrread = null; | |
| try { | |
| sock = new Socket("host.example.org", 39544); | |
| /* read input from socket */ | |
| instrread = new InputStreamReader(sock.getInputStream()); | |
| buffread = new BufferedReader(instrread); | |
| data = buffread.readLine(); | |
| } | |
| catch( IOException ioe ) | |
| { | |
| log_bad.warning("Error with stream reading"); | |
| } | |
| String root = "C:\\uploads\\"; | |
| File fIn = new File(root + data); | |
| if( fIn.exists() && fIn.isFile() ) | |
| { | |
| IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine()); | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Socket sock = null; | |
| BufferedReader buffread = null; | |
| InputStreamReader instrread = null; | |
| try | |
| { | |
| /* Read data using an outbound tcp connection */ | |
| sock = new Socket("host.example.org", 39544); | |
| /* read input from socket */ | |
| instrread = new InputStreamReader(sock.getInputStream()); | |
| buffread = new BufferedReader(instrread); | |
| data = buffread.readLine(); | |
| } | |
| catch( IOException ioe ) | |
| { | |
| log_bad.warning("Error with stream reading"); | |
| } | |
| Hashtable<String, String> env = new Hashtable<String, String>(); | |
| env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory"); | |
| env.put(Context.PROVIDER_URL, "ldap://localhost:389"); | |
| DirContext ctx = new InitialDirContext(env); | |
| String search = "(cn=" + data + ")"; | |
| NamingEnumeration<SearchResult> answer = ctx.search("", search, null); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| protected void Page_Load(object sender, System.EventArgs e) | |
| { | |
| { | |
| if (Session["userID"] != null) { | |
| Global.objGui.loadDefaultPageControls(ascxPlaceHolder_LeftMenu, ascxPlaceHolder_TopMenu, ascxPlaceHolder_Footer); | |
| if ("Welcome" == Request.QueryString["function"]) { | |
| ascxThreadingIssue.preloadAllAscxControls(); | |
| Global.objGui.loadControlOnPlaceHolder(ascxPlaceHolder_ContentArea, "Welcome"); | |
| } else { | |
| Global.objGui.loadControlOnPlaceHolder(ascxPlaceHolder_ContentArea, Request.QueryString["function"]); | |
| } | |
| lblWUserName.Text = Session["username"].ToString(); | |
| } else { | |
| string lmsg; | |
| lmsg = "Session Timed-out"; | |
| Response.Redirect("Login.aspx?lmsg=" + lmsg); | |
| } | |
| } | |
| } | |
| public void loadControlOnPlaceHolder(PlaceHolder placeHolderToUse, string pathToControlToLoad) | |
| { | |
| string fullVirtualPathToControlToLoad = pathToAscxFolder + pathToControlToLoad + ".ascx"; | |
| Control loadedControl = this.LoadControl(fullVirtualPathToControlToLoad); | |
| placeHolderToUse.Controls.Add(loadedControl); | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class Gui : System.Web.UI.Page | |
| { | |
| public static string pathToAscxFolder = "~/ascx/"; | |
| public void loadDefaultPageControls(PlaceHolder ascx_LeftMenu, PlaceHolder ascx_TopMenu, PlaceHolder ascx_Footer) | |
| { | |
| if ((null != HttpContext.Current.Request.Cookies["Admin"]) && ("true" == HttpContext.Current.Request.Cookies["Admin"].Value)) { | |
| loadControlOnPlaceHolder(ascx_LeftMenu, "_AdminLeftMenu"); | |
| } else { | |
| loadControlOnPlaceHolder(ascx_LeftMenu, "_LeftMenu"); | |
| } | |
| loadControlOnPlaceHolder(ascx_TopMenu, "_TopMenu"); | |
| loadControlOnPlaceHolder(ascx_Footer, "_Footer"); | |
| } | |
| public void loadControlOnPlaceHolder(PlaceHolder placeHolderToUse, string pathToControlToLoad) | |
| { | |
| string fullVirtualPathToControlToLoad = pathToAscxFolder + pathToControlToLoad + ".ascx"; | |
| Control loadedControl = this.LoadControl(fullVirtualPathToControlToLoad); | |
| placeHolderToUse.Controls.Add(loadedControl); | |
| } | |
| public void preloadControlOnDummyLocation(string pathToControlToLoad) | |
| { | |
| string fullVirtualPathToControlToLoad = pathToAscxFolder + pathToControlToLoad + ".ascx"; | |
| this.LoadControl(fullVirtualPathToControlToLoad); | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| static public ArrayList returnArrayListWithCurrentHandles_usingBruteForceMethod(int numberOfHandlesToTry) | |
| { | |
| ArrayList listOfHandlesNames = new ArrayList(); | |
| IntPtr ObjectInformation = Marshal.AllocHGlobal(512); | |
| ulong Length = 512; | |
| ulong ResultLength = 0; | |
| for (int i=0; i<numberOfHandlesToTry;i++) | |
| { | |
| long callReturnValue = NtQueryObject(i*4,OBJECT_INFORMATION_CLASS.ObjectNameInformation,ObjectInformation ,Length,ref ResultLength); | |
| if (callReturnValue !=0 && callReturnValue != 0xc0000008) | |
| { | |
| listOfHandlesNames.Add(":::::ERROR::::: on Item " + Convert.ToString(i*4,16).ToString() + " the error " + Convert.ToString(callReturnValue,16).ToString() + " occured"); | |
| } | |
| if (callReturnValue ==0) | |
| { | |
| NAME_QUERY objectName = new NAME_QUERY(); | |
| objectName = (NAME_QUERY)Marshal.PtrToStructure(ObjectInformation,objectName.GetType()); | |
| if (objectName.noIdeaWhatThisIs != "") | |
| { | |
| handleItemInfo tempHandleItemInfo = new handleItemInfo( i*4, objectName.Name); | |
| listOfHandlesNames.Add(tempHandleItemInfo); | |
| } | |
| else | |
| { | |
| handleItemInfo tempHandleItemInfo = new handleItemInfo( 0, ""); | |
| listOfHandlesNames.Add(tempHandleItemInfo); | |
| } | |
| } | |
| } | |
| return listOfHandlesNames; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment