#CGI.REMOTE_ADDR# sql injection?

Enthusiast, Mar 09, 2009


Could #CGI.REMOTE_ADDR# be spoofed to do sql injection?
Topics: Advanced techniques
Views: 6.5K

LEGEND, Mar 09, 2009

easily, but these days it is spoofed to run SQL injection attacks only
by amateurs - pros use 'bot armies' to run massive-scale SQL injection
attacks, where spoofing anything is not needed since it is the infected
machines of unsuspecting users that are executing the SQL injection
attacks; the 'generals' stay in the shade and reap the rewards...

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/

Community Expert, Aug 30, 2009

Something else just caught my eye. Azadi, your 237,923 posts since Jan 1 1999 make it 60 posts per day, every day of the year, for more than 10 years!

Something just doesn't add up. This might be something for the webmaster to look at.

Valorous Hero, Aug 30, 2009

BKBK wrote:

Something else just caught my eye. Azadi, your 237, 923 posts since Jan 1 1999

The old forums must have lumped all newsgroup posts under the same user account. The mighty "Newsgroup_User" is quite the prolific poster 😉

LEGEND, Mar 09, 2009

nikos101 wrote:
> Could #CGI.REMOTE_ADDR# be spoofed to do sql injection?

Yes, CGI variables can be spoofed. Anything received from another
computer can be spoofed. Yes, it can be used to do SQL injection if you
are using CGI variables inside of unparameterized SQL code, i.e.
without <cfqueryparam...> tags.

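
Ian's point, worked through as an added example that is not code from this thread and is Python with SQLite rather than ColdFusion: the same "log the visitor's IP" INSERT written twice, once with the value spliced into the statement text (what #ip# inside <cfquery> does when there is no <cfqueryparam>) and once with a bound parameter (what <cfqueryparam cfsqltype="cf_sql_varchar"> does). The request dictionaries, the addresses, the settings table and its api_key value are all constructed for the demo; the second request's header value is an injection payload that a client can put in any HTTP_* header, and the tables show what lands in the log with each query style.

```python
import sqlite3

# Constructed sample requests, keyed the way ColdFusion's CGI scope names
# them. REMOTE_ADDR is the socket peer the web server saw; HTTP_X_FORWARDED_FOR
# is header text the client typed. The second header value is an injection
# payload, not an address: it closes the VALUES row, adds a second row whose
# value is read from another table, and uses ||' to soak up the trailing ')
# that the vulnerable template appends.
REQUESTS = {
    "normal": {"REMOTE_ADDR": "203.0.113.7",
               "HTTP_X_FORWARDED_FOR": "198.51.100.9"},
    "attack": {"REMOTE_ADDR": "203.0.113.7",
               "HTTP_X_FORWARDED_FOR": "0.0.0.0'),((SELECT api_key FROM settings)||'"},
}


def make_db():
    """Fresh in-memory database with a visit log and a constructed secret."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE visits (ip TEXT);
        CREATE TABLE settings (api_key TEXT);
        INSERT INTO settings VALUES ('constructed-secret-key');
    """)
    return conn


def log_visit_unsafe(conn, ip):
    # String-built SQL: the value becomes part of the statement text, so
    # quotes and parentheses inside it are parsed as SQL.
    conn.execute("INSERT INTO visits (ip) VALUES ('" + ip + "')")
    conn.commit()


def log_visit_safe(conn, ip):
    # Bound parameter: the driver sends the value separately from the
    # statement, so it can only ever be a string stored in the ip column.
    conn.execute("INSERT INTO visits (ip) VALUES (?)", (ip,))
    conn.commit()


def logged_ips(conn):
    return [row[0] for row in conn.execute("SELECT ip FROM visits ORDER BY rowid")]


def demo(env, from_header, safe):
    """Log one request's 'client IP' and return what ended up in the table.

    from_header picks HTTP_X_FORWARDED_FOR (client-controlled) over
    REMOTE_ADDR; safe picks the parameterised query over the string-built one.
    """
    conn = make_db()
    ip = env["HTTP_X_FORWARDED_FOR"] if from_header else env["REMOTE_ADDR"]
    (log_visit_safe if safe else log_visit_unsafe)(conn, ip)
    return logged_ips(conn)


if __name__ == "__main__":
    for name, env in REQUESTS.items():
        print(name, "unsafe:", demo(env, True, False), "safe:", demo(env, True, True))
```

With the string-built INSERT the attack request writes two rows, the second of which is the api_key copied out of the settings table, ready to be read back from any page that lists recent visitors; with the bound parameter the payload is stored verbatim as a (useless) string, and when the application reads REMOTE_ADDR instead of the header, only the socket peer is logged.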
LEGEND, Mar 09, 2009

for some reason i read the OP's question differently and didn't think of
that aspect of spoofing cgi.remote_addr... your answer now makes the
original question make more sense to me...

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/

LEGEND, Mar 09, 2009

nikos101 wrote:
> Could #CGI.REMOTE_ADDR# be spoofed to do sql injection?

No, I don't think CGI.REMOTE_ADDR can be spoofed as it's set by the web
server and not by the client (client set headers have HTTP_ as a prefix).

--
Mack

LEGEND, Mar 09, 2009

Mack wrote:
> nikos101 wrote:
>> Could #CGI.REMOTE_ADDR# be spoofed to do sql injection?
>
> No, I don't think CGI.REMOTE_ADDR can be spoofed as it's set by the web
> server and not by the client (client set headers have HTTP_ as a prefix).
>

Yes it is set by the web server. The spoofing comes in that the hacker
uses his own web server to set these variables as he desires to work
over your site.

http://www.12robots.com/index.cfm/2008/12/9/Spoofing-CGI-variables--Security-Series-11

LEGEND, Mar 11, 2009

Ian Skinner wrote:
> Mack wrote:
>> nikos101 wrote:
>>> Could #CGI.REMOTE_ADDR# be spoofed to do sql injection?
>>
>> No, I don't think CGI.REMOTE_ADDR can be spoofed as it's set by the web
>> server and not by the client (client set headers have HTTP_ as a prefix).
>>
>
> Yes it is set by the web server. The spoofing comes in that the hacker
> uses his own web server to set these variables as he desires to work
> over your site.
>
> http://www.12robots.com/index.cfm/2008/12/9/Spoofing-CGI-variables--Security-Series-11

CGI.HTTP_* variables are set by the client and their content should be
treated as untrusted input. CGI.REMOTE_ADDR (and others like
CGI.SCRIPT_NAME, CGI.PATH_INFO) are set by the web server that connects
to the CF application instance so I'm pretty sure that they cannot be
spoofed.

Here's a quick test file (adapted from the link you provided) which
shows that you cannot spoof REMOTE_ADDR or REMOTE_HOST:

<cfif StructKeyExists(Url, "g")>
    <!--- Second hop: this is the request made by <cfhttp> below. Dump what
          the web server actually handed to CF for it. --->
    <cfdump var="#CGI.REMOTE_ADDR#">
    <cfdump var="#cgi#">
    <cfdump var="#GetHTTPRequestData()#">
<cfelse>
    <!--- First hop: call this same page with forged headers, then show
          what the second hop reported. SCRIPT_NAME already starts with a
          slash, so it is appended directly to the host. --->
    <cfhttp method="get" url="http://#CGI.SERVER_NAME##CGI.SCRIPT_NAME#?g"
            result="myVar">
        <cfhttpparam type="header" name="Referer"
                     value="http://www.google.com/search?q=coming+from+google">

        <!--- None of these become CGI.REMOTE_ADDR / CGI.REMOTE_HOST; they
              only show up as HTTP_* entries in the dump. --->
        <cfhttpparam type="header" name="REMOTE_HOST" value="71.244.78.2">
        <cfhttpparam type="header" name="HTTP_REMOTE_HOST" value="71.244.78.2">
        <cfhttpparam type="header" name="REMOTE_ADDR" value="71.244.78.2">
        <cfhttpparam type="header" name="HTTP_REMOTE_ADDR" value="71.244.78.2">
    </cfhttp>

    <cfoutput>#myVar.FileContent#</cfoutput>
</cfif>

--
Mack

LEGEND, Mar 11, 2009

> Here's a quick test file (adapted from the link you provided) which
> shows that you cannot spoof REMOTE_ADDR or REMOTE_HOST:

... using that technique, anyhow.

One could manually construct or alter the TCP/IP packets and change the
address they're coming from.

But, to be honest, if someone's that dedicated to hacking your system,
they'll probably find a way.

Personally, I would never trust the veracity of HTTP_ prefixed CGI
variables for the reasons under discussion here, but I don't really feel
very concerned about the possibilities of someone hacking CGI.remote_addr.

For the purposes of securing forms, I'd just set a session variable on the
form-display page, and check the session variable on the form-action page.

In situations that need to be very very secure, I'd secure the app at
operating system level, and consider what level of external access is
appropriate. The only truly secure server is one that's in a locked room
and not connected to anything, after all ;-)

--
Adam

LEGEND, Mar 11, 2009

from what i have read, it is pretty trivial to fake cgi.remote_addr on a
Linux system using direct socket & TCP/IP programming.
not many people would go to even that extent because faking/spoofing
cgi.remote_addr was usually intended to hide the originating ip - and
with anonymous and real proxies abounding now this has become redundant.

on the other hand, faking/spoofing remote_addr to gain access to an
application or to execute malicious code - that's different. but it is
known that not many software apps rely on remote_addr - it is used
mostly in allowing remote admin of hardware devices like routers, for
instance.

but i guess with the recent increase in SQLi attacks, and many posts on
the subject mentioning code to log the remote ip, it may be the next thing
those &^$^$%# &^%^$^% employ now that every second app is going to be
inserting the remote ip address into the db....

to be on the side of caution maybe just log it to a text file instead...

sorry, a bit of a wild rant, but then again it is Wednesday evening here
and the beer is flowing...


Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/

LEGEND, Mar 11, 2009

did i sense a bit of that "great minds" thing you had with Ian on that
other thread here?...

i surely hope so... :)

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/

LEGEND, Mar 11, 2009

Adam Cameron wrote:
>> Here's a quick test file (adapted from the link you provided) which
>> shows that you cannot spoof REMOTE_ADDR or REMOTE_HOST:
>
> .... using that technique, anyhow.
>
> One could manually construct or alter the TCP/IP packets and change the
> address they're coming from.

I'm pretty sure you can't spoof the source IP address when using the TCP
protocol in the general case because of the 3-way handshake of TCP. UDP
is pretty trivial to spoof (unless the ISP filters outbound packets with
incorrect IP source addresses).

> But, to be honest, if someone's that dedicated to hacking your system,
> there'll probably find a way.
>
> Personally, I would never trust the veracity of a HTTP_ prefixed CGI
> variables for the reasons under discussion here, but I don't really feel
> very concerned about the possibilities of someone hacking CGI.remote_addr.

That's basically my opinion also: HTTP_* should be treated as untrusted
input, CGI.REMOTE_ADDR is safe (unless the attacker has control of your
web server - but at this point you have bigger problems).

> For the purposes of securing forms, I'd just set a session variable on the
> form-display page, and check the session varibale on the form-action page.

This is one way to protect against CSRF attacks, for example.

--
Mack

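
Adam's form-token idea, worked through as an added Python example (not code from this thread; ColdFusion's session and form scopes are stood in for by plain dicts, constructed for the demo): a random token is stored server-side when the form is rendered and must be echoed back by the submission. A page on another site can make the victim's browser post to the form-action page with the victim's session cookie, but it cannot read the token out of the victim's session or out of the victim's copy of the form, so the forged post fails; the token is also consumed on success, so a captured post cannot be replayed.

```python
import hmac
import secrets

# Key under which the token is kept in the (session-scope) dict.
TOKEN_KEY = "form_token"


def render_form(session):
    """Form-display page: mint a fresh token, remember it, embed it."""
    token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
    session[TOKEN_KEY] = token
    return '<input type="hidden" name="csrf" value="%s">' % token


def accept_submission(session, form):
    """Form-action page: accept only if the posted token matches the stored one.

    compare_digest runs in constant time, so an attacker cannot learn the
    token byte by byte from response timing. A session with no token (the
    form was never displayed to this user) is rejected outright.
    """
    expected = session.get(TOKEN_KEY)
    supplied = form.get("csrf", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    del session[TOKEN_KEY]                # single use: the same post cannot be replayed
    return True


def demo():
    session = {}                          # one user's session scope
    hidden = render_form(session)
    token = hidden.split('value="')[1].rstrip('">')
    return {
        # Cross-site post: the attacker has to guess the token.
        "forged_post": accept_submission(session, {"csrf": "guess"}),
        # The user's own submission carries the token from the rendered form.
        "genuine_post": accept_submission(session, {"csrf": token}),
        # The same submission sent again after the token was consumed.
        "replayed_post": accept_submission(session, {"csrf": token}),
        # A session that never rendered the form has nothing to compare against.
        "no_form_shown": accept_submission({}, {"csrf": token}),
    }


if __name__ == "__main__":
    print(demo())
```

The token is per session and per form render, never derived from REMOTE_ADDR or any HTTP_* value, which is what makes it independent of the spoofing question in this thread.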
LEGEND, Mar 11, 2009

Azadi wrote:
> from what i have read, it is pretty trivial to fake cgi.remote_addr on a
> linux system using direct socket & tcp/ip programming.

Unless the attacker is on the web server this will not work because of
the TCP handshake (the TCP connection is not fully established until the
final ACK from the client to the server - if the client spoofs its IP
address then the server will send the SYN-ACK packet to the wrong computer).

Spoofing Referer is trivial. Spoofing Remote_addr is not possible in
99.99% of the cases (one way to spoof REMOTE_ADDR is to custom build the
web server if you have access to the source - for example Apache).

--
Mack

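
The handshake argument Mack makes, as an added Python model that is not code from this thread: the server answers a SYN with a SYN-ACK carrying a random 32-bit initial sequence number, and only marks the connection established when the claimed source address sends back ISN + 1. An honest client and an attacker sitting on the path to the spoofed address both see the SYN-ACK and finish; an off-path attacker who forged the source address never sees it and can only guess. Everything here is simplified (no ports, windows, checksums or timers) and the addresses are constructed.

```python
import secrets

# Sequence numbers wrap at 2^32, as in real TCP.
SEQ_MOD = 1 << 32


class Server:
    """Server side of the handshake, reduced to the ISN check."""

    def __init__(self):
        self.pending = {}          # claimed client address -> ISN sent in SYN-ACK
        self.established = set()   # addresses whose handshake completed

    def on_syn(self, src):
        # Unpredictable ISN, as modern stacks generate. The SYN-ACK carrying
        # it is routed to src, whoever actually sent the SYN.
        isn = secrets.randbits(32)
        self.pending[src] = isn
        return ("SYN-ACK", src, isn)

    def on_ack(self, src, ack):
        # The connection counts as established only once src echoes ISN + 1.
        isn = self.pending.get(src)
        if isn is not None and ack == (isn + 1) % SEQ_MOD:
            self.established.add(src)
            del self.pending[src]
            return True
        return False


def honest_client(server, addr):
    # Owns addr, so the SYN-ACK arrives and the correct ACK can be sent.
    _, _, isn = server.on_syn(addr)
    return server.on_ack(addr, (isn + 1) % SEQ_MOD)


def off_path_spoofer(server, victim, guesses):
    # Forges victim as the source. The SYN-ACK goes to victim, not here, so
    # the ISN is unknown and every ACK is a blind 1-in-2^32 guess.
    server.on_syn(victim)
    return any(server.on_ack(victim, secrets.randbits(32)) for _ in range(guesses))


def on_path_spoofer(server, victim):
    # Can read traffic addressed to victim (same segment, or a gateway on
    # the route): it reads the ISN off the wire and completes the handshake.
    # This is the "gateway machine" case Mack allows for.
    _, _, isn = server.on_syn(victim)
    return server.on_ack(victim, (isn + 1) % SEQ_MOD)


def demo(guesses=1000):
    srv = Server()
    return {
        "honest": honest_client(srv, "198.51.100.9"),
        "off_path": off_path_spoofer(srv, "198.51.100.9", guesses),
        "on_path": on_path_spoofer(srv, "198.51.100.9"),
    }


if __name__ == "__main__":
    print(demo())
```

REMOTE_ADDR is the address the server's TCP stack recorded for an established connection, so an application that reads it is relying on exactly this check; the model also shows why the check is only as strong as the ISN is unpredictable.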
LEGEND, Mar 11, 2009

apparently, on a server running Linux/BSD it is pretty trivial to tinker
with TCP and fake remote_addr... NOT on a shared Linux server, but
dedicated Linux servers (or barebones) are a dime a dozen now, compared
to before...

(disclaimer: this is all from just browsing mailing lists'
archives/forums/blackhat wikis... not that i have any experience
myself... but i have seen a lot of posts with full perl/python scripts to
fake/spoof remote_addr on a server running Linux/BSD....)

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/

LEGEND, Mar 11, 2009

Azadi wrote:
> apparently, on a server running linux/bsd it is pretty trivial to tinker
> with tcp and fake remote_addr... NOT on a shared linux server, but
> dedicated linux servers (or barebones) are a dime a dozen now, compared
> to before...

Do you have a link ? I'm genuinely interested in this.

We might be talking about slightly different things here. You might be
able to fake remote_addr when connecting to a web server on the same
machine as the attacker. But if you're trying to connect to a remote web
server from a server running Linux/BSD you're bumping into TCP and its
3-way handshake, which means spoofing is over (unless you're a gateway
machine and you're spoofing an IP from your own network).

--
Mack

LEGEND, Mar 11, 2009

let me try and dig it up... one sec...


Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/

LEGEND, Mar 11, 2009

here's one that was still buried in my ff history... is that any good?
(i can't possibly tell now, sorry... way too many mojitos... :) )

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/

LEGEND, Mar 11, 2009

Azadi wrote:
> here's one that was still buried in my ff history... is that any good?
> (i can't possibly tell now, sorry... way too many mojitos... 🙂 )
>
Must be the mojitos, you did not post a link! ;-)

LEGEND, Mar 11, 2009

eeeeeeeeeeeeeeeeehhhhhhhhhhhhhhhhhhhhhhhhhhhhh!
must be them b*&%&^%ds!
here it is:
http://www.blackhatworld.com/blackhat-seo/black-hat-seo/34772-simple-method-fake-your-ip-address-wit...

(just checked my tap and there are 8 of them already on it...
thanks [cf] it's _MY_ bar!)


Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/

LEGEND, Mar 11, 2009

Azadi wrote:
> eeeeeeeeeeeeeeeeehhhhhhhhhhhhhhhhhhhhhhhhhhhhh!
> must be them b*&%&^%ds!
> here it is:
> http://www.blackhatworld.com/blackhat-seo/black-hat-seo/34772-simple-method-fake-your-ip-address-wit...

Well, that method sends a bogus "X-Forwarded-For" header
("HTTP_X_FORWARDED_FOR" in CF) but REMOTE_ADDR would still contain the
IP address of the computer that sent the request (it's just that some
applications choose to trust input that should not be trusted and assume
the data in X-Forwarded-For is safe).

--
Mack

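
The distinction Mack draws, as an added Python example that is not code from this thread: a client_ip() that starts from REMOTE_ADDR (set by the server from the TCP peer) and only consults X-Forwarded-For when that peer is one of the site's own proxies, walking the header right to left and stopping at the first address that is not a trusted hop. The trusted range 10.0.0.0/8, the sample requests and every address in them are constructed for the demo; the dict keys follow the CGI-scope names ColdFusion uses.

```python
import ipaddress

# Proxies the site operates itself. Only an entry appended by one of these
# says anything about who really connected. Constructed for the demo.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample requests. REMOTE_ADDR is the socket peer the web server
# accepted; HTTP_X_FORWARDED_FOR is header text any hop may have written.
SAMPLES = {
    # Direct client with a forged header: REMOTE_ADDR is not a proxy of ours,
    # so the header must be ignored entirely.
    "direct_forged": {
        "REMOTE_ADDR": "203.0.113.7",
        "HTTP_X_FORWARDED_FOR": "127.0.0.1",
    },
    # Real client behind our proxy at 10.0.0.5, which appended the peer it
    # saw (203.0.113.7). The client also sent a forged leading entry.
    "behind_proxy": {
        "REMOTE_ADDR": "10.0.0.5",
        "HTTP_X_FORWARDED_FOR": "127.0.0.1, 203.0.113.7",
    },
    # A misconfigured proxy that passes the client's header through
    # unchanged instead of appending its peer: raw client text reaches us.
    "garbage": {
        "REMOTE_ADDR": "10.0.0.5",
        "HTTP_X_FORWARDED_FOR": "' OR 1=1 --",
    },
}


def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(env):
    """Return the client address as an ipaddress object.

    Start at REMOTE_ADDR. If it is not one of our proxies, that is the
    answer and the header is untrusted noise. Otherwise walk X-Forwarded-For
    from the right (the entry our proxy appended) to the left, returning the
    first hop that is not ours; anything further left is unverifiable.
    Unparseable entries are rejected rather than passed on as an "IP".
    """
    peer = ipaddress.ip_address(env["REMOTE_ADDR"])
    if not _trusted(peer):
        return peer
    raw = env.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            raise ValueError("malformed X-Forwarded-For entry: %r" % hop)
        if not _trusted(addr):
            return addr
        peer = addr
    return peer        # every hop was one of ours: report the last proxy


def demo():
    out = {}
    for name, env in SAMPLES.items():
        try:
            out[name] = str(client_ip(env))
        except ValueError:
            out[name] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

Whatever client_ip() returns is still data that came over the network, so it goes into SQL through a bound parameter, not string concatenation; the function only decides which value deserves to be called the client's address.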
LEGEND, Mar 11, 2009

i shall investigate this when i am more sober than right now... :)
if i can dig out the link i found before i shall post it the same instant...

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/

LEGEND, Mar 11, 2009

>> the beer is flowing...

> sorry... way too many mojitos... 🙂 )

Man. I would not want to be your head tomorrow.

--
Adam

Advocate, Mar 11, 2009

Funny. One of the posts in that thread states:
"There are some CGI-exploits that can spoof $_SERVER['REMOTE_ADDR'] but only for coldfusion, and coldfusion isn't that popular [used, preferred] on the majority of the internet websites."

which is exactly what we're discussing here. Outside of doing packet-level spoofing (very non-trivial, and whoever was doing the spoofing would _have_ to be able to get the response in order to complete the handshake, which means he'd have something on at least the same subnet as the IP he was spoofing), or having a different web server front-end your coldfusion server (in which case you have bigger problems), or the hacker having access to your server (again, in which case you have bigger problems), I don't see a way to spoof CGI.REMOTE_ADDR. As has already been said, any HTTP_xxxx values are suspect and very trivial to spoof.

Enthusiast, Mar 11, 2009

Wow, just sat down to read this thread, it's going to take me a while to get my head round all this.

Thanks very much so far 🙂
