Php code-auditing3
- 1. ©2009 Justin C. Klein Keane
PHP Code Auditing
Session 3 – Tools of the Trade & Crafting Malicious Input
Justin C. Klein Keane
jukeane@sas.upenn.edu
- 2.
Setting Up Environment
Install VMware Workstation or Player
− Fusion on the Mac
Download the target host
Unzip the host files, then start the host in VMware
- 3.
Get VMWare Image Running
If prompted, say you moved the image
- 4.
CentOS Image Booting
Once the image boots, log in with root/password
- 5.
Find the IP Address
Get the IP address of the virtual machine using
# /sbin/ifconfig eth0
- 11.
Troubleshooting
If you get a blank screen, check the web server and MySQL server:
− # service httpd status
− # service mysqld status
If you need to start services use:
− # /etc/rc.d/init.d/httpd restart
− # /etc/rc.d/init.d/mysqld restart
- 12.
Troubleshooting Cont.
Check the log files:
− # tail /var/log/httpd/error_log
- 13.
Install Eclipse PDT
Download PDT all in one from
http://www.eclipse.org/pdt/
Alternatively install Eclipse from
http://www.eclipse.org/downloads/
− Be sure to download “Eclipse IDE for Java Developers”
- 14.
Install PDT if Necessary
Use instructions at
− http://wiki.eclipse.org/PDT/Installation
Some platforms, such as Fedora, may have packages for PHP development; these may be more stable than a manual install of PDT
- 15.
Install RSE
Install the Remote System Explorer tools
Help -> Software Updates
Click the “Add Site” button
Enter the URL
− http://download.eclipse.org/dsdp/tm/downloads/
Select Remote System Explorer Core, Remote System Explorer End-User Runtime, Remote System Explorer Extender SDK, and RSE SSH Service
- 16.
Install the RSE Components
Click “Install”
- 17.
Open Eclipse
Open Eclipse
Default “perspective” is dull and doesn't suit our purposes
Click Window -> Show View -> Remote System
In the new window right click and select “new connection”
- 18.
Add New Connection
Select “SSH Only”, click Next
- 19.
Connection Details
Fill in VMWare host information, click Finish
- 20.
Connect to Remote Host
Click the down arrow for the host, then “Sftp Files”, then “Root”, and enter credentials
- 23.
Testing the Injection
First we'll try the injection using manual methods
Next we'll use some tools to help us out
Sometimes manual testing may be impossible
- 25.
Using Tamper Data
To start the Firefox Tamper Data plugin, select
− Tools -> Tamper Data
Click “Start Tamper” in the upper left
Fill in your test values again and submit
When prompted, click “Tamper”
- 27.
Tamper
Fill in new values for Post Parameters
Note that you can also tamper with Cookies and Referer data
Click “OK” when you're happy with your values
- 29.
Checking Cookies
You can also view cookies using the Web Developer plugin
− select Cookies -> View Cookie Information
- 31.
View Source
View -> Source in Firefox
Look for comments, JavaScript and the like
Sometimes the source will reveal information you may have missed
- 33.
Paros
Download Paros from
http://www.parosproxy.org
Paros is Java based, so if Eclipse can run on your machine, so can Paros
Paros is a proxy, so it captures requests from your web browser to a server and responses from the server back to your browser
You can use it to alter your requests quite easily
- 35.
Configure Firefox
You need to configure Firefox to use Paros as a proxy
− Choose Edit -> Preferences, then Advanced -> Network -> Settings
- 37.
Create Request
Once Firefox is configured to use Paros, browse through the site normally
Note how Paros records all your interactions
Try submitting the login form
Note that Paros records GET and POST requests
- 40.
Alter Requests
To alter a request, click on it in the bottom window
Next right click and select “Resend”
This opens a new window where you can alter any of the sent requests
Change any data and click the “Send” button
- 43.
Bypassing the Login
In our manual code analysis we found a SQL injection vulnerability in the login form
A JavaScript check prevents easy manual testing
We could disable JavaScript or use Paros or Tamper Data to alter the data we're submitting for the login form
First let's examine the query
- 44.
Our Target
    // Both POST parameters are concatenated straight into the SQL text,
    // so a single quote in either one ends the literal and changes the query
    $sql = "select user_id from user
            where user_username = '" . $_POST['username'] . "'
            AND user_password = md5('" . $_POST['password'] . "')";
- 45.
Target SQL
select user_id from user
where
user_username = 'somename'
and
user_password = md5('somepass');
- 46.
Possible Permutation
select user_id from user
where
user_username = 'somename'
or 1='1'
and
user_password = md5('somepass');
What is the proper input to create this statement?
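To make the difference between the target query and a fixed version concrete, here is an added example (not code from the slides or the sample application) that runs the slide's concatenated query beside a PDO prepared statement against an in-memory SQLite database. The table and column names (user, user_id, user_username, user_password) come from the query on slide 44; the account data, the function names, and the use of pdo_sqlite are assumptions made for the example. Because SQLite has no md5() function and does not treat the literal comparison 1='1' as true the way MySQL does, the example registers PHP's md5() for SQLite and writes the slide's permutation as '1'='1'.

```php
<?php
// Added example, not code from the slides: the login query built the way
// slide 44 shows it, next to a parameterized version, both executed against
// an in-memory SQLite database through PDO (pdo_sqlite assumed available).
// Table/column names come from the slide; the account data is constructed.

function setUpDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // SQLite has no md5() of its own; expose PHP's md5() so the slide's
    // query runs unchanged. MySQL, the database on the course VM, has it built in.
    $pdo->sqliteCreateFunction('md5', 'md5', 1);
    $pdo->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY,
                                   user_username TEXT NOT NULL,
                                   user_password TEXT NOT NULL)');
    $insert = $pdo->prepare('INSERT INTO user (user_username, user_password)
                             VALUES (?, ?)');
    // Constructed account. md5 storage only mirrors the slide's schema;
    // a real application should store password_hash() output instead.
    $insert->execute(['somename', md5('somepass')]);
    return $pdo;
}

// The slide's code: user input concatenated straight into the SQL text.
function loginVulnerable(PDO $pdo, string $username, string $password): ?int
{
    $sql = "select user_id from user
            where user_username = '" . $username . "'
            AND user_password = md5('" . $password . "')";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['user_id'] : null;
}

// The fix: the SQL text is fixed at prepare time and the inputs travel as
// bound parameters, so a quote inside the username is just another character.
function loginFixed(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('select user_id from user
                           where user_username = ?
                           AND user_password = md5(?)');
    $stmt->execute([$username, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['user_id'] : null;
}

$pdo = setUpDatabase();

// A legitimate login, through both versions of the query.
printf("legitimate login, concatenated query: %s\n",
       var_export(loginVulnerable($pdo, 'somename', 'somepass'), true));
printf("legitimate login, prepared statement:  %s\n",
       var_export(loginFixed($pdo, 'somename', 'somepass'), true));

// The permutation from slide 46 supplied as the username, with a wrong
// password. Written with '1'='1' because SQLite compares the literals
// 1 and '1' strictly, unlike MySQL.
$tampered = "somename' or '1'='1";
printf("tampered username, concatenated query: %s\n",
       var_export(loginVulnerable($pdo, $tampered, 'wrongpass'), true));
printf("tampered username, prepared statement:  %s\n",
       var_export(loginFixed($pdo, $tampered, 'wrongpass'), true));
```

Run it with `php login_demo.php` (any file name). The legitimate login returns the constructed account's user_id from both functions. With the tampered username, the concatenated query still returns that user_id even though the password is wrong, because the OR clause lands in the WHERE text exactly as slide 46 shows, while the prepared statement returns NULL: the whole string is compared against user_username as data and matches no account. During an audit, the pattern to flag is any `$_POST`/`$_GET` value that reaches a query string through concatenation or interpolation; the fix is the same binding shown in loginFixed().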
- 50.
Chained Exploits
Note that the exploitation of the authentication leads to access to new, potentially exploitable functionality
Authentication leads to cookie granting
Admin functions are often “trusted”
- 51.
Steps to Remember
Look for vulnerabilities
− In the source code
− In the functional front end
Test your exploits in the “friendliest” environment possible
Use tools to recreate attacks in the live environment.
- 52.
For Next Time
- Install Paros Proxy
- Install Firefox and the Tamper Data and Web Developer plug-ins
- Download and install the sample SQL injection application on your VM
- Identify at least 4 SQL injection vulnerabilities
- Develop exploits for each vulnerability
- Develop fixes for each vulnerability