Php code-auditing3

©2009 Justin C. Klein Keane
PHP Code Auditing
Session 3 – Tools of the Trade & Crafting
Malicious Input
Justin C. Klein Keane
jukeane@sas.upenn.edu

Setting Up Environment

Install VMWare workstation, or player
− Fusion on the Mac

Download the target host

Unzip the host files then start the host in
VMWare

Get VMWare Image Running

If prompted, say you moved the image

CentOS Image Booting

Once image boots log in with root/password

Find the IP Address

Get the IP address of the virtual machine using
# /sbin/ifconfig eth0

Ensure Apache is Running

Upload the Exercise

Extract the Exercise

Install the Database

Check the Application

Troubleshooting

If you get a blank screen, check the web server
and MySQL server:
− # service httpd status
− # service mysqld status

If you need to start services use:
− # /etc/rc.d/init.d/httpd restart
− # /etc/rc.d/init.d/mysqld restart

Troubleshooting Cont.

Check the log files:
− # tail /var/log/httpd/error_log

Install Eclipse PDT

Download PDT all in one from
http://www.eclipse.org/pdt/

Alternatively install Eclipse from
http://www.eclipse.org/downloads/
− Be sure to download “Eclipse IDE for Java
Developers”

Install PDT if Necessary

Use instructions at
− http://wiki.eclipse.org/PDT/Installation

Some platforms, such as Fedora, may have
packages for PHP development, these may be
more stable than a manual install of PDT

Install RSE

Install the Remote System Explorer tools

Help -> Software Updates

Click the “Add Site” button

Enter the URL
− http://download.eclipse.org/dsdp/tm/download
s/

Select Remote System Explorer Core, Remote
System Explorer End-User Runtime, Remote
System Explorer Extender SDK, and RSE SSH
Service

Install the RSE Components

Click “Install”

Open Eclipse

Open Eclipse

Default “perspective” is dull and doesn't suit our
purposes

Click Window -> Show View -> Remote System

In the new window right click and select “new
connection”

Add New Connection

Select “SSH Only”, click Next

Connection Details

Fill in VMWare host information, click Finish

Connect to Remote Host

Click the down arrow for the host, then “Sftp
Files” then “Root” and enter credentials

View Source

Look for Potential SQL Injection

Testing the Injection

First we'll try the injection using manual
methods

Next we'll use some tools to help us out

Sometimes manual testing may be impossible

Manual Testing

Using Tamper Data

To start Firefox Tamper Data plugin select
− Tools -> Tamper Data

Click “Start Tamper” in the upper left

Fill in your test values again and submit

When prompted click “Tamper”

That's Interesting

Tamper

Fill in new values for Post Parameters

Note that you can also tamper with Cookies
and Referer Data

Click “OK” when you're happy with your values

That's More Like It

Checking Cookies

You can also view cookies using the Web
Developer Plugin
− select Cookies -> View Cookie Information

Using Web Developer

View Source

View -> Source in Firefox

Look for comments, JavaScript and the like

Sometimes source will reveal information you
may have missed

JavaScript in Source

Paros

Download Paros from
http://www.parosproxy.org

Paros is Java based, so if Eclipse can run on
your machine, so can Paros

Paros is a proxy, so it captures requests from
your web browser to a server and responses
from the server back to your browser

You can use it to alter your requests quite
easily

Start Up Paros

Configure Firefox

You need to configure Firefox to use Paros as a
proxy
− Choose Edit -> Preferences, then Advanced
-> Network -> Settings

Configure Settings

Create Request

Once Firefox is configured to utilize Paros
browse through the site normally

Note how Paros records all your interactions

Try submitting the login form

Note that Paros records GET and POST
requests

Paros in Action

Paros Records Details

Alter Requests

To alter a request click on it in the bottom
window

Next right click and select “Resend”

This opens a new window where you can alter
any of the send requests

Change any data and click the “Send” button

Paros Resend

Response is Raw

Bypassing the Login

In our manual code analysis we found a SQL
injection vulnerability in the login form

A JavaScript check prevents easy manual
testing

We could disable JavaScript or use Paros or
Tamper Data to alter the data we're submitting
for the login form

First let's examine the query

Our Target
$sql = "select user_id from user
where user_username = '" .
$_POST['username'] . "'
AND user_password = md5('" .
$_POST['password'] . "')";

Target SQL
select user_id from user
where
user_username = 'somename'
and
user_password = md5('somepass');

Possible Permutation
select user_id from user
where
user_username = 'somename'
or 1='1'
and
user_password = md5('somepass');

What is the proper input to create this
statement?

Testing Your SQL

Bypassing Login
with SQL Injection

We're In!

Chained Exploits

Note that the exploitation of the authentication
leads to access to new, potentially exploitable
functionality

Authentication leads to cookie granting

Admin functions are often “trusted”

Steps to Remember

Look for vulnerabilities
− In the source code
− In the functional front end

Test your exploits in the “friendliest”
environment possible

Use tools to recreate attacks in the live
environment.

For Next Time
-Install Paros Proxy
-Install Firefox and the Tamper Data and Web
Developer plug ins
-Download and install the sample SQL injection
application on your VM
-Identify at least 4 SQL injection vulnerabilities
-Develop exploits for each vulnerability
-Develop fixes for each vulnerability

Php code-auditing3

Recommended

Recommended

More Related Content

What's hot

What's hot (15)

Viewers also liked

Viewers also liked (11)

Similar to Php code-auditing3

Similar to Php code-auditing3 (20)

Php code-auditing3