Web framework’leri yani web uygulama çatıları günümüz web teknolojisinin en önemli yapı taşlarından bir tanesidir. Yapısında bir çok farklı özelliği barındıran ve web uygulamalarının temeli olan framework'lerin güvenliği son derece önem teşkil eder. Drupal, WordPress, Symfony veya CodeIgniter gibi çok kullanılan açık kaynak sistemlerde tespit edilecek bir güvenlik açığı birbirinden bağımsız onlarca projeyi, kurumu ve sistemi etki alanı içine alır. Bu sunum içeriğinde popüler frameworklerde oluşan zafiyetlerin detaylı analizi ve en sık karşılaşılan yanlış kullanımlar uygulamalı örnekler ile anlatılacaktır.

1. InvictusEurope © 2016
Breaking
The
Framework’s Core
Mehmet INCE

2. WHO AM I
Ince, Mehmet Dursun
Senior Penetration Tester, Co-founder / Invictus Europe
Ordinarily;
● Hack the app.
● Make it secure.
● Hack it again.
● Train the developers, help them to build secure apps.
Blogger
http://www.mehmetince.net
@mdisec

3. Web
Application
Framework
A web application
framework (WAF) is a
software framework that
is designed to support the
development of dynamic
websites, web
applications, web services
and web resources.

4. InvictusEurope © 2016
Components
● ORM.
● MVC or MVT Architecture
● DRY => (Don't Repeat Yourself)
● Template engine.
● Out of the box customizable Admin
Interface for CRUD operations.
● Built-in lightweight web server.
● URL design.
● Middleware.
● Authentication / Authorization
schema by default.
● Internationalization.
● Fast development.

5. InvictusEurope © 2016

6. InvictusEurope © 2016
One ring to rule them all
One ring to bring them
all and in the darkness
bind them.

7. InvictusEurope © 2016

8. InvictusEurope © 2016
Where should we look at ?
Encryption, Utils, ORM, Template Engine, Auth Mechanism, ...

9. InvictusEurope © 2016
Example #1 - Drupal SQL Injection ORM

10. InvictusEurope © 2016
Example #1 - Drupal SQL Injection ORM
User input is array E.g : ids[]=1&ids[]=2&ids[]=3

11. InvictusEurope © 2016
Example #1 - Drupal SQL Injection ORM
User input is array E.g : ids[0); DROP TABLE foo; --]=1&ids[]=2

12. InvictusEurope © 2016
MySQL prepared statements are
limited to a single stacked query.
But ?!

13. InvictusEurope © 2016
Mitigation?

14. InvictusEurope © 2016
Fix

15. InvictusEurope © 2016
serialize() ?
unserialize() ?

16. Object
Serialization
serialize() returns a string
containing a byte-stream
representation of any
value that can be stored in
PHP.
Using serialize to save an
object will save all
variables in an object. The
methods in an object will
not be saved, only the
name of the class.

17. Object
Deserialization
unserialize() can use this
string to recreate the
original variable values.
If the variable being
unserialized is an object,
after successfully
reconstructing the object
PHP will automatically
attempt to call the
__wakeup() member
function (if it exists).

18. InvictusEurope © 2016
Code Reuse / POP Attacks
1. Payload is not injected into the application.
2. Instead the application, code flow will be hijacked.
3. Pieces of already available code will be executed in an
attacker defined order.

19. Proof of
Concept
First picture shows Object.
php that contains all the
classes.
Second picture shows
Index.php which is the
beginning of our poc
application.

20. PAYLOAD

21. InvictusEurope © 2016

22. InvictusEurope © 2016
Example #2 - vBulletin Remote Code
Execution via PHP Object Injection
vBulletin 5.1.x
core/vb/api/hook.php
Also above function is callable from unauthenticated user through;
ajax/api/hook/decodeArguments?arguments=PAYLOAD

23. InvictusEurope © 2016
OKAY! We have an entry
point. What we gonna do ?
1 - Identify start point.
2- Find desirable end point.
3 - Make it rain!

24. InvictusEurope © 2016
1 - Find __destruct functions. 2 - This one can cause DoS but still useless.
(vB_vURL class located at core/vb/vurl.php)
3 - This one is interesting (vB_dB_Result
class located at core/vb/db/result.php )
Now, we need to find a class that have
free_result() as a function…!

25. InvictusEurope © 2016
Example #2 - Luck
Luckly! one class has this function..! vB_Database class located at core/vb/database.php

26. PAYLOAD

27. InvictusEurope © 2016

28. Moar! Complicated
Object chaining

29. InvictusEurope © 2016
preg_replace!

30. InvictusEurope © 2016
Find Desirable End point

31. InvictusEurope © 2016
Zend 1.9 POP Attack Diagram

32. InvictusEurope © 2016
Result
- PHP Object Injection “usually” easy to detect,
- Not easy to exploit.
- Do NOT use serialize() / unserialize() with untrusted
inputs.
- Instead use json_encode and json_decode
- Keep up to date! Your framework and components
-

33. InvictusEurope © 2016
Abusing PHP Template
Engines
Twig, Smarty, ….

34. InvictusEurope © 2016
Twig

35. InvictusEurope © 2016
Input as a Template Code

36. InvictusEurope © 2016
Don’t be fool..! It’s not an XSS.
Server-Side Template Injection seems like a XSS but it’s NOT. It’s more dangerous...

37. InvictusEurope © 2016
RTFM

38. Moar! RFTM
We are able to access env
class through self object
on templates, so we can
call functions of
Twig_Environment class.

39. InvictusEurope © 2016
PoC

40. InvictusEurope © 2016
Security is a
serious
business.

41. InvictusEurope © 2016
Final Words
- Before development,
- Risk assessments.
- Architecture security overview.
- SDLC ..?
- Development phase,
- Every single data is under the
hacker control.
- Validate input as much as
possible
- Never ever forget to do
“encoding” in templates.
-
- Deployment phase,
- Secure deployment pipeline ..?
- Maintenance,
- UPDATE your servers, services,
packages, everything you have.
Just keep UPDATING.
- 3rd parties bug tracker.
- During your life,
- RTFM

42. THANK YOU
Ince, Mehmet Dursun
Senior Penetration Tester, Co-founder / Invictus Europe
@mdisec
mehmet.ince@invictuseurope.com
mehmet@mehmetince.net
http://www.mehmetince.net