©2009 Justin C. Klein Keane
PHP Code Auditing
Session 3 – Tools of the Trade & Crafting Malicious Input
Justin C. Klein [email protected]
Setting Up Environment
Install VMWare Workstation or Player
− Fusion on the Mac
Download the target host
Unzip the host files, then start the host in VMWare
Get VMWare Image Running
If prompted, say you moved the image
CentOS Image Booting
Once image boots log in with root/password
Find the IP Address
Get the IP address of the virtual machine using
− # /sbin/ifconfig eth0
Ensure Apache is Running
Upload the Exercise
Extract the Exercise
Install the Database
Check the Application
Troubleshooting
If you get a blank screen, check the web server and MySQL server:
− # service httpd status
− # service mysqld status
If you need to start services use:
− # /etc/rc.d/init.d/httpd restart
− # /etc/rc.d/init.d/mysqld restart
Troubleshooting Cont.
Check the log files:
− # tail /var/log/httpd/error_log
Install Eclipse PDT
Download PDT all in one from http://www.eclipse.org/pdt/
Alternatively install Eclipse from http://www.eclipse.org/downloads/
− Be sure to download “Eclipse IDE for Java Developers”
Install PDT if Necessary
Use instructions at
− http://wiki.eclipse.org/PDT/Installation
Some platforms, such as Fedora, may have packages for PHP development; these may be more stable than a manual install of PDT
Install RSE
Install the Remote System Explorer tools
Help -> Software Updates
Click the “Add Site” button
Enter the URL
− http://download.eclipse.org/dsdp/tm/downloads/
Select Remote System Explorer Core, Remote System Explorer End-User Runtime, Remote System Explorer Extender SDK, and RSE SSH Service
Install the RSE Components
Click “Install”
Open Eclipse
Open Eclipse
Default “perspective” is dull and doesn't suit our purposes
Click Window -> Show View -> Remote System
In the new window right click and select “new connection”
Add New Connection
Select “SSH Only”, click Next
Connection Details
Fill in VMWare host information, click Finish
Connect to Remote Host
Click the down arrow for the host, then “Sftp Files” then “Root” and enter credentials
View Source
Look for Potential SQL Injection
Testing the Injection
First we'll try the injection using manual methods
Next we'll use some tools to help us out
Sometimes manual testing may be impossible
Manual Testing
Using Tamper Data
To start the Firefox Tamper Data plugin select
− Tools -> Tamper Data
Click “Start Tamper” in the upper left
Fill in your test values again and submit
When prompted click “Tamper”
That's Interesting
Tamper
Fill in new values for Post Parameters
Note that you can also tamper with Cookies and Referer Data
Click “OK” when you're happy with your values
That's More Like It
Checking Cookies
You can also view cookies using the Web Developer Plugin
− select Cookies -> View Cookie Information
Using Web Developer
View Source
View -> Source in Firefox
Look for comments, JavaScript and the like
Sometimes source will reveal information you may have missed
JavaScript in Source
Paros
Download Paros from http://www.parosproxy.org
Paros is Java based, so if Eclipse can run on your machine, so can Paros
Paros is a proxy, so it captures requests from your web browser to a server and responses from the server back to your browser
You can use it to alter your requests quite easily
Start Up Paros
Configure Firefox
You need to configure Firefox to use Paros as a proxy
− Choose Edit -> Preferences, then Advanced -> Network -> Settings
Configure Settings
Create Request
Once Firefox is configured to utilize Paros browse through the site normally
Note how Paros records all your interactions
Try submitting the login form
Note that Paros records GET and POST requests
Paros in Action
Paros Records Details
Alter Requests
To alter a request click on it in the bottom window
Next right click and select “Resend”
This opens a new window where you can alter any of the sent requests
Change any data and click the “Send” button
Paros Resend
Response is Raw
Bypassing the Login
In our manual code analysis we found a SQL injection vulnerability in the login form
A JavaScript check prevents easy manual testing
We could disable JavaScript or use Paros or Tamper Data to alter the data we're submitting for the login form
First let's examine the query
Our Target
$sql = "select user_id from user where user_username = '" . $_POST['username'] . "' AND user_password = md5('" . $_POST['password'] . "')";
Target SQL
select user_id from user
where user_username = 'somename'
and user_password = md5('somepass');
Possible Permutation
select user_id from user
where user_username = 'somename'
or 1='1'
and user_password = md5('somepass');
What is the proper input to create this statement?
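As an added example that is not part of the slides, here is the query from the “Our Target” slide built the vulnerable way beside a prepared-statement fix. It runs against an in-memory SQLite database standing in for the course's MySQL database (a constructed fixture with one user row), registers PHP's md5 so the slide's md5() call works, and uses the constructed username o'brien to show that any quote in the input changes the statement the database sees.

```php
<?php
// Added example, not from the slides: the login query built two ways.
// build_vulnerable_query() mirrors the slide; find_user_safe() is the fix.

function build_vulnerable_query(array $post): string {
    // Untrusted POST values are spliced straight into the SQL text.
    return "select user_id from user where user_username = '" . $post['username']
         . "' AND user_password = md5('" . $post['password'] . "')";
}

function find_user_safe(PDO $pdo, array $post): ?int {
    // Values are bound as parameters, so a quote in the input is data,
    // never SQL. The md5() password scheme is kept as on the slide.
    $stmt = $pdo->prepare(
        'SELECT user_id FROM user WHERE user_username = :u AND user_password = md5(:p)'
    );
    $stmt->execute([':u' => $post['username'], ':p' => $post['password']]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Constructed fixture: SQLite has no md5(), so register PHP's md5 under that name.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->sqliteCreateFunction('md5', 'md5', 1);
$pdo->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_username TEXT, user_password TEXT)');
$pdo->exec("INSERT INTO user VALUES (7, 'o''brien', '" . md5('secret') . "')");

// Constructed input: a legitimate username containing an apostrophe.
$input = ['username' => "o'brien", 'password' => 'secret'];

// Safe path: the apostrophe is handled as data and the real user is found.
var_dump(find_user_safe($pdo, $input));

// Vulnerable path: the apostrophe closes the string literal early, so the
// statement that reaches the database is not the one the developer wrote.
echo build_vulnerable_query($input), PHP_EOL;
try {
    $pdo->query(build_vulnerable_query($input))->fetchColumn();
} catch (PDOException $e) {
    echo 'Vulnerable query failed: ', $e->getMessage(), PHP_EOL;
}
```

The same loss of control over the statement's structure is what the permutation on the previous slide relies on; the prepared statement closes it regardless of what the input contains.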
Testing Your SQL
Bypassing Login with SQL Injection
We're In!
Chained Exploits
Note that the exploitation of the authentication leads to access to new, potentially exploitable functionality
− Authentication leads to cookie granting
− Admin functions are often “trusted”
Steps to Remember
Look for vulnerabilities
− In the source code
− In the functional front end
Test your exploits in the “friendliest” environment possible
Use tools to recreate attacks in the live environment
For Next Time
- Install Paros Proxy
- Install Firefox and the Tamper Data and Web Developer plug-ins
- Download and install the sample SQL injection application on your VM
- Identify at least 4 SQL injection vulnerabilities
- Develop exploits for each vulnerability
- Develop fixes for each vulnerability