Code Injection, File Vulnerabilities and Auth Bypass
Directory traversal
Writing arbitrary files
include()
include_once()
require()
require_once()
The difference is that require() will die (with a fatal E_ERROR) if the specified file is not found.
The _once variants will not re-include a file that has already been included.
Copyright Justin C. Klein Keane
When PHP includes a file it parses any PHP code within that file.
Anything not delimited with the PHP tags (<?php and ?>) is treated as plain text, and plain text is simply rendered inline.
Typical Include
<?php include_once('inc/'.$_GET['action']); ?>
If a user supplies ../../../../../../../etc/passwd as the 'action' URL variable, that file will be rendered during page display!
Some programmers append a file extension in an attempt to limit includes of files like /etc/passwd:
<?php include('inc/'.$_GET['action'].'.php'); ?>
Caveats of C
C doesn't have a string type. Instead, strings are null-terminated character arrays:
char foo[4];   /* three characters plus the terminating null */
int main(void) {
    foo[0] = 'B';
    foo[1] = 'A';
    foo[2] = 'R';
    foo[3] = '\0';   /* the terminator marks the end of the string */
    return 0;
}
Without the null at the end the string would have no end: when printing a string, C reads from the start until it reaches the null character.
Because PHP is written in C, a null character in the input triggers this C behaviour and defeats the prior example.
If the user passes in:
action=../../../../../../etc/passwd%00
PHP terminates the string at the null byte (and ignores the appended '.php'), so /etc/passwd is included.
Most PHP programmers are unaware of this!
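A hardened version of the include pattern above, added here as an example (this is not code from the original slides). It assumes the include files live in inc/ beside the script and are named <action>.php; the allowlist entries are placeholders. Current PHP releases already refuse paths that contain a null byte, but the check below does not depend on that.

```php
<?php
// Added example, not from the original slides: resolve the 'action' URL
// variable to an include file without ever treating it as a path. Assumes
// the include files live in inc/ beside this script and are named <action>.php.

define('INC_DIR', __DIR__ . '/inc');

// The only pages that may be included; any other value is rejected outright.
$allowed_actions = array('home', 'login', 'profile');   // placeholder names

function resolve_include($action, array $allowed)
{
    // Accept plain identifiers only. This rejects "../", absolute paths and an
    // embedded null byte (%00) before the value ever reaches the filesystem.
    if (!is_string($action) || !preg_match('/^[a-z0-9_]+\z/', $action)) {
        return null;
    }
    // Allowlist by exact name (strict comparison), not by pattern alone.
    if (!in_array($action, $allowed, true)) {
        return null;
    }
    $base = realpath(INC_DIR);
    $path = realpath(INC_DIR . '/' . $action . '.php');
    // realpath() returns false for a missing file and resolves symlinks and
    // ".." components, so confirm the result still sits inside INC_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$action = isset($_GET['action']) ? $_GET['action'] : 'home';
$file = resolve_include($action, $allowed_actions);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include_once $file;
```

Each inc/*.php file can additionally refuse direct requests by checking for a constant that only the main script defines.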
Often include files are meant to be included, not requested directly.
Include files live on the filesystem, so they can be requested on their own.
They may contain vulnerabilities when called directly, as variables they expect could be undefined or arbitrarily defined.
Especially dangerous when register_globals is on!
Example
Main file:
<?php $style_dir='images/'; include_once('header.php'); [...]
Include file:
<html>
<head>
<title>Foo Site</title>
<style type="text/css">
@import url(<?php echo $style_dir; ?>style.css);
</style>
</head>
<body>
Rather than specifying a local resource, an attacker could specify a remote file for inclusion if allow_url_fopen is On.
The remote file must be served as plain text rather than compiled PHP: the text is pulled in for inclusion and the local PHP interpreter then executes it, rendering the PHP locally.
Attackers can use includes to bypass direct-access restrictions such as those in .htaccess.
Attackers can include Apache files like .htpasswd or .htaccess, which are included as plain text, exposing their contents.
Attackers can subvert program flow by calling files that are normally not included.
Attackers can include files readable by Apache, such as files in /tmp, which may contain sensitive data (like session data or malicious uploads).
Writing Files
if (move_uploaded_file($_FILES['form_filename']['tmp_name'], $target)) {
    echo $filename . " has been uploaded";
} else {
    echo "Error uploading file!";
}
The programmer may assume only image files are being uploaded, but this isn't enforced. Simply checking $_FILES['upload_file']['type'] is insufficient since this is a browser-provided parameter.
Attacker uploads a PHP file which contains a backdoor or exposes other system files
Attacker uploads a .htaccess file, overwriting Apache rules
Attacker overwrites existing files to insert a backdoor
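An upload handler that actually enforces the image assumption, added here as an example (not the slides' code). It assumes the form field is named upload_file, a PHP 7 or later runtime for random_bytes(), and an UPLOAD_DIR outside the document root; the directory path is a placeholder.

```php
<?php
// Added example, not from the original slides: accept an image upload without
// trusting the browser-supplied name or MIME type. Assumes the form field is
// 'upload_file' and that UPLOAD_DIR is not served by Apache (placeholder path).

define('UPLOAD_DIR', '/var/www/uploads_private');

// Accepted image signatures (magic bytes) and the extension the server assigns.
$signatures = array(
    "\xFF\xD8\xFF"      => 'jpg',
    "\x89PNG\r\n\x1a\n" => 'png',
    "GIF87a"            => 'gif',
    "GIF89a"            => 'gif',
);

function detect_image_ext($tmp_path, array $signatures)
{
    $head = file_get_contents($tmp_path, false, null, 0, 16);
    if ($head === false) {
        return null;
    }
    foreach ($signatures as $magic => $ext) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return $ext;
        }
    }
    return null;   // not one of the accepted image formats
}

function store_upload(array $file, array $signatures)
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Decide the type from file content, never from $file['type'] or $file['name'].
    $ext = detect_image_ext($file['tmp_name'], $signatures);
    if ($ext === null) {
        return null;
    }
    // Server-chosen random name: the client cannot pick ".php" or ".htaccess".
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name) ? $name : null;
}

if (isset($_FILES['upload_file'])) {
    $stored = store_upload($_FILES['upload_file'], $signatures);
    echo $stored === null ? 'Upload rejected' : 'Stored as ' . htmlspecialchars($stored);
}
```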
fwrite()
The fwrite() function is a built-in function that lets the web server process write to file handles.
Often used in installers to write config files.
http://us3.php.net/manual/en/function.fwrite.php
Command Injection
The attacker injects malicious input that is then passed to functions that execute shell commands based on that input.
Typical Example
<?php if (isset($_GET['file'])) { system('rm ' . $_GET['file'] . '.php'); } ?>
The developer hopes to delete a specific PHP file, but the intent of the command is easily bypassed.
Injection Strategies
Shell commands are delimited by a semicolon, so multiple commands can be chained together.
The pound or hash (#) symbol denotes the beginning of a comment on the shell; any text following it will be ignored.
Strategies similar to SQL injection can be utilized.
Functions to Watch
Luckily, the list of functions which execute via a shell is somewhat limited:
system() - executes the command and returns the output
exec() - executes the command and can populate PHP variables with the output and return value
passthru() - executes the command but only returns the return status
Backtick operators
shell_exec()
Pipe Operations
PHP has functions that can open a pipe to a process, so input and output can be directed to it:
proc_open()
Command Sanitization
PHP has two functions that can be used to scrub input before passing it to a command:
escapeshellarg() - adds quotes around the string and escapes any internal quotes
escapeshellcmd() - escapes all special characters that could be used to interrupt or override execution flow
Note that you should still strive to sanitize down to known-good commands.
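Two safe replacements for the "rm <file>.php" handler shown under Typical Example, added here as an example (not code from the original slides): one keeps the shell but allowlists the name and applies escapeshellarg(), the other drops the shell entirely. FILES_DIR is an assumed location.

```php
<?php
// Added example, not from the original slides: safe versions of the
// "rm <file>.php" handler. Assumes deletable files live in FILES_DIR (placeholder).

define('FILES_DIR', '/var/www/app/data');

// Allowlist the name first: a bare identifier cannot carry ";", "#", "|",
// "$", whitespace or "../", so nothing the shell would interpret gets through.
function valid_file_name($file)
{
    return is_string($file) && preg_match('/^[A-Za-z0-9_-]+\z/', $file) === 1;
}

// If a shell must be used, wrap the one argument with escapeshellarg(), which
// yields rm '/var/www/app/data/report.php': the quotes make the value a single word.
function delete_via_shell($file)
{
    if (!valid_file_name($file)) {
        return false;
    }
    $path = FILES_DIR . '/' . $file . '.php';
    system('rm ' . escapeshellarg($path), $status);
    return $status === 0;
}

// Preferred: no shell at all. unlink() takes the path as plain data, so there
// is nothing for a shell to reinterpret.
function delete_native($file)
{
    if (!valid_file_name($file)) {
        return false;
    }
    $path = FILES_DIR . '/' . $file . '.php';
    return is_file($path) && unlink($path);
}

if (isset($_GET['file'])) {
    echo delete_native($_GET['file']) ? 'deleted' : 'refused';
}
```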
This is certainly not the first place you would look to find command execution!
Mitigation
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
disable_functions = exec, system, passthru, eval
This won't completely cut off avenues of attack, but it can limit the programmer's power to introduce vulnerabilities. Note that eval is a language construct rather than a function, so listing it in disable_functions has no effect.
Auth Bypass
Authentication bypass is a vulnerability that allows an attacker to gain access to functionality without providing valid credentials.
Attackers may seek to steal an authenticated user's session.
It may also be possible to initiate a privileged session without credentials.
Some functionality may not require a session at all.
Session Handling
PHP tracks session data via a PHPSESSID cookie by default (the name is defined in php.ini).
Session Cookies
Difficult to predict/guess
However, session data is stored on the filesystem; the location is determined by settings in /etc/php.ini:
session.save_path = "/var/lib/php/session"
; Whether to use cookies.
session.use_cookies = 1
; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 0.
; session.use_only_cookies = 1
; Name of the session (used as cookie name).
session.name = PHPSESSID
; Initialize session on request startup.
session.auto_start = 0
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0
; The path for which the cookie is valid.
session.cookie_path = /
; The domain for which the cookie is valid.
session.cookie_domain =
phpinfo() Disclosure
If an attacker can leverage the web app to list the session directory, they can modify their own cookie to carry a listed session ID. The cookie isn't tied to an IP address, so the cookie holder automatically gains session access.
The cookie can also be stolen from the end user.
Logical Flaws
Limited Authentication
Brute Force
Logout Failure
Applications that don't properly end sessions can leave them open to exploitation.
Kiosks and other public terminals are prime offenders in these circumstances.
Unencrypted Authentication
MITM attacks or plain-text keystroke loggers could be used against unencrypted login forms.
Information Disclosure
There are many seemingly innocuous ways that information valuable to an attacker can be disclosed:
Debugging messages
phpinfo() output can reveal configuration information
Plain text files such as .ini, .htaccess or .htpasswd files could be exposed
Directory listings could show files that would otherwise be difficult to find
HTML comments
Exposed Information