Arpad Ray's PHPNW08 slides:
Looking at websites from the perspective of potential attackers is a useful technique not only for security professionals.
This talk demonstrates how to use simple PHP scripts to exploit many common security holes in PHP applications, hopefully giving developers a deeper understanding of what it is they are protecting against.
* Getting around common precautions against SQL injection
* Free spam with SMTP injection
* Making a malicious website to exploit PHP sessions
* The holes every attacker hopes for
* Making use of a newly exploited website
2-6. Why use PHP for this?
* We already know how to write PHP
* Can use directly in test scripts
* PHP provides everything we need
* Writing PHP can be very quick
* Can efficiently re-use and combine attacks
8-10. SQL injection
    $q = "SELECT * FROM foobar WHERE id = $_GET[id]";
Request: index.php?id=1 OR 1=1
    $_GET['id'] = '1 OR 1=1';
    $q = "SELECT * FROM foobar WHERE id = 1 OR 1=1";
11-13. SQL injection
    $q = "SELECT * FROM foobar WHERE id = '$_GET[id]'";
Request: index.php?id=' OR ''='
    $_GET['id'] = "' OR ''='";
    $q = "SELECT * FROM foobar WHERE id = '' OR ''=''";
14. SQL injection
    $q = "SELECT * FROM foobar WHERE id = '$_POST[id]'";
15. SQL injection
    $q = "SELECT * FROM foobar WHERE id = $_POST[id]";
POST parameters are no harder to supply than GET parameters:
    <form method="post" action="http://example.com/foo.php">
        <input type="hidden" name="id" value="1 OR 1=1" />
        <input type="submit" />
    </form>
16. SQL injection
    $q = "SELECT * FROM foobar WHERE id = $_POST[id]";
Or from PHP itself, with a stream context (missing comma between array elements restored):
    $context = stream_context_create(array('http' => array(
        'method'  => 'post',
        'content' => 'id=1 OR 1=1',
    )));
    file_get_contents('http://example.com/foo.php', false, $context);
17. SQL injection
    $q = 'SELECT * FROM foobar WHERE id = ' . addslashes($id);
18. addslashes()
    $id = addslashes($_POST['id']);
    $q = "SELECT * FROM foobar WHERE id = '$id'";
    $_POST['id'] = "' OR ''='";
    $q = "SELECT * FROM foobar WHERE id = '\' OR \'\'=\''";
21-22. addslashes(): getting around that pesky backslash
* Multi-byte character attacks
* Swallow the backslash with a multi-byte character ending with that byte
    <start of mb character><single quote>   // apply addslashes()
    <mb character><single quote>
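The defensive counterpart to the escaping slides above, as an added example that is not from the deck: the deck's own payloads sent through a prepared statement rather than string concatenation. It uses an in-memory SQLite database so it runs offline; table and column names follow the slides, the `name` column and the sample rows are constructed.

```php
<?php
// Added example (not from the slides): bind the id, never interpolate it.
// In-memory SQLite so this runs offline; the rows below are constructed.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // matters for pdo_mysql: server-side params, no client quoting
]);
$pdo->exec('CREATE TABLE foobar (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO foobar (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Validate first, then bind: returns matching rows, or null when the input
// is not an integer at all ("1 OR 1=1" fails FILTER_VALIDATE_INT).
function lookup(PDO $pdo, string $untrustedId): ?array
{
    $id = filter_var($untrustedId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name FROM foobar WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Even without validation, a bound parameter is compared as one literal
// value: the query shape is fixed before any user data is seen, so the
// slides' payloads simply match no row.
function lookupBoundOnly(PDO $pdo, string $untrustedId): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM foobar WHERE id = :id');
    $stmt->execute([':id' => $untrustedId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach (['1', '1 OR 1=1', "' OR ''='"] as $payload) {
    $validated = lookup($pdo, $payload);
    printf("%-12s validated: %-8s bound-only: %d row(s)\n",
        var_export($payload, true),
        $validated === null ? 'rejected' : count($validated) . ' row(s)',
        count(lookupBoundOnly($pdo, $payload)));
}
```

The multi-byte trick on the previous slide only exists because addslashes() is charset-blind; a bound parameter never passes through the SQL parser as text, so there is no quote to break out of.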
28-29. magic_quotes_gpc
* Uses addslashes(), so escaping is not secure
* Fosters complacency
* Applications using magic quotes are much harder to make truly portable
* Inconsistencies between PHP versions
38. magic_quotes_gpc: there are also problems disabling magic_quotes_gpc
    function stripslashes_deep($value)
    {
        $value = is_array($value)
            ? array_map('stripslashes_deep', $value)
            : stripslashes($value);
        return $value;
    }
39. magic_quotes_gpc: there are also problems disabling magic_quotes_gpc
Instead of passing id=1 we can pass:
    'id' . str_repeat('[]', 1000) . '=1'
We can trivially force the web server to do a lot of unnecessary work.
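A depth-bounded replacement for the stripslashes_deep() on slide 38, added here as an example that is not from the deck. Input nested deeper than a fixed limit is refused instead of walked, so the id[][]...[]=1 request from slide 39 cannot buy a thousand recursive calls; the limit of 8 is an arbitrary assumption, and the nested sample array is constructed. (PHP itself also caps request-parameter nesting via the max_input_nesting_level ini setting, default 64.)

```php
<?php
// Added example (not from the slides): stripslashes_deep() with a depth cap.
// $maxDepth = 8 is an assumed limit; tune it to the deepest shape the
// application legitimately accepts.
function stripslashes_bounded($value, int $maxDepth = 8, int $depth = 0)
{
    if (is_array($value)) {
        if ($depth >= $maxDepth) {
            throw new InvalidArgumentException("input nested deeper than $maxDepth levels");
        }
        $out = [];
        foreach ($value as $k => $v) {
            $out[$k] = stripslashes_bounded($v, $maxDepth, $depth + 1);
        }
        return $out;
    }
    // Only strings carry slashes; leave ints/bools/null untouched.
    return is_string($value) ? stripslashes($value) : $value;
}

// Constructed sample: the array PHP builds for id[][]...[]=1, $levels deep.
function nested(int $levels, string $leaf): array
{
    $v = $leaf;
    for ($i = 0; $i < $levels; $i++) {
        $v = [$v];
    }
    return $v;
}

var_dump(stripslashes_bounded(['id' => "O\\'Reilly"]));  // shallow input: processed normally
try {
    stripslashes_bounded(['id' => nested(1000, '1')]);    // slide-39 shape: refused at depth 8
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```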
61-62. Hot vulnerabilities
* Direct eval() injection
* preg_replace() using the /e modifier
* Variable in include() call
* Uploading PHP files
* Shell injection
63. Making an evil website
* HTTP requests can give us lots of interesting information
* PHPSESSID = bingo
64-65. Making an evil website
    // Referer header of the visiting browser, not the session array
    if (isset($_SERVER['HTTP_REFERER'])) {
        if (preg_match('/PHPSESSID=([^=&]+) | (?<==)([a-f]{32}|[a-f]{40})/xi',
                       $_SERVER['HTTP_REFERER'])) {
            // ...
        }
    }
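The server-side settings that defeat the Referer leak the two slides above rely on, as an added example that is not from the deck: the session id is confined to a cookie, so it never appears in a URL for a linked site to read, and it is replaced at login so a planted PHPSESSID stops being valid. Assumes PHP 7.3+ (array form of session_set_cookie_params()) and an HTTPS site; the user-id field name is an assumption.

```php
<?php
// Added example (not from the slides): keep the session id out of URLs and
// refresh it at login. Call start_hardened_session() before any output.
function start_hardened_session(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept PHPSESSID from the query string
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the id
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // only sent over TLS (assumes an HTTPS site)
        'httponly' => true,   // not readable from script
        'samesite' => 'Lax',
    ]);
    session_start();
}

// On successful authentication, issue a new id so any value observed or
// planted beforehand no longer refers to the authenticated session.
function on_login(int $userId): void
{
    session_regenerate_id(true); // true = discard the old session data
    $_SESSION['user_id'] = $userId;  // field name is an assumption
}

// Detection side: flag requests whose own URL still carries a session id,
// which means some page is still emitting them and can leak via Referer.
function session_id_in_url(string $requestUri): bool
{
    if (preg_match('/(?:^|[?&])PHPSESSID=/i', $requestUri)) {
        error_log('session id seen in URL: ' . $requestUri);
        return true;
    }
    return false;
}

// Constructed sample URIs to exercise the check.
var_dump(session_id_in_url('/index.php?PHPSESSID=abc&page=2')); // true
var_dump(session_id_in_url('/index.php?page=2'));               // false
```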
67. Making use of victims: file scan
    $dir = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator('/', true)
    );
    foreach ($dir as $file) {
        echo $file->getPathname(), "\n";
    }
68-70. Making use of victims
* File scan
* Subverting existing files
* Escalate privileges, take over machine
* botnet.php