PHP Code Auditing

Session 3 – Tools of the Trade & Crafting Malicious Input. Justin C. Klein Keane, jukeane@sas.upenn.edu. Summary: setting up the environment (install VMware Workstation or Player, or Fusion on the Mac; download the target host; unzip the host files, then start the host in VMware).

Presentation Transcript


  1. Session 3 – Tools of the Trade & Crafting Malicious Input
     Justin C. Klein Keane, jukeane@sas.upenn.edu
     PHP Code Auditing ©2009 Justin C. Klein Keane

  2. Setting Up Environment
     • Install VMware Workstation, or Player
     • Fusion on the Mac
     • Download the target host
     • Unzip the host files, then start the host in VMware

  3. Get VMware Image Running
     • If prompted, say you moved the image

  4. CentOS Image Booting
     • Once the image boots, log in with root/password

  5. Find the IP Address
     • Get the IP address of the virtual machine using
       # /sbin/ifconfig eth0

  6. Ensure Apache is Running

  7. Upload the Exercise

  8. Extract the Exercise

  9. Install the Database

  10. Check the Application

  11. Troubleshooting
      • If you get a blank screen, check the web server and MySQL server:
        # service httpd status
        # service mysqld status
      • If you need to start services use:
        # /etc/rc.d/init.d/httpd restart
        # /etc/rc.d/init.d/mysqld restart

  12. Troubleshooting Cont.
      • Check the log files:
        # tail /var/log/httpd/error_log

  13. Install Eclipse PDT
      • Download the PDT all-in-one package from http://www.eclipse.org/pdt/
      • Alternatively install Eclipse from http://www.eclipse.org/downloads/
      • Be sure to download “Eclipse IDE for Java Developers”

  14. Install PDT if Necessary
      • Use the instructions at http://wiki.eclipse.org/PDT/Installation
      • Some platforms, such as Fedora, may have packages for PHP development; these may be more stable than a manual install of PDT

  15. Install RSE
      • Install the Remote System Explorer tools
      • Help -> Software Updates
      • Click the “Add Site” button
      • Enter the URL http://download.eclipse.org/dsdp/tm/downloads/
      • Select Remote System Explorer Core, Remote System Explorer End-User Runtime, Remote System Explorer Extender SDK, and RSE SSH Service

  16. Install the RSE Components
      • Click “Install”

  17. Open Eclipse
      • Open Eclipse
      • The default “perspective” is dull and doesn't suit our purposes
      • Click Window -> Show View -> Remote System
      • In the new window, right-click and select “New Connection”

  18. Add New Connection
      • Select “SSH Only”, click Next

  19. Connection Details
      • Fill in the VMware host information, click Finish

  20. Connect to Remote Host
      • Click the down arrow for the host, then “Sftp Files”, then “Root”, and enter credentials

  21. View Source

  22. Look for Potential SQL Injection

  23. Testing the Injection
      • First we'll try the injection using manual methods
      • Next we'll use some tools to help us out
      • Sometimes manual testing may be impossible

  24. Manual Testing

  25. Using Tamper Data
      • To start the Firefox Tamper Data plugin, select Tools -> Tamper Data
      • Click “Start Tamper” in the upper left
      • Fill in your test values again and submit
      • When prompted, click “Tamper”

  26. That's Interesting

  27. Tamper
      • Fill in new values for the POST parameters
      • Note that you can also tamper with Cookies and Referer data
      • Click “OK” when you're happy with your values

  28. That's More Like It

  29. Checking Cookies
      • You can also view cookies using the Web Developer plugin
      • Select Cookies -> View Cookie Information

  30. Using Web Developer

  31. View Source
      • View -> Source in Firefox
      • Look for comments, JavaScript and the like
      • Sometimes the source will reveal information you may have missed

  32. JavaScript in Source

  33. Paros
      • Download Paros from http://www.parosproxy.org
      • Paros is Java based, so if Eclipse can run on your machine, so can Paros
      • Paros is a proxy, so it captures requests from your web browser to a server and responses from the server back to your browser
      • You can use it to alter your requests quite easily

  34. Start Up Paros

  35. Configure Firefox
      • You need to configure Firefox to use Paros as a proxy
      • Choose Edit -> Preferences, then Advanced -> Network -> Settings

  36. Configure Settings

  37. Create Request
      • Once Firefox is configured to use Paros, browse through the site normally
      • Note how Paros records all your interactions
      • Try submitting the login form
      • Note that Paros records GET and POST requests

  38. Paros in Action

  39. Paros Records Details

  40. Alter Requests
      • To alter a request, click on it in the bottom window
      • Next, right-click and select “Resend”
      • This opens a new window where you can alter any of the sent requests
      • Change any data and click the “Send” button

  41. Paros Resend

  42. Response is Raw

  43. Bypassing the Login
      • In our manual code analysis we found a SQL injection vulnerability in the login form
      • A JavaScript check prevents easy manual testing
      • We could disable JavaScript, or use Paros or Tamper Data to alter the data we're submitting for the login form
      • First, let's examine the query

  44. Our Target
      $sql = "select user_id from user where user_username = '" . $_POST['username'] . "' AND user_password = md5('" . $_POST['password'] . "')";

  45. Target SQL
      select user_id from user where user_username = 'somename' and user_password = md5('somepass');

  46. Possible Permutation
      select user_id from user where user_username = 'somename' or 1='1' and user_password = md5('somepass');
      What is the proper input to create this statement?
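Added example (not code from the slides): the string-concatenated query from slide 44 reproduced as a function, so the effect of the slide 46 input can be inspected offline, beside a parameterized version that keeps the same input as data. Assumptions not in the slides: a PDO connection to the same user table, a server-side copy of whatever the login page's JavaScript validates, and stored password hashes migrated from md5() to password_hash().

```php
<?php
// Added example, not the deck's own code. Assumes a PDO connection to the
// 'user' table and password_hash() values in user_password instead of md5().

/**
 * Reproduces the slide 44 construction: the username is spliced straight
 * into the SQL text, so a quote in it becomes SQL syntax rather than data.
 */
function buildVulnerableQuery(string $username, string $password): string
{
    return "select user_id from user where user_username = '" . $username
        . "' AND user_password = md5('" . $password . "')";
}

/**
 * Hardened lookup. The SQL text is fixed; the username travels separately as
 * a bound parameter, so it can only ever be compared as a value and can not
 * change the WHERE clause. The password is checked with password_verify()
 * against a password_hash() value (assumed migration) rather than md5().
 */
function authenticateUser(PDO $db, string $username, string $password): ?int
{
    // Mirror any client-side (JavaScript) check here: the browser check is
    // bypassed with Tamper Data or Paros, the server-side check is not.
    if ($username === '' || strlen($username) > 64) {
        return null;
    }

    $stmt = $db->prepare(
        'SELECT user_id, user_password FROM user WHERE user_username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['user_password'])) {
        return null;
    }
    return (int) $row['user_id'];
}

// Demonstration with the slide 46 input (constructed; no database needed).
$craftedUser = "somename' or 1='1";
echo buildVulnerableQuery($craftedUser, 'somepass'), PHP_EOL;
// Output is the "possible permutation" on slide 46:
// select user_id from user where user_username = 'somename' or 1='1' AND user_password = md5('somepass')
// In authenticateUser() the same string is bound as a parameter, so the
// database looks for a user literally named  somename' or 1='1  and finds none.
```

When reviewing PHP code, the concatenation pattern in buildVulnerableQuery() (a quoted SQL literal closed by a dot, then a request variable) is the textual signature to search for; the prepare()/execute() pattern with named placeholders is what the fix should look like in the diff.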

  47. Testing Your SQL

  48. Bypassing Login with SQL Injection

  49. We're In!

  50. Chained Exploits
      • Note that the exploitation of the authentication leads to access to new, potentially exploitable functionality
      • Authentication leads to cookie granting
      • Admin functions are often “trusted”
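Added example (not code from the slides): what the "cookie granting" step on slide 50 should look like so that a bypassed login does not automatically hand over trusted admin functions. Assumptions not in the slides: PHP's native session handling, and a user_role value known at login time.

```php
<?php
// Added example, not the deck's own code. Assumes native PHP sessions and
// that the login flow knows the user's role (a 'user_role' column is assumed).

// Cookie hardening must be configured before session_start().
session_set_cookie_params([
    'httponly' => true,     // not readable from page JavaScript
    'secure'   => true,     // only sent over HTTPS
    'samesite' => 'Strict', // not attached to cross-site requests
]);
session_start();

/**
 * Called once the credential check has succeeded. The session ID is rotated so
 * a session ID fixed before login is not promoted to an authenticated one, and
 * the role is kept server-side: the cookie carries only an opaque session ID,
 * nothing an attacker could edit with Tamper Data or Paros.
 */
function establishSession(int $userId, string $role): void
{
    session_regenerate_id(true);      // discard the pre-login session ID
    $_SESSION['user_id']  = $userId;
    $_SESSION['role']     = $role;    // never read the role back from a client cookie
    $_SESSION['login_at'] = time();
}

/**
 * Guard for an admin function. Authorization is re-checked on every request
 * against server-side session state rather than "trusted" because the caller
 * reached the page; POST fields, cookies and Referer are not consulted.
 */
function requireAdmin(): void
{
    if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage: the login handler calls establishSession($userId, $role) after
// authenticateUser() returns an ID; every admin page calls requireAdmin()
// before doing anything else.
```

The chain on slide 50 only works because the admin functions trust the fact that a cookie exists. With the role held in $_SESSION and re-checked by requireAdmin(), an attacker who forges or tampers with the cookie value still needs a valid server-side session that was granted the admin role.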
