PHP Code Auditing
Session 3 – Tools of the Trade & Crafting Malicious Input
Justin C. Klein Keane, jukeane@sas.upenn.edu

©2009 Justin C. Klein Keane

Setting Up Environment
  • Install VMWare workstation, or player
    • Fusion on the Mac
  • Download the target host
  • Unzip the host files then start the host in VMWare
Get VMWare Image Running
  • If prompted, say you moved the image
CentOS Image Booting
  • Once image boots log in with root/password
Find the IP Address
  • Get the IP address of the virtual machine using

# /sbin/ifconfig eth0

Troubleshooting
  • If you get a blank screen, check the web server and MySQL server:
    • # service httpd status
    • # service mysqld status
  • If you need to start services use:
    • # /etc/rc.d/init.d/httpd restart
    • # /etc/rc.d/init.d/mysqld restart
Troubleshooting Cont.
  • Check the log files:
    • # tail /var/log/httpd/error_log
Install Eclipse PDT
  • Download PDT all in one from http://www.eclipse.org/pdt/
  • Alternatively install Eclipse from http://www.eclipse.org/downloads/
    • Be sure to download “Eclipse IDE for Java Developers”
Install PDT if Necessary
  • Use instructions at
    • http://wiki.eclipse.org/PDT/Installation
  • Some platforms, such as Fedora, may have packages for PHP development; these may be more stable than a manual install of PDT
Install RSE
  • Install the Remote System Explorer tools
  • Help -> Software Updates
  • Click the “Add Site” button
  • Enter the URL
    • http://download.eclipse.org/dsdp/tm/downloads/
  • Select Remote System Explorer Core, Remote System Explorer End-User Runtime, Remote System Explorer Extender SDK, and RSE SSH Service
Open Eclipse
  • Open Eclipse
  • Default “perspective” is dull and doesn't suit our purposes
  • Click Window -> Show View -> Remote System
  • In the new window right click and select “new connection”
Add New Connection
  • Select “SSH Only”, click Next
Connection Details
  • Fill in VMWare host information, click Finish
Connect to Remote Host
  • Click the down arrow for the host, then “Sftp Files” then “Root” and enter credentials
Testing the Injection
  • First we'll try the injection using manual methods
  • Next we'll use some tools to help us out
  • Sometimes manual testing may be impossible
Using Tamper Data
  • To start Firefox Tamper Data plugin select
    • Tools -> Tamper Data
  • Click “Start Tamper” in the upper left
  • Fill in your test values again and submit
  • When prompted click “Tamper”
Tamper
  • Fill in new values for Post Parameters
  • Note that you can also tamper with Cookies and Referer Data
  • Click “OK” when you're happy with your values
Checking Cookies
  • You can also view cookies using the Web Developer Plugin
    • select Cookies -> View Cookie Information
View Source
  • View -> Source in Firefox
  • Look for comments, JavaScript and the like
  • Sometimes source will reveal information you may have missed
Paros
  • Download Paros from http://www.parosproxy.org
  • Paros is Java based, so if Eclipse can run on your machine, so can Paros
  • Paros is a proxy, so it captures requests from your web browser to a server and responses from the server back to your browser
  • You can use it to alter your requests quite easily
Configure Firefox
  • You need to configure Firefox to use Paros as a proxy
    • Choose Edit -> Preferences, then Advanced -> Network -> Settings
Create Request
  • Once Firefox is configured to utilize Paros browse through the site normally
  • Note how Paros records all your interactions
  • Try submitting the login form
  • Note that Paros records GET and POST requests
Alter Requests
  • To alter a request click on it in the bottom window
  • Next right click and select “Resend”
  • This opens a new window where you can alter any part of the request before it is sent
  • Change any data and click the “Send” button
Bypassing the Login
  • In our manual code analysis we found a SQL injection vulnerability in the login form
  • A JavaScript check prevents easy manual testing
  • We could disable JavaScript or use Paros or Tamper Data to alter the data we're submitting for the login form
  • First let's examine the query
Our Target

$sql = "select user_id from user
        where user_username = '" . $_POST['username'] . "'
        AND user_password = md5('" . $_POST['password'] . "')";


Target SQL

select user_id from user
where user_username = 'somename'
and user_password = md5('somepass');


Possible Permutation

select user_id from user
where user_username = 'somename' or 1='1'
and user_password = md5('somepass');

What is the proper input to create this statement?

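To make the "Our Target" and "Possible Permutation" slides concrete, here is an added example (not code from the slides or the course application) that places the slide's string-built query next to a parameterised version. It assumes PHP's PDO with the SQLite driver and an in-memory copy of the `user` table, so it runs offline without the course VM's MySQL server.

```php
<?php
// Added example, not code from the slides: the slide's string-built login
// query next to a parameterised version, run against an in-memory SQLite
// copy of the `user` table so it works offline (the course VM uses MySQL).

// Same construction as the "Our Target" slide: client input is spliced
// straight into the SQL text.
function buildLoginQueryUnsafe(string $username, string $password): string
{
    return "select user_id from user where user_username = '" . $username
        . "' AND user_password = md5('" . $password . "')";
}

// Hardened version: the SQL text is fixed and the values travel as bound
// parameters, so a quote in the input cannot change the statement's shape.
// (Unsalted md5 password storage is a separate weakness, kept to match the slide.)
function findUserIdSafe(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare(
        'select user_id from user where user_username = :u AND user_password = md5(:p)'
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['user_id'];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->sqliteCreateFunction('md5', 'md5', 1); // SQLite lacks md5(); MySQL has it
$pdo->exec('create table user (user_id integer primary key, user_username text, user_password text)');
$pdo->exec("insert into user values (7, 'O''Brien', '" . md5('somepass') . "')");

// Constructed input: a legitimate user name that happens to contain a quote.
$name = "O'Brien";
try {
    $pdo->query(buildLoginQueryUnsafe($name, 'somepass'));
} catch (PDOException $e) {
    // The quote ends the literal early and the remainder is parsed as SQL:
    // here a syntax error, on the "Possible Permutation" slide a rewritten
    // WHERE clause. Either way the input changed the statement.
    echo "unsafe query failed: ", $e->getMessage(), "\n";
}
echo "safe lookup: ", var_export(findUserIdSafe($pdo, $name, 'somepass'), true), "\n";
```

The safe lookup finds user 7 for O'Brien regardless of the apostrophe, while the concatenated query no longer even parses; the audit fix is to replace every such concatenation with a prepared statement.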

Chained Exploits
  • Note that the exploitation of the authentication leads to access to new, potentially exploitable functionality
  • Authentication leads to cookie granting
  • Admin functions are often “trusted”
Steps to Remember
  • Look for vulnerabilities
    • In the source code
    • In the functional front end
  • Test your exploits in the “friendliest” environment possible
  • Use tools to recreate attacks in the live environment.
For Next Time
  • Install Paros Proxy
  • Install Firefox and the Tamper Data and Web Developer plug-ins
  • Download and install the sample SQL injection application on your VM
  • Identify at least 4 SQL injection vulnerabilities
  • Develop exploits for each vulnerability
  • Develop fixes for each vulnerability