Php code-auditing

PHP Code Auditing

Session 3 – Tools of the Trade & Crafting Malicious Input

Justin C. Klein Keanejukeane@sas.upenn.edu

Setting Up Environment

Install VMWare workstation, or player Fusion on the Mac

Download the target host Unzip the host files then start the host in

VMWare

Get VMWare Image Running

If prompted, say you moved the image

CentOS Image Booting

Once image boots log in with root/password

Find the IP Address

Get the IP address of the virtual machine using# /sbin/ifconfig eth0

Ensure Apache is Running

Upload the Exercise

Extract the Exercise

Install the Database

Check the Application

Troubleshooting

If you get a blank screen, check the web server and MySQL server:

# service httpd status

# service mysqld status

If you need to start services use: # /etc/rc.d/init.d/httpd restart

# /etc/rc.d/init.d/mysqld restart

Troubleshooting Cont.

Check the log files: # tail /var/log/httpd/error_log

Install Eclipse PDT

Download PDT all in one from http://www.eclipse.org/pdt/

Alternatively install Eclipse from http://www.eclipse.org/downloads/

Be sure to download “Eclipse IDE for Java Developers”

Install PDT if Necessary

Use instructions at http://wiki.eclipse.org/PDT/Installation

Some platforms, such as Fedora, may have packages for PHP development, these may be more stable than a manual install of PDT

Install RSE

Install the Remote System Explorer tools Help -> Software Updates Click the “Add Site” button Enter the URL

http://download.eclipse.org/dsdp/tm/downloads/

Select Remote System Explorer Core, Remote System Explorer End-User Runtime, Remote System Explorer Extender SDK, and RSE SSH Service

Install the RSE Components

Click “Install”

Open Eclipse

Open Eclipse Default “perspective” is dull and doesn't suit our

purposes Click Window -> Show View -> Remote System In the new window right click and select “new

connection”

Add New Connection

Select “SSH Only”, click Next

Connection Details

Fill in VMWare host information, click Finish

Connect to Remote Host

Click the down arrow for the host, then “Sftp Files” then “Root” and enter credentials

View Source

Look for Potential SQL Injection

Testing the Injection

First we'll try the injection using manual methods

Next we'll use some tools to help us out Sometimes manual testing may be impossible

Manual Testing

Using Tamper Data

To start Firefox Tamper Data plugin select Tools -> Tamper Data

Click “Start Tamper” in the upper left Fill in your test values again and submit When prompted click “Tamper”

That's Interesting

Tamper

Fill in new values for Post Parameters Note that you can also tamper with Cookies and

Referer Data Click “OK” when you're happy with your values

That's More Like It

Checking Cookies

You can also view cookies using the Web Developer Plugin

select Cookies -> View Cookie Information

Using Web Developer

View Source

View -> Source in Firefox Look for comments, JavaScript and the like Sometimes source will reveal information you

may have missed

JavaScript in Source

Download Paros from http://www.parosproxy.org

Paros is Java based, so if Eclipse can run on your machine, so can Paros

Paros is a proxy, so it captures requests from your web browser to a server and responses from the server back to your browser

You can use it to alter your requests quite easily

Start Up Paros

Configure Firefox

You need to configure Firefox to use Paros as a proxy

Choose Edit -> Preferences, then Advanced -> Network -> Settings

Configure Settings

Create Request

Once Firefox is configured to utilize Paros browse through the site normally

Note how Paros records all your interactions Try submitting the login form Note that Paros records GET and POST

requests

Paros in Action

Paros Records Details

Alter Requests

To alter a request click on it in the bottom window

Next right click and select “Resend” This opens a new window where you can alter

any of the send requests Change any data and click the “Send” button

Paros Resend

Response is Raw

Bypassing the Login

In our manual code analysis we found a SQL injection vulnerability in the login form

A JavaScript check prevents easy manual testing

We could disable JavaScript or use Paros or Tamper Data to alter the data we're submitting for the login form

First let's examine the query

Our Target

$sql = "select user_id from user where user_username = '" . $_POST['username'] . "'AND user_password = md5('" .$_POST['password'] . "')";

Target SQL

select user_id from userwhere user_username = 'somename'and user_password = md5('somepass');

Possible Permutation

select user_id from userwhere user_username = 'somename'

or 1='1'and user_password = md5('somepass');

What is the proper input to create this statement?

Testing Your SQL

Bypassing Loginwith SQL Injection

We're In!

Chained Exploits

Note that the exploitation of the authentication leads to access to new, potentially exploitable functionality

Authentication leads to cookie granting Admin functions are often “trusted”

Steps to Remember

Look for vulnerabilities In the source code In the functional front end

Test your exploits in the “friendliest” environment possible

Use tools to recreate attacks in the live environment.

For Next Time

-Install Paros Proxy

-Install Firefox and the Tamper Data and Web

Developer plug ins

-Download and install the sample SQL injection

application on your VM

-Identify at least 4 SQL injection vulnerabilities

-Develop exploits for each vulnerability

-Develop fixes for each vulnerability

Php code-auditing

Automotive

PHP Introduction. PHP - Introduction2 Creating PHP Code Blocks Code declaration blocks are separate sections within a Web page that are interpreted by

PD 1445, Government Auditing Code

Almost Continuous Almost Delivery · PHP Code Sniffer (phpcs) PHP Mess Detector (phpmd) PHP Copy/Paste Detector (phpcpd) Reports published by Jenkins CI. PHP Code Sniffer Mess Detector

Non-alphanumeric code With JavaScript & PHP $=~[];$={_:++$,$$$$:(![]+"")[$],$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[

Php Fuzzing Auditing

SOLID PHP & Code Smell Wrap-Up

Electrify your code with PHP Generators

Preparing code for Php 7 workshop

Code metrics in PHP

Code smells in PHP

Copyright 2009 Justin C. Klein Keane PHP Code Auditing Session 1 – PHP Foundations Justin C. Klein Keane jukeane@sas.upenn.edu

Property Selling Website Php Code

Pay Online Code PHP

PHP Security Crash Course - 6 - PHP Code Inclusion / Evaluation

PCI-DSS Auditing Linux, Apache, PHP,

PHP code profiling using XDebug

PHP Source Code Search with PHP

PHP code audits - O'Reilly Mediaassets.en.oreilly.com/1/event/27/PHP Code Audit Presentation.pdf · PHP code audits OSCON 2009 ... July 21th 2009 samedi 25 juillet 2009 1. Agenda

NET Code Auditing

PHP Facebook Code