Php code-auditing

©2009 Justin C. Klein Keane

PHP Code Auditing

Session 3 – Tools of the Trade & Crafting Malicious Input

Justin C. Klein [email protected]


Setting Up Environment

Install VMWare workstation, or player Fusion on the Mac

Download the target host Unzip the host files then start the host in

VMWare


Get VMWare Image Running

If prompted, say you moved the image


CentOS Image Booting

Once image boots log in with root/password


Find the IP Address

Get the IP address of the virtual machine using# /sbin/ifconfig eth0


Ensure Apache is Running


Upload the Exercise


Extract the Exercise


Install the Database


Check the Application


Troubleshooting

If you get a blank screen, check the web server and MySQL server:

# service httpd status

# service mysqld status

If you need to start services use: # /etc/rc.d/init.d/httpd restart

# /etc/rc.d/init.d/mysqld restart


Troubleshooting Cont.

Check the log files: # tail /var/log/httpd/error_log


Install Eclipse PDT

Download PDT all in one from http://www.eclipse.org/pdt/

Alternatively install Eclipse from http://www.eclipse.org/downloads/

Be sure to download “Eclipse IDE for Java Developers”


Install PDT if Necessary

Use instructions at http://wiki.eclipse.org/PDT/Installation

Some platforms, such as Fedora, may have packages for PHP development, these may be more stable than a manual install of PDT


Install RSE

Install the Remote System Explorer tools Help -> Software Updates Click the “Add Site” button Enter the URL

http://download.eclipse.org/dsdp/tm/downloads/

Select Remote System Explorer Core, Remote System Explorer End-User Runtime, Remote System Explorer Extender SDK, and RSE SSH Service


Install the RSE Components

Click “Install”


Open Eclipse

Open Eclipse Default “perspective” is dull and doesn't suit our

purposes Click Window -> Show View -> Remote System In the new window right click and select “new

connection”


Add New Connection

Select “SSH Only”, click Next


Connection Details

Fill in VMWare host information, click Finish


Connect to Remote Host

Click the down arrow for the host, then “Sftp Files” then “Root” and enter credentials


View Source


Look for Potential SQL Injection


Testing the Injection

First we'll try the injection using manual methods

Next we'll use some tools to help us out Sometimes manual testing may be impossible


Manual Testing


Using Tamper Data

To start Firefox Tamper Data plugin select Tools -> Tamper Data

Click “Start Tamper” in the upper left Fill in your test values again and submit When prompted click “Tamper”


That's Interesting


Tamper

Fill in new values for Post Parameters Note that you can also tamper with Cookies and

Referer Data Click “OK” when you're happy with your values


That's More Like It


Checking Cookies

You can also view cookies using the Web Developer Plugin

select Cookies -> View Cookie Information


Using Web Developer


View Source

View -> Source in Firefox Look for comments, JavaScript and the like Sometimes source will reveal information you

may have missed


JavaScript in Source


Paros

Download Paros from http://www.parosproxy.org

Paros is Java based, so if Eclipse can run on your machine, so can Paros

Paros is a proxy, so it captures requests from your web browser to a server and responses from the server back to your browser

You can use it to alter your requests quite easily


Start Up Paros


Configure Firefox

You need to configure Firefox to use Paros as a proxy

Choose Edit -> Preferences, then Advanced -> Network -> Settings


Configure Settings


Create Request

Once Firefox is configured to utilize Paros browse through the site normally

Note how Paros records all your interactions Try submitting the login form Note that Paros records GET and POST

requests


Paros in Action


Paros Records Details


Alter Requests

To alter a request click on it in the bottom window

Next right click and select “Resend” This opens a new window where you can alter

any of the send requests Change any data and click the “Send” button


Paros Resend


Response is Raw


Bypassing the Login

In our manual code analysis we found a SQL injection vulnerability in the login form

A JavaScript check prevents easy manual testing

We could disable JavaScript or use Paros or Tamper Data to alter the data we're submitting for the login form

First let's examine the query


Our Target

$sql = "select user_id from user where user_username = '" . $_POST['username'] . "'AND user_password = md5('" .$_POST['password'] . "')";


Target SQL

select user_id from userwhere user_username = 'somename'and user_password = md5('somepass');


Possible Permutation

select user_id from userwhere user_username = 'somename'

or 1='1'and user_password = md5('somepass');

What is the proper input to create this statement?


Testing Your SQL


Bypassing Loginwith SQL Injection


We're In!


Chained Exploits

Note that the exploitation of the authentication leads to access to new, potentially exploitable functionality

Authentication leads to cookie granting Admin functions are often “trusted”


Steps to Remember

Look for vulnerabilities In the source code In the functional front end

Test your exploits in the “friendliest” environment possible

Use tools to recreate attacks in the live environment.


For Next Time

-Install Paros Proxy

-Install Firefox and the Tamper Data and Web

Developer plug ins

-Download and install the sample SQL injection

application on your VM

-Identify at least 4 SQL injection vulnerabilities

-Develop exploits for each vulnerability

-Develop fixes for each vulnerability

Automotive

Php code-auditing