http://www.ush.it/2009/07/26/php-filesystem-attack-vectors-take-two/

Did you enjoyed our previous "PHP filesystem attack vectors" research? This is the second part and continuation of that paper and highlight new ways to evade filters using some path normalization issues. Have a nice reading!

PHP filesystem attack vectors - Take Two

 Name              PHP filesystem attack vectors - Take Two
Systems Affected PHP and PHP+Suhosin
Vendor http://www.php.net/
Advisory http://www_ush_it/team/ush/hack-phpfs/phpfs_mad_2.txt
Authors Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
Antonio "s4tan" Parata (s4tan AT ush DOT it)
Francesco "ascii" Ongaro (ascii AT ush DOT it)
Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it)
Date 20090725 I) Introduction
II) PHP arbitrary Local File Inclusion testing
III) PHP arbitrary Local File Inclusion results
IV) PHP arbitrary File Open testing
V) PHP arbitrary File Open results
VI) PHP arbitrary Remote File Upload testing
VII) PHP arbitrary Remote File Upload results
VIII) Conclusions
IX) References I) Introduction This is the second part and continuation of our previous "PHP filesystem
attack vectors" [1] research. Working with s4tan and ascii on the "SugarCRM 5.2.0e Remote Code
Execution" advisory [2] we noticed a strange behaviour on Windows OS:
trying to upload a file named "a.php." results in just "a.php". Analyzing this we noticed that every time an application, or manually,
was trying to open or save a file with one ore more dots at the end,
Windows was not denying the operation, but it was removing the dots in a
transparent way. Mindful readers probably have already spotted the issue. We wanted to take our time for a deeper investigation about what
normalization issues were available and how to take advantage of them
in order to exploit arbitrary local file inclusion/handling and uploads
functionalities (not only on Windows OS but also on GNU/Linux and *BSD). Below you can find the sources of two simple "academic" fuzzers, later
results are discussed and finally POCs and conclusions are proposed. II) PHP arbitrary Local File Inclusion testing This tests include(), include_once(), require(), require_once() and
similiar functions. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- alfi_fuzzer.php: <?php error_reporting(0); $InterestingFile = "test_alfi.php";
$fh = @fopen($InterestingFile, 'w+');
fwrite($fh, "<?php ?>");
fclose($fh); for ($i = 1; $i < 256; $i++) {
$chri = chr($i);
for ($j = 0; $j < 256; $j++) {
$chrj = chr($j);
for ($k = 0; $k < 256; $k++) {
$chrk = chr($k);
if($chri.$chrj.$chrk == '://') continue;
if ($j == 0) $FuzzyFile = $InterestingFile.$chri;
else if ($k == 0) $FuzzyFile = $InterestingFile.$chri.$chrj;
else $FuzzyFile = $InterestingFile.$chri.$chrj.$chrk;
if(include($FuzzyFile)) {
print($i." ".$j." ".$k." [".$FuzzyFile."]\n");
fclose($fh);
}
if($j == 0) break;
}
}
} unlink($InterestingFile); ?> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- Note: This code and the one that will be presented in section IV only
makes use of chars from the ASCII extended table (256 chars) to limit the
combinations because our intent was to test not only a malicious ending
char but a whole ending "extension" of 3 bytes. A better fuzzer would include UTF-8. In the test we also do not
consider \x00, because this vector is already known [3, 4]. III) PHP arbitrary Local File Inclusion results --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- PHP 5.2.10-pl0-Gentoo PHPFS_MAD2 $ php alfi_fuzzer.php
47 46 46 [test_alfi.php/.]
47 47 47 [test_alfi.php//.] --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- PHP 5.2.10-pl0-Gentoo + Suhosin-Patch 0.9.27 PHPFS_MAD2 $ php alfi_fuzzer.php [ NO RESULTS ] --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- PHP 5.2.10-FreeBSD 7.3 + Suhosin-Patch 0.9.7 PHPFS_MAD2 $ php alfi_fuzzer.php [ NO RESULTS ] --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<- PHP 5.3.0 Windows XP (WampServer 2.0i install) C:\PHPFS_MAD2> php alfi_fuzzer.php
! Valid chars are: \x20 ( ), \x22 ("), \x2E (.), \x3C (<), \x3E (>)
! Valid strings are all combinations of the above chars. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- PHP 5.3.0 Windows Server 2008 (WampServer 2.0i install) C:\PHPFS_MAD2> php alfi_fuzzer.php
! Valid chars are: \x20 ( ), \x22 ("), \x2E (.), \x3C (<), \x3E (>)
! Valid strings are all combinations of the above chars. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- IV) PHP arbitrary File Open testing This tests fopen() and similiar functions. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- afo_fuzzer.php: <?php error_reporting(0); $MaliciousFile = "test_afo.php"; for ($i = 1; $i < 256; $i++) {
$chri = chr($i);
for ($j = 0; $j < 256; $j++) {
$chrj = chr($j);
for ($k = 0; $k < 256; $k++) {
if ($j == 0) $FuzzyFile = $MaliciousFile.$chri;
else if ($k == 0) $FuzzyFile = $MaliciousFile.$chri.$chrj;
else $FuzzyFile = $MaliciousFile.$chri.$chrj.chr($k);
$fh = @fopen($FuzzyFile, 'w+');
if ($fh != FALSE) {
fwrite($fh, $FuzzyFile);
fclose($fh);
if (file_exists($MaliciousFile)) {
if ($j == 0) print($i." ");
else if ($k == 0) print($i." ".$j." ");
else $FuzzyFile = print($i." ".$j." ".$k." ");
print("[".file_get_contents($MaliciousFile)."]\n");
unlink($MaliciousFile);
} else
unlink($FuzzyFile);
}
if($j == 0)
break;
}
}
} ?> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- V) PHP arbitrary File Open Fuzzer results --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- PHP 5.2.10-pl0-Gentoo PHPFS_MAD2 $ php afo_fuzzer.php
47 46 [test_afo.php/.]
47 47 46 [test_afo.php//.] --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- PHP 5.2.10-pl0-Gentoo + Suhosin-Patch 0.9.27 PHPFS_MAD2 $ php afo_fuzzer.php [ NO RESULTS ] --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<- PHP 5.2.10-FreeBSD 7.3 + Suhosin-Patch 0.9.7 PHPFS_MAD2 $ php afo_fuzzer.php 47 46 [test_afo.php/.]
47 47 46 [test_afo.php//.] --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<- PHP 5.3.0 Windows XP (WampServer 2.0i install) C:\PHPFS_MAD2> php afo_fuzzer.php ! Valid chars are: \x2E (.), \x2F (/), \x5C (\)
! Valid strings are all combinations of the above chars. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- PHP 5.3.0 Windows Server 2008 (WampServer 2.0i install) C:\PHPFS_MAD2> php afo_fuzzer.php ! Valid chars are: \x2E (.), \x2F (/), \x5C (\)
! Valid strings are all combinations of the above chars. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- VI) PHP arbitrary Remote File Upload testing This tests move_uploaded_file() and similiar functions. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- upload.php: <?php error_reporting(0); $MaliciousFile = "evil.php"; if (isset($_GET['fuzzy'])) {
$FuzzyDestination = $MaliciousFile.$_GET['fuzzy'];
move_uploaded_file($_FILES['userfile']['tmp_name'], $FuzzyDestination);
printf($FuzzyDestination);
if (file_exists($MaliciousFile)) {
echo "SUCCESS";
unlink($MaliciousFile);
exit();
} else {
unlink($FuzzyDestination);
}
} echo "FAIL"; ?> arfu_fuzzer.sh: #!/bin/bash touch "uploadtest.txt"
url="http://127.0.0.1/uploads/upload.php?fuzzy=" for i in {1..255}; do
xi="%`printf %02x $i`"
for j in {0..255}; do
xj="%`printf %02x $j`"
for k in {0..255}; do
xk="%`printf %02x $k`" ext="$xi$xj$xk"
[ $k -eq 0 ] && ext="$xi$xj"
[ $k -eq 0 ] && [ $j -eq 0 ] && ext="$xi" response=`curl -kis -F "userfile=@uploadtest.txt;" $url$ext | grep
SUCCESS | wc -l` if [ "$response" == "1" ]; then
echo "Found: $i $j $k -> ($ext)";
fi [ $j -eq 0 ] && break done
done
done --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- VII) PHP arbitrary Remote File Upload results --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- PHP 5.2.10-pl0-Gentoo PHPFS_MAD2 $ sh test_arfu.sh FOUND: 47 0 0 -> (/)
FOUND: 47 46 0 -> (/.) --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- PHP 5.2.10-pl0-Gentoo + Suhosin-Patch 0.9.27 PHPFS_MAD2 $ sh test_arfu.sh FOUND: 47 0 0 -> (/)
FOUND: 47 46 0 -> (/.) --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<- PHP 5.2.10-FreeBSD 7.3 + Suhosin-Patch 0.9.7 PHPFS_MAD2 $ sh test_arfu.sh FOUND: 47 46 0 -> (/.) --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<- PHP 5.3.0 Windows XP (WampServer 2.0i install) PHPFS_MAD2 $ sh test_arfu.sh [ All the combinations of (space), ., /, \ are valid ones. ] --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- PHP 5.3.0 Windows Server 2008 (WampServer 2.0i install) PHPFS_MAD2 $ sh test_arfu.sh [ All the combinations of (space), ., /, \ are valid ones. ] --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- VIII) Conclusions We found that it's possible to take advantage of filename normalization
routines in order to bypass common web application security routines,
detailed below: - On GNU/Linux both (include|require)(_once)? functions will convert
"foo.php" followed by one or more sequences of \x2F (/) and \x2E (.)
back to "foo.php".
This does not work if Suhosin patch is applied. - On GNU/Linux the fopen function will convert "foo.php" followed by one
or more sequences of \x2F (/) and \x2E (.) back to "foo.php".
This does not work if Suhosin patch is applied. - On GNU/Linux move_uploaded_file function will convert "foo.php"
followed by one or more sequences of \x2F (/) and \x2E (.) back to
"foo.php".
This does work anyway *also* if Suhosin patch is applied. - On FreeBSD the fopen function will convert "foo.php" followed by one
or more sequences of \x2F (/) and \x2E (.) back to "foo.php".
This does work anyway *also* if Suhosin patch is applied.
Suhosin is shipped in the the default install. - On FreeBSD the move_uploaded_file function will convert "foo.php"
followed by one or more sequences of \x2F (/) and \x2E (.) back to
"foo.php".
This does work anyway *also* if Suhosin patch is applied.
Suhosin is shipped in the the default install. - On Windows OS both (include|require)(_once)? functions will convert
"foo.php" followed by one or more of the chars \x20 ( ), \x22 ("),
\x2E (.), \x3C (<), \x3E (>) back to "foo.php". - On Windows OS the fopen function will convert "foo.php" followed by
one or more of the chars \x2E (.), \x2F (/), \x5C (\) back to
"foo.php". - On Windows OS move_uploaded_file function will convert "foo.php"
followed by one or more of the chars \x2E (.), \x2F (/), \x5C (\)
back to "foo.php". We have observed that some particular strings like "foo.php./" or
"foo.php.\" force Windows to create a file called "foo.php.". It
seems that Windows' functions do not contemplate the existence of
a file with dots at the end (perhaps Windows hackers can better
comment on this). All functions on that file will fail their attempt, so that it's not
possible to easily delete or rename that file (one has to do del *
or similiar). IX) References [1] http://www_ush_it/2009/02/08/php-filesystem-attack-vectors/
http://www_ush_it/team/ush/hack-phpfs/phpfs_mad.txt
[2] http://www_ush_it/team/ush/hack-sugarcrm_520e/adv.txt
[3] http://www.securiteam.com/securitynews/5FP0C0KJPQ.html
[4] http://ha.ckers.org/blog/20060914/php-vulnerable-to-null-byte-injection/ --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- Credits (Out of band) This article has been bought to you by the ush.it team. Giovanni
"evilaliv3" Pellerano, Antonio "s4tan" Parata and Francesco "ascii"
Ongaro are the ones who spent most hours on it with the precious help
of Alessandro "Jekil" Tanasi, Florin "Slippery" Iamandi and many other
friends. Giovanni "evilaliv3" Pellerano
web site: http://www_ush_it/, http://www.evilaliv3.org/
mail: evilaliv3 AT ush DOT it Antonio "s4tan" Parata
web site: http://www_ush_it/
mail: s4tan AT ush DOT it Francesco "ascii" Ongaro
web site: http://www_ush_it/
mail: ascii AT ush DOT it Alessandro "jekil" Tanasi
web site: http://www.tanasi.it/
mail: alessandro AT tanasi DOT it --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- Legal Notices Copyright (c) 2009 Francesco "ascii" Ongaro Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission. Disclaimer: The information in the article is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

PHP filesystem attack vectors - Take Two的更多相关文章

  1. PHP filesystem attack vectors

    http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/ On Apr 07, 2008 I spoke with Kuza55 and ...

  2. XML External Entity attack

    解析外部xml给本地带来的安全隐患. https://en.wikipedia.org/wiki/XML_external_entity_attack An XML External Entity ( ...

  3. (转) [it-ebooks]电子书列表

    [it-ebooks]电子书列表   [2014]: Learning Objective-C by Developing iPhone Games || Leverage Xcode and Obj ...

  4. PatentTips - Hardware virtualization such as separation kernel hypervisors

    BACKGROUND 1. Field Innovations herein pertain to computer virtualization, computer security and/or ...

  5. A Study of WebRTC Security

    转自:http://webrtc-security.github.io/ A Study of WebRTC Security Abstract Web Real-Time Communication ...

  6. Java开源框架推荐(全)

    Build Tool Tools which handle the buildcycle of an application. Apache Maven - Declarative build and ...

  7. ASP.NET 4.0 potentially dangerous Request.Form value was detected

    A few days ago, while working on an ASP.NET 4.0 Web project, I got an issue. The issue was, when use ...

  8. backtrack5渗透 笔记

    目录        1.信息收集        2.扫描工具        3.漏洞发现        4.社会工程学工具        5.运用层攻击msf        6.局域网攻击       ...

  9. Metasploit 笔记

    目录一.名词解释···································································· 3二.msf基础··············· ...

随机推荐

  1. 性能测试中TPS和并发用户数

    并发用户数与TPS之间的关系 1.  背景 在做性能测试的时候,很多人都用并发用户数来衡量系统的性能,觉得系统能支撑的并发用户数越多,系统的性能就越好:对TPS不是非常理解,也根本不知道它们之间的关系 ...

  2. poj 1651 Multiplication Puzzle (区间dp)

    题目链接:http://poj.org/problem?id=1651 Description The multiplication puzzle is played with a row of ca ...

  3. [xsd学习]xsd实例

    以下为一个表示学校的xml文件,学校内有若干学生,每个学生都有基本信息,电脑信息,选课信息 <?xml version="1.0" encoding="UTF-8& ...

  4. bpl 包的编写和引用

    转载:http://www.cnblogs.com/gxch/archive/2011/04/23/bpl.html 为什么要使用包? 答案很简单:因为包的功能强大.设计期包(design-time ...

  5. HTML DOM Document

    Document 对象 每个载入浏览器的 HTML 文档都会成为 Document 对象. Document 对象使我们可以从脚本中对 HTML 页面中的所有元素进行访问. 提示:Document 对 ...

  6. jquerymobile页面跳转和参数传递

    http://blog.csdn.net/chen052210123/article/details/7481578 页面跳转: 页面跳转时pagebeforechange事件会被触发两次,通过$(d ...

  7. Storm与Spark:谁才是我们的实时处理利器

    Storm与Spark:谁才是我们的实时处理利器 ——实时商务智能目前已经逐步迈入主流,而Storm与Spark开源项目的支持无疑在其中起到了显著的推动作用.那么问题来了:实时处理到底哪家强? 实时商 ...

  8. 对只转发结果集的无效操作 first

    今天只用jdbc连接Oracle查询结果时,出现了一个: 对只转发结果集的无效操作 first 的错误java.sql.sqlexception. 出现这个结果的原因是:使用 Statement st ...

  9. 20145304 刘钦令 Java程序设计第二周学习总结

    20145304 <Java程序设计>第2周学习总结 教材学习内容总结 java可区分基本类型和类类型(即参考类型)两大类型系统. 基本类型主要可区分为整数.字节.浮点数.字符与布尔. 整 ...

  10. Jquery实现下拉联动表单

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/ ...