How Your Laravel Application Can Get Hacked?

You’ve probably heard about XSS, SQL Injection, and RCE. Very few developers out there have actually witnessed first-hand what exploiting any of the mentioned vulnerabilities looks like, and therefore don’t necessarily understand the consequences that having such vulnerabilities in your application can have. In this talk we’ll exploit some commonly known vulnerabilities and misconfigurations that can occur in a Laravel application running on a Linux-based host. By learning to think like a hacker you’ll be able to develop more secure applications with Laravel, and to keep yourself, your clients, and your users’ data safe.

Antti Rössi

August 29, 2019
Transcript

  1. How your Laravel application can get hacked, and how to prevent that from happening? Antti Rössi, Laracon EU - Amsterdam 2019

  2. whoami: Antti Rössi, Helsinki, Finland. CTO, Partner @ Jobilla Oy. During daytime I’m building a digital software product. During night-time I hack software in order to make it more secure. (CTFs, pentesting, bug bounties, reversing…) @anamus_

  3. Faith of our users is in our hands (as developers and admins)

  4. Hack yourself first (before someone else does)

  5. None

  6. !! Disclaimer !! All material and examples in this talk are for educational use only. The term ‘hacking’ in this presentation refers to ‘ethical hacking’ and should not be confused with ‘black hat hacking’, meaning attacking or attempting to attack any application, system or network without authorisation. Hacking or attempting to hack anything you don’t own is by default illegal. Doing so will eventually get you in jail. Please act responsibly. Neither I as the author of this presentation, nor any author of the tools used in this presentation, shall be responsible for any individual performing illegal actions with the tools or methods used in this presentation. The intent of this presentation and of all the demonstrations involved is to help professional software developers to write more secure software.

  7. Where can I practise this then?

  8. Download the examples (Link to Github in my Twitter, @anamus_)

  9. @anamus_

  10. SQL Injection (there’s also a NoSQL injection…)

  11. SQL Injection: Attacker injects malicious SQL queries into an HTTP request.

  12. SQL Injection: Can lead to a full disclosure of the DB content when successful.

  13. DB::raw("select * from users order by $order desc");

  14. SQL Injection: Certain edge cases can be very hard to spot in code reviews.

  15. SQL Injection: Easy to test & exploit with proper tooling.

  16. Round 1 Fight!
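The ORDER BY injection from slide 13 next to a hardened version, as an added example that is not from the talk or its example repository. It assumes a Laravel application with a `users` table; the column allowlist is constructed for illustration.

```php
<?php
// Added example, not from the talk: the slide's ORDER BY injection and its fix.
// A column name cannot be passed as a PDO binding, so the only real defence is
// an allowlist checked before the value reaches SQL. Assumes a Laravel app
// with a `users` table; the column list below is constructed for illustration.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Validation\Rule;

// VULNERABLE: same flaw as DB::raw("select * from users order by $order desc")
// on the slide. Whatever follows ?order= is spliced verbatim into the statement,
// so the request controls far more than a column name.
function usersOrderedVulnerable(Request $request): array
{
    $order = $request->query('order', 'id');

    return DB::select("select * from users order by $order desc");
}

// Columns the client is allowed to sort by (constructed for this example).
const SORTABLE_COLUMNS = ['id', 'name', 'email', 'created_at'];

// HARDENED: reject anything not in the allowlist (the validator answers with
// a 422), then let the query builder quote the identifier itself.
function usersOrderedSafe(Request $request)
{
    $validated = $request->validate([
        'order' => ['sometimes', 'string', Rule::in(SORTABLE_COLUMNS)],
    ]);
    $column = $validated['order'] ?? 'id';

    return DB::table('users')->orderBy($column, 'desc')->get();
}

// Plain-PHP form of the same check for use outside a request cycle
// (jobs, console commands). Returns null for anything unexpected.
function sortableColumn(?string $candidate): ?string
{
    return in_array($candidate, SORTABLE_COLUMNS, true) ? $candidate : null;
}
```

Bindings protect values, not identifiers or keywords, which is why a sort column or direction taken from the request is the edge case slide 14 warns about.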

  17. Object Injection (from PHAR Deserialisation to Remote Code Execution)

  18. Quick theory lesson first

  19. Stream Wrappers in PHP
    • file:// — Accessing local filesystem
    • http:// — Accessing HTTP(s) URLs
    • ftp:// — Accessing FTP(s) URLs
    • php:// — Accessing various I/O streams
    • zlib:// — Compression Streams
    • data:// — Data (RFC 2397)
    • glob:// — Find pathnames matching pattern
    • phar:// — PHP Archive
    • ssh2:// — Secure Shell 2
    • rar:// — RAR
    • ogg:// — Audio streams
    • expect:// — Process Interaction Streams

  21. PHAR Files

  22. Complete PHP application in a single file bundle.

  23. phar:// allows reading PHP files from a PHAR bundle.

  24. Object Serialization In PHP

  25. Object -> String -> Object

  26. Example

  27. class Logger { public $file = 'log.txt'; public $data = 'testing'; public function __construct() { /* ... */ } public function switchContext() { /* ... */ } }

  28. $logger = new Logger(); print serialize($logger);

  29. O:6:"Logger":2:{s:4:"file";s:7:"log.txt";s:4:"data";s:7:"testing";}

  30. O:6:"Logger":2:{s:4:"file";s:7:"log.txt";s:4:"data";s:7:"testing";} (CLASS NAME: Logger)

  31. O:6:"Logger":2:{s:4:"file";s:7:"log.txt";s:4:"data";s:7:"testing";} (CLASS PROPERTIES: names, lengths, contents)

  32. No methods are included. (good move security wise…)

  33. Deserialised objects are automatically injected into the current application’s scope.

  34. Here comes the catch #1

  35. There are 2 magic methods that get called automatically.

  36. public function __wakeup() { /* called upon deserialisation */ } public function __destruct() { /* called before garbage collection */ }

  37. public $arg = 'id'; public function __destruct() { shell_exec($this->arg); }

  38. O:6:"Logger":1:{s:3:"arg";s:2:"id";}

  40. O:6:"Logger":1:{s:3:"arg";s:3:"h4x";}

  41. public function __destruct() { shell_exec("h4x"); }

  42. This is a so called ‘Gadget’

  43. Here’s the catch #2

  44. PHAR files can contain metadata in a serialised format

  45. Any file operation on the archive will cause the metadata to be deserialised

  46. copy, file_exists, file_get_contents, file_put_contents, file, fileatime, filectime, filegroup, fileinode, filemtime, fileowner, fileperms, filesize, filetype, fopen, is_dir, is_executable, is_file, is_link, is_readable, is_writable, lstat, mkdir, parse_ini_file, readfile, rename, rmdir, stat, touch, unlink

  48. Catch #3

  49. phar:// stream wrapper doesn’t discriminate between different filetypes

  50. 1. Take an image file. 2. Hide malicious PHAR file in it. 3. Call filesize() on it with phar://. 4. Object from PHAR metadata gets injected in application runtime. 5. Gadget kicks in on __destruct(). 

  51. Round 2 Fight!
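Defences against the phar:// deserialisation chain from slides 33 to 50, as an added example that is not from the talk or its example repository. It assumes the application itself never needs the phar wrapper at runtime; the upload directory and the callers' inputs are constructed for illustration.

```php
<?php
// Added example, not from the talk: three defences against the slides'
// "phar:// file operation -> metadata unserialize -> __destruct gadget" chain.
// Directory names and inputs are constructed for this example.

// 1. unserialize() without instantiating classes. A payload such as the slide's
//    O:6:"Logger":1:{s:3:"arg";s:3:"h4x";} becomes a __PHP_Incomplete_Class,
//    so neither __wakeup() nor __destruct() of the named class ever runs.
function safeUnserialize(string $payload)
{
    return unserialize($payload, ['allowed_classes' => false]);
}

// 2. Never hand a request-controlled string to the file functions listed on
//    slide 46. The input is joined to a fixed base directory and resolved with
//    realpath(), which does not understand stream wrappers: a phar://, php:// or
//    data:// string, or a traversal to a missing path, yields false and is
//    refused before filesize()/file_exists() could open anything.
function resolveUpload(string $uploadDir, string $userInput): ?string
{
    $base = realpath($uploadDir);
    $path = realpath($uploadDir . DIRECTORY_SEPARATOR . $userInput);
    if ($base === false || $path === false) {
        return null;
    }
    // "../" that realpath() resolved must still land inside the upload dir.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// filesize() (slide 50, step 3) only ever sees a vetted local path.
function uploadSize(string $uploadDir, string $userInput): ?int
{
    $path = resolveUpload($uploadDir, $userInput);
    return $path === null ? null : filesize($path);
}

// 3. If the application never opens PHAR archives at runtime, remove the
//    wrapper (e.g. in a service provider's boot()). Tools such as Composer run
//    from their own .phar and must keep it, so do this in the app only.
if (in_array('phar', stream_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}
```

From PHP 8.0 on, phar metadata is only unserialised on an explicit `Phar::getMetadata()` call rather than by every file operation, which is Tip #2 (do not run outdated software) in practice; the path check and `allowed_classes` still matter on any version.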

  52. Privilege Escalation

  53. Privilege Escalation: Exploiting a bug, design flaw, or configuration flaw…

  54. Privilege Escalation: …to access resources otherwise unreachable to us.

  55. Privilege Escalation: E.g. find a process that’s running as root, and exploit that.

  56. Privilege Escalation: Hijack the process execution flow, but don’t crash it.

  57. Privilege Escalation: Very few things should ever run as root on the host machine.

  58. Privilege Escalation: Artisan scheduler is certainly not one of these things.

  59. Round 3 Fight!

  60. How to not get hacked?

  61. Tip #1: Do not trust user input of any format. Validate everything. Sanitise everything.

  62. Tip #2: Do not run outdated software in production.

  63. Tip #3: Do not run code that you don’t understand in production. E.g. copy-pasting code from online tutorials.

  64. Tip #4: Follow the principle of least privilege. Both in your application, and on your production host.

  65. Tip #5: Learn to think like a hacker. And preferably the basics of hacking.

  66. Closing Words

  67. Security is not a one-time effort that you can tick off your to-do list.

  68. It’s an infinite ongoing process, and requires you to pay attention to it every single day you write or run code.

  69. “With great power comes great responsibility.” – Uncle Ben, Spiderman

  70. Thanks! Twitter: @anamus_

  71. Related Links & Materials
    • https://github.com/ambionics/phpggc
    • https://blog.ripstech.com/2018/new-php-exploitation-technique/
    • https://www.ixiacom.com/company/blog/exploiting-php-phar-deserialization-vulnerabilities-part-1
    • https://www.youtube.com/watch?v=GePBmsNJw6Y
    • Hack The Box - CronOS