How Your Laravel Application Can Get Hacked?

Transcript

1. How your Laravel application can get hacked, and how to

   prevent that from happening? Antti Rössi Laracon EU - Amsterdam 2019

2. whoami Antti Rössi Helsinki, Finland CTO, Partner @ Jobilla Oy

   During daytime I’m building a digital software product. During night-time I hack software in order to make it more secure. (CTFs, pentesting, bug bounties, reversing…) @anamus_

3. Faith of our users is in our hands (as developers

   and admins) @anamus_

4. Hack yourself first (before someone else does) @anamus_

5. None

6. !! Disclaimer !! All material and examples in this talk

   are for educational use only. The term ‘hacking’ in this presentation refers to ‘ethical hacking’ and should not be confused with ‘black hat hacking’, meaning attacking or attempting to attack any application, systems or network unauthorized. Hacking or attempting to hack anything you don’t own is by default illegal. Doing so will eventually get you in jail. Please act responsibly. I as the author is this presentation, nor any author of the tools used in this presentation shall not be responsible for any individual performing illegal actions with the tools or methods used in this presentation. The intent of this presentation and of all the demonstrations involved, is to help professional software developers to write more secure software. @anamus_

7. Where can I practise this then? @anamus_

8. Download the examples (Link to Github in my Twitter, @anamus_)

   @anamus_

9. @anamus_

10. SQL Injection (there’s also a NoSQL injection…) @anamus_

11. SQL Injection Attacker injects malicious SQL queries into an HTTP

    request. @anamus_

12. SQL Injection Can lead to a full disclosure of the

    DB content when successful. @anamus_

13. DB::"raw("select * from users order by $order desc"); @anamus_

14. SQL Injection Certain edge cases can be very hard to

    spot in code reviews. @anamus_

15. SQL Injection Easy to test & exploit with proper tooling.

    @anamus_

16. Round 1 Fight! @anamus_

17. Object Injection (from PHAR Deserialisation to Remote Code Execution) @anamus_

18. Quick theory lesson first @anamus_

19. Stream Wrappers in PHP file:// — Accessing local filesystem http://

    — Accessing HTTP(s) URLs ftp:// — Accessing FTP(s) URLs php:// — Accessing various I/O streams zlib:// — Compression Streams data:// — Data (RFC 2397) glob:// — Find pathnames matching pattern phar:// — PHP Archive ssh2:// — Secure Shell 2 rar:// — RAR ogg:// — Audio streams expect:// — Process Interaction Streams @anamus_

20. Stream Wrappers in PHP file:// — Accessing local filesystem http://

    — Accessing HTTP(s) URLs ftp:// — Accessing FTP(s) URLs php:// — Accessing various I/O streams zlib:// — Compression Streams data:// — Data (RFC 2397) glob:// — Find pathnames matching pattern phar:// — PHP Archive ssh2:// — Secure Shell 2 rar:// — RAR ogg:// — Audio streams expect:// — Process Interaction Streams @anamus_

21. PHAR Files @anamus_

22. Complete PHP application in a single file bundle. @anamus_

23. phar:// allows reading PHP files from a PHAR bundle. @anamus_

24. Object Serialization In PHP @anamus_

25. Object ->" String ->" Object @anamus_

26. Example @anamus_

27. class Logger { public $file = 'log.txt'; public $data =

    'testing'; public function __construct() { // ... } public function switchContext() { // ... } } @anamus_

28. $logger = new Logger(); print serialize($logger); @anamus_

29. O:6:"Logger":2:{s:4:"file";s: 7:"log.txt";s:4:"data";s:7:"testing";} @anamus_

30. O:6:"Logger":2:{s:4:"file";s: 7:"log.txt";s:4:"data";s:7:"testing";} CLASS NAME @anamus_

31. O:6:"Logger":2:{s:4:"file";s: 7:"log.txt";s:4:"data";s:7:"testing";} CLASS PROPERTIES (names, lengths, contents) @anamus_

32. No methods are included. (good move security wise…) @anamus_

33. Deserialised objects are automatically injected into the current application’s scope.

    @anamus_

34. Here comes the catch #1 @anamus_

35. There are 2 magic methods that get called automatically. @anamus_

36. public function __wakeup() { // called upon deserialisation } public

    function __destruct() { // called before garbage collection } @anamus_

37. public $arg = 'id'; public function __destruct() { shell_exec($this->%arg); }

    @anamus_

38. O:6:"Logger":1:{s:3:"arg";s:2:"id";} @anamus_

39. O:6:"Logger":1:{s:3:"arg";s:2:"id";} @anamus_

40. O:6:"Logger":1:{s:3:"arg";s:3:"h4x";} @anamus_

41. public function __destruct() { shell_exec(“h4x"); } @anamus_

42. This is a so called ‘Gadget’ @anamus_

43. Here’s the catch #2 @anamus_

44. PHAR files can contain metadata in a serialised format @anamus_

45. Any file operation on the archive will cause the meta

    data to be deserialised @anamus_

46. copy file_exists file_get_contents file_put_contents file fileatime filectime filegroup fileinode filemtime

    fileowner fileperms filesize filetype fopen is_dir is_executable is_file is_link is_readable is_writable lstat mkdir parse_ini_file readfile rename rmdir stat touch unlink @anamus_

47. copy file_exists file_get_contents file_put_contents file fileatime filectime filegroup fileinode filemtime

    fileowner fileperms filesize filetype fopen is_dir is_executable is_file is_link is_readable is_writable lstat mkdir parse_ini_file readfile rename rmdir stat touch unlink @anamus_

48. Catch #3 @anamus_

49. phar:// stream wrapper doesn’t discriminate between different filetypes @anamus_

50. 1. Take an image file 2. Hide malicious PHAR file

    in it 3. Call filesize() on it with phar:// 4. Object from PHAR metadata gets injected in application runtime 5. Gadget kicks in on __destruct() @anamus_

51. Round 2 Fight! @anamus_

52. Privilege Escalation @anamus_

53. Privilege Escalation Exploiting a bug, design flaw, or configuration flaw…

    @anamus_

54. Privilege Escalation …to access resources otherwise unreachable to us. @anamus_

55. Privilege Escalation Eg. find a process that’s running as root,

    and exploit that. @anamus_

56. Privilege Escalation Hijack the process execution flow, but don’t crash

    it. @anamus_

57. Privilege Escalation Very few things should ever run as root

    on the host machine. @anamus_

58. Privilege Escalation Artisan scheduler is certainly not one of these

    things. @anamus_

59. Round 3 Fight! @anamus_

60. How to not get hacked? @anamus_

61. Tip #1 Do not trust user input of any format.

    Validate everything. Sanitise everything. @anamus_

62. Tip #2 Do not run outdated software in production. @anamus_

63. Tip #3 Do not run code that you don’t understand

    in production. Eg. copy-pasting code from online tutorials. @anamus_

64. Tip #4 Follow the principle of least privilege. Both in

    your application, and on your production host. @anamus_

65. Tip #5 Learn to think like a hacker. And preferably

    the basics of hacking. @anamus_

66. Closing Words @anamus_

67. Security is not a one- time effort that you can

    tick off your to-do list. @anamus_

68. It’s an infinite ongoing process, and requires you to pay

    attention to it every single day you write or run code. @anamus_

69. –Uncle Ben, Spiderman “With great power comes great responsibility.” @anamus_

70. Thanks! Twitter: anamus_ @anamus_

71. Related Links & Materials @anamus_ •https://github.com/ambionics/phpggc •https://blog.ripstech.com/2018/new-php-exploitation-technique/ •https://www.ixiacom.com/company/blog/exploiting-php-phar- deserialization-vulnerabilities-part-1 •https://www.youtube.com/watch?v=GePBmsNJw6Y

    •Hack The Box - CronOS