How Your PHP Application Can Get Hacked, And How To Prevent That From Happening?

How your PHP application can get hacked, and how to
prevent that from happening? Antti Rössi PHPCon Poland 2019

whoami Antti Rössi @anamus_ Helsinki, Finland CTO, Partner @ Jobilla
Oy OSCP Certified Pentester During daytime I’m building a digital software product. During night-time I hack software in order to make it more secure. (CTFs, pentesting, bug bounties, reversing…)

Faith of our users is in our hands (as developers
and admins)

Our users, clients and employers expect that the applications we
write are secure.

Hackers love edge cases and quirks of our technologies.

“How can I break this application in ways that the
developers never even thought of…?”

We as developers need to know about these quirks and
oddities.

Hack yourself first (before someone else does)

!! Disclaimer !! All material and examples in this talk
are for educational use only. The term ‘hacking’ in this presentation refers to ‘ethical hacking’ and should not be confused with ‘black hat hacking’, meaning attacking or attempting to attack any application, systems or network unauthorised. Hacking or attempting to hack anything you don’t own is by default illegal. Doing so will eventually get you in jail. Please act responsibly. I as the author is this presentation, nor any author of the tools used in this presentation shall not be responsible for any individual performing illegal actions with the tools or methods used in this presentation. The intent of this presentation and of all the demonstrations involved, is to help professional software developers to write more secure software. @anamus_

Where can I practise hacking then? @anamus_

Download the examples (Link to Github in my Twitter, @anamus_)
@anamus_

@anamus_

SQL Injection (there’s also a NoSQL injection…) @anamus_

Attacker injects malicious SQL queries into an HTTP request. @anamus_
SQL Injection

SQL Injection Can lead to a full disclosure of the
DB content when successful. @anamus_

DB::"raw("select * from users order by $order desc"); @anamus_

Certain edge cases can be very hard to spot in
code reviews. @anamus_ SQL Injection

Biggest danger however usually lies within our attitude. @anamus_ SQL
Injection

“You’d have to enumerate this completely blind, there aren’t even
errors returned. Not doable.” @anamus_ SQL Injection

“It would take a person ages to manually get anything
out of this ‘theoretical’ vulnerability.” @anamus_ SQL Injection

Easy to test & exploit with proper tooling. @anamus_ SQL
Injection

Round 1 Fight! @anamus_

Object Injection (from PHAR Deserialisation to Remote Code Execution) @anamus_

Quick theory lesson first @anamus_ Object Injection

Stream Wrappers in PHP file:// — Accessing local filesystem http://
— Accessing HTTP(s) URLs ftp:// — Accessing FTP(s) URLs php:// — Accessing various I/O streams zlib:// — Compression Streams data:// — Data (RFC 2397) glob:// — Find pathnames matching pattern phar:// — PHP Archive ssh2:// — Secure Shell 2 rar:// — RAR ogg:// — Audio streams expect:// — Process Interaction Streams @anamus_ Object Injection

PHAR Files @anamus_ Object Injection

Complete PHP application in a single file bundle. @anamus_ Object
Injection

phar:// allows reading PHP files from a PHAR bundle. @anamus_
Object Injection

Object Serialization In PHP @anamus_ Object Injection

Object ->" String ->" Object @anamus_ Object Injection

Example @anamus_ Object Injection

class Logger { public $file = 'log.txt'; public $data =
'testing'; public function __construct() { // ... } public function switchContext() { // ... } } @anamus_

$logger = new Logger(); print serialize($logger); @anamus_

O:6:"Logger":2: {s:4:"file";s:7:"log.txt";s:4 :"data";s:7:"testing";} @anamus_ Object Injection

O:6:"Logger":2: {s:4:"file";s:7:"log.txt";s:4 :"data";s:7:"testing";} CLASS NAME @anamus_ Object Injection

O:6:"Logger":2: {s:4:"file";s:7:"log.txt";s:4 :"data";s:7:"testing";} CLASS PROPERTIES (names, lengths, contents) @anamus_ Object
Injection

No methods are included. (good move security wise…) @anamus_ Object
Injection

Deserialised objects are automatically injected into the current application’s scope.
@anamus_ Object Injection

@anamus_ Here’s the catch #1 Object Injection

There are 2 magic methods that get called automatically. @anamus_
Object Injection

public function __wakeup() { // called upon deserialisation } public
function __destruct() { // called before garbage collection } @anamus_

public $arg = 'id'; public function __destruct() { system($this->%arg); }
@anamus_

O:6:"Logger":1: {s:3:"arg";s:2:"id";} @anamus_ Object Injection

O:6:"Logger":1: {s:3:"arg";s:3:"h4x";} @anamus_ Object Injection

public function __destruct() { system(“h4x”); } @anamus_ Object Injection

This is a so called ‘Gadget’ @anamus_ Object Injection

Here’s the catch #2 @anamus_ Object Injection

PHAR files can contain metadata in a serialised format @anamus_
Object Injection

Any file operation on the archive will cause the meta
data to be deserialised @anamus_ Object Injection

copy file_exists file_get_contents file_put_contents file fileatime filectime filegroup fileinode filemtime
fileowner fileperms filesize filetype fopen is_dir is_executable is_file is_link is_readable is_writable lstat mkdir parse_ini_file readfile rename rmdir stat touch unlink @anamus_ Object Injection

Catch #3 @anamus_ Object Injection

phar:// stream wrapper doesn’t discriminate between different filetypes @anamus_ Object
Injection

1. Take an image file 2. Hide malicious PHAR file
in it 3. Call filesize() on it with phar:// 4. Object from PHAR metadata gets injected in application runtime 5. Gadget kicks in on __destruct() @anamus_ Object Injection

Privilege Escalation @anamus_

Exploiting a bug, design flaw, or configuration flaw… @anamus_ Privilege
Escalation

Privilege Escalation …to access resources otherwise unreachable to us. @anamus_

Eg. find a process that’s running as root, and exploit
that. @anamus_ Privilege Escalation

Hijack the process execution flow, but don’t crash it. @anamus_
Privilege Escalation

Very few things should ever run as root on the
host machine. @anamus_ Privilege Escalation

Your scheduler or queue processes are certainly not one of
these things. @anamus_ Privilege Escalation

How to not get hacked? @anamus_

Tip #1 Do not trust user input of any format.
Validate everything. Sanitise everything. @anamus_

Tip #2 Do not run outdated software in production. @anamus_

Tip #3 Do not run code that you don’t understand
in production. Eg. copy-pasting code from online tutorials. @anamus_

Tip #4 Follow the principle of least privilege. Both in
your application, and on your production host. @anamus_

Tip #5 Learn to think like a hacker. And preferably
the basics of hacking. @anamus_

Closing Words @anamus_

Security is not a one- time effort that you can
tick off your to-do list. @anamus_

It’s an infinite ongoing process, and requires you to pay
attention to it every single day you write or run code. @anamus_

–Uncle Ben, Spiderman “With great power comes great responsibility.” @anamus_

Thanks! Twitter: anamus_ @anamus_

Related Links & Materials •https://github.com/ambionics/phpggc •https://blog.ripstech.com/2018/new-php- exploitation-technique/ •https://www.ixiacom.com/company/blog/exploiting- php-phar-deserialization-vulnerabilities-part-1 •https://www.youtube.com/watch?v=GePBmsNJw6Y
•Hack The Box - CronOS @anamus_

How Your PHP Application Can Get Hacked, And Ho...

How Your PHP Application Can Get Hacked, And How To Prevent That From Happening?

More Decks by Antti Rössi

Other Decks in Programming

Featured

Transcript