How Your PHP Application Can Get Hacked, And How To Prevent That From Happening?

You’ve probably heard about the likes of XSS, CSRF, SQL Injection, RCE, Man-in-the-middle attack, and LFI. Very few of the developers out there have witnessed first-hand what exploiting any of the mentioned vulnerabilities looks like, and therefore don’t necessarily realize what the possible implications of being hacked can be. In this talk, we’ll exploit some commonly known vulnerabilities and misconfigurations that can occur to a PHP (Laravel) application running on a Linux-based host. By learning to think like a hacker you’ll be able to develop more secure applications with Laravel, and to keep yourself, your clients, and your users' data safe.

Antti Rössi

November 16, 2019
Transcript

  1. How your PHP application can get hacked, and how to prevent that from happening? Antti Rössi, PHPCon Poland 2019

  2. whoami: Antti Rössi, @anamus_, Helsinki, Finland. CTO, Partner @ Jobilla Oy. OSCP Certified Pentester. During daytime I’m building a digital software product. During night-time I hack software in order to make it more secure. (CTFs, pentesting, bug bounties, reversing…)

  3. Faith of our users is in our hands (as developers and admins)

  4. Our users, clients and employers expect that the applications we write are secure.

  5. Hackers love edge cases and quirks of our technologies.

  6. “How can I break this application in ways that the developers never even thought of…?”

  7. We as developers need to know about these quirks and oddities.

  8. Hack yourself first (before someone else does)

  9. None

  10. !! Disclaimer !! All material and examples in this talk are for educational use only. The term ‘hacking’ in this presentation refers to ‘ethical hacking’ and should not be confused with ‘black hat hacking’, meaning attacking or attempting to attack any application, system or network unauthorised. Hacking or attempting to hack anything you don’t own is by default illegal. Doing so will eventually get you in jail. Please act responsibly. Neither I as the author of this presentation, nor any author of the tools used in this presentation, shall be responsible for any individual performing illegal actions with the tools or methods used in this presentation. The intent of this presentation and of all the demonstrations involved is to help professional software developers to write more secure software.

  11. Where can I practise hacking then?

  12. Download the examples (Link to Github in my Twitter, @anamus_)

  14. SQL Injection (there’s also a NoSQL injection…)

  15. SQL Injection: attacker injects malicious SQL queries into an HTTP request.

  16. SQL Injection can lead to a full disclosure of the DB content when successful.

  17. DB::raw("select * from users order by $order desc");

  18. Certain edge cases can be very hard to spot in code reviews.

  19. Biggest danger however usually lies within our attitude.

  20. “You’d have to enumerate this completely blind, there aren’t even errors returned. Not doable.”

  21. “It would take a person ages to manually get anything out of this ‘theoretical’ vulnerability.”

  22. Easy to test & exploit with proper tooling.

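Added example, not code from the talk or its GitHub repository: the `DB::raw` pattern from slide 17 next to a hardened version of the same sort endpoint. It assumes a stock Laravel application (the `Illuminate` DB and Request classes); the `users` table and the column names in the allow-list are made up for the demo. It goes one step beyond the slide by also showing a bound parameter for the WHERE case, because ORDER BY is the one place where bindings cannot help and an allow-list of identifiers is the only fix.

```php
<?php
// Added example (not the talk's own code). Assumes a Laravel application:
// Illuminate\Support\Facades\DB and a "users" table with the columns listed
// in $allowedColumns, all of which are made up for the demo.

use Illuminate\Http\Request;
use Illuminate\Support\Collection;
use Illuminate\Support\Facades\DB;

// VULNERABLE (the slide's pattern): whatever the client sent in ?order=
// becomes part of the SQL text. ORDER BY takes an identifier, so it cannot
// be passed as a bound parameter, and nothing stops the value from being an
// arbitrary SQL expression that the database will happily evaluate.
function usersSortedUnsafe(Request $request): Collection
{
    $order = $request->query('order', 'id');

    return DB::table('users')
        ->orderBy(DB::raw($order), 'desc')
        ->get();
}

// HARDENED: the column is checked against an allow-list of known identifiers
// before it gets anywhere near the query, and the direction is limited to
// two literals. Anything else fails validation (HTTP 422), not the query.
function usersSortedSafe(Request $request): Collection
{
    $allowedColumns = ['id', 'name', 'email', 'created_at'];

    $validated = $request->validate([
        'order'     => ['nullable', 'string', 'in:' . implode(',', $allowedColumns)],
        'direction' => ['nullable', 'string', 'in:asc,desc'],
    ]);

    $order     = $validated['order'] ?? 'id';
    $direction = $validated['direction'] ?? 'desc';

    // A plain string column is quoted as an identifier by the grammar; the
    // allow-list above is what guarantees it is one of ours.
    return DB::table('users')
        ->orderBy($order, $direction)
        ->get();
}

// Where the user input is a *value* rather than an identifier, use bindings:
// the driver sends the value separately from the SQL text, so it is never
// parsed as SQL. This is the general fix; ORDER BY is the exception above.
function findUserByEmail(string $email): ?object
{
    $rows = DB::select('select * from users where email = ? limit 1', [$email]);

    return $rows[0] ?? null;
}
```

The slide's point about code review applies to the first function: `orderBy()` with a `DB::raw()` argument looks like idiomatic query-builder code and is easy to wave through, while the fix is not "escape the string" but "never let the string be an identifier at all".
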
  23. Round 1 Fight!

  24. Object Injection (from PHAR Deserialisation to Remote Code Execution)

  25. Quick theory lesson first

  26. Stream Wrappers in PHP: file:// — Accessing local filesystem; http:// — Accessing HTTP(s) URLs; ftp:// — Accessing FTP(s) URLs; php:// — Accessing various I/O streams; zlib:// — Compression Streams; data:// — Data (RFC 2397); glob:// — Find pathnames matching pattern; phar:// — PHP Archive; ssh2:// — Secure Shell 2; rar:// — RAR; ogg:// — Audio streams; expect:// — Process Interaction Streams

  28. PHAR Files

  29. Complete PHP application in a single file bundle.

  30. phar:// allows reading PHP files from a PHAR bundle.

  31. Object Serialization In PHP

  32. Object -> String -> Object

  33. Example

  34. class Logger {
        public $file = 'log.txt';
        public $data = 'testing';
        public function __construct() {
          // ...
        }
        public function switchContext() {
          // ...
        }
      }

  35. $logger = new Logger(); print serialize($logger);

  36. O:6:"Logger":2:{s:4:"file";s:7:"log.txt";s:4:"data";s:7:"testing";}

  37. O:6:"Logger":2:{s:4:"file";s:7:"log.txt";s:4:"data";s:7:"testing";} CLASS NAME

  38. O:6:"Logger":2:{s:4:"file";s:7:"log.txt";s:4:"data";s:7:"testing";} CLASS PROPERTIES (names, lengths, contents)

  39. No methods are included. (good move security wise…)

  40. Deserialised objects are automatically injected into the current application’s scope.

  41. Here’s the catch #1

  42. There are 2 magic methods that get called automatically.

  43. public function __wakeup() {
        // called upon deserialisation
      }
      public function __destruct() {
        // called before garbage collection
      }

  44. public $arg = 'id';
      public function __destruct() { system($this->arg); }

  45. O:6:"Logger":1:{s:3:"arg";s:2:"id";}

  47. O:6:"Logger":1:{s:3:"arg";s:3:"h4x";}

  48. public function __destruct() { system("h4x"); }

  49. This is a so called ‘Gadget’
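
Added example, not code from the talk: a `Logger` with the same shape as slides 34 to 48, and the three ways the deserialising side can be hardened so that a gadget never fires on attacker-controlled input. The `__destruct` here only reports what it would have done instead of calling `system()`, so the file is safe to run locally; the serialised payload is the one printed on slide 36, and the JSON shape in the last function is a constructed assumption. Needs PHP 8.0 or later for the `mixed` return type.

```php
<?php
// Added example, not code from the talk. Same shape as the slides' Logger,
// but __destruct only reports what it would have done instead of calling
// system(), so the file is safe to run locally. Needs PHP 8.0+ (mixed type).

class Logger
{
    public string $file = 'log.txt';
    public string $data = 'testing';

    public function __destruct()
    {
        // On the slides this is system($this->arg): a deserialised instance
        // runs whatever its attacker-chosen property holds. Here: echo only.
        echo "Logger::__destruct ran for file={$this->file}\n";
    }
}

// 1. Untrusted bytes: deserialise with class instantiation switched off.
//    Any O:...:{...} record becomes a __PHP_Incomplete_Class, which has no
//    __wakeup/__destruct, so no gadget can fire. Scalars and arrays still work.
function deserialiseUntrusted(string $payload): mixed
{
    return unserialize($payload, ['allowed_classes' => false]);
}

// 2. Your own round-tripped objects: allow-list exactly the classes you expect.
//    This only helps if the listed classes (and everything reachable from
//    their properties) have no dangerous magic methods; Logger above does,
//    so this variant is shown for contrast, not as the recommended path.
function deserialiseTrusted(string $payload): mixed
{
    return unserialize($payload, ['allowed_classes' => [Logger::class]]);
}

// 3. Anything crossing a trust boundary: use a data-only format and rebuild
//    the object yourself, validating each field. The JSON shape is assumed.
function loggerFromJson(string $json): Logger
{
    $raw = json_decode($json, true, 512, JSON_THROW_ON_ERROR);

    $logger = new Logger();
    // Constructed rule for the demo: only a bare file name, no directories.
    $logger->file = basename((string) ($raw['file'] ?? 'log.txt'));
    $logger->data = (string) ($raw['data'] ?? '');

    return $logger;
}

// Constructed payload in the exact format shown on slide 36.
$payload = 'O:6:"Logger":2:{s:4:"file";s:7:"log.txt";s:4:"data";s:7:"testing";}';

$incomplete = deserialiseUntrusted($payload);
var_dump($incomplete instanceof __PHP_Incomplete_Class);
// $incomplete going out of scope triggers nothing: no real class, no gadget.

$trusted = deserialiseTrusted($payload);
var_dump($trusted instanceof Logger);
// $trusted is a real Logger, so its __destruct will run at the end of the
// script: that is the behaviour you accept by allow-listing the class.

$rebuilt = loggerFromJson('{"file":"../../etc/app.log","data":"hello"}');
var_dump($rebuilt->file);
```

Running it, the first `var_dump` is `true` and no destructor output appears for `$incomplete`, while `$trusted` is a live `Logger` whose destructor prints at shutdown; the JSON path strips the directory part and keeps only `app.log`. The `allowed_classes` option has existed since PHP 7.0, so there is no version reason to call bare `unserialize()` on request data.
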

  50. Here’s the catch #2

  51. PHAR files can contain metadata in a serialised format

  52. Any file operation on the archive will cause the metadata to be deserialised

  53. copy file_exists file_get_contents file_put_contents file fileatime filectime filegroup fileinode filemtime fileowner fileperms filesize filetype fopen is_dir is_executable is_file is_link is_readable is_writable lstat mkdir parse_ini_file readfile rename rmdir stat touch unlink

  55. Catch #3

  56. phar:// stream wrapper doesn’t discriminate between different filetypes

  57. 1. Take an image file
      2. Hide malicious PHAR file in it
      3. Call filesize() on it with phar://
      4. Object from PHAR metadata gets injected in application runtime
      5. Gadget kicks in on __destruct()

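Added example, not code from the talk: the defender's side of slides 51 to 57. It guards the file-system calls listed on slide 53 when the path originates in a request, so that no stream wrapper from slide 26 (`phar://`, `php://`, `data:`, and the rest) and no traversal ever reaches `filesize()`. The upload directory, the `avatar.jpg` file and the rejected inputs are constructed demo data; `stream_wrapper_unregister('phar')` is a real PHP function and an assumption about the app, namely that it never legitimately opens PHAR archives. Needs PHP 8.0 or later for `str_contains` and `str_starts_with`.

```php
<?php
// Added example, not code from the talk. Guards the file-system calls from
// slide 53 when the path comes from a request, so that no stream wrapper
// (phar://, php://, data:, ...) ever reaches them. Needs PHP 8.0+ for
// str_contains/str_starts_with. The upload directory is a demo assumption.

// Defence in depth at bootstrap: if the app never opens PHAR archives, remove
// the wrapper so "phar://..." cannot resolve at all, whatever slips through.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

/**
 * Map a user-supplied file name to a real path inside $baseDir, or throw.
 * Rejects NUL bytes, anything with a URL scheme, directory components and
 * symlinks that resolve outside the base directory.
 */
function resolveUploadPath(string $baseDir, string $userFile): string
{
    if (str_contains($userFile, "\0")) {
        throw new InvalidArgumentException('NUL byte in file name');
    }
    // Any "scheme:" prefix, which covers every stream wrapper on slide 26.
    if (preg_match('~^[a-z][a-z0-9+.\-]*:~i', $userFile)) {
        throw new InvalidArgumentException('Stream wrappers are not allowed');
    }
    // A bare file name only: "../x", "sub/x" and "/etc/x" all fail this.
    if (basename($userFile) !== $userFile) {
        throw new InvalidArgumentException('Path components are not allowed');
    }

    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userFile);
    if ($base === false || $full === false
        || !str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        throw new InvalidArgumentException('File not found in upload directory');
    }

    return $full;
}

// The file operation happens only on a vetted, absolute, local path.
function uploadSize(string $baseDir, string $userFile): int
{
    return filesize(resolveUploadPath($baseDir, $userFile));
}

// Constructed demo data: a temp upload directory holding one image.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads-demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
file_put_contents($dir . DIRECTORY_SEPARATOR . 'avatar.jpg', str_repeat('x', 1024));

echo 'avatar.jpg: ', uploadSize($dir, 'avatar.jpg'), " bytes\n";

// Constructed bad inputs: wrapper prefix, traversal, NUL truncation, missing.
foreach (['phar://avatar.jpg', '../avatar.jpg', "avatar.jpg\0.png", 'missing.jpg'] as $bad) {
    try {
        uploadSize($dir, $bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', json_encode($bad), ': ', $e->getMessage(), "\n";
    }
}
```

The order of the checks matters: the NUL test comes first because PHP 8 path functions raise a `ValueError` on embedded NUL bytes, which would bypass the `InvalidArgumentException` handling. One caveat on scope: since PHP 8.0 the `phar://` wrapper no longer unserialises archive metadata on ordinary file operations (only `Phar::getMetadata()` does), which removes the exact trigger from slide 57 on current releases; the path checks still matter, because the same user-controlled path reaches every other wrapper on slide 26 and plain directory traversal.
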
  58. Round 2 Fight!

  59. Privilege Escalation

  60. Exploiting a bug, design flaw, or configuration flaw…

  61. …to access resources otherwise unreachable to us.

  62. Eg. find a process that’s running as root, and exploit that.

  63. Hijack the process execution flow, but don’t crash it.

  64. Very few things should ever run as root on the host machine.

  65. Your scheduler or queue processes are certainly not one of these things.

  66. Round 3 Fight!

  67. How to not get hacked?

  68. Tip #1: Do not trust user input of any format. Validate everything. Sanitise everything.

  69. Tip #2: Do not run outdated software in production.

  70. Tip #3: Do not run code that you don’t understand in production. Eg. copy-pasting code from online tutorials.

  71. Tip #4: Follow the principle of least privilege. Both in your application, and on your production host.

  72. Tip #5: Learn to think like a hacker. And preferably the basics of hacking.

  73. Closing Words

  74. Security is not a one-time effort that you can tick off your to-do list.

  75. It’s an infinite ongoing process, and requires you to pay attention to it every single day you write or run code.

  76. “With great power comes great responsibility.” –Uncle Ben, Spiderman

  77. Thanks! Twitter: @anamus_

  78. Related Links & Materials
      • https://github.com/ambionics/phpggc
      • https://blog.ripstech.com/2018/new-php-exploitation-technique/
      • https://www.ixiacom.com/company/blog/exploiting-php-phar-deserialization-vulnerabilities-part-1
      • https://www.youtube.com/watch?v=GePBmsNJw6Y
      • Hack The Box - CronOS