Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking ExpressionEngine

Df40690d0b5dcb50296682356bc4a0e6?s=47 lowell kitchen
October 16, 2012
Technology
3
1.2k

Hacking ExpressionEngine

Df40690d0b5dcb50296682356bc4a0e6?s=128

lowell kitchen

October 16, 2012
Tweet

Other Decks in Technology

See All in Technology
hey BOOK
69f5ab96892df4d8cbe32189f2ed2d9d?s=48 heyinc
26
290k
JAWS-UG 朝会 #36 登壇資料
08dd0b93e011904f40d60d5a1b54c671?s=48 takakuni
1
500
GCCP Creator @ COSCUP 2022
2102a6b8760bd6f57f672805723dd83a?s=48 line_developers_tw
PRO
0
1.4k
サイバー攻撃を想定したクラウドネイティブセキュリティガイドラインとCNAPP及びSecurity Observabilityの未来
D9130a0952480278c7f44527c6989da7?s=48 syoshie
1
790
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
3115a782126be714b5f94d24073c957d?s=48 oracle4engineer
PRO
10
19k
Trusted Web プロトタイプ
525442fc70ca92f82ae503f826956137?s=48 finengine
0
310
DMMプラットフォーム ゼロから始めるKubernetes運用 課題と改善
F91225895fc7411d415604147af75cab?s=48 pospome
0
380
SBOMを利用したソフトウェアサプライチェーンの保護
45b7a05a1056c10d70bc4caa77d1b2c9?s=48 masahiro331
0
150
Azure DevOps Online Vol.6 - 業務で必要なCIをみんなで考えよう
10be5c6d7c18735c1169520e55e15214?s=48 kkamegawa
0
230
Software de Colombia para el mundo
02c817926d446faab88b0202be4391eb?s=48 tiangolo
0
970
CloudWatchアラームによるサービス継続のための監視入門 / Introduction to Monitoring for Service Continuity with CloudWatch Alarms
107ea34bd4da51e40f1c30b9ca0c459e?s=48 inomasosan
1
390
Microsoft Data Analytics trends : ”Lakehouse” , ”Data Mesh"
0d7a3b61c5c1f64a50136cf4bb5702b7?s=48 ryomaru0825
2
100

Featured

See All Featured
How GitHub Uses GitHub to Build GitHub
78b475797a14c84799063c7cd073962f?s=48 holman
465
280k
Mobile First: as difficult as doing things right
0fe2973fa8d27d96547e43322341183a?s=48 swwweet
213
7.5k
StorybookのUI Testing Handbookを読んだ
50fc0fdc2327ecbe7350645812de52e3?s=48 zakiyama
5
2.5k
How to Ace a Technical Interview
2f5463832ccb768ccb4a1ca3607c27ef?s=48 jacobian
266
21k
The World Runs on Bad Software
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
57
5.4k
10 Git Anti Patterns You Should be Aware of
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
638
52k
WebSockets: Embracing the real-time Web
E76911cbe088e5b850d966de3fc7435b?s=48 robhawkes
57
5.5k
Clear Off the Table
Ef32e0b1ac5082450dc8c1fca3a26b5c?s=48 cherdarchuk
79
290k
VelocityConf: Rendering Performance Case Studies
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
316
22k
Practical Orchestrator
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
178
8.7k
Streamline your AJAX requests with AmplifyJS and jQuery
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
127
8.5k
Statistics for Hackers
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
782
210k

Transcript

  1. © 2012 Blue State Digital 1 Hacking ExpressionEngine the good,

    the bad{ass}, and the ugly. @lowellkitchen, senior software engineer, blue state digital

  2. © 2012 Blue State Digital but first, a disclaimer* 2

    | [root@eeciconf]$

  3. © 2012 Blue State Digital 3 hack responsibly. don’t let

    stupid takeover!

  4. © 2012 Blue State Digital 4 why hack the core?

    [root@eeciconf]$ |

  5. © 2012 Blue State Digital 5 5 fix a critical

    bug [root@eeciconf]$ [root@eeciconf]$ [root@eeciconf]$ | [root@eeciconf]$

  6. © 2012 Blue State Digital 6 maintain the hack [root@eeciconf]$

    [root@eeciconf]$ [root@eeciconf]$ |

  7. © 2012 Blue State Digital 7 a look at a

    few core hacks [root@eeciconf]$ |

  8. © 2012 Blue State Digital 8 8 prior to version

    1.6.6 8 [root@eeciconf]$ [root@eeciconf]$ [root@eeciconf]$ |

  9. © 2012 Blue State Digital 9 9 mysql –u root

    change.gov 9 [root@eeciconf]$

  10. © 2012 Blue State Digital 10

  11. © 2012 Blue State Digital 11 11 11 emacs core.template.php

    11 [root@eeciconf]$

  12. © 2012 Blue State Digital 12 $DB->query("UPDATE exp_templates SET hits

    = '".$this- >template_hits."' WHERE template_id = '".$DB- >escape_str($query->row['template_id'])."'"); //

  13. © 2012 Blue State Digital 13

  14. © 2012 Blue State Digital 14 14 the post_parse_template hack

    14 [root@eeciconf]$ |

  15. © 2012 Blue State Digital 15 15 mv index.php ee.php

    15 [root@eeciconf]$ [root@eeciconf]$

  16. © 2012 Blue State Digital 16 <?php // include the

    core EE index.php file // and capture all output from EE // using output buffering require_once $_SERVER['DOCUMENT_ROOT'] . ”/ee.php”; $page = ob_get_contents(); ob_end_clean(); //$EE super object is also available //if you want to use it $EE =& get_instance(); //add our stuff to the parsed EE page try{ $pageRendererFactory = new Blue_PageRenderer_Factory(); echo $pageRendererFactory->create($page)->render(); } catch(Blue_Html_Exception $e){ echo $page; }

  17. © 2012 Blue State Digital 17 [root@eeciconf]$ |

  18. © 2012 Blue State Digital 18 18 18 emacs config.php

    18 [root@eeciconf]$

  19. © 2012 Blue State Digital 19 <? var $dateTime =

    new DateTime(); $dateTime->setTimezone(new DateTimeZone(‘America/New_York’)); $dateTime->setTimestamp(time()); $isDst = (bool)$dateTime->format(‘I’) ? "y" : "n"; $config['daylight_savings'] = $isDst;

  20. © 2012 Blue State Digital 20 20 20 a few

    other notable hacks 20 [root@eeciconf]$

  21. © 2012 Blue State Digital 21 [root@eeciconf]$ [root@eeciconf]$ [root@eeciconf]$

  22. © 2012 Blue State Digital 22 attacking ExpressionEngine [root@eeciconf]$ |

  23. © 2012 Blue State Digital 23 23 [root@eeciconf]$ [root@eeciconf]$ |

    [root@eeciconf]$

  24. © 2012 Blue State Digital 24 sql injection [root@eeciconf]$ “SQL

    injection attacks are a type of injection attack, in which SQL commands are injected into input in order to effect the execution of predefined SQL commands.” https://www.owasp.org/index.php/SQL_Injection

  25. © 2012 Blue State Digital 25 SELECT * FROM exp2_channel_titles

    WHERE url_title=‘$url_title’ $url_title= ”eeci2012'; DELETE FROM exp2_channel_titles;#”; SELECT * FROM exp2_channel_titles WHERE url_title=‘eeci2012'; DELETE FROM exp2_channel_titles;#’

  26. © 2012 Blue State Digital 26 [root@eeciconf]$

  27. © 2012 Blue State Digital 27 [root@eeciconf]$

  28. © 2012 Blue State Digital 28 28 [root@eeciconf]$

  29. © 2012 Blue State Digital 29 $url_title = ”eeci2012'''''''''''''union select

    username, password, salt, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27 from exp2_members #"; select * from exp2_channel_titles where url_title = 'eeci2012'''''''''''''union select username, password, salt, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27 from exp2_members #’ [root@eeciconf]$

  30. © 2012 Blue State Digital 30 UPDATE exp_members set password

    = ‘$new_password’ WHERE username = ‘$username’ UPDATE exp_members set password = ‘$new_password’ WHERE 'lowell''''''''''''' or username like '%admin%' [root@eeciconf]$

  31. © 2012 Blue State Digital 31 [root@eeciconf]$ 31 31

  32. © 2012 Blue State Digital 32 SELECT * FROM exp_channel_titles

    where url_title LIKE ‘%$searchString’ SELECT * FROM exp_channel_titles where url_title LIKE ‘%47%’

  33. © 2012 Blue State Digital 33 [root@eeciconf]$

  34. © 2012 Blue State Digital 34

  35. © 2012 Blue State Digital 35 [root@eeciconf]$ [root@eeciconf]$ [root@eeciconf]$

  36. © 2012 Blue State Digital 36 [root@eeciconf]$ [root@eeciconf]$

  37. © 2012 Blue State Digital 37 cross site scripting [root@eeciconf]$

    | “Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.” https://www.owasp.org/index.php/Cross- site_Scripting_(XSS)

  38. © 2012 Blue State Digital 38 38 stored xss attack

    [root@eeciconf]$ Enter your comment: <script> window.location = ‘http://4chan.org/something_terrible’ </script> occurs when attack payload is stored on server [root@eeciconf]$ used in the output of a web page [root@eeciconf]$

  39. © 2012 Blue State Digital 39 39 39 reflected xss

    attack [root@eeciconf]$ occurs when attack payload is sent via HTTP request & reflected back to user [root@eeciconf]$ attack payload is not stored on the server. [root@eeciconf]$

  40. © 2012 Blue State Digital 40 http://www.example.com/search? query=<script>window.location=‘http:// 4chan.org/something_terrible’;</script> Search:

    <script>window.location=‘http://4chan.org/something_terrible’;</script> Your search for <your search phrase> returned no results.

  41. © 2012 Blue State Digital 41

  42. © 2012 Blue State Digital 42

  43. © 2012 Blue State Digital 43 [root@eeciconf]$

  44. © 2012 Blue State Digital 44 44 [root@eeciconf]$ $this->EE->security->xss_clean($str);

  45. © 2012 Blue State Digital 45 [root@eeciconf]$ $this->EE->load->library('typography'); $this->EE->typography->initialize(); $str

    = $this->EE->typography->parse_type ($str, $prefs)

  46. © 2012 Blue State Digital 46 cross site request forgery

    [root@eeciconf]$ | “CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.” https://www.owasp.org/index.php/Cross- Site_Request_Forgery_(CSRF)

  47. © 2012 Blue State Digital 47 user logs into target

    app [root@eeciconf]$ while still logged in, visits evil web site [root@eeciconf]$

  48. © 2012 Blue State Digital 48 48 change your username

    and/or password [root@eeciconf]$ evil web site silently performs actions on target [root@eeciconf]$ alter or add entries or templates [root@eeciconf]$

  49. © 2012 Blue State Digital 49 49 [root@eeciconf]$

  50. © 2012 Blue State Digital 50 50 [root@eeciconf]$

  51. © 2012 Blue State Digital 51

  52. © 2012 Blue State Digital 52 [root@eeciconf]$ [root@eeciconf]$

  53. © 2012 Blue State Digital 53 53 53 [root@eeciconf]$

  54. © 2012 Blue State Digital 54 54 54 54 $this->EE->functions->form_declaration()

  55. © 2012 Blue State Digital 55 55 55 55 $this->EE->security->secure_forms_check($this->EE-

    >input->post('XID'))

  56. © 2012 Blue State Digital 56 56 56 [root@eeciconf]$

  57. © 2012 Blue State Digital 57

  58. © 2012 Blue State Digital 58 [root@eeciconf]$ [root@eeciconf]$ [root@eeciconf]$

  59. © 2012 Blue State Digital 59 59 lol search [root@eeciconf]$

  60. © 2012 Blue State Digital 60 60 | is your

    password safe? [root@eeciconf]$

  61. © 2012 Blue State Digital 61 NO

  62. © 2012 Blue State Digital 62 thank you! @lowellkitchen

  63. © 2012 Blue State Digital 63 • Open Web Application Security

    Project: www.owasp.org • ExpressionEngine add-on development security guidelines: http://expressionengine.com/user_guide/ development/guidelines/security.html • MySQL Guide to PHP security: http://dev.mysql.com/tech-resources/ articles/guide-to-php-security-ch3.pdf • sql injection tool: www.sqlmap.org