Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking ExpressionEngine

lowell kitchen
October 16, 2012
Technology
3
1.4k

Hacking ExpressionEngine

lowell kitchen

October 16, 2012
Tweet

Other Decks in Technology

See All in Technology
型チェック 速度改善 奮闘記⌛
tocomi
1
140
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
3
860
Taming you application's environments
salaboy
0
200
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
580
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
960
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
310
アジャイルでの品質の進化 Agile in Motion vol.1/20241118 Hiroyuki Sato
shift_evolve
0
190
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
150
Application Development WG Intro at AppDeveloperCon
salaboy
0
200
プロダクト活用度で見えた真実 ホリゾンタルSaaSでの顧客解像度の高め方
tadaken3
0
220
Chasing the White Whale of Open Source - ROI
mrbobbytables
0
110

Featured

See All Featured
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Making Projects Easy
brettharned
115
5.9k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Typedesign – Prime Four
hannesfritz
40
2.4k
KATA
mclloyd
29
14k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
What's in a price? How to price your products and services
michaelherold
243
12k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Unsuck your backbone
ammeep
668
57k
A designer walks into a library…
pauljervisheath
204
24k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k

Transcript

  1. © 2012 Blue State Digital 1 Hacking ExpressionEngine the good,

    the bad{ass}, and the ugly. @lowellkitchen, senior software engineer, blue state digital

  2. © 2012 Blue State Digital but first, a disclaimer* 2

    | [root@eeciconf]$

  3. © 2012 Blue State Digital 3 hack responsibly. don’t let

    stupid takeover!

  4. © 2012 Blue State Digital 4 why hack the core?

    [root@eeciconf]$ |

  5. © 2012 Blue State Digital 5 5 fix a critical

    bug [root@eeciconf]$ [root@eeciconf]$ [root@eeciconf]$ | [root@eeciconf]$

  6. © 2012 Blue State Digital 6 maintain the hack [root@eeciconf]$

    [root@eeciconf]$ [root@eeciconf]$ |

  7. © 2012 Blue State Digital 7 a look at a

    few core hacks [root@eeciconf]$ |

  8. © 2012 Blue State Digital 8 8 prior to version

    1.6.6 8 [root@eeciconf]$ [root@eeciconf]$ [root@eeciconf]$ |

  9. © 2012 Blue State Digital 9 9 mysql –u root

    change.gov 9 [root@eeciconf]$

  10. © 2012 Blue State Digital 10

  11. © 2012 Blue State Digital 11 11 11 emacs core.template.php

    11 [root@eeciconf]$

  12. © 2012 Blue State Digital 12 $DB->query("UPDATE exp_templates SET hits

    = '".$this- >template_hits."' WHERE template_id = '".$DB- >escape_str($query->row['template_id'])."'"); //

  13. © 2012 Blue State Digital 13

  14. © 2012 Blue State Digital 14 14 the post_parse_template hack

    14 [root@eeciconf]$ |

  15. © 2012 Blue State Digital 15 15 mv index.php ee.php

    15 [root@eeciconf]$ [root@eeciconf]$

  16. © 2012 Blue State Digital 16 <?php // include the

    core EE index.php file // and capture all output from EE // using output buffering require_once $_SERVER['DOCUMENT_ROOT'] . ”/ee.php”; $page = ob_get_contents(); ob_end_clean(); //$EE super object is also available //if you want to use it $EE =& get_instance(); //add our stuff to the parsed EE page try{ $pageRendererFactory = new Blue_PageRenderer_Factory(); echo $pageRendererFactory->create($page)->render(); } catch(Blue_Html_Exception $e){ echo $page; }

  17. © 2012 Blue State Digital 17 [root@eeciconf]$ |

  18. © 2012 Blue State Digital 18 18 18 emacs config.php

    18 [root@eeciconf]$

  19. © 2012 Blue State Digital 19 <? var $dateTime =

    new DateTime(); $dateTime->setTimezone(new DateTimeZone(‘America/New_York’)); $dateTime->setTimestamp(time()); $isDst = (bool)$dateTime->format(‘I’) ? "y" : "n"; $config['daylight_savings'] = $isDst;

  20. © 2012 Blue State Digital 20 20 20 a few

    other notable hacks 20 [root@eeciconf]$

  21. © 2012 Blue State Digital 21 [root@eeciconf]$ [root@eeciconf]$ [root@eeciconf]$

  22. © 2012 Blue State Digital 22 attacking ExpressionEngine [root@eeciconf]$ |

  23. © 2012 Blue State Digital 23 23 [root@eeciconf]$ [root@eeciconf]$ |

    [root@eeciconf]$

  24. © 2012 Blue State Digital 24 sql injection [root@eeciconf]$ “SQL

    injection attacks are a type of injection attack, in which SQL commands are injected into input in order to effect the execution of predefined SQL commands.” https://www.owasp.org/index.php/SQL_Injection

  25. © 2012 Blue State Digital 25 SELECT * FROM exp2_channel_titles

    WHERE url_title=‘$url_title’ $url_title= ”eeci2012'; DELETE FROM exp2_channel_titles;#”; SELECT * FROM exp2_channel_titles WHERE url_title=‘eeci2012'; DELETE FROM exp2_channel_titles;#’

  26. © 2012 Blue State Digital 26 [root@eeciconf]$

  27. © 2012 Blue State Digital 27 [root@eeciconf]$

  28. © 2012 Blue State Digital 28 28 [root@eeciconf]$

  29. © 2012 Blue State Digital 29 $url_title = ”eeci2012'''''''''''''union select

    username, password, salt, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27 from exp2_members #"; select * from exp2_channel_titles where url_title = 'eeci2012'''''''''''''union select username, password, salt, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27 from exp2_members #’ [root@eeciconf]$

  30. © 2012 Blue State Digital 30 UPDATE exp_members set password

    = ‘$new_password’ WHERE username = ‘$username’ UPDATE exp_members set password = ‘$new_password’ WHERE 'lowell''''''''''''' or username like '%admin%' [root@eeciconf]$

  31. © 2012 Blue State Digital 31 [root@eeciconf]$ 31 31

  32. © 2012 Blue State Digital 32 SELECT * FROM exp_channel_titles

    where url_title LIKE ‘%$searchString’ SELECT * FROM exp_channel_titles where url_title LIKE ‘%47%’

  33. © 2012 Blue State Digital 33 [root@eeciconf]$

  34. © 2012 Blue State Digital 34

  35. © 2012 Blue State Digital 35 [root@eeciconf]$ [root@eeciconf]$ [root@eeciconf]$

  36. © 2012 Blue State Digital 36 [root@eeciconf]$ [root@eeciconf]$

  37. © 2012 Blue State Digital 37 cross site scripting [root@eeciconf]$

    | “Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.” https://www.owasp.org/index.php/Cross- site_Scripting_(XSS)

  38. © 2012 Blue State Digital 38 38 stored xss attack

    [root@eeciconf]$ Enter your comment: <script> window.location = ‘http://4chan.org/something_terrible’ </script> occurs when attack payload is stored on server [root@eeciconf]$ used in the output of a web page [root@eeciconf]$

  39. © 2012 Blue State Digital 39 39 39 reflected xss

    attack [root@eeciconf]$ occurs when attack payload is sent via HTTP request & reflected back to user [root@eeciconf]$ attack payload is not stored on the server. [root@eeciconf]$

  40. © 2012 Blue State Digital 40 http://www.example.com/search? query=<script>window.location=‘http:// 4chan.org/something_terrible’;</script> Search:

    <script>window.location=‘http://4chan.org/something_terrible’;</script> Your search for <your search phrase> returned no results.

  41. © 2012 Blue State Digital 41

  42. © 2012 Blue State Digital 42

  43. © 2012 Blue State Digital 43 [root@eeciconf]$

  44. © 2012 Blue State Digital 44 44 [root@eeciconf]$ $this->EE->security->xss_clean($str);

  45. © 2012 Blue State Digital 45 [root@eeciconf]$ $this->EE->load->library('typography'); $this->EE->typography->initialize(); $str

    = $this->EE->typography->parse_type ($str, $prefs)

  46. © 2012 Blue State Digital 46 cross site request forgery

    [root@eeciconf]$ | “CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.” https://www.owasp.org/index.php/Cross- Site_Request_Forgery_(CSRF)

  47. © 2012 Blue State Digital 47 user logs into target

    app [root@eeciconf]$ while still logged in, visits evil web site [root@eeciconf]$

  48. © 2012 Blue State Digital 48 48 change your username

    and/or password [root@eeciconf]$ evil web site silently performs actions on target [root@eeciconf]$ alter or add entries or templates [root@eeciconf]$

  49. © 2012 Blue State Digital 49 49 [root@eeciconf]$

  50. © 2012 Blue State Digital 50 50 [root@eeciconf]$

  51. © 2012 Blue State Digital 51

  52. © 2012 Blue State Digital 52 [root@eeciconf]$ [root@eeciconf]$

  53. © 2012 Blue State Digital 53 53 53 [root@eeciconf]$

  54. © 2012 Blue State Digital 54 54 54 54 $this->EE->functions->form_declaration()

  55. © 2012 Blue State Digital 55 55 55 55 $this->EE->security->secure_forms_check($this->EE-

    >input->post('XID'))

  56. © 2012 Blue State Digital 56 56 56 [root@eeciconf]$

  57. © 2012 Blue State Digital 57

  58. © 2012 Blue State Digital 58 [root@eeciconf]$ [root@eeciconf]$ [root@eeciconf]$

  59. © 2012 Blue State Digital 59 59 lol search [root@eeciconf]$

  60. © 2012 Blue State Digital 60 60 | is your

    password safe? [root@eeciconf]$

  61. © 2012 Blue State Digital 61 NO

  62. © 2012 Blue State Digital 62 thank you! @lowellkitchen

  63. © 2012 Blue State Digital 63 • Open Web Application Security

    Project: www.owasp.org • ExpressionEngine add-on development security guidelines: http://expressionengine.com/user_guide/ development/guidelines/security.html • MySQL Guide to PHP security: http://dev.mysql.com/tech-resources/ articles/guide-to-php-security-ch3.pdf • sql injection tool: www.sqlmap.org