Hacking ExpressionEngine

lowell kitchen

October 16, 2012

Transcript

  1. © 2012 Blue State Digital
    Hacking ExpressionEngine
    the good, the bad{ass}, and the ugly.
    @lowellkitchen, senior software engineer, blue state digital

  2. but first, a disclaimer*

  3. hack responsibly. don't let stupid take over!

  4. why hack the core?

  5. fix a critical bug

  6. maintain the hack

  7. a look at a few core hacks

  8. prior to version 1.6.6

  9. mysql -u root change.gov

  10.

  11. emacs core.template.php

  12.
    $DB->query("UPDATE exp_templates SET hits = '".$this->template_hits."' WHERE template_id = '".$DB->escape_str($query->row['template_id'])."'");
    //

  13.

  14. the post_parse_template hack

  15. mv index.php ee.php

  16.
    // include the core EE index.php file
    // and capture all output from EE
    // using output buffering
    ob_start(); // added here: opens the buffer that ob_get_contents() reads below
    require_once $_SERVER['DOCUMENT_ROOT'] . "/ee.php";
    $page = ob_get_contents();
    ob_end_clean();
    // $EE super object is also available
    // if you want to use it
    $EE =& get_instance();
    // add our stuff to the parsed EE page
    try {
        $pageRendererFactory = new Blue_PageRenderer_Factory();
        echo $pageRendererFactory->create($page)->render();
    } catch (Blue_Html_Exception $e) {
        // rendering failed: fall back to EE's untouched output
        echo $page;
    }

  17.

  18. emacs config.php

  19.
    $dateTime = new DateTime();
    $dateTime->setTimezone(new DateTimeZone('America/New_York'));
    $dateTime->setTimestamp(time());
    // DateTime::format('I') is "1" while daylight saving time is in effect, "0" otherwise
    $isDst = ((bool) $dateTime->format('I')) ? "y" : "n";
    $config['daylight_savings'] = $isDst;

  20. a few other notable hacks

  21.

  22. attacking ExpressionEngine

  23.

  24. sql injection
    “SQL injection attacks are a type of injection attack, in which SQL commands are injected into input in order to effect the execution of predefined SQL commands.”
    https://www.owasp.org/index.php/SQL_Injection

  25.
    SELECT * FROM exp2_channel_titles WHERE url_title='$url_title'
    $url_title = "eeci2012'; DELETE FROM exp2_channel_titles;#";
    SELECT * FROM exp2_channel_titles WHERE url_title='eeci2012'; DELETE FROM exp2_channel_titles;#'

  26.

  27.

  28.

  29.
    $url_title = "eeci2012'''''''''''''union select username, password, salt, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27 from exp2_members #";
    select * from exp2_channel_titles where url_title = 'eeci2012'''''''''''''union select username, password, salt, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27 from exp2_members #'

  30.
    UPDATE exp_members set password = '$new_password' WHERE username = '$username'
    UPDATE exp_members set password = '$new_password' WHERE 'lowell''''''''''''' or username like '%admin%'

  31.

  32.
    SELECT * FROM exp_channel_titles where url_title LIKE '%$searchString'
    SELECT * FROM exp_channel_titles where url_title LIKE '%47%'
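The three query shapes on slides 25, 29 and 32 share one root cause: the user-supplied value is spliced into the statement text. Below is an added example (not code from the deck or from ExpressionEngine) that runs those shapes against an in-memory SQLite database so the difference between interpolating and binding is visible. Table names follow the deck; the columns, rows and the `UNION` payload (reduced to three columns and SQLite's `--` comment, where the deck's MySQL payload uses `#`) are constructed for the example. It also covers the slide 32 point that binding is not enough for `LIKE`: `%` and `_` in the term still act as wildcards and need their own escaping.

```python
import sqlite3

# Added example: the deck's injection patterns against constructed SQLite data.
# The sqlite3 module refuses stacked statements, so slide 25's "; DELETE ..."
# variant is not reproduced here; the UNION and LIKE cases are.
UNION_PAYLOAD = "eeci2012' UNION SELECT username, password, salt FROM exp2_members --"


def build_db():
    """Constructed sample data: two entries and one member row (placeholder hash/salt)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE exp2_channel_titles (entry_id INTEGER, url_title TEXT, title TEXT);
        CREATE TABLE exp2_members (username TEXT, password TEXT, salt TEXT);
        INSERT INTO exp2_channel_titles VALUES (1, 'eeci2012', 'EECI 2012 talk');
        INSERT INTO exp2_channel_titles VALUES (2, 'hello-world', 'Hello world');
        INSERT INTO exp2_members VALUES ('admin', 'hash-placeholder', 'salt-placeholder');
        """
    )
    return db


def find_entry_vulnerable(db, url_title):
    # Interpolating the value makes it part of the SQL grammar: a quote closes the
    # literal and whatever follows (UNION, OR, a comment) is parsed as SQL.
    sql = "SELECT entry_id, url_title, title FROM exp2_channel_titles WHERE url_title = '%s'" % url_title
    return db.execute(sql).fetchall()


def find_entry_safe(db, url_title):
    # Bound parameter: the value travels outside the statement text, so no
    # character in it can change the statement's structure.
    sql = "SELECT entry_id, url_title, title FROM exp2_channel_titles WHERE url_title = ?"
    return db.execute(sql, (url_title,)).fetchall()


def search_wildcard_leaky(db, term):
    # Binding alone does not help LIKE: "%" and "_" inside term are still
    # wildcards, so a term of "%" matches every row.
    sql = "SELECT url_title FROM exp2_channel_titles WHERE url_title LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()


def escape_like(term, esc="\\"):
    # Neutralise LIKE metacharacters; esc must match the ESCAPE clause below.
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_safe(db, term):
    sql = "SELECT url_title FROM exp2_channel_titles WHERE url_title LIKE ? ESCAPE '\\'"
    return db.execute(sql, ("%" + escape_like(term) + "%",)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("interpolated:", find_entry_vulnerable(db, UNION_PAYLOAD))  # member row leaks
    print("bound:       ", find_entry_safe(db, UNION_PAYLOAD))        # []
    print("LIKE leaky:  ", search_wildcard_leaky(db, "%"))            # every row
    print("LIKE safe:   ", search_safe(db, "%"))                      # []
```

The first call returns the member row alongside the entry; the bound version returns nothing because the whole payload is compared as one string against `url_title`. For the EE 1.x code on slide 12, `escape_str()` plays the role of the quote escaping, and a `LIKE` clause additionally needs the wildcard escaping shown in `escape_like()`.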

  33.

  34.

  35.

  36.

  37. cross site scripting
    “Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.”
    https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

  38. stored xss attack
    Enter your comment:
    window.location = 'http://4chan.org/something_terrible'
    occurs when attack payload is stored on server
    used in the output of a web page

  39. reflected xss attack
    occurs when attack payload is sent via HTTP request & reflected back to user
    attack payload is not stored on the server.

  40.
    http://www.example.com/search?query=window.location='http://4chan.org/something_terrible';
    Search: window.location='http://4chan.org/something_terrible';
    Your search for returned no results.

  41.

  42.

  43.

  44.
    $this->EE->security->xss_clean($str);

  45.
    $this->EE->load->library('typography');
    $this->EE->typography->initialize();
    $str = $this->EE->typography->parse_type($str, $prefs);
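Slides 38 through 45 describe the stored and reflected cases and then name the EE calls that filter input. The control a defender can rely on is encoding at output time, chosen for the context the value lands in. The following is an added example (not the deck's or ExpressionEngine's code) that renders the comment box and the search page both ways. The payload is constructed from the deck's redirect snippet; the `<script>` wrapper around it is an assumption, as the transcript shows only the script body.

```python
import html
from urllib.parse import quote

# Added example: output encoding for the stored (comment) and reflected (search)
# cases. PAYLOAD is constructed; the <script> wrapper is assumed.
PAYLOAD = "<script>window.location = 'http://4chan.org/something_terrible'</script>"


def render_comment_vulnerable(comment):
    # Stored XSS: the comment is written into the page as-is, so any markup it
    # carries is parsed and executed by every visitor's browser.
    return '<div class="comment">%s</div>' % comment


def render_comment_safe(comment):
    # HTML text context: encode <, >, &, " and ' so the browser shows the comment
    # as text. quote=True matters because the same string may later be placed
    # inside an attribute value.
    return '<div class="comment">%s</div>' % html.escape(comment, quote=True)


def render_search_safe(query):
    # Reflected case: the term is echoed into three contexts, each with its own
    # encoding: attribute value, element text, and URL query component.
    return (
        '<input name="query" value="%s">\n' % html.escape(query, quote=True)
        + "<p>Your search for %s returned no results.</p>\n" % html.escape(query)
        + '<a href="/search?query=%s">permalink</a>' % quote(query, safe="")
    )


def contains_raw_markup(rendered, payload):
    # True when the payload reached the output without being encoded.
    return payload in rendered


if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    print(render_search_safe(PAYLOAD))
```

`xss_clean()` is an input filter that strips patterns it recognises; it is a useful second layer but, as with any blacklist, it cannot know which output context the value will end up in. Encoding at the point of output, as above, is what keeps a stored or reflected string inert regardless of what the filter missed.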

  46. cross site request forgery
    “CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.”
    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

  47.
    user logs into target app
    while still logged in, visits evil web site

  48.
    evil web site silently performs actions on target
    change your username and/or password
    alter or add entries or templates

  49.

  50.

  51.

  52.

  53.

  54.
    $this->EE->functions->form_declaration()

  55.
    $this->EE->security->secure_forms_check($this->EE->input->post('XID'))
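Slides 46 through 55 walk from the attack (a logged-in user visits a page that silently posts to the target) to the two EE calls that defeat it: `form_declaration()` when the form is rendered and `secure_forms_check()` on the posted `XID`. The following is an added example (not ExpressionEngine's code) with the same shape, so the mechanism is visible end to end. The semantics are assumed: one random token per rendered form, tied to the session, accepted once.

```python
import hmac
import secrets

# Added example: a per-session anti-CSRF token store with the shape of the deck's
# form_declaration() / secure_forms_check(XID) pair. Semantics are assumed.


class SessionForms:
    def __init__(self):
        self._issued = set()  # tokens this session has handed out and not yet used

    def form_declaration(self, action):
        # Render time: mint a token, remember it, emit it as a hidden field.
        # A page on another origin cannot read this value out of the victim's
        # page (same-origin policy), so it cannot build a POST that carries it.
        xid = secrets.token_hex(16)
        self._issued.add(xid)
        return ('<form method="post" action="%s">'
                '<input type="hidden" name="XID" value="%s">' % (action, xid))

    def secure_forms_check(self, xid):
        # Submit time: accept only a token this session issued, and only once,
        # so a captured or replayed token is rejected. Constant-time compare
        # avoids leaking how much of a guess matched.
        if not isinstance(xid, str) or not xid:
            return False
        for stored in list(self._issued):
            if hmac.compare_digest(stored.encode(), xid.encode()):
                self._issued.discard(stored)
                return True
        return False


def handle_post(session, form):
    """Constructed request handler: form is the dict of posted fields."""
    if not session.secure_forms_check(form.get("XID")):
        return "403 XID missing or invalid"
    return "200 username updated to %s" % form.get("username")


def extract_xid(markup):
    # Pull the token back out of the rendered hidden field, as a real browser
    # does when it submits the form.
    marker = 'name="XID" value="'
    start = markup.index(marker) + len(marker)
    return markup[start:markup.index('"', start)]


if __name__ == "__main__":
    session = SessionForms()
    xid = extract_xid(session.form_declaration("/member/update"))
    print(handle_post(session, {"XID": xid, "username": "lowell"}))  # 200
    print(handle_post(session, {"username": "lowell"}))              # 403: forged POST, no token
```

The forged request on slide 48 fails at `secure_forms_check()` because the evil site has no way to obtain a token the victim's session issued; the token is random, so it cannot be guessed, and it is consumed on first use, so a value captured from one submission cannot be replayed.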

  56.

  57.

  58.

  59. lol search

  60. is your password safe?

  61. NO

  62. thank you!
    @lowellkitchen

  63.
    • Open Web Application Security Project: www.owasp.org
    • ExpressionEngine add-on development security guidelines: http://expressionengine.com/user_guide/development/guidelines/security.html
    • MySQL Guide to PHP security: http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf
    • sql injection tool: www.sqlmap.org