Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking ExpressionEngine

Df40690d0b5dcb50296682356bc4a0e6?s=47 lowell kitchen
October 16, 2012
Technology
3
1.2k

Hacking ExpressionEngine

Df40690d0b5dcb50296682356bc4a0e6?s=128

lowell kitchen

October 16, 2012
Tweet

Other Decks in Technology

See All in Technology
SlackBotで あらゆる業務を自動化。問い合わせ〜DevOpsまで #CODT2022
384ef83de6b166677314f14f99aee1cd?s=48 kogatakanori
0
1k
Inside out - abusing archive file formats
261a01e1b07b7387b0d675322199fb58?s=48 ange
3
630
わたしを元気づける Botを作ることにした / JAWS-UG 福岡 20220626
E601ca8296c6ed8d1dc7ae0369b4c54a?s=48 eriasano
0
100
ZephyrRTOSのLongan Nanoへの移植
0c9a0a8d6b0bb70aab9546484e294be0?s=48 tokitahiroshi
0
110
フィンテック養成勉強会#23
525442fc70ca92f82ae503f826956137?s=48 finengine
0
200
ノーコードで Stripeを使いこなす3つの方法 / jp-stripes-online-vol-4
E77ca94266ffd3d69f8aee91f7468264?s=48 stripehideokamoto
0
320
The Fractal Geometry of Software Design
B90ab53ba7cf16ed1a4bb679cc6751d7?s=48 vladikk
1
1.4k
Target SDK Versionを上げない Notification runtime permission対応
0c5e92294cc0cfba620641c589db9378?s=48 napplecomputer
0
150
GeoLocationAnchor and MKTileOverlay
61a68b2172503ecdf7a7f7757df56071?s=48 toyship
0
110
データ分析基盤のはじめかた
69a81d6d4d66a348e72f7a28b265fdbe?s=48 chanyou0311
0
130
【toranoana.deno#7】Denoからwasmを呼び出す基礎
6ab47a68ee78e84c34731ce12333deff?s=48 toranoana
0
140
20220705-BASEDMM
Fe06c08a0de4da36003bfeb7b749cbf8?s=48 ryotaumebayashi
0
150

Featured

See All Featured
Why You Should Never Use an ORM
88bc30284c6a424b63a92aad27d0ba36?s=48 jnunemaker
PRO
47
7.6k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
5b9fe87ec1faa67a4599782930f45ec9?s=48 sstephenson
151
13k
Building an army of robots
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
299
40k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
88f4e84b94fe07cddbd9e6479d689192?s=48 soudai
39
13k
No one is an island. Learnings from fostering a developers community.
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
9
1.3k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Fd55de4174accaf3b4f030e43a8a70c6?s=48 marcduiker
5
510
Building Better People: How to give real-time feedback that sticks.
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
344
17k
The Illustrated Children's Guide to Kubernetes
0438ae60cde4c7add6f9da48f28c15cc?s=48 chrisshort
15
36k
What the flash - Photography Introduction
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
62
10k
WebSockets: Embracing the real-time Web
E76911cbe088e5b850d966de3fc7435b?s=48 robhawkes
57
5.4k
Code Reviewing Like a Champion
C7393b7ba7ec9c8890dd77d209fbb3c9?s=48 maltzj
506
37k
Art, The Web, and Tiny UX
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
280
17k

Transcript

  1. © 2012 Blue State Digital 1 Hacking ExpressionEngine the good,

    the bad{ass}, and the ugly. @lowellkitchen, senior software engineer, blue state digital

  2. © 2012 Blue State Digital but first, a disclaimer* 2

    | [root@eeciconf]$

  3. © 2012 Blue State Digital 3 hack responsibly. don’t let

    stupid takeover!

  4. © 2012 Blue State Digital 4 why hack the core?

    [root@eeciconf]$ |

  5. © 2012 Blue State Digital 5 5 fix a critical

    bug [root@eeciconf]$ [root@eeciconf]$ [root@eeciconf]$ | [root@eeciconf]$

  6. © 2012 Blue State Digital 6 maintain the hack [root@eeciconf]$

    [root@eeciconf]$ [root@eeciconf]$ |

  7. © 2012 Blue State Digital 7 a look at a

    few core hacks [root@eeciconf]$ |

  8. © 2012 Blue State Digital 8 8 prior to version

    1.6.6 8 [root@eeciconf]$ [root@eeciconf]$ [root@eeciconf]$ |

  9. © 2012 Blue State Digital 9 9 mysql –u root

    change.gov 9 [root@eeciconf]$

  10. © 2012 Blue State Digital 10

  11. © 2012 Blue State Digital 11 11 11 emacs core.template.php

    11 [root@eeciconf]$

  12. © 2012 Blue State Digital 12 $DB->query("UPDATE exp_templates SET hits

    = '".$this- >template_hits."' WHERE template_id = '".$DB- >escape_str($query->row['template_id'])."'"); //

  13. © 2012 Blue State Digital 13

  14. © 2012 Blue State Digital 14 14 the post_parse_template hack

    14 [root@eeciconf]$ |

  15. © 2012 Blue State Digital 15 15 mv index.php ee.php

    15 [root@eeciconf]$ [root@eeciconf]$

  16. © 2012 Blue State Digital 16 <?php // include the

    core EE index.php file // and capture all output from EE // using output buffering require_once $_SERVER['DOCUMENT_ROOT'] . ”/ee.php”; $page = ob_get_contents(); ob_end_clean(); //$EE super object is also available //if you want to use it $EE =& get_instance(); //add our stuff to the parsed EE page try{ $pageRendererFactory = new Blue_PageRenderer_Factory(); echo $pageRendererFactory->create($page)->render(); } catch(Blue_Html_Exception $e){ echo $page; }

  17. © 2012 Blue State Digital 17 [root@eeciconf]$ |

  18. © 2012 Blue State Digital 18 18 18 emacs config.php

    18 [root@eeciconf]$

  19. © 2012 Blue State Digital 19 <? var $dateTime =

    new DateTime(); $dateTime->setTimezone(new DateTimeZone(‘America/New_York’)); $dateTime->setTimestamp(time()); $isDst = (bool)$dateTime->format(‘I’) ? "y" : "n"; $config['daylight_savings'] = $isDst;

  20. © 2012 Blue State Digital 20 20 20 a few

    other notable hacks 20 [root@eeciconf]$

  21. © 2012 Blue State Digital 21 [root@eeciconf]$ [root@eeciconf]$ [root@eeciconf]$

  22. © 2012 Blue State Digital 22 attacking ExpressionEngine [root@eeciconf]$ |

  23. © 2012 Blue State Digital 23 23 [root@eeciconf]$ [root@eeciconf]$ |

    [root@eeciconf]$

  24. © 2012 Blue State Digital 24 sql injection [root@eeciconf]$ “SQL

    injection attacks are a type of injection attack, in which SQL commands are injected into input in order to effect the execution of predefined SQL commands.” https://www.owasp.org/index.php/SQL_Injection

  25. © 2012 Blue State Digital 25 SELECT * FROM exp2_channel_titles

    WHERE url_title=‘$url_title’ $url_title= ”eeci2012'; DELETE FROM exp2_channel_titles;#”; SELECT * FROM exp2_channel_titles WHERE url_title=‘eeci2012'; DELETE FROM exp2_channel_titles;#’

  26. © 2012 Blue State Digital 26 [root@eeciconf]$

  27. © 2012 Blue State Digital 27 [root@eeciconf]$

  28. © 2012 Blue State Digital 28 28 [root@eeciconf]$

  29. © 2012 Blue State Digital 29 $url_title = ”eeci2012'''''''''''''union select

    username, password, salt, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27 from exp2_members #"; select * from exp2_channel_titles where url_title = 'eeci2012'''''''''''''union select username, password, salt, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27 from exp2_members #’ [root@eeciconf]$

  30. © 2012 Blue State Digital 30 UPDATE exp_members set password

    = ‘$new_password’ WHERE username = ‘$username’ UPDATE exp_members set password = ‘$new_password’ WHERE 'lowell''''''''''''' or username like '%admin%' [root@eeciconf]$

  31. © 2012 Blue State Digital 31 [root@eeciconf]$ 31 31

  32. © 2012 Blue State Digital 32 SELECT * FROM exp_channel_titles

    where url_title LIKE ‘%$searchString’ SELECT * FROM exp_channel_titles where url_title LIKE ‘%47%’

  33. © 2012 Blue State Digital 33 [root@eeciconf]$

  34. © 2012 Blue State Digital 34

  35. © 2012 Blue State Digital 35 [root@eeciconf]$ [root@eeciconf]$ [root@eeciconf]$

  36. © 2012 Blue State Digital 36 [root@eeciconf]$ [root@eeciconf]$

  37. © 2012 Blue State Digital 37 cross site scripting [root@eeciconf]$

    | “Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.” https://www.owasp.org/index.php/Cross- site_Scripting_(XSS)

  38. © 2012 Blue State Digital 38 38 stored xss attack

    [root@eeciconf]$ Enter your comment: <script> window.location = ‘http://4chan.org/something_terrible’ </script> occurs when attack payload is stored on server [root@eeciconf]$ used in the output of a web page [root@eeciconf]$

  39. © 2012 Blue State Digital 39 39 39 reflected xss

    attack [root@eeciconf]$ occurs when attack payload is sent via HTTP request & reflected back to user [root@eeciconf]$ attack payload is not stored on the server. [root@eeciconf]$

  40. © 2012 Blue State Digital 40 http://www.example.com/search? query=<script>window.location=‘http:// 4chan.org/something_terrible’;</script> Search:

    <script>window.location=‘http://4chan.org/something_terrible’;</script> Your search for <your search phrase> returned no results.

  41. © 2012 Blue State Digital 41

  42. © 2012 Blue State Digital 42

  43. © 2012 Blue State Digital 43 [root@eeciconf]$

  44. © 2012 Blue State Digital 44 44 [root@eeciconf]$ $this->EE->security->xss_clean($str);

  45. © 2012 Blue State Digital 45 [root@eeciconf]$ $this->EE->load->library('typography'); $this->EE->typography->initialize(); $str

    = $this->EE->typography->parse_type ($str, $prefs)

  46. © 2012 Blue State Digital 46 cross site request forgery

    [root@eeciconf]$ | “CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.” https://www.owasp.org/index.php/Cross- Site_Request_Forgery_(CSRF)

  47. © 2012 Blue State Digital 47 user logs into target

    app [root@eeciconf]$ while still logged in, visits evil web site [root@eeciconf]$

  48. © 2012 Blue State Digital 48 48 change your username

    and/or password [root@eeciconf]$ evil web site silently performs actions on target [root@eeciconf]$ alter or add entries or templates [root@eeciconf]$

  49. © 2012 Blue State Digital 49 49 [root@eeciconf]$

  50. © 2012 Blue State Digital 50 50 [root@eeciconf]$

  51. © 2012 Blue State Digital 51

  52. © 2012 Blue State Digital 52 [root@eeciconf]$ [root@eeciconf]$

  53. © 2012 Blue State Digital 53 53 53 [root@eeciconf]$

  54. © 2012 Blue State Digital 54 54 54 54 $this->EE->functions->form_declaration()

  55. © 2012 Blue State Digital 55 55 55 55 $this->EE->security->secure_forms_check($this->EE-

    >input->post('XID'))

  56. © 2012 Blue State Digital 56 56 56 [root@eeciconf]$

  57. © 2012 Blue State Digital 57

  58. © 2012 Blue State Digital 58 [root@eeciconf]$ [root@eeciconf]$ [root@eeciconf]$

  59. © 2012 Blue State Digital 59 59 lol search [root@eeciconf]$

  60. © 2012 Blue State Digital 60 60 | is your

    password safe? [root@eeciconf]$

  61. © 2012 Blue State Digital 61 NO

  62. © 2012 Blue State Digital 62 thank you! @lowellkitchen

  63. © 2012 Blue State Digital 63 • Open Web Application Security

    Project: www.owasp.org • ExpressionEngine add-on development security guidelines: http://expressionengine.com/user_guide/ development/guidelines/security.html • MySQL Guide to PHP security: http://dev.mysql.com/tech-resources/ articles/guide-to-php-security-ch3.pdf • sql injection tool: www.sqlmap.org