Hacking ExpressionEngine

Lowell Kitchen

October 16, 2012

Transcript

  1. © 2012 Blue State Digital. Hacking ExpressionEngine: the good, the bad{ass}, and the ugly. @lowellkitchen, senior software engineer, Blue State Digital

  2. fix a critical bug

  3. a look at a few core hacks

  4. prior to version 1.6.6

  5. mysql -u root; change.gov
  6. $DB->query("UPDATE exp_templates SET hits = '".$this->template_hits."' WHERE template_id = '".$DB->escape_str($query->row['template_id'])."'"); //
  7. mv index.php ee.php
  8. The new index.php that wraps the renamed core file:

     <?php
     // include the core EE index.php file (now ee.php)
     // and capture all output from EE
     // using output buffering
     ob_start(); // start buffering before EE runs so ob_get_contents() below sees its output
     require_once $_SERVER['DOCUMENT_ROOT'] . "/ee.php";
     $page = ob_get_contents();
     ob_end_clean();
     // $EE super object is also available
     // if you want to use it
     $EE =& get_instance();
     // add our stuff to the parsed EE page
     try {
         $pageRendererFactory = new Blue_PageRenderer_Factory();
         echo $pageRendererFactory->create($page)->render();
     } catch (Blue_Html_Exception $e) {
         // rendering failed: fall back to the page exactly as EE produced it
         echo $page;
     }
  9. Setting the daylight-savings config value from the real clock instead of by hand:

     <?php
     $dateTime = new DateTime();
     $dateTime->setTimezone(new DateTimeZone('America/New_York'));
     $dateTime->setTimestamp(time());
     // DateTime::format('I') is "1" while daylight saving time is in effect, "0" otherwise
     $isDst = (bool)$dateTime->format('I') ? "y" : "n";
     $config['daylight_savings'] = $isDst;
 10. a few other notable hacks

 11. sql injection
     "SQL injection attacks are a type of injection attack, in which SQL commands are injected into input in order to effect the execution of predefined SQL commands." https://www.owasp.org/index.php/SQL_Injection
 12. The query as written:

     SELECT * FROM exp2_channel_titles WHERE url_title='$url_title'

     The attacker's input:

     $url_title = "eeci2012'; DELETE FROM exp2_channel_titles;#";

     What MySQL actually receives:

     SELECT * FROM exp2_channel_titles WHERE url_title='eeci2012'; DELETE FROM exp2_channel_titles;#'
 13. Reading the members table through the same hole with UNION (the 4 ... 27 pad the column count out to match exp2_channel_titles):

     $url_title = "eeci2012'''''''''''''union select username, password, salt, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27 from exp2_members #";

     select * from exp2_channel_titles where url_title = 'eeci2012'''''''''''''union select username, password, salt, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27 from exp2_members #'
 14. The same thing against an UPDATE, widening the WHERE clause so the new password lands on every admin account:

     UPDATE exp_members set password = '$new_password' WHERE username = '$username'

     UPDATE exp_members set password = '$new_password' WHERE username = 'lowell''''''''''''' or username like '%admin%'
 15. User input inside a LIKE pattern:

     SELECT * FROM exp_channel_titles where url_title LIKE '%$searchString'

     SELECT * FROM exp_channel_titles where url_title LIKE '%47%'
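The lookups from slides 12, 13 and 15 side by side with their fixed versions, as an added example that is not part of the deck. It runs against a constructed three-column copy of the two tables in an in-memory SQLite database through PDO, so it works offline: table and column names follow the slides, the rows are made up, and the UNION payload is cut to three columns and ends in `--` (SQLite's comment marker) instead of MySQL's `#`. The real exp2_channel_titles is much wider, which is why the slide pads with 4, 5, ... 27.

```php
<?php
// Added example, not from the deck. Constructed tables mirroring the slides'
// names, loaded into an in-memory SQLite database via PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE exp2_channel_titles (entry_id INTEGER, url_title TEXT, title TEXT)");
$pdo->exec("CREATE TABLE exp2_members (username TEXT, password TEXT, salt TEXT)");
$pdo->exec("INSERT INTO exp2_channel_titles VALUES (1, 'eeci2012', 'EECI 2012'), (2, 'hello_world', 'Hello')");
$pdo->exec("INSERT INTO exp2_members VALUES ('admin', 'fake-password-hash', 'fake-salt')");  // made-up row

// Slide 12: the input is spliced into the SQL text, so a quote in the input
// ends the literal and whatever follows is parsed as SQL.
function lookup_vulnerable(PDO $pdo, $url_title) {
    $sql = "SELECT * FROM exp2_channel_titles WHERE url_title = '$url_title'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix: bind the value. The driver sends it as data; it is never parsed as SQL.
// In EE the equivalents are $DB->escape_str() from slide 6 (EE 1.x) and the
// query bindings of EE 2's CodeIgniter database class,
// $this->EE->db->query("... WHERE url_title = ?", array($url_title)).
function lookup_safe(PDO $pdo, $url_title) {
    $stmt = $pdo->prepare("SELECT * FROM exp2_channel_titles WHERE url_title = ?");
    $stmt->execute(array($url_title));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Slide 15: LIKE with user input. A bound parameter stops injection, but % and _
// in the input are still wildcards, so they have to be escaped as well.
function search_vulnerable(PDO $pdo, $s) {
    return $pdo->query("SELECT * FROM exp2_channel_titles WHERE url_title LIKE '%$s%'")
               ->fetchAll(PDO::FETCH_ASSOC);
}

function search_safe(PDO $pdo, $s) {
    // Backslash first, so the escapes added for % and _ are not themselves doubled.
    $pattern = '%' . str_replace(array('\\', '%', '_'), array('\\\\', '\\%', '\\_'), $s) . '%';
    $stmt = $pdo->prepare("SELECT * FROM exp2_channel_titles WHERE url_title LIKE ? ESCAPE '\\'");
    $stmt->execute(array($pattern));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Slide 13's UNION payload, reduced to the three columns of the constructed table.
$payload = "eeci2012' UNION SELECT username, password, salt FROM exp2_members --";

$rows = lookup_vulnerable($pdo, $payload);
printf("concatenated: %d rows, last row %s\n", count($rows), json_encode(end($rows)));

$rows = lookup_safe($pdo, $payload);
printf("bound parameter: %d rows\n", count($rows));

printf("LIKE with raw '%%': %d rows\n", count(search_vulnerable($pdo, '%')));
printf("LIKE with escaped '%%': %d rows\n", count(search_safe($pdo, '%')));
```

The concatenated lookup returns the eeci2012 entry plus a second row carrying admin's username, password hash and salt; the bound version returns nothing, because no entry has that whole string as its url_title. The raw LIKE with `%` as the search string matches every entry, while the escaped version only matches titles that contain a literal percent sign.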
 16. cross site scripting
     "Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it." https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

 17. stored xss attack
     Enter your comment: <script> window.location = 'http://4chan.org/something_terrible' </script>
     occurs when attack payload is stored on server
     used in the output of a web page

 18. reflected xss attack
     occurs when attack payload is sent via HTTP request & reflected back to user
     attack payload is not stored on the server.
 19. http://www.example.com/search?query=<script>window.location='http://4chan.org/something_terrible';</script>
     Search: <script>window.location='http://4chan.org/something_terrible';</script>
     Your search for <your search phrase> returned no results.
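The search page of slide 19 and the comment form of slide 17, rendered once with the raw input and once with output encoding, as an added example that is not from the deck. The render_* functions and the $comments array are constructed stand-ins for an EE template and a comments table; the payload is the script from the slides.

```php
<?php
// Added example, not from the deck. Constructed stand-ins for a template and a
// comment store; the payload is the one on the slides.
$payload = "<script>window.location='http://4chan.org/something_terrible';</script>";

// Reflected (slide 19): the request parameter goes straight into the markup,
// both in the page text and inside an attribute value.
function render_search_vulnerable($query) {
    return "<p>Your search for $query returned no results.</p>\n"
         . "<input type=\"text\" name=\"query\" value=\"$query\">\n";
}

// The fix is encoding for the context the value lands in. For HTML text and
// double-quoted attributes, htmlspecialchars with ENT_QUOTES turns < > & " '
// into entities, so the browser shows the payload as text instead of running it.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_search_safe($query) {
    return "<p>Your search for " . h($query) . " returned no results.</p>\n"
         . "<input type=\"text\" name=\"query\" value=\"" . h($query) . "\">\n";
}

// Stored (slide 17): the payload is saved as posted, and every later page view
// that echoes it unencoded serves the script to every visitor.
$comments = array();  // constructed stand-in for the comments table
function store_comment(array &$comments, $author, $body) {
    // Store the raw text; encoding belongs at output, where the context is known.
    $comments[] = array('author' => $author, 'body' => $body);
}

function render_comments_vulnerable(array $comments) {
    $out = '';
    foreach ($comments as $c) {
        $out .= "<li><b>{$c['author']}</b>: {$c['body']}</li>\n";
    }
    return $out;
}

function render_comments_safe(array $comments) {
    $out = '';
    foreach ($comments as $c) {
        $out .= "<li><b>" . h($c['author']) . "</b>: " . h($c['body']) . "</li>\n";
    }
    return $out;
}

// A crude check a test suite can run over rendered pages: did a <script> tag
// survive into the output?
function contains_script_tag($html) {
    return stripos($html, '<script') !== false;
}

store_comment($comments, 'anon', $payload);

foreach (array(
    'reflected, raw'     => render_search_vulnerable($payload),
    'reflected, encoded' => render_search_safe($payload),
    'stored, raw'        => render_comments_vulnerable($comments),
    'stored, encoded'    => render_comments_safe($comments),
) as $label => $html) {
    printf("%-18s script tag in output: %s\n", $label, contains_script_tag($html) ? 'yes' : 'no');
}
```

The two raw renderings carry the script tag through unchanged; the two encoded ones do not. ENT_QUOTES matters for the attribute case: without it a single quote passes through, and a payload built around `'` can still break out of a single-quoted attribute. Input filters such as the `xss_clean()` EE 2 inherits from CodeIgniter are a second layer, but encoding at the point of output is the control that closes both the stored and the reflected case.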
 20. cross site request forgery
     "CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated." https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

 21. user logs into target app
     while still logged in, visits evil web site

 22. evil web site silently performs actions on target
     change your username and/or password
     alter or add entries or templates
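A synchronizer token guarding the "change your password" action from slides 21 and 22, as an added example that is not from the deck. The session and the HTTP requests are simulated with arrays standing in for $_SESSION and $_POST; the /member/update_password path and the target.example host are made-up names.

```php
<?php
// Added example, not from the deck. Arrays stand in for $_SESSION and $_POST;
// the URL and host names are invented for the illustration.

function csrf_token(array &$session) {
    // One unguessable token per session, minted on first use.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_valid(array $session, array $post) {
    if (empty($session['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    // Constant-time compare, so a wrong token is rejected without a timing leak.
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// The legitimate form carries the token. The attacker's page cannot read it:
// the same-origin policy keeps the target's HTML and cookies away from its scripts.
function password_form(array &$session) {
    $t = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/member/update_password">'
         . '<input type="hidden" name="csrf_token" value="' . $t . '">'
         . '<input type="password" name="new_password">'
         . '<button>Change password</button></form>';
}

// The handler: a state-changing request must carry a valid token. It must also
// be POST only; a GET that changes state is forged with a plain <img src="...">.
function update_password(array $session, array $post) {
    if (!csrf_valid($session, $post)) {
        return array('status' => 403, 'body' => 'missing or invalid CSRF token');
    }
    return array('status' => 200, 'body' => 'password changed for member ' . $session['member_id']);
}

// 1. The user logs in (slide 21) and loads the real form.
$session = array('member_id' => 7);
$form = password_form($session);

// 2. They submit it: the browser sends the token along with the session cookie.
$legit = array('csrf_token' => $session['csrf_token'], 'new_password' => 'correct horse');
print_r(update_password($session, $legit));

// 3. Still logged in, they visit the evil site, which serves this page and
//    submits the form without any click.
$evil_page = '<form id="f" method="post" action="https://target.example/member/update_password">'
           . '<input type="hidden" name="new_password" value="pwned"></form>'
           . '<script>document.getElementById("f").submit()</script>';
// The browser attaches the victim's cookie, so the server sees the same $session,
// but the forged body carries no token and the request is refused.
$forged = array('new_password' => 'pwned');
print_r(update_password($session, $forged));

// A guessed token is refused the same way.
$guessed = array('csrf_token' => str_repeat('0', 64), 'new_password' => 'pwned');
print_r(update_password($session, $guessed));
```

The first call returns status 200, the forged and guessed requests return 403. The token only works if it is never exposed to other origins (not in URLs, not in pages an attacker can read through an XSS hole, which is why the XSS and CSRF fixes belong together) and if every state-changing endpoint checks it, not just the forms you remember. Marking the session cookie SameSite is a further, browser-enforced layer on top of the token.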
 23. is your password safe?
 24. References
     • Open Web Application Security Project: www.owasp.org
     • ExpressionEngine add-on development security guidelines: http://expressionengine.com/user_guide/development/guidelines/security.html
     • MySQL Guide to PHP security: http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf
     • sql injection tool: www.sqlmap.org