0x01 - Introduction
[+] Who is this tutorial for?
Before we start I just want to state that I assume you have a basic understanding of PHP, MySQL and some common vulnerabilities and how they work.
You don't have to be a professional programmer, but you need to be able to read and understand PHP code.
If you feel that you need to learn some more before getting into this tutorial I'm going to redirect you to some tutorials below:
PHP tutorial:
MySQL tutorial:
Vulnerabilities wiki:
[+] Who am I?
Nobody. I don't take any responsibilities for your actions, if you find your ass in jail after exploiting 8000 vulnerable Wordpress blogs don't blame me for teaching you.
But if you have any questions feel free to hit me up with a mail to join7 [+at+] riseup.net
0x02 - Setting up an Audit Environment
[+] Why use an Audit Environment?
You could just download the code you wish to audit, open it in your system's default text editor and start looking for vulnerabilities.
This is not preferable since there is a very high chance of you missing things, and it will surely take a lot more time than using an Audit Environment.
[+] Web server
We want to set up a Web Server where we can upload and test PHP applications.
If you don't have any experience with hosting you might want to have a look at XAMPP:
If you wish to set it up on your own you should install PHP with MySQL.
Additional things such as phpMyAdmin and MySQL managers are of course useful too.
I'm not going to go into how to set up a Web Server; just google it if you're having problems.
Note: Since you're going to test possible vulnerable code on this web server I suggest you only use it on trusted networks and NEVER on a host that's public for the rest of the internet thugs out there.
[+] What are we auditing?
Now when we have our server set up we need to install additional stuff like WordPress, Joomla, MyBB or similar depending on what you're going to audit.
If you're going for a standalone CMS or just a PHP application you will of course not need any of the above, but at some point in your career you'll probably step into a WordPress blog or a MyBB forum.
Here are download links and some information on how to install them:
MyBB
Download:
Installing Guide:
Wordpress
Download:
Installing Guide: http://codex.wordpre...lling_WordPress
Joomla
Download:
Installing Guide: http://www.joomla.or...ng-started.html
SMF
Download:
Installing Guide: http://wiki.simplema.../smf/Installing
The list can go on...
0x03 - What to look for
[+] User input:
Most vulnerabilities are possible because the programmer forgets Input Validation (or does it improperly).
This is true for SQL Injection, Cross-Site Scripting, File Inclusion, Server Side Include, Code Injection and File Upload vulnerabilities and a lot more.
[-] $_GET
An associative array of variables passed to the current script via the URL parameters.
[-] $_POST
An associative array of variables passed to the current script via the HTTP POST method.
[-] $_REQUEST
An associative array that by default contains the contents of $_GET, $_POST and $_COOKIE.
[-] $_COOKIE
An associative array of variables passed to the current script via HTTP Cookies.
[-] $_SERVER
Server and execution environment information ($HTTP_SERVER_VARS is the deprecated old name for the same array).
[-] $_FILES
An associative array of items uploaded to the current script via the HTTP POST method.
[+] Possible vulnerable functions:
[-] SQL Injection:
Vulnerable Example:
There are a lot of possibly vulnerable mysql_* functions.
Take a look at this reference for more information about MySQL functions:
Some common functions that are possibly vulnerable:
[-] File Inclusion:
Vulnerable Example:
If the application doesn't restrict how it includes files you can read local files and possibly execute files from a remote server (if allow_url_fopen / allow_url_include is enabled).
[-] Upload:
$_FILES[]
If the application does not restrict what files are uploaded and how, you can upload a file and execute it on the server.
[-] Code Execution:
We could use a command like:
grep _GET app.php
Output:
$header = $_GET['header'];
$id = $_GET['id'];
Finding mysql_* functions:
grep mysql_ app.php
Output:
$news = mysql_query( "SELECT * FROM `news` WHERE `id` = $id ORDER BY `id` DESC LIMIT 0,3" );
Finding include() function:
grep include app.php
Output:
include("headers/$header");
include("headers/standard.php");
Now let's say we have 3 PHP applications in a folder and we wish to search for the include function in all of them, then we could do something like this:
grep include *.php
Output:
If we wish to output the line number we can use the -n argument like this:
grep include *.php -n
Output:
Now we wish to check if the words 'SELECT' and 'FROM' can be found:
grep 'SELECT\|FROM' app.php -n
Output:
13:$news = mysql_query( "SELECT * FROM `news` WHERE `id` = $id ORDER BY `id` DESC LIMIT 0,3" );
If we want to match a string and ignore case we use the -i argument:
grep 'sEleCt\|FroM' app.php -n -i
Output:
13:$news = mysql_query( "SELECT * FROM `news` WHERE `id` = $id ORDER BY `id` DESC LIMIT 0,3" );
[+] Automated tools and why you shouldn't use them
They suck.
Most of them use regex and pattern matching but they miss the logical understanding of an application.
You'll do just fine with a good text editor and grep.
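As an added example that is not part of the original post, the grep searches above (and the $db->* search used for MyBB plugins later on) can be joined into a small source-to-sink check: it records which variables are assigned from the superglobals listed above and flags lines where those variables, or a superglobal directly, reach mysql_query(), include()/require() or a $db-> call. The sample input is constructed to mirror the app.php lines quoted above; the (int) cast rule is my assumption of what a minimal sanitizer looks like.

```python
import re

# Input sources from the post, and the sinks its grep searches target (mysql_*, include/require),
# plus MyBB's $db->... wrapper, which the post switches to when auditing plugins.
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
SINK_RE = re.compile(
    r"(?<![\w$])(mysql_query|mysql_db_query|include_once|include|require_once|require|\$db->\w+)\s*\("
)
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?!=)\s*(.+);")
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")
# Assumed sanitizer rule: an integer cast or intval() on the right-hand side clears the taint.
UNTAINT_RE = re.compile(r"\(int\)|\bintval\s*\(")


def find_taint_flows(lines):
    """Return [(line_no, sink, variable)] wherever a source-derived value reaches a sink."""
    tainted = set()
    findings = []
    for no, line in enumerate(lines, 1):
        names = {"$" + v for v in VAR_RE.findall(line)}
        sink = SINK_RE.search(line)
        if sink:
            direct = SOURCE_RE.search(line[sink.end():])  # superglobal used right in the call
            if direct:
                findings.append((no, sink.group(1), direct.group(0)))
            for v in sorted(names & tainted):  # variables tainted on an earlier line
                findings.append((no, sink.group(1), v))
        m = ASSIGN_RE.search(line)
        if m:  # update taint after the sink check so "$x = sink($y)" does not flag $x itself
            var, rhs = m.group(1), m.group(2)
            rhs_names = {"$" + v for v in VAR_RE.findall(rhs)}
            from_input = SOURCE_RE.search(rhs) is not None or bool(rhs_names & tainted)
            if from_input and not UNTAINT_RE.search(rhs):
                tainted.add(var)
            else:
                tainted.discard(var)  # reassigned from a clean (or cast) value
    return findings


# Constructed sample mirroring the app.php lines quoted in the post; not the real file.
SAMPLE = """<?php
$header = $_GET['header'];
$id = $_GET['id'];
$page = (int) $_GET['page'];
$news = mysql_query( "SELECT * FROM `news` WHERE `id` = $id ORDER BY `id` DESC LIMIT $page,3" );
include("headers/$header");
include("headers/standard.php");
$agent = $_SERVER['HTTP_USER_AGENT'];
$db->write_query("INSERT INTO dymy_ua (uid, agent) VALUES ($uid, '$agent')");
""".splitlines()

if __name__ == "__main__":
    for no, sink, var in find_taint_flows(SAMPLE):
        print(f"app.php:{no}: {var} reaches {sink}()")
```

Unlike plain grep, the cast on $page keeps that line out of the report while the uncast $id, $header and $agent are flagged; it is still line-based and will miss anything spanning statements or functions.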
0x05 - Let's Audit - Real world example
We're going to take a look at a real world example, a public exploit, and see if we can find the vulnerabilities:
[+] MyBB DyMy User Agent SQL Injection
We'll download the vulnerable application and place it into our plugins folder.
The first thing we do is to open it in our Text Editor:
We'll now start out with some basic searching for possible vulnerable functions and similar stuff:
Output:
Nothing useful
Why doesn't it find anything? Are we doing something wrong? The answer is in the source code, let's take a look:
So when we audit MyBB Plugins we need to change our audit methods a bit.
We're going to search for $db->*, since that is used in MyBB Plugins for Database interactions.
Let's go back to the terminal and test some new stuff.
Since there isn't much here we can tamper with, we'll go to line 127 and see what's up:
In this we notice something very nice, take a look at this:
We see here that the application inserts the user_agent without any kind of sanitization.
Let's fire up our MyBB forum on our localhost and try this shit out.
Activate the Plugin in your Admin Panel and then go to a thread and post something with Live HTTP Headers running.
We'll see this next to our post:
So now we'll try some basic tests to see if the SQL Injection vulnerability actually exists:
Ah, wonderful!
Now we'll play around with it until we get a nice query to inject.
I'm not going to teach you SQL Injection, that's your job.
After some testing we'll come out with this query:
0x06 - Publishing a new 0day: MyFlags MyBB plugin SQL Injection (Merry Christmas :3)
Before I leave you to your Auditing I'm going to publish a new 0day.
The SQL Injection vulnerability exists in the MyBB Plugin HM_My Country Flags:
When this plugin is activated a user can go to his Control Panel and see this:
Whenever the user now posts, the Nationalidad will show up next to his posts:
Start Live HTTP Headers and click the country; in Live HTTP Headers, copy the URL ('localhost/mybb/misc.php?action=hmflags&cnam=Belgium&pf=5') and paste it into a new tab.
Now put a ' after the country:
Output:
MyBB has experienced an internal SQL error and cannot continue.