Check Order status | Verified Sales | Escrow Service | Advertise
westernunion carding gold carding
revolut carding electronics carding
paypal carding payoneer carding
advertise on cracking forums

PHP Audit - The art of finding 0days in webapps

Prince

[ Verified Seller ]
Staff member
Trusted Seller
Joined
10 yrs. 6 mth. 9 days
Messages
5,386
Reaction score
18,373
Age
44
Wallet
11,590$
0x01 - Introduction

[+] Who is this tutorial for?

Before we start I just want to state that I assume you have basic understanding about PHP, MySQL and some common vulnerabilities and how they work.
You don't have to be a professional programmer, but you need to be able to read and understand PHP code.

If you feel that you need to learn some more before getting in to this tutorial I'm going to redirect you to some tutorials below:

PHP tutorial:

Please, Log in or Register to view URLs content!



MySQL tutorial:

Please, Log in or Register to view URLs content!



Vulnerabilities wiki:

Please, Log in or Register to view URLs content!



[+] Who am I?

Nobody. I don't take any responsibilities for your actions, if you find your ass in jail after exploiting 8000 vulnerable Wordpress blogs don't blame me for teaching you.
But if you have any questions feel free to hit me up with a mail to join7 [+at+] riseup.net

0x02 - Setting up an Audit Environment

[+] Why use an Audit Environment?

You could just download the code you wish to audit, open it in your systems default text editor and start looking for vulnerabilities.
This is not preferable since there are a very high chance of you missing things and it will surely take a lot more time than by using an Audit Environment.

[+] Web server

We want to set up a Web Server were we can upload and test PHP applications.
If you don't have any experience with hosting you might want to have a look at XAMPP:

Please, Log in or Register to view URLs content!



If you wish to set it up on your own you should install PHP with MySQL.
Additional things as phpmyadmin and MySQL managers are of course useful too.

I'm not going to go into how to set up an Web Server, just google for it you're having problems.

Note: Since you're going to test possible vulnerable code on this web server I suggest you only use it on trusted networks and NEVER on a host that's public for the rest of the internet thugs out there.

[+] What are we auditing?

Now when we have our server set up we need to install additional stuff like WordPress, Joomla, MyBB or similar depending on what you're going to audit.
If you're going for a standalone CMS or just a PHP application you will of course not need any of the above but you'll probably some time in your career step into a WordPress blog or a MyBB forum.
Here are download links and some information on how to install them:

MyBB



Download:
Please, Log in or Register to view URLs content!

Installing Guide:
Please, Log in or Register to view URLs content!


Wordpress



Download:
Please, Log in or Register to view URLs content!

Installing Guide: http://codex.wordpre...lling_WordPress

Joomla



Download:
Please, Log in or Register to view URLs content!

Installing Guide: http://www.joomla.or...ng-started.html

SMF



Download:
Please, Log in or Register to view URLs content!

Installing Guide: http://wiki.simplema.../smf/Installing

The list can go on...

0x03 - What to look for

[+] User input:

Most vulnerabilities are possible because the programmer forgets (or uses improper) Input Validation.
This true for SQL Injection, Cross-Site Scripting, File Inclusion, Server Side Include, Code Injection and File Upload vulnerabilities and a lot more.


[-] $_GET

Quote
An associative array of variables passed to the current script via the URL parameters.

Please, Log in or Register to view URLs content!



[-] $_POST

Quote
An associative array of variables passed to the current script via the HTTP POST method.

Please, Log in or Register to view URLs content!



[-] $_REQUEST

Quote
An associative array that by default contains the contents of $_GET, $_POST and $_COOKIE.

Please, Log in or Register to view URLs content!



[-] $_COOKIE

Quote
An associative array of variables passed to the current script via HTTP Cookies.

Please, Log in or Register to view URLs content!



[-] $_SERVER


$_SERVER -- $HTTP_SERVER_VARS [deprecated] — Server and execution environment information

Please, Log in or Register to view URLs content!



[-] $_FILES


An associative array of items uploaded to the current script via the HTTP POST method.

Please, Log in or Register to view URLs content!



[+] Possible vulnerable functions:

[-] SQL Injection:

Vulnerable Example:

Code:
Please, Log in or Register to view codes content!

There are alot of possibly vulnerables mysql_* functions.
Take a look at this reference for more information about MySQL functions:

Please, Log in or Register to view URLs content!



Some common functions that is possibly vulnerable:

Code:
Please, Log in or Register to view codes content!

[-] File Inclusion:

Vulnerable Example:

Code:
Please, Log in or Register to view codes content!

If the application doesn't restrict how you include files you can read local files and possibly execute files from a remote server (if allow_url_fopen is enabled).

[-] Upload:

Code:
Please, Log in or Register to view codes content!

$_FILES[]

If the application does not restrict what and how files are uploaded, you can upload and execute on the server.

[-] Code Execution:

Code:
Please, Log in or Register to view codes content!


We could use a command like:

$ grep _GET app.php

Output:

$header = $_GET['header'];
$id = $_GET['id'];




Finding mysql_* functions:

grep mysql_ app.php

Output:

$news = mysql_query( "SELECT * FROM `news` WHERE `id` = $id ORDER BY `id` DESC LIMIT 0,3" );




Finding include() function:

grep include app.php

Output:

include("headers/$header");
include("headers/standard.php");



Now let's say we have 3 PHP applications in a folder and we wish to search for the include function in all of them, then we could do something like this:

grep include *.php

Output:

Code:
Please, Log in or Register to view codes content!




If we wish to output the line number we can use the -n argument like this:

grep include *.php -n

Output:

Code:
Please, Log in or Register to view codes content!


Now we wish to check if the words 'SELECT' and 'FROM' can be found:

grep 'SELECT\|FROM' app.php -n

Output:

13:$news = mysql_query( "SELECT * FROM `news` WHERE `id` = $id ORDER BY `id` DESC LIMIT 0,3" );




If we want to match a string and ignore case sensitivity we use the -i argument:

grep 'sEleCt\|FroM' app.php -n -i

output:

13:$news = mysql_query( "SELECT * FROM `news` WHERE `id` = $id ORDER BY `id` DESC LIMIT 0,3" );




[+] Automated tools and why you shouldn't use them

They suck.
Most of them use regex and pattern matching but they miss the logical understanding of an application.
You'll do just fine with a good text editor and grep.


0x05 - Let's Audit - Real world example

We're going to take a look at a real world example, a public exploit, and see if we can find the vulnerabilities:

[+] MyBB DyMy User Agent SQL Injection

Please, Log in or Register to view URLs content!



We'll download the vulnerable application and place it into our plugins folder.
The first thing we do is to open it in our Text Editor:

Posted Image

We'll now start out with some basic searching for possible vulnerable functions and similar stuff:

Code:
Please, Log in or Register to view codes content!

Output:

Nothing useful




Why doesn't it find anything? Are we doing something wrong? The answer is in the source code, let's take a look:

Code:
Please, Log in or Register to view codes content!




So when we audit MyBB Plugins we need to change our audit methods a bit.
We're going to search for $db->*, since that is used in MyBB Plugins for Database interactions.
Let's go back to the terminal and test some new stuff.

Code:
Please, Log in or Register to view codes content!


Since this isn't much we can tamper with, we'll go to line 127 and see what's up:

Code:
Please, Log in or Register to view codes content!

In this we notice something very nice, take a look at this:

Code:
Please, Log in or Register to view codes content!


We see here that the application inserts the user_agent without any kind of sanitization.
Let's fire up our MyBB forum on our localhost and try this shit out.

Activate the Plugin in your Admin Panel and then go to a thread and post something with Live HTTP Headers running.
We'll see this next to our post:


So now, we'll try some basic test to see if the SQL Injection vulnerability actually exists:


Ah, wonderful!
Now we'll play around with it until we get a nice query to inject.
I'm not going to teach you SQL Injection, that's your job.
After some testing and we'll come out with this query:

Code:
Please, Log in or Register to view codes content!




0x06 - Publish of a new 0day: MyFlags MyBB plugins SQL Injection (Merry Christmas faggots :3)

Before I leave you to your Auditing I'm going to publish a new 0day.
The SQL Injection vulnerability exists in the MyBB Plugin HM_My Country Flags:

Please, Log in or Register to view URLs content!



When this plugins is activated a user can go to his Control Panel and see this:
Posted Image

Whenever the user now posts the Nationalidad will show up next to his posts:
Posted Image

Start Live HTTP Headers and press the country, in HTTP Live Headers, copy the URL ('localhost/mybb/misc.php?action=hmflags&cnam=Belgium&pf=5') and paste this into a new tab.

Now put a ' after the country:

Please, Log in or Register to view URLs content!


Output:

MyBB has experienced an internal SQL error and cannot continue.

Code:
Please, Log in or Register to view codes content!
 
Paid adv. expire in 2 months
CLICK to buy Advertisement !
westernunion carding Verified & Trusted WesternUnion | MoneyGram | Bank - Transferring [299$ BTC for 2000$ WU]
electronics carding Verified & Trusted Electronics Carding, Carding iPhone, Samsung Carding, MacBook Carding, Laptops Carding
Top Bottom