Presentation is loading. Please wait.

Presentation is loading. Please wait.

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

Similar presentations


Presentation on theme: "©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane"— Presentation transcript:

1 ©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

2 ©2009 Justin C. Klein Keane Setting Up Environment Install VMWare workstation, or player  Fusion on the Mac Download the target host Unzip the host files then start the host in VMWare

3 ©2009 Justin C. Klein Keane Get VMWare Image Running If prompted, say you moved the image

4 ©2009 Justin C. Klein Keane CentOS Image Booting Once image boots log in with root/password

5 ©2009 Justin C. Klein Keane Find the IP Address Get the IP address of the virtual machine using # /sbin/ifconfig eth0

6 ©2009 Justin C. Klein Keane Ensure Apache is Running

7 ©2009 Justin C. Klein Keane Upload the Exercise

8 ©2009 Justin C. Klein Keane Extract the Exercise

9 ©2009 Justin C. Klein Keane Install the Database

10 ©2009 Justin C. Klein Keane Check the Application

11 ©2009 Justin C. Klein Keane Troubleshooting If you get a blank screen, check the web server and MySQL server:  # service httpd status  # service mysqld status If you need to start services use:  # /etc/rc.d/init.d/httpd restart  # /etc/rc.d/init.d/mysqld restart

12 ©2009 Justin C. Klein Keane Troubleshooting Cont. Check the log files:  # tail /var/log/httpd/error_log

13 ©2009 Justin C. Klein Keane Install Eclipse PDT Download PDT all in one from Alternatively install Eclipse from  Be sure to download “Eclipse IDE for Java Developers”

14 ©2009 Justin C. Klein Keane Install PDT if Necessary Use instructions at  Some platforms, such as Fedora, may have packages for PHP development, these may be more stable than a manual install of PDT

15 ©2009 Justin C. Klein Keane Install RSE Install the Remote System Explorer tools Help -> Software Updates Click the “Add Site” button Enter the URL  s/ Select Remote System Explorer Core, Remote System Explorer End-User Runtime, Remote System Explorer Extender SDK, and RSE SSH Service

16 ©2009 Justin C. Klein Keane Install the RSE Components Click “Install”

17 ©2009 Justin C. Klein Keane Open Eclipse Default “perspective” is dull and doesn't suit our purposes Click Window -> Show View -> Remote System In the new window right click and select “new connection”

18 ©2009 Justin C. Klein Keane Add New Connection Select “SSH Only”, click Next

19 ©2009 Justin C. Klein Keane Connection Details Fill in VMWare host information, click Finish

20 ©2009 Justin C. Klein Keane Connect to Remote Host Click the down arrow for the host, then “Sftp Files” then “Root” and enter credentials

21 ©2009 Justin C. Klein Keane View Source

22 ©2009 Justin C. Klein Keane Look for Potential SQL Injection

23 ©2009 Justin C. Klein Keane Testing the Injection First we'll try the injection using manual methods Next we'll use some tools to help us out Sometimes manual testing may be impossible

24 ©2009 Justin C. Klein Keane Manual Testing

25 ©2009 Justin C. Klein Keane Using Tamper Data To start Firefox Tamper Data plugin select  Tools -> Tamper Data Click “Start Tamper” in the upper left Fill in your test values again and submit When prompted click “Tamper”

26 ©2009 Justin C. Klein Keane That's Interesting

27 ©2009 Justin C. Klein Keane Tamper Fill in new values for Post Parameters Note that you can also tamper with Cookies and Referer Data Click “OK” when you're happy with your values

28 ©2009 Justin C. Klein Keane That's More Like It

29 ©2009 Justin C. Klein Keane Checking Cookies You can also view cookies using the Web Developer Plugin  select Cookies -> View Cookie Information

30 ©2009 Justin C. Klein Keane Using Web Developer

31 ©2009 Justin C. Klein Keane View Source View -> Source in Firefox Look for comments, JavaScript and the like Sometimes source will reveal information you may have missed

32 ©2009 Justin C. Klein Keane JavaScript in Source

33 ©2009 Justin C. Klein Keane Paros Download Paros from Paros is Java based, so if Eclipse can run on your machine, so can Paros Paros is a proxy, so it captures requests from your web browser to a server and responses from the server back to your browser You can use it to alter your requests quite easily

34 ©2009 Justin C. Klein Keane Start Up Paros

35 ©2009 Justin C. Klein Keane Configure Firefox You need to configure Firefox to use Paros as a proxy  Choose Edit -> Preferences, then Advanced - > Network -> Settings

36 ©2009 Justin C. Klein Keane Configure Settings

37 ©2009 Justin C. Klein Keane Create Request Once Firefox is configured to utilize Paros browse through the site normally Note how Paros records all your interactions Try submitting the login form Note that Paros records GET and POST requests

38 ©2009 Justin C. Klein Keane Paros in Action

39 ©2009 Justin C. Klein Keane Paros Records Details

40 ©2009 Justin C. Klein Keane Alter Requests To alter a request click on it in the bottom window Next right click and select “Resend” This opens a new window where you can alter any of the send requests Change any data and click the “Send” button

41 ©2009 Justin C. Klein Keane Paros Resend

42 ©2009 Justin C. Klein Keane Response is Raw

43 ©2009 Justin C. Klein Keane Bypassing the Login In our manual code analysis we found a SQL injection vulnerability in the login form A JavaScript check prevents easy manual testing We could disable JavaScript or use Paros or Tamper Data to alter the data we're submitting for the login form First let's examine the query

44 ©2009 Justin C. Klein Keane Our Target $sql = "select user_id from user where user_username = '". $_POST['username']. "' AND user_password = md5('". $_POST['password']. "')";

45 ©2009 Justin C. Klein Keane Target SQL select user_id from user where user_username = 'somename' and user_password = md5('somepass');

46 ©2009 Justin C. Klein Keane Possible Permutation select user_id from user where user_username = 'somename' or 1='1' and user_password = md5('somepass'); What is the proper input to create this statement?

47 ©2009 Justin C. Klein Keane Testing Your SQL

48 ©2009 Justin C. Klein Keane Bypassing Login with SQL Injection

49 ©2009 Justin C. Klein Keane We're In!

50 ©2009 Justin C. Klein Keane Chained Exploits Note that the exploitation of the authentication leads to access to new, potentially exploitable functionality Authentication leads to cookie granting Admin functions are often “trusted”

51 ©2009 Justin C. Klein Keane Steps to Remember Look for vulnerabilities  In the source code  In the functional front end Test your exploits in the “friendliest” environment possible Use tools to recreate attacks in the live environment.

52 ©2009 Justin C. Klein Keane For Next Time -Install Paros Proxy -Install Firefox and the Tamper Data and Web Developer plug ins -Download and install the sample SQL injection application on your VM -Identify at least 4 SQL injection vulnerabilities -Develop exploits for each vulnerability -Develop fixes for each vulnerability


Download ppt "©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane"

Similar presentations


Ads by Google