He began to practice [red] team of PHP-Audit-Labs code audit Day1
link: https://github.com/hongriSec/PHP-Audit-Labs
interested students can go to Exercise
Prior knowledge:
content title comes from PHP SECURITY 2017 CALENDAR
Day 1 - Wish List code is as follows:
class Challenge {
const UPLOAD_DIRECTORY = './solutions/';
private $file;
private $whitelist;
public function __construct($file) {
$this->file = $file;
$this->whitelist = range(1, 24);
}
public function __destruct() {
if (in_array($this->file['name'], $this->whitelist)) {
move_uploaded_file(
$this->file['tmp_name'],
self::UPLOAD_DIRECTORY . $this->file['name']
);
}
}
}
$challenge = new Challenge($_FILES['solution']);
Vulnerability Analysis:
This level of inspection is an arbitrary file upload vulnerability, which led to the occurrence of this vulnerability is unsafe to use in_array () function to detect upload the file name, that
if (in_array($this->file['name'], $this->whitelist)) {
Since this function does not set the third argument true, which could lead to an attacker to bypass testing services by the end of the file name structure, such as the file name 7shell.php. Because PHP using in_array()a function to determine, will be 7shell.phpcast into numbers 7, and the number 7in range(1,24)the array, and ultimately bypass in_array()function to determine, lead to arbitrary file upload vulnerability. ( ps:这里之所以会发生强制类型转换,是因为目标数组中的元素为数字类型)
the in_array () function is defined:
(PHP 4, PHP 5, PHP 7)
Function: in_array - check whether there is a value in the array
Description:
in_array ( mixed $needle , array $haystack [, bool $strict = FALSE ] ) : bool
Haystack, the sea (of haystack) searching a needle (Needle), if no strict comparison is used loosely.
Another explanation:
search $ needle in $ haystack, if strict $ third parameter is TRUE, then the in_array () function will be strong checks, check whether the same type and $ needle of $ haystack. If found $ haystack, then returns TRUE, otherwise returns FALSE.
| parameter | description |
|---|---|
| needle | essential. It provides for an array of value in the search. |
| haystack | essential. Specifies an array to be searched. |
| strict | Optional. If this parameter is set to TRUE, then the in_array () array data type value of a function to check whether the same search. |
technical details:
| return value | If you find the value in the array returns TRUE, otherwise it returns FALSE. |
|---|---|
| PHP version | 4+ |
| Update Log | Since PHP 4.2 onwards, search parameter can be an array. |
Case Analysis:
The case study, we selected a piwigo2.7.1 version. This version due SQL statements directly spliced $ rate variable, the variable is only $ rate is
a function of simple processing in_array (), the third parameter is not used strictly match, eventually leading to sql injection vulnerabilities occur.
Vulnerability Details:
Piwigo is one of the world's most famous album free, open source systems, the PHP + MySQL architecture. Since the framework set up convenient, favored by domestic and foreign developers, recently, Piwigo
<= v2.6.0 broke important 0day vulnerabilities.Causes of vulnerability, /piwigo/picture.php albums page Piwigo system, no complete jQuery validation parameters. An attacker who successfully exploited this vulnerability, you can get all the information in the database, vulnerabilities and simple violence.
The vulnerability affects the scope, Piwigo <= v2.6.0.
Vulnerability POC site to provide security tools, procedures (methods) may carry offensive, only for safety research and teaching purposes at your own risk!
Vulnerability Analysis:
Vulnerability analysis looks relatively simple, is due to functions_rate.inc.phpfile rate_picturefunction has no incoming $ratefiltering variables, spliced directly into the SQL execution:
the code is as follows:
pwg_query($query);
$query = '
INSERT
INTO '.RATE_TABLE.'
(user_id,anonymous_id,element_id,rate,date)
VALUES
('
.$user['id'].','
.'\''.$anonymous_id.'\','
.$image_id.','
.$rate
.',NOW())
;';
pwg_query($query);
The key to the rate_picturefact that there is a beginning of the function to filter $ rate variables. as follows
function rate_picture($image_id, $rate)
{
global $conf, $user;
if (!isset($rate) or !$conf['rate'] or !in_array($rate, $conf['rate_items']))
{
return false;
}
Determine $ratewhether the $conf['rate_items']item. And the value behind this array configuration file is written to die.
$conf['rate_items']The content can be include\config_default.inc.phpfound, in order to
$conf['rate_items'] = array(0,1,2,3,4,5);
Sentence function appears to be to set up a ratewhite list of variables. Only 0,1,2,3,4,5one of them.
Like this should be safe fishes. Of course, it turns out like this write is unsafe. When $rate = "5'aaaaaaaaaaaaaaaaa "the time,
in_array($rate, $conf['rate_items'])the determination is returned Trueto. This is a characteristic of different types of variables in php relatively time.
Therefore, use of this feature, the equivalent of a complete bypass in_arrayfilter. You can enter any data spliced into the SQL statement,
as long as the array starts with a number on it. Further in php switch there are similar characteristics.
Since if (!isset($rate) or !$conf['rate'] or !in_array($rate, $conf['rate_items']))not the in_array()third parameter of the function is set true
it will be a weak comparison can be bypassed. For example, we will $rateset the value to
1,1 and if(ascii(substr((select database()),1,1))=112,1,sleep(3)));# then SQL statement becomes:
INSERT INTO piwigo_rate (user_id,anonymous_id,element_id,rate,date) VALUES (2,'192.168.2',1,1,1 and if(ascii(substr((select database()),1,1))=112,1,sleep(3)));#,NOW()) ;
This may be blind, if the above code you see more chaos, you can look at the code simplified to the following:
Exploit:
Next we verify directly with sqlmap, payload as follows:
Here I use sqlmap physical machine has been fixed sweep. . Kali's changed sqlmap on it
ps: here need to upload a picture of yourself
sqlmap -u "http://192.168.1.139/PHPcode/piwigo/picture.php?/1/category/1&action=rate" --data "rate=1" --dbs --batch
Advice:
Can see this type of vulnerability is relatively weak problem, then we can use a strong match for repair. For example, the in_array () function of the third parameter is set to true, or by using the intval () function into digital variable intensity, or use a regular matching process variables. Here I the in_array () function of the third parameter is set to true, the code and protective effect are as follows:
Epilogue
After reading the above analysis, we do not know whether in_array () function with a deeper understanding
here to thank [Red team]
