PHP Injection found.. but can I do anything useful?

Post by tommed on Tue Aug 02, 2011 6:18 pm

Been auditing a friend's PHP web site for security holes, and found that he is trusting the querystring and using it in a PHP include line.. The problem is that he appends the include line with ".txt" and I'm not sure if I can actually do anything malicious with this to be worth reporting it to him...

The site basically uses a querystring item to load text from a .txt file, eg:

Code:
http://example.org/info.php?title=foobar


will load the txt file "files/foobar.txt" and display it inside the page.
I can load the robots.txt file into the page like so:

Code:
http://example.org/info.php?title=../robots


I think the include code probably looks something like this:

Code:
include("files/" . $_GET["title"] . ".txt");


Could anything malicious be done here, or am I barking up the wrong tree?

He also has a mailing list form on another page. This is obviously doing an INSERT SQL operation and I'm guessing it may be susceptible to SQL injection.. what kind of injection could be used within this insert statement that could cause problems for my friend?
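The include pattern guessed at above, written out beside a hardened replacement, as an added example that is not code from the thread or from the site being audited. The "files/" directory, the "title" parameter and the sample inputs are the ones quoted in the thread; the helper names, the temp-directory demo and the assumed file layout are this example's own. Two points the thread does not spell out: because the sink is include() rather than a read, any .txt that contains a PHP open tag is executed, not merely displayed, so the issue is potentially code execution rather than just file disclosure; and PHP releases before 5.3.4 truncated filesystem paths at a NUL byte, which is the classic way to get rid of an appended suffix like ".txt". The hardened resolver refuses NUL along with everything else outside a strict allow-list, and then checks containment with realpath() as a second, independent line of defence.

```php
<?php
// Added example, not code from the thread: the include() pattern tommed
// guesses at, beside a hardened replacement. The "files/" directory, the
// "title" parameter and the sample inputs come from the thread; the helper
// names and the temp-directory demo are assumptions made here.

// VULNERABLE. The appended ".txt" is the only restriction: "../" walks out
// of files/, so any *.txt the web server account can read is pulled in.
// Because the sink is include() rather than a read, a .txt that happens to
// contain a PHP open tag is executed, not merely displayed. (PHP before
// 5.3.4 also truncated paths at a NUL byte, which removes the suffix.)
function show_text_vulnerable(string $title): void
{
    include("files/" . $title . ".txt");
}

/**
 * Resolve <$baseDir>/<$title>.txt, returning its absolute path or null when
 * the request must be refused. Two independent checks are applied so that a
 * flaw in one does not reopen the hole.
 */
function resolve_text_file(string $baseDir, string $title): ?string
{
    // 1. Allow-list the name: letters, digits, "_" and "-" only. This alone
    //    rejects "/", "..", NUL and every quoting trick.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $title)) {
        return null;
    }

    // 2. Containment: realpath() collapses ".." and symlinks (and returns
    //    false for a missing file); the result must lie inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $title . '.txt');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// FIXED. Treat the file as data: read it and HTML-escape it, never include() it.
function show_text_fixed(string $baseDir, string $title): void
{
    $path = resolve_text_file($baseDir, $title);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page.';
        return;
    }
    echo htmlspecialchars(file_get_contents($path), ENT_QUOTES, 'UTF-8');
}

// CLI demo: builds a throwaway files/ directory holding foobar.txt and runs
// the resolver over the titles seen in the thread plus a NUL-byte variant.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/foobar.txt', "hello\n");

    $titles = [
        'foobar',                                          // allowed
        '../robots',                                       // refused
        '../../../../../usr/share/doc/zip-2.31/algorith',  // refused
        "foobar\0../../etc/passwd",                        // refused
    ];
    foreach ($titles as $t) {
        $verdict = resolve_text_file($dir, $t) === null ? 'refused' : 'allowed';
        printf("%-55s %s\n", json_encode($t), $verdict);
    }

    unlink($dir . '/foobar.txt');
    rmdir($dir);
}
```

Run it with `php lfi_fix.php`; only `foobar` resolves, and it does so to a path inside the temporary directory. The allow-list does the real work; the realpath() check is there so that a later change to the regex (say, someone adds "." to permit dotted names) still cannot reach outside the directory.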

Re: PHP Injection found.. but can I do anything useful?

Post by mShred on Tue Aug 02, 2011 6:55 pm

Ah, just today I was scanning a friend of mine's website and came across something similar: a request that grabs an image and displays it on the screen. Of course I tested it for an RFI vulnerability. I could display an image from my website on their site. If it was an invalid image, it would output the message "error: getimagesize failed". Well damn, I could only display images. After hours of testing, I finally concluded that I cannot do anything with it due to the fact that it only displayed an image (yes, I tried malicious image files). But your situation seems a little different. Try opening files that aren't .txt and see what happens. Try loading a different site. Reply back with further results.


Re: PHP Injection found.. but can I do anything useful?

Post by pretentious on Tue Aug 02, 2011 7:45 pm

tommed wrote:He also has a mailing list form on another page. This is obviously doing an INSERT SQL operation and I'm guessing it may be susceptible to SQL injection.. what kind of injection could be used within this insert statement that could cause problems for my friend?


If his query looks like this:

Code:
insert into mailingList values('','$email','$name');

you can make the name variable read:

Code:
pretentious'); drop table mailingList; --

I might have some syntax wrong, but I think the theory is right.
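The INSERT sketched above, built by string concatenation the way the post assumes and then rewritten as a prepared statement, as an added example that is not code from the thread or from the site being audited. The mailingList table and its three columns (an id plus email and name) follow the post's own line; the column names, the helper names and the in-memory SQLite database are assumptions made here, the latter only so the fix runs without a MySQL server. One caveat worth relaying to the developer: whether the trailing `drop table` actually executes depends on the client API (PHP's old `mysql_query()` sends a single statement per call and rejects the rest, while `mysqli_multi_query()` runs them all), but an injection that stays inside the one INSERT, for example closing the value list and adding rows of the attacker's choosing, works with any of them, so the absence of stacked queries is not a defence.

```php
<?php
// Added example, not code from the thread: the INSERT pretentious sketches,
// built by string concatenation as he assumes, beside a prepared-statement
// version that stores his payload harmlessly. The mailingList table and its
// columns (id, email, name) are assumed from his line; the in-memory SQLite
// database exists only so the fix runs without a MySQL server.

// VULNERABLE. Returns the SQL text the concatenating code would send.
// With pretentious's name value the result is:
//   insert into mailingList values('', 'a@example.org', 'pretentious'); drop table mailingList; --');
// i.e. the INSERT is closed early and "drop table" follows as a second statement.
function build_insert_unsafe(string $email, string $name): string
{
    return "insert into mailingList values('', '$email', '$name');";
}

// FIXED. The SQL text is constant; the values are bound separately, so a
// quote or semicolon in $name is data, never syntax.
function insert_subscriber(PDO $db, string $email, string $name): int
{
    $stmt = $db->prepare('INSERT INTO mailingList (email, name) VALUES (:email, :name)');
    $stmt->execute([':email' => $email, ':name' => $name]);
    return (int) $db->lastInsertId();
}

// Demo: show the unsafe SQL text, then prove the same payload is stored
// verbatim by the fixed code and that the table survives.
function demo(): array
{
    $payload = "pretentious'); drop table mailingList; --";

    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mailingList (id INTEGER PRIMARY KEY, email TEXT, name TEXT)');

    $id = insert_subscriber($db, 'a@example.org', $payload);

    $sel = $db->prepare('SELECT name FROM mailingList WHERE id = ?');
    $sel->execute([$id]);
    $stored = $sel->fetchColumn();

    $exists = $db->query("SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'mailingList'")
                 ->fetchColumn();

    return [
        'unsafe_sql'         => build_insert_unsafe('a@example.org', $payload),
        'stored_name'        => $stored,            // identical to $payload
        'table_still_exists' => (int) $exists === 1, // true
    ];
}

if (PHP_SAPI === 'cli') {
    print_r(demo());
}
```

Run with `php sqli_fix.php` (needs the pdo_sqlite extension, which is bundled with most PHP builds). The unsafe string makes the problem visible without touching a live database; the prepared statement is the fix to recommend over escaping, because it removes the whole class of quoting mistakes rather than patching one of them.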


Re: PHP Injection found.. but can I do anything useful?

Post by tremor77 on Wed Aug 03, 2011 9:40 am

1. The potential exists for directory traversal, as you already noticed by loading the ROBOTS.TXT file from outside the /files directory using: ?title=../robots

2. The potential may exist to load something other than a text file by adding an extension and closing the query prematurely with an escape string or by adding spaces... consider: ?title=../index.php '

3. You may be able to get a directory listing in a similar fashion to #2 by using something like: ?title= '

It's hard for me to say how you could use the GET method to violate his mailing list form for an SQL injection without getting a good look at the site layout and source code, but I think the potential exists. Additionally, depending on the web server's settings, using certain characters in the GET method for URL bar injection may or may not be limited. I know that on my web server, using ' and " in the URL bar tends to get stripped. So it would be a matter of trial and error, testing what escape methods you could pass to his code.


Re: PHP Injection found.. but can I do anything useful?

Post by tommed on Wed Aug 03, 2011 5:00 pm

Thanks for the ideas and feedback guys/gals!

I can confirm that it is only possible to read .txt files. The include line must be using double quotes or escaping the querystring value first; there is no way of commenting out the .txt suffix that I have found (e.g. '); / or whatever). However, it is possible to work on directories anywhere on the server that the Apache user can read.

I have been looking for the usual (TODO.txt, passwords.txt, clients.txt, ftp.txt etc..), but managed to do something slightly less interesting, which will probably be enough for the developer to admit he has a problem:

Code:
showfile.php?title=../../../../../usr/share/doc/zip-2.31/algorith


This displays the file /usr/share/doc/zip-2.31/algorith.txt. I can't think of any really good txt files to try and read for Linux other than documentation in /usr/share, but hopefully this is enough!

@pretentious: I daren't run SQL drop code on my friend's site, but that is exactly the kind of thing I was after; I'm guessing your code snippet would indeed work and delete the entire contents of the mailing list (I wonder if he has a backup??). I will relay this to my friend for his developer to review!

Thanks guys! Keep up the good work! :)


