Changes for page Application_PHP5

Summary

• Page properties (2 modified, 0 added, 0 removed)

Details

Page properties

Tags

...	...	@@ -1,1 +1,0 @@
1		-php|libxslt|code execution

Content

...	...	@@ -1,21 +1,17 @@
1		-{{toc/}}
	1	+Dixit [[Wikipedia>>http://en.wikipedia.org/wiki/PHP||rel="__blank"]] : "//PHP is a general-purpose server-side scripting language originally designed for web development to produce dynamic web pages. It is among one of the first developed server-side scripting languages that is embedded into a HTML source document, rather than calling an external file to process data. Ultimately, the code is interpreted by a web server with a PHP processor module which generates the resulting web page.//"
2	2
3		-= Introduction =
4	4
5		-Dixit [[Wikipedia>>http://en.wikipedia.org/wiki/PHP||rel="__blank"]] : "//PHP is a general-purpose server-side scripting language originally designed for web development to produce dynamic web pages. It is among one of the first developed server-side scripting languages that is embedded into a HTML source document, rather than calling an external file to process data. Ultimately, the code is interpreted by a web server with a PHP processor module which generates the resulting web page.//"
6	6
7		-= Creating files =
	5	+== Creating files ==
8	8
9		-Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted via xsltSetSecurityPrefs(). It was then possible to create or overwrite files on the engine side, typically for dropping a PHP Web Shell. This vulnerability ([[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]]) was patched in version 5.3.9 ([[ChangeLog>>http://php.net/ChangeLog-5.php#5.3.9||rel="__blank"]]).
	7	+Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted via xsltSetSecurityPrefs(). It was then possible to create or overwrite files on the engine side, typically for dropping a PHP Web Shell (cf [[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]]).
10	10
11		-The attached [[create-file-via-libxslt.php>>attach:create-file-via-libxslt.php]] PoC will drop a basic PHP script in /tmp/.
12	12
13		-= Executing PHP code =
	10	+The attached [[create-file-via-libxslt.php>>attach:create-file-via-libxslt.php]] PoC will drop a basic PHP script in /tmp/.
14	14
15		-A call to [[registerPHPFunctions()>>http://php.net/manual/en/xsltprocessor.registerphpfunctions.php]] allows to execute standard PHP functions directly from the XSLT stylesheet. I never came across this pattern in real-life engagements but Google Code search references [[several>>http://www.google.com/codesearch#search/&q=registerPHPFunctions%20lang:%5Ephp$&type=cs||rel="__blank"]] instances of it (dork: "registerPHPFunctions lang:^php$"). This isn't a bug and will not be patched.
	12	+== Executing PHP code ==
16	16
	14	+A call to [[registerPHPFunctions()>>http://php.net/manual/en/xsltprocessor.registerphpfunctions.php]] allows to execute standard PHP functions directly from the XSLT stylesheet. I never came across this pattern in real-life engagements but Google Code search references [[several>>http://www.google.com/codesearch#search/&q=registerPHPFunctions%20lang:%5Ephp$&type=cs||rel="__blank"]] instances of it (dork: "registerPHPFunctions lang:^php$").
17	17
18		-|=Namespace |=Extension function |=PoC |=Note
19		-| http:~/~/php.net/xsl| Any PHP function|[[execute-code-via-libxslt.php>>attach:execute-code-via-libxslt.php]]| A call to registerPHPFunctions() is needed
20	20
21	21	The attached [[execute-code-via-libxslt.php>>attach:execute-code-via-libxslt.php]] PoC will use the passthru() PHP function to execute "uname -a".