Wiki source code of Application_PHP5

Last modified by Nicolas Gregoire on 2012/02/02 17:29

{{toc/}}

= Introduction =

Dixit [[Wikipedia>>http://en.wikipedia.org/wiki/PHP||rel="__blank"]]: "//PHP is a general-purpose server-side scripting language originally designed for web development to produce dynamic web pages. It is among one of the first developed server-side scripting languages that is embedded into a HTML source document, rather than calling an external file to process data. Ultimately, the code is interpreted by a web server with a PHP processor module which generates the resulting web page.//"

= Creating files =

Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted via xsltSetSecurityPrefs(), so a user-controlled stylesheet could create or overwrite files on the server side, typically to drop a PHP web shell. This vulnerability ([[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]] / [[CVE-2012-0057>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0057||rel="__blank" title="CVE-2012-0057"]]) was patched in version 5.3.9 ([[ChangeLog>>http://php.net/ChangeLog-5.php#5.3.9||rel="__blank"]]).

== Simple PoC ==

The attached [[create-file-via-libxslt.php>>attach:create-file-via-libxslt.php]] PoC drops a basic PHP script in /tmp/.

== PoC with crypto ==

A better script was later posted on [[OSS-Security>>http://seclists.org/oss-sec/2012/q1/157]] at Red Hat's request. This PHP script ([[attach:php539-xslt.php]]) displays by default a pre-filled HTML form containing XML data, XSLT code and RC4-encrypted malicious PHP code. When the form is submitted, the user-controlled XML data is transformed using the user-controlled XSLT code, and the output of this transformation is displayed in the browser. Meanwhile, the malicious PHP code is decrypted using a static key ("simple_demo") and saved to "/var/www/xxx/backdoor.php".

= Executing PHP code =

A call to [[registerPHPFunctions()>>http://php.net/manual/en/xsltprocessor.registerphpfunctions.php]] allows standard PHP functions to be executed directly from the XSLT stylesheet. I never came across this pattern in real-life engagements, but Google Code Search references [[several>>http://www.google.com/codesearch#search/&q=registerPHPFunctions%20lang:%5Ephp$&type=cs||rel="__blank"]] instances of it (dork: "registerPHPFunctions lang:^php$"). This isn't a bug and will not be patched.

|=Namespace |=Extension function |=PoC |=Note
| http:~/~/php.net/xsl| Any PHP function|[[execute-code-via-libxslt.php>>attach:execute-code-via-libxslt.php]]| A call to registerPHPFunctions() is needed

The attached [[execute-code-via-libxslt.php>>attach:execute-code-via-libxslt.php]] PoC uses the passthru() PHP function to execute "uname -a".
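
The following wrapper is an added example covering both of the preceding sections ("Creating files" and "Executing PHP code"); it is not the wiki author's PoC code (those are the attachments) and not part of the original page. It assumes PHP 7 or later for the syntax, while the APIs it relies on, XSLTProcessor::setSecurityPrefs() and the XSL_SECPREF_* constants, exist since PHP 5.4.0 (on 5.3.9 the write restrictions are applied unconditionally with no API to change them, and earlier 5.3 releases have no fix short of upgrading). The two stylesheets at the bottom are constructed samples; the function name transformSafely is an assumption of this example.

```php
<?php
// Added example (not the wiki author's PoC code): a defensive wrapper around
// XSLTProcessor that closes both holes discussed above. Assumptions: PHP 7+ syntax;
// XSLTProcessor::setSecurityPrefs() and XSL_SECPREF_* exist since PHP 5.4.0;
// the XML/XSL strings at the bottom are constructed samples.

function transformSafely(string $xml, string $xsl): string
{
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $style = new DOMDocument();
        if (!$style->loadXML($xsl, LIBXML_NONET)) {
            throw new RuntimeException('stylesheet is not well-formed XML');
        }

        // Gate 1: refuse stylesheets that want to write result documents. That is
        // the primitive behind CVE-2012-0057 (xsl:document / exsl:document -> file on disk).
        $xp = new DOMXPath($style);
        $xp->registerNamespace('xsl', 'http://www.w3.org/1999/XSL/Transform');
        $xp->registerNamespace('exsl', 'http://exslt.org/common');
        if ($xp->query('//xsl:document | //exsl:document')->length > 0) {
            throw new RuntimeException('stylesheet tries to write result documents');
        }

        // Gate 2: refuse any stylesheet that binds the PHP extension namespace.
        // php:function() is called inside XPath expressions, not as an element,
        // so a plain substring check on the namespace URI is the simplest reliable filter.
        if (strpos($xsl, 'http://php.net/xsl') !== false) {
            throw new RuntimeException('stylesheet binds the http://php.net/xsl namespace');
        }

        $proc = new XSLTProcessor();
        // Gate 3: tell libxslt to deny every file/directory/network operation.
        // XSL_SECPREF_* bits are "deny" flags; XSL_SECPREF_DEFAULT (the 5.4 default)
        // already forbids writes, READ_FILE/READ_NETWORK additionally block document().
        $proc->setSecurityPrefs(
            XSL_SECPREF_READ_FILE | XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY
            | XSL_SECPREF_READ_NETWORK | XSL_SECPREF_WRITE_NETWORK
        );
        // Gate 4: registerPHPFunctions() is simply never called, so even a stylesheet
        // that slipped past gate 2 cannot resolve php:function().
        $proc->importStylesheet($style);

        $data = new DOMDocument();
        if (!$data->loadXML($xml, LIBXML_NONET)) {
            throw new RuntimeException('input is not well-formed XML');
        }
        $out = $proc->transformToXml($data);
        if (!is_string($out)) {
            $msgs = array_map(function ($e) { return trim($e->message); }, libxml_get_errors());
            throw new RuntimeException('transformation failed: ' . implode('; ', $msgs));
        }
        return $out;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
    }
}

// Constructed samples: one benign stylesheet, one that binds the PHP namespace.
$xml = '<root><item>hello</item></root>';
$benign = '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
        . '<xsl:output method="xml"/>'
        . '<xsl:template match="/"><out><xsl:value-of select="//item"/></out></xsl:template>'
        . '</xsl:stylesheet>';
$phpNs  = '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"'
        . ' xmlns:php="http://php.net/xsl">'
        . '<xsl:template match="/"><out><xsl:value-of select="php:function(\'phpversion\')"/></out></xsl:template>'
        . '</xsl:stylesheet>';

foreach (['benign' => $benign, 'php-namespace' => $phpNs] as $label => $stylesheet) {
    try {
        echo $label, ': ', transformSafely($xml, $stylesheet);
    } catch (RuntimeException $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

The benign stylesheet is transformed normally; the second one is rejected before libxslt ever sees it. Gates 1 and 2 are cheap pre-filters that also give you a log line worth alerting on; gate 3 is the control the 5.3.9 fix introduced, made explicit so a future change of defaults cannot silently re-enable writes, and gate 4 is the whole point of the "Executing PHP code" section: registerPHPFunctions() is an opt-in, and code that transforms user-controlled stylesheets must never opt in.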

= Reading binary files via PHP filters =

{{warning}}
Untested: could we read binary files too?
{{/warning}}

{{code language="xml"}}
<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<scan>&test;</scan>
{{/code}}

Source: http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/

= Anti XXE =

[[libxml_disable_entity_loader()>>http://www.php.net/manual/en/function.libxml-disable-entity-loader.php]]
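
As an added example for the two preceding sections (the php://filter entity above and the anti-XXE link), not taken from this page or from the linked article: a loader that refuses any DOCTYPE, disables the libxml external entity loader, and never enables entity substitution, so a SYSTEM entity pointing at php://filter (or file://, http://) is never resolved. It assumes PHP 7 or later; the function name loadXmlSafely and the "plain" document are assumptions of this example, while the "xxe" document is the snippet shown above.

```php
<?php
// Added example (not from this page or the linked article): an XML loader that
// refuses DOCTYPE/entity declarations and turns off external entity resolution
// before libxml parses anything. Assumption: PHP 7 or later; the two documents at
// the bottom are constructed samples (the second is the page's entity snippet).

function loadXmlSafely(string $xml): DOMDocument
{
    // Gate 1: the internal subset is the only place an entity can be declared, so
    // a document that carries a DOCTYPE at all has no business in this code path.
    // The keyword is case-sensitive in XML, so an exact substring check is enough.
    if (strpos($xml, '<!DOCTYPE') !== false) {
        throw new RuntimeException('DOCTYPE declarations are not accepted');
    }

    // Gate 2: make sure libxml has no resolver for SYSTEM/PUBLIC identifiers
    // (php://filter, file://, http:// ...). PHP 8 disables it by default and
    // deprecates the function, hence the version guard.
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $prevLoader = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network fetches; LIBXML_NOENT and LIBXML_DTDLOAD are
        // deliberately absent, so entity references are never substituted.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            $msgs = array_map(function ($e) { return trim($e->message); }, libxml_get_errors());
            throw new RuntimeException('parse error: ' . implode('; ', $msgs));
        }
        // Gate 3: defence in depth for gate 1, no DTD node may survive parsing.
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new RuntimeException('document contains a DTD');
            }
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($prevLoader !== null) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
}

// Constructed samples: a harmless document and the entity snippet from the section above.
$samples = [
    'plain' => '<scan>nothing to see</scan>',
    'xxe'   => '<!DOCTYPE scan [<!ENTITY test SYSTEM '
             . '"php://filter/read=convert.base64-encode/resource=/etc/passwd">]>'
             . '<scan>&test;</scan>',
];
foreach ($samples as $label => $doc) {
    try {
        echo $label, ': ', loadXmlSafely($doc)->documentElement->textContent, "\n";
    } catch (RuntimeException $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

The same three controls apply to SimpleXML: pass LIBXML_NONET as the third argument of simplexml_load_string(), never pass LIBXML_NOENT, and keep the DOCTYPE check in front of the call. Rejecting the DOCTYPE outright, rather than only disabling the loader, is what makes the check independent of the PHP and libxml versions in production.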