List,

I've been reading this [0] excellent blog article on how somebody hacked phpbb.com (thanks Daily Dave), and they say that the exploit was possible because of this [1] local file include vulnerability, which basically is exploited like:

    http://www.example.com/lists/admin/index.php?_SERVER[ConfigFile]=../.htaccess

The problem here is the ugly foreach loop:

    foreach ($_REQUEST as $key => $val) { $$key = $val; }

That works like register_globals on anabolics.

After some thinking on how we could detect this in an automated way, I realized that this kind of vulnerability is too specific, and it wasn't even worth trying to "overwrite" the values in _SERVER (or _REQUEST or _GET) by guessing names like:

    http://www.example.com/lists/admin/index.php?_SERVER[Config_File]=../.htaccess
    http://www.example.com/lists/admin/index.php?_SERVER[ConfigFile]=../.htaccess
    http://www.example.com/lists/admin/index.php?_SERVER[Config]=../.htaccess
    http://www.example.com/lists/admin/index.php?_SERVER[config]=../.htaccess

and checking if the response was different; but... all this thinking wasn't useless!

What I want to do now is to create a new plugin that tries to find new parameters for a given php/asp/etc script. In some pentests I've performed, you find a script named "upload.php" using nikto or something, but you don't know what parameters to pass to it in order to really upload the file, so... you start trying with file, filename, filecontent, f, upload, etc. What I want to do is to automate all this process, and for every URL that w3af finds, try a combination of thousands of parameters and check if the response changes. This can be performed in a fast way like this:

1) Perform two GETs to the original URL, http://www.example.com/index.php?id=1, and save the two responses. We perform this step in order to make sure that the result of the URL doesn't change randomly, and if it changes we know how much it changes.

2) We should have a list of common variable names, and we should test them all... but testing them one per request would be painfully slow, so we could do something like this:

    GET http://www.example.com/index.php?a=<rand_value>&b=<rand_value>....&z=<rand_value>
    GET http://www.example.com/index.php?aa=<rand_value>&bb=<rand_value>....&zz=<rand_value>
    GET http://www.example.com/index.php?aaa=<rand_value>&bbb=<rand_value>....&zzz=<rand_value>
    GET http://www.example.com/index.php?admin=<rand_value>&login=<rand_value>....&request=<rand_value>

Performance is increased a lot, because in one request we are testing more than 20 variables. There is a length limit in the query string that we should take care of, but it would still be 20 to 50 times faster than one variable per request.

Well... once we get all the results, we compare them with the original ones, and if something changes then we know that one of the variables is used for something. Then a simple "binary search algorithm" will find which variable was the lucky one.

This method isn't perfect, because variables could be used but they might not impact the HTTP body result, but... it's the best we can do =)

What do you guys think? Anyone interested in coding it?

[0] http://hackedphpbb.blogspot.com/
[1] http://www.milw0rm.com/exploits/7778

Cheers,
--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
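The three steps proposed in the message (two baseline requests, batched probes packed under a query-string length limit, then a binary search over any batch that changes the page), written out as an added example. This is not w3af code and not the plugin the author went on to write; the remote script is replaced by a constructed `fake_target` function that reacts only to the `file` and `debug` parameters, the wordlist is a constructed 30-name list, and `fetch(params) -> body` is an assumed interface standing in for an HTTP GET. Two details a practitioner would want beyond the sketch: names already present in the original URL are skipped (otherwise the probe overwrites the real `id=1` and every batch looks "changed"), and the change test is a similarity ratio against the noise measured between the two baseline responses rather than a strict byte comparison, so a page with a small dynamic element is not flagged on every probe.

```python
"""Batched parameter discovery with a binary search over the hits.

Added example, not w3af code. The remote script is replaced by a constructed
fake so the whole thing runs offline.
"""
import random
import string
from difflib import SequenceMatcher
from urllib.parse import urlencode


def fake_target(params):
    """Constructed stand-in for "upload.php": it only reacts to the "file" and
    "debug" parameters and ignores everything else, including the base "id"."""
    body = "<html><body><h1>upload</h1></body></html>"
    if "file" in params:
        body = body.replace("</body>", "<p>file received</p></body>")
    if "debug" in params:
        body += "<!-- debug output enabled -->"
    return body


# Constructed wordlist; a real run would use a list of thousands of names.
WORDLIST = [
    "id", "page", "action", "cmd", "dir", "path", "f", "file", "filename",
    "upload", "user", "username", "login", "pass", "password", "admin",
    "debug", "test", "lang", "q", "search", "name", "data", "config",
    "template", "view", "include", "inc", "redirect", "url",
]


def rand_value(length=8):
    """Random token so a guessed name is not tested against a fixed value."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


class ParamFinder:
    def __init__(self, fetch, base_params, max_query_len=2048):
        self.fetch = fetch                  # assumed: fetch(dict) -> response body
        self.base_params = dict(base_params)
        self.max_query_len = max_query_len  # query-string limit to stay under
        self.requests = 0                   # how many "GETs" we spent
        self.baseline = None
        self.threshold = None

    def _get(self, extra_names):
        """One probe request: the original parameters plus the guessed names."""
        self.requests += 1
        params = {**self.base_params, **{n: rand_value() for n in extra_names}}
        return self.fetch(params)

    def _changed(self, names):
        """Step 3: compare against the saved baseline, allowing for the amount
        of noise measured between the two baseline requests."""
        ratio = SequenceMatcher(None, self.baseline, self._get(names)).ratio()
        return ratio < self.threshold

    def _batches(self, wordlist):
        """Step 2: pack as many names as fit under the query-string limit."""
        batch = []
        for name in wordlist:
            candidate = batch + [name]
            probe = {**self.base_params, **{n: "x" * 8 for n in candidate}}
            if batch and len(urlencode(probe)) > self.max_query_len:
                yield batch
                batch = [name]
            else:
                batch = candidate
        if batch:
            yield batch

    def _bisect(self, names):
        """Binary search: only recurse into halves that still change the page,
        so several hits in one batch are all found."""
        if not names or not self._changed(names):
            return []
        if len(names) == 1:
            return list(names)
        mid = len(names) // 2
        return self._bisect(names[:mid]) + self._bisect(names[mid:])

    def run(self, wordlist):
        # Step 1: two requests to the untouched URL tell us how dynamic it is.
        first, second = self._get([]), self._get([])
        self.baseline = first
        self.threshold = SequenceMatcher(None, first, second).ratio()
        # Never overwrite a parameter the URL already carries.
        candidates = [n for n in wordlist if n not in self.base_params]
        found = []
        for batch in self._batches(candidates):
            found.extend(self._bisect(batch))
        return found


if __name__ == "__main__":
    finder = ParamFinder(fake_target, {"id": "1"}, max_query_len=256)
    print(finder.run(WORDLIST), "found in", finder.requests, "requests")
```

With the (deliberately small) 256-byte limit the 29 candidate names fit in two batches, and the whole run costs about 20 requests instead of 31, the saving growing with the wordlist since an unchanged batch costs exactly one request. The limitation the author points out stands: a parameter that is read but never affects the body (or only affects a header, a redirect, or timing) is invisible to this comparison, and a page noisier than the change it makes will hide it behind the threshold.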