Intro to Penetration Testing using Burp Suite

Captions
[Introducer, partly unintelligible:] ... GreyHat ... He was a former pen tester at Bishop Fox as well, got a ton of experience ... [applause]

Cool, all right, are we good? Is he recording? Recording? We're good. Sweet. All right, what's going on everybody, my name is Chris Grayson. I used to be the president of GreyHat a few years ago and have tried to stay involved as much as I can ever since. Real quick, to what the student is saying about the whole admin position: if it's something that you just listened to and were like, yeah, that's not really for me, I think you should reconsider. Really, the only reason that I'm up here standing in front of you today is because I took the initiative and did it. The only reason I got the job pen testing was because I was the president. The only reason I've done a lot of things since then is because I got actively involved in this group. If you want to break into things professionally for a living: first off, it's awesome; second off, it's super enjoyable; third off, the number one way that you can prepare yourself for that is participating in CTFs, doing various things with this organization, but the best way is to be one of the admins, to be one of the ones that's pushing this forward. There's really no big enterprise located in Atlanta that doesn't know the GreyHat name. If you're one of the admins here and they're hiring for security positions, you will immediately make it to the top of that resume stack. It really does shine on your resume. So yeah, please do it, give back. All the folks here that are admins, that are putting this together, the food that you get, the presentations that are coming in: you have people that are working really hard to make that happen. None of this happens without their effort, and when they're gone, if nobody else takes up that slack, then this fails. So please consider it.

So today I'm going to be giving a talk that I've given a number of times before, and it's going to be on something called Burp Suite. Who here knows what Burp Suite is, and who here has used Burp Suite? Okay, a few people, awesome. And then by a show of hands, who here is a first year, second year, third year, fourth, four plus? That's the way we do it. Cool. So I'm going to try and aim this talk at... if you've never even worked with web applications before, you've never built web applications before, you've never taken a dive in here, this is for you. That's kind of the level that we're starting at, and hopefully I'll bring you to a point that, after we do this, you can run Burp Suite on your own and you can go do this against vulnerable VMs in your own time. So hopefully you'll be able to leave this talk with the ability to practice these skills on your own.

That being said, and I preface pretty much every single one of my talks with this: do not do what I'm about to show you to anything that you do not own and that you do not have explicit permission to do these activities on, because if you do, you're breaking laws. Not only is that a problem at the state and federal level, but if any of the admins or any of the faculty members associated with this organization find you out, they will be the first ones to report you, they will be the first ones to tell the police what you're doing. This is not a joke. One of the things that I will show you is how you can do this responsibly with resources where you can go and do these activities, and really, if you want to start doing this against production systems, like stuff that other organizations own, there's ways that you can do that legally as well. So I'll finish the talk by talking about some of those alternatives.

This application right here is my buddy Joe's: basically, a made-to-be-vulnerable web application. Joe is an incredible hacker, an incredible software developer. If you ever get to the point that you're making challenges, you'll find that it's really hard to design something securely; it's even harder to design something to be insecure in a specific way. And through the course of giving this talk a few times, we found that there are some other ways you can actually completely compromise the host that this application is running on.

If you don't have Burp Suite and you want to follow along, grab it real quick. It's free, it's just a Java jar. Just google "burp suite download", the free version, pull it up. PortSwigger is the company that builds it.

So let's start with something simple. I type a URL into my address bar in my browser and I hit the enter key. What happens? First thing that happens, anybody? [Audience: it resolves the name.] Resolves the name, unless it's an IP address, yes. So, resolve a name. What does that mean? Okay, so tell me what DNS is, why does it exist? Basically, yes: computers don't know where www.whatever is; that's not an address that they can route traffic to. Unfortunately we're all humans, so remembering the IP addresses that are associated with google.com is kind of a pain. So what DNS does is it takes the domain name, like www.google.com, and it converts it to an IP address. There's all sorts of other crazy stuff that you can do with DNS, but for our purposes today just know that when we hit enter, if we have a domain name in the URL, the first thing that's going to happen is our computer is going to issue a DNS request and figure out what the IP address is that that domain name is pointing to.

Okay, so we have the IP address associated with a domain, or in this case we are entering in an actual IP address, so we know where we're supposed to be talking to. What now? And we'll go by hands, and if nobody raises their hands I'll start picking people. [Audience answer.] Absolutely, absolutely. What kind of request? We're skipping one step there: handshake. What sort of handshake? TCP/IP, sure, yes. So we establish a TCP connection to the remote service. We're not going to dig through the details of TCP, but suffice it to say that now we have a tunnel, or like a pseudo-tunnel, that we can communicate with the remote server across. So now our computer has established a connection to the remote server at the given port. What now? An HTTP or HTTPS request, yes, that is correct. So basically, if you've never dug into the actual HTTP protocol, there's a lot of kind of sloppy, messy-looking stuff that's going on behind the scenes that brings you this beautiful screen, and that is what happens through HTTP requests. So let's take a quick look at what that actually looks like.

One thing that you should always keep in mind is that some of the best hacking tools are made for developers, as developer tools. Case in point, this. So I'm going to reload this page. We just saw a bunch of stuff happen here. Turns out that when I hit enter, multiple requests were sent. Why is that? Go for it. [Audience: multiple resources getting loaded on one page.] But I only requested one page, why would there be multiple resources? Oh, the page includes other resources and uses them. Absolutely. So in the HTML spec there are various tags that have attributes that point to other resources that you need to request. So let's take a look at what that might actually look like. We're going to come in here and go to View Page Source. So when I submitted that HTTP request (and we'll look at what the actual body of the request looked like in a second), this is what the server responded with. This doesn't look very pretty, this isn't very nice, I don't really know what any of this means unless I know a lot about HTML. So we have a head tag, a meta tag, a title tag, link rel="icon" href="images/favicon.gif". That href in this HTML is saying: hey, for the favicon, which is the icon that you'll see in the browser bar, go retrieve this image. That is a relative URL path to another resource that is currently held on that server. So basically what the browser does is it sends the request, gets the response, and it parses that response. Now in that response there are going to be various things that point to other resources that the browser then queues up for an additional request. That's why we're seeing... oh, come on... yeah, that's what we're seeing here. So in the original HTML response there were actually references to a style.css file, a css3.css file, jQuery, this other one, another styles file. So to reiterate: the browser got the HTML, it parsed the HTML, it found the other references that that HTML was linking to, and then it loaded those as well.

So I should have asked this earlier. Quick show of hands: who actually has a web application background, has done web development, anything like that? Okay, so about 50%. So in a lot of cases, and this is going to be the case with this one, the way that a web server works, grossly oversimplifying things, is that it maps part of a file system to a web server, right? So on the web server side, when I request 192.168.136.130/course on photography/, what the web server is doing is it's saying: hey, I'm configured to distribute content out of this directory. All right, so it's looking for a directory within that one entitled "course on photography", and if it finds that, it serves content from that directory. So when you're looking at the paths in URLs, anything after the IP address or domain name is in a lot of cases mapping specifically to a file path on the web server, and it's giving you the file that's being requested. Does that make sense? Everybody following along so far? Cool.

That's not always the case. If you've ever worked with Rails, if you've ever worked with Django, if you've ever worked with a number of various frameworks, it's not actually mapping a file system to the web server. It's actually just parsing, it's using these as variables that are being passed to the server and invoking some sort of functionality. As far as security is concerned, which one of those two might be better, and why? [Audience answer.] That's right, that's absolutely right. So for anybody that didn't hear, one of the reasons for opting for the "we're actually mapping URL paths to specific functionality" instead of just retrieving files from the disk is: what happens if you accidentally leave a file in one of the directories on the web server? What if there's executable code in that file? Maybe it's not linked to, maybe there's no links to it, but if it's sitting there and somebody finds it, what could possibly happen? [Audience: it would execute it.] Exactly, exactly. So Joe, the same guy that authored this application that we're going to be looking at, he calls PHP an API for remote code execution, and I tend to agree with him, because more often than not developers will leave debugging scripts, they'll leave... you know, maybe you're making some edit to the production web server, so you make a copy of the current file and name it .old and then make your current edits to the actual one that's on the server. Well, that .old file is still there. Not only that, but because it has a different file extension, you're actually leaking source code now.

So going one step further, talking about how the web server works, these ones that are mapping file systems to what you can request through the web server: can somebody tell me what happens once the request is received internally by the web server? What I'm looking for here is a comment on why file extensions matter. All right, so it's looking at file extensions to... [audience answer] ...so what does it serve? [Audience: if it's a .html...] Right, right, right. So with these configurations that are mapping file systems to web servers, generally speaking, here's how the logic goes. First it's going to see: does this directory exist? So if I did course on photography/foo/bar/bang, it's going to see, hey, does this directory actually exist? If it doesn't, 404. If it does, what's the file that's being requested within that directory? Now right now there's no file of course after "course on photography", so I'm just requesting a directory, apparently. Why then did I get HTML? Close, it's not Chrome or Firefox, it's actually the web server. So basically when you request a directory, the web server is typically configured to say, hey, if they didn't request a file, here's the default file that they should be looking for. The default configuration with these servers is going to be: if there's an index.html page in this directory, serve that, or if it's PHP enabled, if there's an index.php file in this directory, serve that instead. Okay, so that's mostly how web servers will handle the requests.

Now that they know the file that you're requesting, what the web server is going to do next is look at the extension of that file, and what you can do in the web server is configure different file extensions to be handled by different things. For .html, the logic is: oh, you requested an HTML file, read this file and send it back to them, don't do any additional processing. When you request the .php file, on the other hand, it's along the lines of: read this file, take the file contents, send it to the PHP interpreter, have the PHP interpreter execute that file as PHP code, take the results of that execution and send the results back. Right, so basically different functionality can be invoked based on different file extensions. So going back to my comment before: when you took index.php and you renamed it to index.php.old, that's no longer getting passed to the PHP interpreter. If you've seen how PHP is written (we'll look at it in a bit), that means that all of the code that would have been executed to dynamically generate this page is not being executed, it's just being returned, so you're now seeing source code. Which is why I say when you rename something and you forget about it, you have source code disclosure. Are there any questions so far? Good deal.

So like I said before, this is an application that is designed to be intentionally vulnerable, and we are going to hack into it. We can get a root shell on the system that this application is running on if we do the right things. I have no idea what this application does, I've never logged into it before, I've never seen it before, this is the first time that we're even touching it. What should I start doing? I saw a finger, was that it? Yes? No? Okay. SQL injection? SQL injection, okay. So I'm just going to throw a SQL injection at this webpage? [Audience: at a submission box.] Interesting, okay. So I would need to find the submission box. Right, right, right. So what we want to find out now is where are all the places that I control data. This is not just for web applications, this is anything that you're interacting with. Nine times out of ten, when you're abusing a system like this, it's based on: the developer wrote software expecting the input to be these things, but they also did not put any protections in place to restrict that input to only these things. So you can pass it input that is not expected, and depending on what's being done with that input, depending on the functionality behind the scenes, that can invoke functionality that it's not supposed to, that can read files that it's not supposed to, maybe you can write to a file. If I was able to write to an arbitrary location on the file system where this web server is running, what could I do with that? [Audience: probably write your own PHP code and execute it.] Exactly. So if I was to have something that seems fairly harmless, I'm able to write files to the disk, okay, cool, maybe I'll fill up your disk, whatever. It's actually kind of worse, because again, if I can write a file with a .php file extension and I can put that file in one of the directories that is being served by this web server, that means that I can run arbitrary PHP code. Does that make sense?

So we want to find input boxes, we want to find places that there's user interaction. How do you usually do that when you're talking about a website? Am I just going to click on everything? Huh? Login page, sure, but again, do I want to do this manually? Do I want to click on every single button? Maybe there's stuff in the HTML that is not even being rendered on the page, maybe it's in a comment tag, maybe it's commented out. So what is the method? Huh? Hey, there we go. So now we're going to start looking at Burp Suite, but before I open it up, can anybody tell me what an HTTP proxy is? [Audience answer.] Exactly, exactly. So to reiterate what was said: when you send your HTTP request, if there's no proxy, you're literally just connecting to the remote server and you're sending up the HTTP request and getting the response. When you configure a proxy, you're actually connecting to the proxy, telling the proxy, hey, this is who I'm trying to talk to and this is what I'm trying to say, and the proxy will then submit that HTTP request, it will get the response, and it will feed the response back to you. So that's why Burp Suite is a proxy. The proxy doesn't have to be a remote server, it doesn't have to be anywhere else; we can have a proxy on our local machine. So when you're using Burp Suite, what you do is you configure Firefox to have Burp Suite as a proxy, so instead of sending the request straight through to the web server, it's actually sending it to Burp Suite, and Burp Suite is then sending it out. Now if Burp Suite is a man-in-the-middle in this connection, think about all the crazy stuff that you can do with that. One of the other things that you will commonly see as an error on the behalf of front-end developers is they think, oh well, there's a drop-down here that only has these three values, therefore there's no way a user can submit any values other than the three in the drop-down. [Audience answer.] Exactly. So Firebug is one way that you can do this, but this is just HTML, this is just rendering, this is a browser, this is part of the whole HTTP/HTML suite, but at the same time you don't have to be interacting with the web server through a browser. You just have to be able to talk HTTP to it, and if you can talk HTTP to it, you can do all sorts of arbitrary stuff. So if nothing else, have one big takeaway for this meeting be: front-end security controls don't mean anything unless you're trying to protect your clients, all right, unless you're trying to protect the browser of somebody that is using your site. Front-end security controls do nothing for the security posture of your web application.

So this is a pretty great little plugin that I use for Firefox called FoxyProxy. It enables you to very quickly switch between various proxies that you're using. I have it configured here; you'll notice that the proxy is pointing to 127.0.0.1 on port 8080. That's because that's where my Burp Suite proxy listener is. See, when you fire up Burp Suite, it actually fires up a network service that you can communicate with, and that's your proxy. So I have it configured and I'm going to load this one more time. There's a lot of stuff in Burp Suite. We're going to cover most of what you need to know; we won't cover everything, but we'll start over here in the Target tab. So as I've been talking, as these things have been loading, what Burp Suite has been doing is man-in-the-middling all these connections, and it's keeping track of all of the requests and responses that have flown through it. In this first view that you see here in the Target tab, we see every single endpoint that has actually been communicated with. So it's pretty crazy to see that by only loading two pages in Firefox, my browser has sent requests to, what is it, over 30 different domains, pulling various resources. But we care about this one. So here we can dig into the web server on 192.168 and we see that there's this "course on photography" directory. Now a lot of this stuff is grayed out in there. The reason that it's grayed out is because basically a link to that resource has been observed in one of the responses but it hasn't been requested yet. So now we'll do one of the most basic things that you can do in Burp Suite, which is crawl. So you right-click and you hit "Spider this branch", and you add it to the scope, and now as this is running it's going to prompt to say, hey, do you want me to submit these forms? Do whichever. Boom. Burp Suite just went and found every single link that it could across all of the HTML, across all the pages that it found, and it requested everything. It tried to find every single resource that it possibly could on this endpoint, and you'll notice there's quite a few there. So we have about, blog, create, index, login, portfolio, upload. Any time you see the word "upload" you should be happy. [Audience question.] Not... oh man. So as an aside, I have my own company that I'm building where I have to write this functionality; it's rather complicated, but suffice it to say that in the HTML spec there's various tags, like an image tag, like an anchor tag, like a link tag, like we saw, that are specifically meant to reference other files. So what Burp Suite is doing is it's looking at all the HTML it's already seen and it's looking at all the references that are pointing to other resources on this server, and then it's requesting that and then parsing the response as well, and it does that until, okay, every single link that I can find I've already requested. [Audience question.] Hey, that's a good point. Well, how do we do that, though? This is a great question, and this is something that a lot of pen testers miss, and whether or not it pays dividends strongly depends on kind of how good your approach to doing this is. But do you know what the word for it is? So they call it content discovery, and this is a tool that will request arbitrary files on the web server, basically just brute-force guessing random file names. The more complicated ones, like the one in Burp Suite, will actually take all the resources that it has seen and try appending various extensions, like .old, .bak, .zip. It does, like, if you've ever been editing a file in vim and then you did an ls on the directory where the file is while vim is still open, you'll see that there's a copy of that file with a tilde at the end because it's currently being edited. So maybe somebody's currently editing a file on the server, anything like that. I'm currently using the free version of Burp Suite, so it's actually not going to be in here, I don't think. Yeah, so Burp Suite comes with content discovery functionality. Generally speaking, you should first crawl a web server and then run content discovery, but you have to have the Pro version to have that packaged in Burp Suite. There's other tools that will do it. One of them is called OWASP DirBuster. Don't ever use that tool, don't ever touch it, it needs to be burned with fire. I would recommend more strongly a tool called dirsearch. It's a little Python script, you can find it on GitHub, and instead of an "e" it's a "3", because they're hackers. So you'd want to run content discovery. For today we don't really need to do that; that's not something we need to do on this server.

So we crawled there, but let's also just kind of click around and see what's here. So we have a services page, we have a portfolio page, testimonials. Also, all of the text on this website is hilarious; unfortunately we're not going to be looking at very much of it. So you can click "read more"... there's login. Any time you see login, you always want to try... yeah, no: admin/admin. Yeah, yeah. I don't know how many of you guys have actually done work in the real world yet, but everybody's like, oh man, admin/admin, that probably never works. No, that works all the time. Unbelievable.

So all this stuff, that's great. I'm going to come back over here to Burp Suite. So you notice that there's some different icons next to these files, right? So we have what looks like a folder, there's different plain pages, and then we have these gear icons, and what these gear icons represent is that this endpoint takes some amount of user input, whichever, and when you come over here and you click on one of these arrows, you can actually see various requests that have been submitted with different functionality in there. So you get a view.php, all this, and so we see that there's been three requests to view.php with different parameters. All right, let's take a look at view.php. Who can tell me what that question mark up in the URL is? [Audience: GET parameter.] What is it called, what is that part of the URL called? Query string, that's right. So one of the ways that you can submit data to a web application is through the query string. The query string is defined as anything that follows the URL path after a question mark. So when you see a question mark and a bunch of stuff after it, that's data that is probably being consumed by the web application, and something is being done with it. Generally speaking, it follows the notion of: you'll see a key followed by an equals sign followed by a value, and then if there's more arguments that are being passed, there'll be an ampersand and then another key equals value, ampersand, key equals value, so on and so forth. There's no real limit to how many arguments you can pass. There's definitely a limit to the length of the URLs that will be processed, but I want to say that there's even a limit in the RFC: this is the maximum length that you will be... but anyways, so that's what's up there.

One of the other things that you will see, especially in modern times in single-page applications, is a... I found out that it's called a shebang, I usually call it a hashtag, but a shebang followed by stuff, and this is another way that you can provide data to the application. However, anything that you see after that shebang is never submitted to the web server; it is only data that is being used and manipulated by the front-end client. So if we're trying to attack the server, any data that we see after a shebang is really not doing much; again, it's never being submitted to the server. And by default, we can put a shebang in here and type a bunch of stuff after it and look at the actual HTTP request, and you'll see that none of the data that we typed is included in the request.

I realize that we haven't actually looked at what a GET request looks like yet. So when your computer sends a request, this is what it's actually sending, right here. So the first thing is an HTTP verb, which in this case is GET. There's a number of HTTP verbs: there's GET, POST, PUT, CONNECT, DELETE, TRACE, OPTIONS, PATCH. I know I'm forgetting some of them in there, but you have the verb, followed by the URL path including the query string, followed by the version of HTTP that's being queried, and then a number of HTTP request headers. These are automatically being populated by your browser every single time; you don't have to touch it, this is just all behind the scenes. In this case none of this is very important, but one of the things that we don't see here that you'll see all the time is cookies will be populated here. So if you've ever heard of, like, cookie stealing attacks, or "don't disclose your cookies", it's because the content of those cookies is being submitted alongside the HTTP requests, and those cookies, in a lot of cases, especially with session identifiers, are how the web server identifies: hey, who are you that's trying to talk to me, are you authenticated, what privileges do you have? It's mapping your request to access controls and privileges on the server side. So this is it, this is all that's being sent.

And in response, we have the first line, which is the HTTP version, followed by the status, followed by the status message. So HTTP 200 is great, everything's cool, here's your file. Followed by a number of headers, followed by two carriage return line feeds, followed by the contents of the resource that is actually being served. So here we see the HTML that we just saw in the browser, but what we didn't see when we were looking at the source were the response headers that came with it. So here we see the date, we have the server, we have X-Powered-By, and then these are the ones you'll see in pretty much everything, the MIME type of the content that's being served, so on and so forth. Can anybody tell me... [unintelligible] ...issues up here? Is that like a hand raise or a neck scratch? That was a half-hearted stretch, right? Yeah, yep. Why would you want to tell that to anybody? What benefit do you get from them knowing more about your application than they need to? This follows the principle of least privilege, which is kind of a core tenet of information security: you only give people what they need to do what you need them to do, and nothing less. Here we can say, oh, Apache 2.4.7, it's running on Ubuntu, and the PHP version is 5.5.9 with this specific Ubuntu spec. Now this particular version is not vulnerable to any publicly known exploits, but if it was, this would be all I would need to exploit it, because I know exactly what version it is. That's one of the first things I do when I see a weird version: simply just copy-paste that version and then put the word "exploit" after it in Google, and sometimes, like, Metasploit pops up. It's great. So that's an introduction to the request and response.

And with that being said, we're going to come back over here. So, talking about the query string, talking about how this is one of the ways that you can supply data to a web server. There's a number of ways that you can do it, but the query string is one of them, and when you're working with HTTP POST requests, you're not going to see the data that you're submitting in the URL. Where will you see it? Well, what part of the request is it called? In a POST it's called the request body. So for instance, is this a POST? Yeah. So here we have another request that was submitted by Burp Suite, and this is an HTTP POST request. You'll notice the verb right here says POST, you'll also notice there's no query string, and lastly, you may have noticed that there's some stuff down here. This is how data is supplied to servers in a POST request. That's not to say that when a request is handled it's not going to take data from both the query string and the request body, but for all the other HTTP verbs that intend to put information, to give information to the server, you're going to see the data you're submitting in the request body.

All right, now for the third time I'm going to come back here, and now we're actually going to talk about it. So, query string: what's in the query string up there? We see article equals and then a bunch of garbage. What is that? [Audience: unique identifier.] Okay, yeah, let's try that. So it's a unique identifier, which, if that's a unique identifier and there's a few pages that have unique identifiers that it's pulling from, then how would I verify that it's a unique identifier? Give me an idea for how to do that. So we know that there's different values in this field, so we know that that part changes, but if our hypothesis is this is a unique identifier, what would be... apply the scientific method to this. We have a control; what is the experiment? You change it. So if it's a unique identifier, maybe on the server side... let's think about, and you should always be doing this whenever you're doing any sort of assessment, think about what the code is doing here. Oh, I've got a parameter, it's named article, and it has a bunch of values. If our hypothesis is this is a unique identifier, what does that code look like? Oh, I'm going to take the unique identifier, I'm going to do a database query, and if a row matches then I'm going to serve up content based on whatever that matches, right? So that is our hypothesis. We could say, let's give it an identifier that doesn't exist. Has the page changed? The page has changed, but there's nothing on it. So we changed what we thought may have been a unique identifier to an identifier that doesn't exist, and we didn't get anything from the page. So okay, maybe it is a unique identifier. Who here knows about different formats of encoding? Pay attention to the... [unintelligible]. Good, yes, yes, you could decode it. So can anybody tell me what base64 encoding is? Why? Ha ha ha. Almost, almost, yeah. Actually, when you base64 encode something, the string is longer in most cases, actually I'm pretty sure all cases. Huh? Getting closer. The reason that base64 was actually invented was because it encodes things into a sequence of characters that does not include anything that would be a control character. Now a control character is something like a carriage return or a line feed; it's something that is telling whoever is consuming it to do something. And the origin of base64 is basically, when networks were far less complicated than they are now: oh well, we need to transmit this data between two endpoints, but it turns out that that data actually has a control character, and the intermediate hops, basically when they're processing the data, instead of understanding that hey, all this data needs to be sent, it starts consuming that data, hits that control character, it's like, oh, that's it, hops out. So by taking the data that you want to submit and encoding it in base64 encoding, you are able to pretty much guarantee that you're not going to run into one of those issues. That's
at least the origin of basics before encoding it's used for myriad things but that's that's at least where it came from so let's go back for a second one of the ways and this is this is something that the more you do this stuff the more the more obvious it becomes various kinds of encoding there they kind of like pop out to you once you get suitably familiar with them so I see this and I immediately didn't think that basics before encoded one of the things that is a dead giveaway of basic before encoding is I'll take this one another really cool feature of burp suite when you click on any request you can just say copy URL and then automatically just copy the URL for you it makes it really easy to hop between the two so in this case what's the last character that we see in that argument equal sign if you ever see an equal sign or two equal signs at the end of what looks like a bunch of gobbledygook that's pretty much guaranteed to be basically four encoded that's just an artifact of the encoding scheme if during the encoding process you hit a specific boundary in some cases you don't get the equal signs it's basically just an indication of padding for the algorithm so with this this is very obviously basically for encoding so let's see another cool little piece of functionality that burp suite has and it's called the decoder super simple you paste whatever you want and it has a number of different ways that you can decode or encode that data so for our purposes we're going to say decode to basic from basic support ah so what did it just a co2 if you can't read that it's ep-1 dot html' somebody walked me through what they think might be going on here again this is an argument supplied to the web server via query string it's basically four encoded and when we basics before decoded it looks a lot like a filename right right right right yes that's on the front end yes so let's let's again let's put ourselves back in the developers shoes I'm a developer I want to write a 
blog I want to I want to build a blog and I want to make it so that people here we go there we go there we go so that's some logic that's some logic that sounds like an amateur web developer would build we're basically like oh yeah well you know we're gonna we need to we need to make it so that you can just write new blog posts in HTML format and then you just drop them in this folder and then whenever you want to put a link to a new blog post you just basically for encode the name of it and then that's the link you put it up there in the URL lock impossible to go wrong let's confirm our suspicions before we go any further so we'll come back here and we'll take this ah yet again when we decode it it decodes to what looks like a file name quick caveat in PHP there's basically two different ways that you can read files in PHP there's more than two functions that will do this but one of them is hey just read the contents of this file and give them to me the other is hey process the contents of this file as PHP and give me the results those are two very different things because one of them is executing code the other one just reading file contents so all of that being said we've got this functionality what we do what we do here Reeth files yeah okay so yeah yeah yeah so this is a this is a vulnerability called directory traversal where basically the intent of the web application is we're going to let you you know we're going to let you specify a file for some some form of functionality maybe it's like we let you download files we don't use this to do that or the other thing about directory traversal is where that input is not being correctly sanitized and you can put various file paths in it so if that's what this is doing what's the next step how do we verify if that's the case because keep in mind that the hola yeah from that directory okay yeah sure let's try that ah nothing read view dot php' okay so how would I do that okay let's try that all right does look like 
a did anything let's double check oh what's that no man stuff in comments yeah this is why crawling programmatically beats crawling visually because this is commented meaning you are not going to see it in the browser but if all you're doing is processing HTML that doesn't matter you can find us no problem so it doesn't look like anything was placed into this HTML so view dot PHP did not work what else do we do again let's think about the scientific method here we need to control for as many variables as we possibly can so that we can kind of isolate what's going on here what are some reasons that could have fairly fail keep in mind that when we requested that HTML file we got a 404 yeah okay okay so it's in a different directory it's in a different directory do we know what directory it's in no we don't know what directory it's in what happens when you request the directory on a web server if I just request slash course on photography what happens we already talked about it gives you the index page okay what can we do with that information maybe maybe I would say that all right let's have a control we know that there's an index dot PHP file not only that but of all the different files that we could possibly pick it's the best bet because it is the most common file to find we know it exists in the web root we know that it exists and it's probably going to be in other directories if there's other directories that are running PHP code so let's go with index dot PHP that you know I'm actually gonna come over here because this will be easier still nothing okay where do we go from here we are computer yeah let's try that same well if we give it weird characters same where do we go from here haha yes so web service permissions on Linux file systems on all file systems I mean if you lock this down correctly the only files that the web server are going to be able to act is going to be able to access our files within its web root and various log files configuration files so 
that means that those HTML files that are potentially being included here are somewhere in the web root maybe they're not in the root directory maybe they're in a subdirectory maybe they're in a subdirectory of that but we know that they're at least in a subdirectory within the root directory that's being served by the web server yeah does that make sense so let's try this instead of requesting index.php let's do dot dot slash index dot PHP oh that's different so what does it tell you we're in a directory that we're in a directory huge character every hazard yes yes and in this case basically those HTML files are within a subdirectory from the web root so it's one directory deeper than the web root so we went ahead and said you know instead of an HTML file load dot dot slash index dot PHP and then we got this cool cool what was I saying before about flour reads read or execute so what do you think we should figure out now other executing files exactly how do we do that ah not quite I wish I wish it was that easy lots of times it is that easy but not in this case we want to be able to again scientific method we want to be able to control for something what's the difference between the execution and the file reading if we take one file with PHP and HTML in it and we execute it with the PHP interpreter to take the results and we just take the file content what's the difference between those two files extension not quite what is going to be different about the content of those two files maybe I need to actually show you what PHP does so this is how PHP works if I was to pass this file to the PHP interpreter what it starts doing is it starts reading the file byte by byte if it's not in PHP mode if it's not in I'm currently executing code mode it just spits out the bytes so what this is going to do is it's going to start reading through the file and start spitting out hello world now that stops as soon as you get to an open PHP tag which is what you see here when you hit 
that open PHP tag the interpreter switches from oh I'm just reading bytes out to now interpret whatever is coming in as PHP code and execute it and then any of the results that are returned by that code embed them in the page it continues to operate in that mode until you hit the close PHP tag at which point it returns to just spitting out content so what would the difference in this file be if I passed it to the PHP interpreter or if I just read it like this yes yes right and it back there here [Music] it is it possible to have a CHP Engelbrecht if well we'll put it this way they certainly won't exist in files that have been executed because again yeah yes they won't exist in files that have been executed so if whatever the response returned by the server looks like contains any PHP code that indicates that it was not executed if it doesn't contain any PHP code then indicates one of two things either there is no PHP code in that file or there is PHP code in that file and it was executed it definitely has PHP code so we're going to come back here and view the page source Hey look at that that's source code so this is a file read that's somewhat disappointing because if it's a file execute this is usually so one of the really cool things that you can do one of the great ways to pop these is the web server is automatically you're going to have well in the vast majority of cases going to have read access to the log files that it's generating one of the things that it logs is the user agents of whoever is communicating with it the user agent is one of the request headers that is automatically populated by the browser that contains information about what this browser is is in a mobile browser is it a Mac browser whatever that's data that you control so if I control my user agent and there's a log file readable by the web server that's automatically writing my user agent into it I can just set my user agent to executable PHP code and then include the log file and because 
of the way that PHP works it will see the PHP open tag execute the code that I wanted to and then spit out the rest of the log file to me so that's a really cool way to do it that's a lot of fun this is not that so so we have file reads we can read arbitrary files whatever I mean that's that's cool but I'm not I'm not super psyched about it yet but let's go back to what we were what we saw before I guess I can even have it right here so this says admin only and it's an upload page file uploads super difficult to get right very very easy to get wrong and if you get it wrong if I can upload arbitrary files to your web server that's bad news this is admin only though and because we're you know for the sake of time we want to have access to this upload functionality not only that but in order to do that we need to be an administrative user so let's go back here and I'll skip ahead a bit so I'll come to login and I'll create an account sweet alright so create an account and now I'm going to log in with this account alright so I am successfully logged in now let's take a look at what those requests actually did so here we have the login request this is the HTTP POST request that resulted in me logging in now because I knew the correct username and password i authenticated successfully and because i authenticated successfully now the web server wants to be able to say okay now when you continue to communicate with me I know who you are I can assign a user identity to you in order for it to do that it sets a cookie in your browser we see that in one of the response headers here it says set cookie UID and then this number right here now if anybody else knows that number they can now impersonate me this is how the server knows who you are which is why you know if you've ever opened up developer tools while you're browsing Facebook if you haven't do it right now it's pretty funny it's a big message in big red bold letters saying do not type anything into this box people will 
hack your account because that's one way you can very easily access the contents of the cookies you currently have in your facebook session so if anybody knows that value that is bad they can log in as me so what does that mean if I want to authenticate as an admin if I knew that value for the administrative user then I could very well impersonate the administrative user read the log in and upload pages what would that do for me absolutely absolutely so now that we have a file read it we want to start looking into what this source code does again if we have the user ID or if we have this UID value for the administrative user then fantastic we are authenticated as that user so I'm going to come back over here and because we know when we do dot dot slash we're in the web root then we know that all of these other files we can pull down so let's check out login dot PHP hey check it out so this is the code that is being executed whenever you try logging in so let's read through this code real quick so these require once function calls what I was saying before when you pass a file path in to require require once include or include once that is saying hey take this file pass it to the PHP interpreter execute it and take all that code and put it in the current context so I now have access to all the functions that are defined in that file all the content of that file it's all now in the things that I that I care about so it's doing a few requires to include slash config dot PHP in the interest of time we're not going to grab that but always pull config files this one has credentials in it this one has credentials to the database in it that doesn't do us any good because the database is found on a local port so we can't access it but password reuse is a huge problem any time that you get credentials you should use those credentials everywhere that you possibly can to see if they work for anything but we're going to skip that config file require once include slash common dot 
PHP that's probably functionality that is common across various pages so you got this right head create page header start container and then if is set username and password authenticate users username password and then if it's authenticated do this name equals to get username by UID cookie you ID already logged in blah blah blah blah blah and then we have some other functions down here we actually have the authenticated user function so reading through it we have its connecting to a database if it can't connect it dies with an error its selects a database it does some sanitization on the input that's being passed with that my sequel real escape string which so funny note about PHP there's my sequel real escape string and there's my sequel escape string this is a great indication of how terrible PHP is you should only be using my sequel real escape string because the my sequel escape string is insecure but it's still there I think I think it's still there and PHP versions so then it's generating a query and and performing the query on the database and then retrieving the results and then if there are results it's setting a cookie ooh okay so not only is it sending a cookie but it's setting the cookie that we care about and it's sending it to this UID value this UID value is being populated from what is returned by the database which is to say that this value exists in the database so what should we do that try reading the database that is the method that was not intended that you can do this through is that depending on depending on how the database is structured the penny if it's local there are particular settings there are particular setups with my sequel where you can just read the database file and a lot of it is just binary data but any of the strings and either the VAR cars that are in there it will just pop out so we can read the database to get this but we're going to take the detour we're going to take the the scenic route on this one I mean it's it's it's 
like generating a sequel query here through string concatenation yes awesome I was hoping somebody's gonna fall for that yeah so this would be sequel injection if they did not have this my sequel real escape string wherever it is that's basically taking out all the potentially bad characters from the string that was supplied by the user and then generating a sequel command we know that there is such a thing as a port of PHP and we do compute that but we're still missing part of that chain still missing part of that chain getting there though so the user ID value is in the database we created an account that account clearly generated that value because when we logged in it was that as our cookie where should we look now yeah exactly how is that value made how is that value made if we know how that values made can we make it ourselves so let's try that I believe that can create a PHP yes hey check that out right huh temps create user attempts create user okay is that function here ah okay so here's the code that is being run when we create a user let's run through what it does so you need 2 equals get seed creates a connection it doesn't connect it dies selects the database s Rand int valve seed UID equals Rand is there any problem with that what do you what is this doing tell me what this is doing right so to reiterate when you're creating an account it's taken the username that you're signing up with it's passing it to this get seed function and whatever value is being returned by this get seed function it is seeding the random number generator that PHP is using if you don't know what that means basically random number generators are not actually random in most cases they're not even pseudo-random cryptographically speaking they're actually just like kind of random and if you say if I have two entirely separate instances on separate computers of PHP and I seed the random number generators on both of them with the exact same value and then get the next random value 
they'll be the same so if you know the seed value for a random number generator that means that it's not actually random so the only thing left now is well what does that seed there's no function here where where's where's the function is it in another PHP file which PHP file should we look in mean is common about PHP there we go let's see what's in the content of common dot PHP and now remember it's in include slash comma dot PHP when we're doing this directory traversal we're currently in the root directory so we need to go we need to add the include directory this is n1 I'll come back over here ah sure enough there's our get seed value and get seed function now we could spend some time figuring out what this does we could do that we could write our own version what I really like doing is stealing the code so I'm going to take this code come back over here and we're going to create our own little PHP file actually let's see I'll do it in vim okay so now we have taken their their function so let's take a look back at what the code looks like not a code right where is it here we go so this was the attempt to create user ok attempt create user so first it's calling this and what do you think the admins username is okay okay so it's setting that seed it's getting that seed and then it's calling this and then it's setting the UID to this value okay so if you don't know PHP syntax don't worry about it this is basically we've stolen their function we're reproducing the same stuff that they're doing in their application we're just doing it on our own okay that looks very similar to that UID so we're going to come back here already logged in is test one we're going to come here the console now whenever JavaScript is accessing cookies it's stored here so I'm just going to set that value make sure that it was set okay and I'm going to reload the page Oh check that out we are logged in as admin not only that but it looks like there's another page up here that I can barely 
click on okay aha and it's uploading pictures now I know we're running we're running short on time here so generally speaking file uploads are a terrible idea I try to avoid them as much as possible if you are uploading files using like it using a file server that's not even on the web server doing strong strong input validation like it is really really difficult to validate file contents one way that you can address this without much headache is using something like Amazon s3 where it's just a file store that you can store arbitrary data on and then even if it's bad data it's not something that currently exists on your web server but we're going to do another let's see so this is just a quick and dirty you should never do this this is like this is script Kitty 101 if you do this you will get caught immediately like there's plenty of other really cool stealthy ways to embed PHP code and what you're doing what this is doing is basically saying hey take the query string parameter C pass it to shell exec which is just hey execute this in - and echo the results so and I don't know I don't know where I'll have to unplug this real quick all right all right so I have selected that and we're going to say the picture name is shelled up th P as well and then we're gonna hit upload picture uploaded completed what's great about this is you can actually see that they're not even checking the content type that is automatically filled out in the request when you upload a file there's something called mime which depicts like this is that this is the cut this is the type of content in this file and if it's an image file it'll be like image slash PNG or image slash JPEG this is just text slash PHP if you really want to be able to say like that it's also you can you can modify it you can make it arbitrary things but even the lowest level of security checks against this sort of stuff should be checking the mime type so we uploaded that file and in the interest of time I know where it 
is it's right here okay so this is the file that we just uploaded and remember we said basically take the C query string parameter take the contents of it execute it and show me the results and there we go yeah it seemed nice and formatted if you look at in source so we have the ability to execute arbitrary commands on this on this machine now one of the things you should always do check out Who am I that's the user you're currently running as unfortunately this is w w data if we add more time we could take this and then do like Linux exploitation and escalate privileges up to root but we don't have enough time that's for another another session so yeah we just went from never having seen this before never having such burp suite before to find injection points test them out see if anything sticks file a directory traversal reading to the reading source code figuring out how stuff works using that to bypass authentication functionality uploading a file and having that file contain executable PHP code and that's how this works every single time that's honestly more complicated than it is in a lot of cases so and then lastly I know that I was added I would leave you guys with some places that you can do this and and not get in trouble my number one recommendation for you is to check out this website this website don't hack lon that's not at all what I meant No who said that who said that don't hack one and that's not even funny okay that's okay I commented like that all the time but I am dead serious if you do this I know exactly who's going to catch you and he is going to have no mercy and that's key there was one time when I was president that one of our members posted some stuff on our bulletin boards because we threw him all up in like short amount of time and it was vulnerable to cross-site scripting Keith went on a rampage he found that he found the dorm that this person was in he found the IP address that they were coming from and he was about to go knock on 
the door Yahoo they were there's like I know that's one of our members they were just demonstrating that you know we need to fix some things so seriously don't do it this is called Vaughn hub but Vaughn hub is is a repository of images of software that is made specifically it could be vulnerable in specific ways there are a ton of awesome web applications images here all you got to do get VMware or get VirtualBox pull down an ISO install it and then get going it's on your local machine you're not messing with anybody else you're good to go that is a great way to cut your teeth here you want to take it one step further and a good friend of mine if you get if you get okay if you get good at this you can make a lot of money doing it when I say good at this you have to be like top 1% or better this is probably one of the best in the world but hacker one is great this is a site that kind of manages bug bounty programs and what a bug bounty program is is when a company says look yes you are allowed to hack us if you follow these rules these are the things you're allowed to tax these are the things that you aren't these are this is how you disclose to us you don't tell anybody else let's closure and if you do that we reward you sometimes it's with shirts sometimes it's a swag sometimes it's with money the guy that I know has made over half of the last full-time salary that I had in six months doing this that's in addition to his full-time job so this is a great way to do it and this is actually you will be breaking into real like real companies there are hundreds and hundreds and hundreds of companies that have bug bounty programs on here so check this out check out bone hub and be responsible with this stuff and I'll leave it there [Applause]
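Editor's added example (not code from the talk or from the demo blog application): a Python model of the article-loading logic the talk walks through. It reproduces the tell for base64 (alphabet plus trailing "=" padding), the amateur "base64 of a filename" link scheme, the decode-and-include that lets a decoded `../index.php` walk out of the posts directory and leak PHP source, and a hardened resolver beside it that allowlists bare `.html` names and checks realpath containment. The parameter name `article`, the `posts/` directory, the `resolve_*` function names and the throwaway web root built in a temp directory are all assumptions for illustration.

```python
"""
Added example (editor's, not code from the talk or from the demo
application): a Python model of the blog's article-loading logic,
vulnerable form beside a hardened form.
Assumptions for illustration: the parameter is named `article`, posts
live in a posts/ directory under the web root, and the fixture web root
is constructed on the fly in a temp directory.
"""
import base64
import binascii
import os
import re
import shutil
import tempfile
from typing import Optional

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(value: str) -> bool:
    """The tell from the talk: base64 alphabet, length a multiple of 4,
    and (when the input length is not a multiple of 3) trailing '='."""
    if not B64_RE.match(value) or len(value) % 4 != 0:
        return False
    try:
        base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    return True


def encode_article(name: str) -> str:
    """How the amateur blog builds its links: base64 of the file name."""
    return base64.b64encode(name.encode()).decode()


def decode_article(param: str) -> str:
    return base64.b64decode(param, validate=True).decode("utf-8", "replace")


def resolve_vulnerable(webroot: str, param: str) -> str:
    """Decode and join under posts/ with no normalisation or containment
    check, so a decoded '../index.php' walks out of posts/ into the root."""
    return os.path.join(webroot, "posts", decode_article(param))


def resolve_hardened(webroot: str, param: str) -> Optional[str]:
    """Reject anything that is not a bare .html name, then confirm the
    canonical path still lies under posts/ (realpath containment check)."""
    posts_dir = os.path.realpath(os.path.join(webroot, "posts"))
    name = decode_article(param)
    if os.path.basename(name) != name or not name.endswith(".html"):
        return None
    candidate = os.path.realpath(os.path.join(posts_dir, name))
    if os.path.commonpath([posts_dir, candidate]) != posts_dir:
        return None
    return candidate if os.path.isfile(candidate) else None


def build_demo_root() -> str:
    """Constructed fixture: a throwaway web root with an index.php that
    contains a PHP open tag, and one real post in posts/."""
    root = tempfile.mkdtemp(prefix="blogroot-")
    os.makedirs(os.path.join(root, "posts"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php require_once 'include/config.php'; ?>\n<h1>Home</h1>\n")
    with open(os.path.join(root, "posts", "ep-1.html"), "w") as f:
        f.write("<h1>Episode 1</h1>\n")
    return root


def demo() -> dict:
    """Run the traversal from the talk against both resolvers and report."""
    root = build_demo_root()
    try:
        traversal = encode_article("../index.php")
        legit = encode_article("ep-1.html")
        vuln_path = resolve_vulnerable(root, traversal)
        with open(vuln_path) as f:
            leaked = f.read()  # a file *read*: the '<?php' tag survives
        return {
            "traversal_param": traversal,
            "leaked_source": leaked,
            "hardened_rejects_traversal": resolve_hardened(root, traversal) is None,
            "hardened_serves_legit": resolve_hardened(root, legit) is not None,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the two halves of the talk's argument in one place: the vulnerable resolver hands back `index.php` with its `<?php` tag intact (a read, not an execute, exactly the distinction used to tell the two apart), while the hardened resolver returns `None` for the traversal and a real path only for a bare `.html` name that canonicalises inside `posts/`.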
Info
Channel: GreyhatGT
Views: 19,579
Keywords: Burp Suite, Chris Grayson, GreyHat, Georgia Tech, Information Security, Penetration Testing, Website, Hacking
Id: WAzgHzlfEDs
Length: 77min 19sec (4639 seconds)
Published: Tue May 09 2017