
Hacked Site: Php source viewed?

Posted: Wed Feb 20, 2008 4:19 am
by ZxSpectrum
Hello, yesterday a hacker attacked a site where I am giving a hand to the owner. He got database access and he told us that he could see the PHP source code.

How can one see the PHP code? Apache interprets it, and if I right-click on the web pages I see HTML.

Can anyone help me?

Thanks

Re: Hacked Site: Php source viewed?

Posted: Wed Feb 20, 2008 5:27 am
by hannnndy
I think there is no way to view the source code, but database access is possible: .mdb files are easily downloadable and readable via SQL injection.

For more on PHP source, see this thread: viewtopic.php?f=1&t=78849

Re: Hacked Site: Php source viewed?

Posted: Wed Feb 20, 2008 1:47 pm
by Mordred
The most probable reason for the breach is vulnerabilities in the PHP code.
There's not much to tell if you don't give us more information, but in general - yes, there are classes of vulnerabilities allowing database access, file access and even code execution. Depending on the server configuration all of this can be done through SQL injection (which is also the most common server-side security hole), so without knowing more, I would lean towards this.

_____
hannnndy, you are wrong in almost everything you say.

Re: Hacked Site: Php source viewed?

Posted: Wed Feb 20, 2008 2:02 pm
by ZxSpectrum
All the pages include a file where the database configuration is. The guy said that the database connection could be seen by right-clicking and looking at the source.

I am puzzled because Apache shows HTML, but he really got into the DB. In the access log I can see that he accessed phpMyAdmin, so he managed to get the password.

I am on a shared server, so I don't know how Apache is configured. I read through the whole forum today and saw that it's suggested to configure Apache so it does not output raw PHP, and that if Apache is stressed it can sometimes output PHP...

Maybe he is not telling us the truth and he used PHP injection or SQL injection...

BTW, I am sure not every input is filtered... I will look through the access log to see if I missed something.

What kind of information do you need?

Thanks

Re: Hacked Site: Php source viewed?

Posted: Thu Feb 21, 2008 1:11 am
by Mordred
Is the configuration file called something along the lines of "config.inc" (with no .php extension)?
What PHP software do you have installed - open source, custom written for the site, anything?
Try to follow the IP of the attacker in the access log - what were the URLs he hit?
Check the error log - did he raise any errors?
Do you have scripts that serve files, like download counters? Or an admin-only interface that can upload files or other funky stuff?
Publish a script - your login script for example, so we can get an idea of your writing style.

Anyway, you seem to have a way to talk to the attacker - just ask him for more details :)

Or, you can send me a link to the site (privately), and give me permission to test it (publicly in the forum - and also put a file called permission-mordred.txt on the site so I can know that you're a legitimate owner), and I'll see what I can do (when I have time, no hard promises). I will ask you to publish the vulnerable source though, so others here can benefit from your mistakes ;)
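The "follow the attacker's IP in the access log" step above is easy to do by hand with grep, but it helps to have the URLs decoded and the obviously hostile ones flagged. The script below is an added example, not code from the thread or from the site under discussion: it parses Apache combined-format log lines, pulls out every request from one address, and flags requests for admin tools the site never links to (phpMyAdmin, cPanel) and requests whose decoded query string carries SQL metacharacters or keywords. The log lines and the address 203.0.113.5 are constructed for the example; the exact flagging patterns are my own choice, not anything the thread prescribes.

```php
<?php
// Added example (not from the thread): triage of an Apache combined-format
// access log. The lines in SAMPLE_LOG are constructed for the example and
// 203.0.113.5 / 198.51.100.7 are documentation addresses, not real hosts.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [19/Feb/2008:22:01:03 +0000] "GET /register.php?refid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Feb/2008:22:01:09 +0000] "GET /register.php?refid=1' HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Feb/2008:22:01:15 +0000] "GET /register.php?refid=1'%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 4070 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Feb/2008:22:04:41 +0000] "GET /cpanel HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Feb/2008:22:05:02 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Feb/2008:22:06:00 +0000] "GET /home.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
LOG;

// Split one combined-format line into ip, time, method, path and status.
// Returns null for lines that do not match (truncated lines, other formats).
function parse_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5]];
}

// Reasons a request deserves a second look: admin tools the site does not
// link to, or SQL metacharacters/keywords in the URL-decoded request.
// Single URL decoding only; double-encoded payloads would need another pass.
function flag_request(array $r): array {
    $flags = [];
    $decoded = rawurldecode($r['path']);
    if (preg_match('~^/(phpmyadmin|pma|cpanel)(/|$)~i', $decoded)) {
        $flags[] = 'admin-tool';
    }
    if (preg_match('/[\'"]|\bunion\b|\bselect\b|--|\/\*|load_file|into\s+outfile/i', $decoded)) {
        $flags[] = 'sqli-pattern';
    }
    return $flags;
}

// Every request from one address, in log order, each with its flags:
// the "what URLs did he hit" question from the checklist.
function requests_from(string $log, string $ip): array {
    $out = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r !== null && $r['ip'] === $ip) {
            $r['flags'] = flag_request($r);
            $out[] = $r;
        }
    }
    return $out;
}

foreach (requests_from(SAMPLE_LOG, '203.0.113.5') as $r) {
    printf("%s %-4s %3d %-55s %s\n", $r['time'], $r['method'], $r['status'],
           rawurldecode($r['path']), implode(',', $r['flags']) ?: '-');
}
```

Run it with `php triage.php` against a real log by replacing SAMPLE_LOG with `file_get_contents('/path/to/access_log')`. The first flagged request from an address is usually the start of the probing; everything that address did before it (days earlier, possibly from another address, as ZxSpectrum notes later in the thread) is what you then go back and read.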

Re: Hacked Site: Php source viewed?

Posted: Thu Feb 21, 2008 3:23 am
by ZxSpectrum
Mordred wrote: Is the configuration file called something along the lines of "config.inc" (with no .php extension)?
No, it's called [name].inc.php; it's currently under the public html directory though.
Mordred wrote: What PHP software do you have installed - open source, custom written for the site, anything?
Custom written.
Mordred wrote: Try to follow the IP of the attacker in the access log - what were the URLs he hit? Check the error log - did he raise any errors?
From the access log file, it seems he accessed phpMyAdmin directly. I don't know if he prepared the work days before with another IP address; I still have to browse the previous access logs.
Will check the error log.
Mordred wrote: Do you have scripts that serve files, like download counters? Or an admin-only interface that can upload files or other funky stuff?
Publish a script - your login script for example, so we can get an idea of your writing style.
The source was written by two coders; I still don't know exactly if there are some strange things around. I can of course publish a page that gives an idea of the framework they built.
Mordred wrote: Anyway, you seem to have a way to talk to the attacker - just ask him for more details :)
Hmm, I don't want to bother him as he says he doesn't want to harm the site. Anyway, it seems he does not want to tell much.
Mordred wrote: Or, you can send me a link to the site (privately), and give me permission to test it (publicly in the forum - and also put a file called permission-mordred.txt on the site so I can know that you're a legitimate owner), and I'll see what I can do (when I have time, no hard promises). I will ask you to publish the vulnerable source though, so others here can benefit from your mistakes ;)
The site is not owned by me, so I have to ask the owner... I will let you know by PM. If I find the hole I will post the code. I should note that the code was written by two previous coders, even if I admit that before yesterday I was producing code that was not really safe.

I have one question: I think it's possible that in some places the code can be SQL-injected.
Yesterday, in new code I am developing, I tried not quoting variables and not filtering anything, but I could not manage to SQL-inject; MySQL kept telling me there was an error in the SQL statement. Anyway, I think with SQL injection you can run statements on the DB, but it seems impossible to me that by SQL injection you can get to know the DB password...

Thanks

Re: Hacked Site: Php source viewed?

Posted: Thu Feb 21, 2008 4:26 am
by Mordred
ZxSpectrum wrote: MySQL kept telling me there was an error in the SQL statement.
What error? It is possible that you didn't use the right injection syntax; most often, being able to raise an error means that injection IS possible.

As for reading the DB password: if the attacker has read access to the database, he doesn't need the password ;) Also, it is possible to use injection to read files on the server, including your config files. Also, how is your phpMyAdmin protected from outside access (and why do you have it on a production server anyway)?

Re: Hacked Site: Php source viewed?

Posted: Thu Feb 21, 2008 5:16 am
by ZxSpectrum
Mordred wrote: What error? It is possible that you didn't use the right injection syntax; most often, being able to raise an error means that injection IS possible.
It was a syntax error. I removed all sanitization and put the $_GET parameter without quotes in the MySQL statement to try to understand how SQL injection works. Yes, probably I injected in an incorrect way.
Mordred wrote: As for reading the DB password: if the attacker has read access to the database, he doesn't need the password ;)
I know, but I am interested in understanding how the guy got the password of the DB. I know that the site in some places can - most probably - be SQL-injected.
Mordred wrote: Also, it is possible to use injection to read files on the server, including your config files. Also, how is your phpMyAdmin protected from outside access (and why do you have it on a production server anyway)?
Really? So this is probably what he did. I will search around to understand how it's possible to do it. I noticed that it is possible to access phpMyAdmin directly, bypassing the control panel; I already warned the owner to contact provider support.

Update: I checked the error file, no strange errors; I found only an error while the attacker was trying to search for /cpanel.

Thanks for the help, will update you

Re: Hacked Site: Php source viewed?

Posted: Sat Feb 23, 2008 6:29 am
by hannnndy
Mordred wrote: hannnndy, you are wrong in almost everything you say.
?

1. Can't you download http://samplesite.com/db/admins.mdb?
2. Can't anyone view the database content via SQL injection?

Probability says that it's possible.

Re: Hacked Site: Php source viewed?

Posted: Sat Feb 23, 2008 7:02 am
by ZxSpectrum
Here is the code of one page; other pages have no statements in them but just call
an included class method.

Code:

<?php
    /******************************************************/
    session_start();

    require_once('includes/db.inc.php');
    require_once('includes/site.inc.php');

    $classDB = new DB;
    $classSite = new Site;

    $classSite->redirect('/home.php', 1);

    if($_POST or $_GET){
        // Disable caching of responses to submitted data. The posted code sent
        // "yes-store, yes-cache" / "yes-cache", which are not HTTP cache directives.
        header("Cache-Control: no-store, no-cache");
        header("Pragma: no-cache");
    }

    if($_POST) {
        $status_message = $classSite->register();
    }

    $fill_form_value = "<p><input type=\"text\" size=\"6\" name=\"refid\" value=\"\" id=\"refid\" />&nbsp;<label for=\"refid\">Referral Account ID (Leave blank if none)</label></p>";
    if($_GET){
        $refid = $_GET['refid'];
        $refid = htmlentities($refid,ENT_QUOTES,"UTF-8");

        $u_qr = mysql_query("SELECT * FROM user WHERE user_id = '".$refid."'");
        $u_count = mysql_num_rows($u_qr);
        $u_assoc = mysql_fetch_assoc($u_qr);

        if($u_count == 1){
            $time = (time()+(60*60*24*365)); /* expires in 1 year */
            setcookie ("Refid", $refid, $time);
            $fill_form_value = "<p><input type=\"text\" size=\"6\" name=\"refid\" value=\"".$refid."\" id=\"refid\" />&nbsp;<label for=\"refid\">Referral Account ID</label></p>";
        }
    }
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en">
<head>
    <title>Register - <?php $classSite->title_pre(); ?></title>
    <link rel="stylesheet" type="text/css" href="styles/master_screen.css" />
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
</head>
<body>
    <div id="container">
        <div id="header">
            <?php
                $classSite->header();
            ?>
        </div>
        <div id="left_col">
            <div id="main_nav">
                <?php
                    $classSite->navigation();
                ?>
            </div>
        </div>
        <div id="mid_col">
            <div id="content">
                <?php
                    if(isset($status_message)) {
                        echo $status_message[0]. "\r\n";
                        echo $status_message[1]. "\r\n";
                        echo $status_message[2]. "\r\n";
                    }
                 ?>
                <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
                    <fieldset>
                        <legend>Registration Information</legend>
                        <p><input type="text" name="charname" id="charname" value="<?php echo $_POST['charname']; ?>" />&nbsp;<label for="charname">Character Name</label></p>
                        <p><input type="text" name="userfname" id="userfname" value="<?php echo $_POST['userfname']; ?>" />&nbsp;<label for="userfname">Your First Name</label></p>
                        <p><input type="text" name="email" id="email" value="<?php echo $_POST['email']; ?>" />&nbsp;<label for="email">Email Address</label></p>
                        <p><input type="password" name="password1" id="password1" />&nbsp;<label for="password1">Password (Must be at least 6 characters)</label></p>
                        <p><input type="password" name="password2" id="password2" />&nbsp;<label for="password2">Confirm Password</label></p>
                        <p><select name="charsex" id="charsex">
                        <option value="0" <?php if($_POST['charsex'] == 0) { echo "selected=\"selected\""; } ?>>Male</option>
                        <option value="1" <?php if($_POST['charsex'] == 1) { echo "selected=\"selected\""; } ?>>Female</option>
                        </select>&nbsp;<label for="charsex">Character Sex</label></p>
                        <?php echo $fill_form_value ?>
                    </fieldset>
                    <p><input type="checkbox" name="agree" id="agree" value="1" />&nbsp;<label for="agree">Yes, I am at least 15 years of age and I agree to the <a href="/tos.php" title="Terms of Service">Terms of Service</a>.</label></p>
                    <p><button type="submit">Submit</button></p>
                </form>
            </div>
        </div>
        <div id="footer">
            <?php
                $classSite->footer();
            ?>
        </div>
    </div>
<?php echo $classSite->analytics_code(); ?>
</body>
</html>

Re: Hacked Site: Php source viewed?

Posted: Sun Feb 24, 2008 4:10 am
by Mordred
The page in question is not itself vulnerable, but it betrays that the programmer doesn't know how to properly protect against MySQL injection - so my guess is that yes, ultimately you have a vulnerable script somewhere.


@hannnndy:
1. Can't you download http://samplesite.com/db/admins.mdb?

Only if:
1.1 A Microsoft JET database is used
1.2 The server is misconfigured to serve .mdb files (I admit, an alarmingly high percentage of MS servers do, iirc)
1.3 The .mdb is in an HTTP-accessible folder
1.4 You know where the file is

In short, while the OP didn't say what database they use, the chance of getting this with PHP is minimal. I would look for this with ASP though.

I wouldn't call this "easily" for an unknown app (you know what the database files are called with open source applications, but it's not so with closed source ones. You can guess - and you will guess correctly sometimes - but not "easily").

2. Can't anyone view the database content via SQL injection?

Yes, that's what the vulnerability generally causes. You were mixing .mdb file access with SQL injection though; these are two completely different things.

I was also referring to you being wrong regarding the other thread you listed, about source code disclosure. There are several classes of vulnerabilities allowing for source code disclosure (including - depending on configuration and environment - SQL injection).
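Two points in this thread come down to the same server-side mistake: Mordred's earlier question about a config file named "config.inc" (no .php suffix, so Apache has no handler for it and returns it verbatim, database password included) and items 1.2 and 1.3 above about .mdb files in an HTTP-accessible folder. The fragment below is an added example, not configuration from the thread or from the site under discussion: it shows the deny rule for those extensions and the layout that keeps includes out of the document root altogether. The paths under /home/site are assumptions; the syntax is Apache 2.4 (in the 2.2 releases current when this thread was written the equivalent inside the block is `Order allow,deny` followed by `Deny from all`).

```apache
# Added example (not from the thread). Apache 2.4 syntax.

# Weak: nothing at all. A file called includes/config.inc under the
# DocumentRoot has no handler, so GET /includes/config.inc returns the
# source as text/plain. The same holds for db/admins.mdb. This is Apache's
# default behaviour, not a misconfiguration you would see in httpd.conf.

# Corrected, part 1: refuse to serve include files and database files
# wherever they end up. Put this in httpd.conf or in .htaccess at the root.
<FilesMatch "\.(inc|mdb)$">
    Require all denied
</FilesMatch>

# Corrected, part 2: keep includes outside the DocumentRoot so no future
# rename, backup copy or handler change can expose them. Assumed layout:
#   /home/site/public_html                  <- DocumentRoot
#   /home/site/private/includes/db.inc.php  <- never web-reachable
# In PHP the page then uses
#   require_once __DIR__ . '/../private/includes/db.inc.php';
# instead of require_once('includes/db.inc.php').
```

Naming the file db.inc.php, as ZxSpectrum does, means Apache executes it instead of printing it, so a direct request shows a blank page rather than the password; it does not change the fact that anything under public_html is one configuration slip away from being served raw, which is why the second half matters more than the first.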

Re: Hacked Site: Php source viewed?

Posted: Mon Feb 25, 2008 2:11 am
by matthijs

Code:

<?php
        $refid = $_GET['refid'];
        $refid = htmlentities($refid,ENT_QUOTES,"UTF-8");

        $u_qr = mysql_query("SELECT * FROM user WHERE user_id = '".$refid."'");
?>

The code above is open to SQL injection; $refid is not escaped. Search for mysql_real_escape_string().

Code:

              <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
                    <fieldset>
                        <legend>Registration Information</legend>
                        <p><input type="text" name="charname" id="charname" value="<?php echo $_POST['charname']; ?>" />&nbsp;<label for="charname">Character Name</label></p>

The code above is vulnerable to cross-site scripting: it uses $_SERVER['PHP_SELF'] unescaped and echoes all the POST vars without escaping.

Re: Hacked Site: Php source viewed?

Posted: Mon Feb 25, 2008 2:38 am
by Mordred
matthijs wrote:

Code:

<?php
        $refid = $_GET['refid'];
        $refid = htmlentities($refid,ENT_QUOTES,"UTF-8");

        $u_qr = mysql_query("SELECT * FROM user WHERE user_id = '".$refid."'");
?>

The code above is open to SQL injection; $refid is not escaped. Search for mysql_real_escape_string().
You will find that, funny as it seems, the code is not actually vulnerable - the query is well-quoted, and htmlentities is called with ENT_QUOTES, which effectively stops quote injection. This doesn't make it CORRECT though, hence my speculation that coding like this is bound to leave a hole somewhere else.

You're right about the XSS, but it is not 'interesting' here - we're looking for ways to compromise the server. It is another sign of not being quite security-aware though, so well spotted.

Re: Hacked Site: Php source viewed?

Posted: Mon Feb 25, 2008 2:49 am
by ZxSpectrum
I have two questions:

1)
It is said that

Code:

htmlentities($refid,ENT_QUOTES,"UTF-8")

protects against SQL injection but it's still not enough. To be relatively safe, do I have to use mysql_real_escape_string on each input variable? Right?

2) Apart from escaping $_POST variables (but I think those variables were escaped in the script),
what should I do for $_SERVER['PHP_SELF'] in the form action? Should I set the action explicitly? (example: "/filename.php"?)

Thank you very much for the help, This is a very useful forum.

Re: Hacked Site: Php source viewed?

Posted: Mon Feb 25, 2008 8:14 am
by matthijs
ZxSpectrum wrote: 1)
It is said that

Code:

htmlentities($refid,ENT_QUOTES,"UTF-8")

protects against SQL injection but it's still not enough. To be relatively safe, do I have to use mysql_real_escape_string on each input variable? Right?
You have to understand the purposes of those functions. Each one has its own, very specific function. htmlentities() has the purpose of escaping data for output to HTML. That's something else than mysql_real_escape_string(), which has the purpose of escaping data for use in a MySQL query. It's best to use those functions as they are meant to be used.

So when you have some input, don't use htmlentities before a DB query, but use mysql_real_escape_string() instead. Everything that is output to HTML should be escaped using htmlentities. So even PHP_SELF can be escaped using that function.

It's probably also wise to implement some input validation. That's the validation/filtering of data coming from outside, making sure it's in the format you expect.
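The three positions taken in this thread (ZxSpectrum's unquoted experiment that only produced syntax errors, Mordred's point that the posted quoted query with htmlentities(..., ENT_QUOTES) happens to resist quote injection, and matthijs's advice to validate input, escape for the database before the query and escape for HTML at output) can all be seen side by side in one script. The block below is an added example, not code from the thread or from the site under discussion. It runs the thread's refid lookup three ways against an in-memory SQLite table through PDO so it works without a MySQL server; the table and column names mirror the posted page, the rows are constructed. The old mysql_* extension discussed in the thread was removed in PHP 7, so the hardened version uses a PDO prepared statement, which is the modern equivalent of what matthijs recommends. The pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example (not from the thread): the refid lookup from the posted page
// written three ways, run against an in-memory SQLite table via PDO so no
// MySQL server is needed. Table/column names follow the posted page; the
// rows are constructed for the example. Requires the pdo_sqlite extension.
declare(strict_types=1);

function make_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, email TEXT)');
    $pdo->exec("INSERT INTO user VALUES (1, 'alice@example.org'),
                                        (2, 'bob@example.org'),
                                        (3, 'carol@example.org')");
    return $pdo;
}

// 1. Unquoted numeric context, no escaping: the shape ZxSpectrum tested.
//    The payload needs no quote at all; "1 OR 1=1" is valid SQL here and the
//    WHERE clause matches every row. A quote-based payload gives the syntax
//    error he saw, which is itself the sign that injection is possible.
function lookup_unquoted(PDO $pdo, string $refid): int {
    $rows = $pdo->query("SELECT * FROM user WHERE user_id = $refid")->fetchAll();
    return count($rows);
}

// 2. The posted page: quoted context plus htmlentities(..., ENT_QUOTES).
//    The single quote in the payload becomes &#039;, so it cannot close the
//    string literal; the query stays well-formed and simply matches nothing.
//    This is why Mordred calls it "not vulnerable but not correct": the
//    protection is a side effect of an output-escaping function.
function lookup_quoted_htmlentities(PDO $pdo, string $refid): int {
    $refid = htmlentities($refid, ENT_QUOTES, 'UTF-8');
    $rows = $pdo->query("SELECT * FROM user WHERE user_id = '$refid'")->fetchAll();
    return count($rows);
}

// 3. Validate first (a referral id is a short run of digits), then bind the
//    value as a parameter so it is never part of the SQL text at all.
//    Returns null for input that fails validation.
function lookup_prepared(PDO $pdo, string $refid): ?int {
    if (!ctype_digit($refid) || strlen($refid) > 10) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM user WHERE user_id = :id');
    $stmt->execute([':id' => (int) $refid]);
    return count($stmt->fetchAll());
}

// Output side: HTML escaping belongs here, at the point of echoing, not
// before the query. The posted form echoed PHP_SELF and the POST fields raw.
function html_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$pdo = make_db();
$payload_numeric = '1 OR 1=1';
$payload_quoted  = "' OR '1'='1";

printf("unquoted, payload [%s] -> %d rows (every user)\n",
       $payload_numeric, lookup_unquoted($pdo, $payload_numeric));
printf("quoted + htmlentities, payload [%s] -> %d rows\n",
       $payload_quoted, lookup_quoted_htmlentities($pdo, $payload_quoted));
printf("prepared, legitimate id 2 -> %s row(s)\n",
       var_export(lookup_prepared($pdo, '2'), true));
printf("prepared, payload [%s] -> %s (rejected by validation)\n",
       $payload_numeric, var_export(lookup_prepared($pdo, $payload_numeric), true));
printf("form action escaped: %s\n",
       html_attr('/register.php/"><script>alert(1)</script>'));
```

The two payloads are deliberately different: the quote-based one is what most people try first and is exactly what ENT_QUOTES neutralises, while the bare `1 OR 1=1` shows that the htmlentities trick gives no protection the moment a query is written without quotes around the value, which is the form ZxSpectrum was experimenting with. The prepared statement does not care which context the value lands in, and the ctype_digit check means a bad referral id never reaches the database at all.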