PHP filter chains: How to use it
Action | Key |
---|---|
Play / Pause | K or space |
Mute / Unmute | M |
Toggle fullscreen mode | F |
Select next subtitles | C |
Select next audio track | A |
Show slide in full page or toggle automatic source change | V |
Seek 5s backward | left arrow |
Seek 5s forward | right arrow |
Seek 10s backward | shift + left arrow or J |
Seek 10s forward | shift + right arrow or L |
Seek 60s backward | control + left arrow |
Seek 60s forward | control + right arrow |
Decrease volume | shift + down arrow |
Increase volume | shift + up arrow |
Decrease playback rate | < |
Increase playback rate | > |
Seek to end | end |
Seek to beginning | beginning |
Share this media
HLS video stream
You can use an external player to play this stream (like VLC).
HLS video streamWhen subscribed to notifications, an email will be sent to you for all added annotations.
Your user account has no email address.
Information on this media
Local file inclusion methods in PHP evolved through time, there are 2 main objectives when exploiting them:
- Getting a remote code execution by including files containing PHP via include() or require() functions.
- Leak local files such as PHP sources or configuration files via file_get_contents() or file() functions for example.
In the past, the following requirements had to be met to exploit a local file inclusion.
To exploit a remote code execution you could inject information in log files and include them, or control a variable in your PHP session to poison the session file. But in most cases, you needed to be able to upload a file on the system.
To leak local files, it was required to either fully control the path pointing to the file to leak, or to have a path traversal to go up in the file tree. Most importantly, it was mandatory for the server to send you back its content in the response.
In both cases, the affected functions support several wrappers, the most iconic being file:// which is a prefix before a file path. Other wrappers such as php://filter can be passed on these methods and for example it was well known to allow leaking PHP sources by base64 encoding them (ex : php://filter/convert.base64-encode/resource=index.php).
In a 2021 CTF write-up by loknop , this wrapper was actually proven to be much more useful. Indeed, it allows setting the encoding of contents passing through it, and most importantly to chain an infinite number of encodings leading to the generation of arbitrary data at the start of a file. In this presentation, the full process will be explained with examples allowing, for instance, to generate interesting prefixes to a file content, such as '<?php system("id"); ?>', therefore removing the need to have a file upload when exploiting include() or require() functions to get remote code execution (if the full path is controlled).
In 2022, hash_kitten showed that it was also possible to use PHP filters chain as an error-base oracle when used in many built-in functions, such as file_get_contents(). Its method chains encodings that will make the content size of a file exponential, triggering a PHP memory_limit exhaustion. By using other filters, the first character of the file content can also be determined. By using other encodings it is also possible to rotate the chain order to retrieve characters that are located further away in the content.
Using this error-based oracle, it is therefore possible to leak the entire file content without having PHP to serve it in a server response.
This talk aims to explain in which cases PHP filter chains can be used and why these tricks can be useful during an audit with examples.
Along it, we will show vulnerable code samples and ways to patch them.
Two tools were developed to exploit it and will also be presented :
- https://github.com/synacktiv/php_filter_chain_generator
- https://github.com/synacktiv/php_filter_chains_oracle_exploit
Security Ninja @Synacktiv
Other media in the channel "2023"
- 107 views, 11 this year, 1 this monthWhy cyberoffense will never be regulatedJuly 5th, 2023
- 36 views, 13 this year, 3 this monthUsing Suricata to detect lateral movement in Windows environmentJuly 5th, 2023
- 126 views, 32 this year, 5 this monthDecrypt Kerberos/NTLM “encrypted stub data” in WiresharkJuly 5th, 2023
- 17 views, 2 this yearHow to survive to STIX parsing?July 5th, 2023
- 19 views, 6 this yearASN.1 templating for fun and profitJuly 5th, 2023
- 7 views, 2 this yearzekrom: an open-source library of arithmetization-oriented constructions for zkSNARK circuitsJuly 5th, 2023