1
00:00:02,020  -->  00:00:04,080
<v instructor>Let's talk about how we can prevent</v>

2
00:00:04,080  -->  00:00:06,270
these vulnerabilities now.

3
00:00:06,270  -->  00:00:09,080
The first thing is a lot of these vulnerabilities exist

4
00:00:09,080  -->  00:00:11,940
because of the functionality they provide.

5
00:00:11,940  -->  00:00:14,553
For example, the file upload problem we had,

6
00:00:14,553  -->  00:00:17,790
it allows the user to upload any file extension,

7
00:00:17,790  -->  00:00:20,440
any file type, this shouldn't happen,

8
00:00:20,440  -->  00:00:22,910
there shouldn't be a way for users to upload

9
00:00:22,910  -->  00:00:24,290
any files they want.

10
00:00:24,290  -->  00:00:26,070
Maybe if you want them to upload a picture,

11
00:00:26,070  -->  00:00:27,730
then make sure they're uploading the picture,

12
00:00:27,730  -->  00:00:28,910
check the file types.

13
00:00:28,910  -->  00:00:32,090
If you're expecting them to upload a song, an MP3 file,

14
00:00:32,090  -->  00:00:34,520
make sure it's a media file, it's not a PHP

15
00:00:34,520  -->  00:00:36,120
or an executable code.

16
00:00:36,120  -->  00:00:38,240
Usually, you should never allow users

17
00:00:38,240  -->  00:00:40,770
to upload any executables.

18
00:00:40,770  -->  00:00:43,570
Filters can be used to check whether,

19
00:00:43,570  -->  00:00:45,260
to check the extension and make sure

20
00:00:45,260  -->  00:00:48,660
that the file being uploaded is a JPEG or whatever.

21
00:00:48,660  -->  00:00:49,900
But that's not a good way,

22
00:00:49,900  -->  00:00:52,720
the best way is to check the file type and make sure

23
00:00:52,720  -->  00:00:56,520
the file type is a picture, or is a media file,

24
00:00:56,520  -->  00:00:58,400
instead of checking the extension

25
00:00:58,400  -->  00:01:00,543
because that can be bypassed as well.

26
00:01:02,130  -->  00:01:04,620
The second type of vulnerabilities that we looked at

27
00:01:04,620  -->  00:01:07,630
was the code execution vulnerabilities.

28
00:01:07,630  -->  00:01:11,110
In these exploits, we were able to run any code we wanted

29
00:01:11,110  -->  00:01:12,780
on the target computer.

30
00:01:12,780  -->  00:01:15,100
Again this functionality should be avoided,

31
00:01:15,100  -->  00:01:18,720
you should avoid allowing users to run any sort of code

32
00:01:18,720  -->  00:01:20,420
on your server.

33
00:01:20,420  -->  00:01:22,070
Try to avoid all these functions

34
00:01:22,070  -->  00:01:23,660
such as the passthru,

35
00:01:23,660  -->  00:01:26,410
and all these functions that allow a user

36
00:01:26,410  -->  00:01:29,750
to run operating system code on the server.

37
00:01:29,750  -->  00:01:32,490
If you absolutely had to use something like it,

38
00:01:32,490  -->  00:01:37,060
then make sure you analyze the input before you execute it.

39
00:01:37,060  -->  00:01:39,510
For example, in the example we've seen

40
00:01:39,510  -->  00:01:42,700
where the code was doing a ping and it will ping anything

41
00:01:42,700  -->  00:01:43,890
we put in the text box.

42
00:01:43,890  -->  00:01:47,400
So I'm putting here /$textbox just to show

43
00:01:47,400  -->  00:01:50,880
that this is the input that we put in the text box.

44
00:01:50,880  -->  00:01:52,790
This is what the program actually looks like,

45
00:01:52,790  -->  00:01:54,850
if it looks too complicated forget about it,

46
00:01:54,850  -->  00:01:56,800
we're just talking about the concept here.

47
00:01:56,800  -->  00:01:58,733
So we're going to be talking about this here.

48
00:02:00,150  -->  00:02:02,750
So, say for example you put what we did

49
00:02:02,750  -->  00:02:04,803
is we put a normal IP,

50
00:02:06,670  -->  00:02:10,570
and then we put the semicolon, and then we put a command

51
00:02:10,570  -->  00:02:14,160
that we wanted to do so we just for example ls -la.

52
00:02:14,160  -->  00:02:17,220
The problem with this is the web application used

53
00:02:17,220  -->  00:02:21,510
to take this the way it is, copy it, and run it in here.

54
00:02:21,510  -->  00:02:24,538
Which will, when you execute this command,

55
00:02:24,538  -->  00:02:29,500
it will do the ping first, and then it will do the ls -la

56
00:02:29,500  -->  00:02:31,720
which is the command that we wanted.

57
00:02:31,720  -->  00:02:34,670
What you need to do is, for example, if you had to do it,

58
00:02:34,670  -->  00:02:37,690
what I advise is you just don't use these functions.

59
00:02:37,690  -->  00:02:40,600
If you had to use a function like this,

60
00:02:40,600  -->  00:02:43,940
then what you should do is check that the input

61
00:02:43,940  -->  00:02:44,960
is what you're expecting,

62
00:02:44,960  -->  00:02:47,270
for example, you're expecting an IP address

63
00:02:47,270  -->  00:02:49,788
and nothing else, so you can use regex

64
00:02:49,788  -->  00:02:52,270
to make sure, now I'm not gonna talk about regex

65
00:02:52,270  -->  00:02:53,830
or what regex is,

66
00:02:53,830  -->  00:02:55,500
regex is basically a rule

67
00:02:55,500  -->  00:02:57,170
that'll make sure that the input looks

68
00:02:57,170  -->  00:02:58,210
like the following format.

69
00:02:58,210  -->  00:03:00,080
So it takes a digit, digit

70
00:03:00,080  -->  00:03:03,490
dot digit digit dot digit digit dot digit digit

71
00:03:03,490  -->  00:03:05,580
which if I put anything else,

72
00:03:05,580  -->  00:03:07,803
then the web application should refuse it.

73
00:03:09,220  -->  00:03:11,450
You can also make sure that there are no semicolons

74
00:03:11,450  -->  00:03:13,390
and that there are no spaces,

75
00:03:13,390  -->  00:03:15,900
so everything comes in as one thing

76
00:03:15,900  -->  00:03:17,710
and then it gets executed.

77
00:03:17,710  -->  00:03:20,480
Again, this is a way of making it more secure

78
00:03:20,480  -->  00:03:23,080
but the best thing is just to avoid these functions.

79
00:03:24,960  -->  00:03:26,520
The third type of vulnerability

80
00:03:26,520  -->  00:03:28,650
that we looked at was the file inclusion

81
00:03:28,650  -->  00:03:30,090
and we looked at two types.

82
00:03:30,090  -->  00:03:31,450
The local file inclusion

83
00:03:31,450  -->  00:03:34,270
which allowed us to include any file on the system

84
00:03:34,270  -->  00:03:35,810
and then read files

85
00:03:35,810  -->  00:03:38,960
which will cause a file disclosure vulnerability

86
00:03:38,960  -->  00:03:41,670
and then you'd be able to read any file on the server

87
00:03:41,670  -->  00:03:43,960
and then we looked at the remote file inclusion

88
00:03:43,960  -->  00:03:45,350
which is very dangerous

89
00:03:45,350  -->  00:03:48,490
which allowed us to include any file

90
00:03:48,490  -->  00:03:52,180
from any web server so we were able to include PHP shells

91
00:03:52,180  -->  00:03:54,983
and then get a connection from the target computer.

92
00:03:56,560  -->  00:03:57,840
To prevent these, first of all,

93
00:03:57,840  -->  00:04:00,550
make sure you prevent the remote file inclusion.

94
00:04:00,550  -->  00:04:02,330
So just in case anything goes wrong,

95
00:04:02,330  -->  00:04:05,910
people can't include files from outside your server

96
00:04:05,910  -->  00:04:08,070
and you can do that the same way we enabled it

97
00:04:08,070  -->  00:04:09,700
using the PHP ini

98
00:04:09,700  -->  00:04:12,220
by disabling the allow_url_fopen

99
00:04:12,220  -->  00:04:14,270
and allow_url_include.

100
00:04:14,270  -->  00:04:16,390
And if we go here to our Metasploitable,

101
00:04:16,390  -->  00:04:18,090
I'll just show you very quick,

102
00:04:18,090  -->  00:04:22,340
so if we do sudo nano

103
00:04:22,340  -->  00:04:26,130
which is the text editor /etc/PHP/cgi/php.ini,

104
00:04:26,130  -->  00:04:27,530
the same file that we used,

105
00:04:27,530  -->  00:04:30,140
this is the file for the PHP settings.

106
00:04:30,140  -->  00:04:31,323
If you open that file,

107
00:04:33,760  -->  00:04:35,543
and now I'm gonna do Control + W,

108
00:04:37,670  -->  00:04:39,457
and look for allow_url.

109
00:04:48,243  -->  00:04:50,150
And you wanna make sure that the allow_url_fopen

110
00:04:50,150  -->  00:04:51,990
is set to Off

111
00:04:53,600  -->  00:04:56,643
and allow_url_include is set to Off as well.

112
00:04:59,140  -->  00:05:01,360
Control + X + Y and enter

113
00:05:01,360  -->  00:05:02,783
and that'll save it for you.

114
00:05:06,530  -->  00:05:08,268
The other way to prevent these exploits

115
00:05:08,268  -->  00:05:10,970
is to use static file inclusion

116
00:05:10,970  -->  00:05:13,180
so instead of using dynamic file inclusion

117
00:05:13,180  -->  00:05:16,610
which we've seen, you can hard code the files

118
00:05:16,610  -->  00:05:18,360
that you want to include in the code

119
00:05:18,360  -->  00:05:21,040
and not get them using GET or POST.

120
00:05:21,040  -->  00:05:23,220
For example, what's happening in the examples

121
00:05:23,220  -->  00:05:25,180
we see in the vulnerability examples

122
00:05:25,180  -->  00:05:28,537
is we have a page called page or index.php.

123
00:05:30,340  -->  00:05:33,870
And then this index.php takes a parameter called page

124
00:05:33,870  -->  00:05:35,090
and then it takes another page,

125
00:05:35,090  -->  00:05:37,240
for example, news.php.

126
00:05:37,240  -->  00:05:40,500
And it includes this news.php in the code.

127
00:05:40,500  -->  00:05:42,163
So what does the code look like?

128
00:05:43,080  -->  00:05:46,293
In the PHP code, you'll see something like include.

129
00:05:55,100  -->  00:05:56,930
So what this will do basically,

130
00:05:56,930  -->  00:06:00,400
and that looks like this, I believe,

131
00:06:00,400  -->  00:06:02,400
what this does, it includes

132
00:06:03,450  -->  00:06:06,323
whatever comes after the page parameter.

133
00:06:07,450  -->  00:06:11,630
So the code will dynamically take whatever comes in

134
00:06:11,630  -->  00:06:14,980
after the page parameter and include it in the current page

135
00:06:14,980  -->  00:06:18,253
so this will be in the index.php page.

136
00:06:19,527  -->  00:06:20,760
Okay, this is very bad

137
00:06:20,760  -->  00:06:22,770
because even if it's not GET,

138
00:06:22,770  -->  00:06:24,160
sometimes people use POST

139
00:06:24,160  -->  00:06:25,800
and in POST you won't see this

140
00:06:25,800  -->  00:06:28,700
so it'll be posted but you can use a proxy

141
00:06:28,700  -->  00:06:30,470
such as Burp proxy

142
00:06:30,470  -->  00:06:31,980
and this will look like that

143
00:06:31,980  -->  00:06:33,810
and then you can modify it

144
00:06:33,810  -->  00:06:36,810
and get it to include anything you want

145
00:06:36,810  -->  00:06:39,460
and then it's displayed on the page.

146
00:06:39,460  -->  00:06:43,090
What we really want to do is we want the user not to be able

147
00:06:43,090  -->  00:06:45,800
to manipulate what's gonna be included,

148
00:06:45,800  -->  00:06:49,948
so if you wanted to include a page called news.php,

149
00:06:49,948  -->  00:06:52,010
just include it inside this

150
00:06:52,010  -->  00:06:53,940
without giving the user the ability

151
00:06:53,940  -->  00:06:55,266
to change it.

152
00:06:55,266  -->  00:06:56,870
I know you're gonna program your code

153
00:06:56,870  -->  00:07:00,420
to just have it looking like this

154
00:07:00,420  -->  00:07:02,750
but the users, we know, we've seen how users

155
00:07:02,750  -->  00:07:04,760
can play with this and just get it

156
00:07:04,760  -->  00:07:06,630
to include anything they want.

157
00:07:06,630  -->  00:07:08,070
The best way to do it

158
00:07:08,070  -->  00:07:10,183
is just to get it to include page.php

159
00:07:10,183  -->  00:07:13,644
so your code is not using any variables.

160
00:07:13,644  -->  00:07:16,663
It's hard coded, it might make your code longer

161
00:07:16,663  -->  00:07:18,713
but it's much more secure.
