A good starting point is noticing the use of an insecure (and now deprecated) PHP function: create_function. This function performs an eval on the code it is handed. The generated code would normally look something like this: create_function('$a', "return str_replace('\\quote', 'quote', \$a);");
The developers anticipated that this might be a security issue, so they converted every single quote (') into \' (escaping it). But, as the clever man realized, they were not escaping the escape sequence itself! A \' in the input would therefore be transformed into \\', where the doubled backslash is now a literal backslash and the quote is left unescaped. Therefore, the attacker could escape the string!
Now, how does one actually exploit this? Some PHP trickery was needed to make the payload work. Here is the payload: ).passthru("id").die();}//\
A few parts of this payload are interesting. Most of them simply close off parts of the function so that the resulting code still parses and runs:
- The first ')' terminates the str_replace call.
- The '//' comments out all the code after it so it does not run (preventing a seg fault).
- The '}' is required to keep the create_function body from breaking.
- The backslash, at the very end, escapes the quote that follows it.
Overall, this was a very subtle bug, and exploiting it required a lot of toying around to get everything working just right!
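As an added example (not code from the write-up or from the affected project), the quote-only escaping described above is reconstructed with constructed input and shown beside two hardened forms; the names weak_escape, safe_escape and make_replacer are chosen here for illustration:

```php
<?php
// Added example, not the project's own code. It models the escaping flaw on
// constructed input and shows two fixes: escaping the backslash as well as the
// quote, and dropping create_function for a closure so that no user-controlled
// text is ever handed to the PHP parser.

// Weak: only the single quote is escaped (models the bug described above).
function weak_escape(string $s): string {
    return str_replace("'", "\\'", $s);
}

// Fix 1: escape the backslash first, then the quote. Order matters: escaping
// the quote first turns \' into \\', and the later backslash pass into \\\\',
// which still terminates a single-quoted PHP string.
function safe_escape(string $s): string {
    return str_replace(["\\", "'"], ["\\\\", "\\'"], $s);
}

// Fix 2: no eval at all. The pattern is captured as data via `use`, so the
// code the parser sees is fixed and the user value never becomes code.
function make_replacer(string $pattern): Closure {
    return function (string $a) use ($pattern): string {
        return str_replace($pattern, 'quote', $a);
    };
}

// Constructed input: a backslash followed by a quote, the pair the bug hinges on.
$input = "\\'";
echo weak_escape($input), PHP_EOL;   // \\'   -> the quote is live again
echo safe_escape($input), PHP_EOL;   // \\\'  -> the quote stays escaped

$replace = make_replacer($input);
echo $replace("x\\'y"), PHP_EOL;     // xquotey -> the pattern is data, not code
```

Running it with a PHP 7.x or 8.x CLI prints the three lines shown in the comments; the closure variant also keeps working on PHP 8, where create_function no longer exists.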