This was the premise of a talk by James Kettle that I saw at Black Hat, much of which seems to be repeated in his own notes here. RCE takes shape in shoving server-side code into template engines and getting it to run, in lieu of pushing sinister JavaScript into online forms to have it ultimately do wacky frontend manipulations. In both circumstances, the data entered by the user will bubble back up to the screen elsewhere in the application, and when it does... look out! The JavaScript can cause a certain set of problems for anyone visiting the content, but the RCE approach will run code against the server itself, not necessarily with any end goal of affecting the displayed page it runs from. (It has its eye on bigger things.) RCE is also not SQL injection, where one is trying to have at the database. No, one is trying to have at the server. If you can sense that an app is running the Smarty template engine for PHP and you can hack it, you can run your own PHP scripts in the same place the scripts that run the web site are run. That will ultimately let you mess with the database and so much more. In other examples that were harder for me to follow, James was able to get a shell running at the server when hacking against different template engines.

To start with in hacking, try entering ${7*7} and {{7*7}} and a handful of other markup-escapes-out-of-markup-and-into-code variants that I wasn't smart enough to write down in my notes during the talk into template content, and see if you can get a 49 back wherever the markup bubbles back up to the web site. When you have narrowed in on which variant actually gives the 49, you have also narrowed in on which particular popular template engine is being used under the hood at the hosting you are trying to break into. Smarty is pretty easy to break/hack once you know it's Smarty. There is also Smarty (Secure), which is less sloppy, but it too has holes.
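As an added example (not from the post or from James Kettle's talk), here is a small Python check a developer can drop into their own test suite to confirm that reflected input is being treated as data rather than evaluated, using the 7*7 probes described above. The engine-family labels and the sample responses are my own assumptions, constructed for the example.

```python
import re

# Probe strings from the talk, keyed by delimiter style. The engine-family hints
# are my own associations, not from the post: {7*7} is Smarty's own tag syntax,
# {{ }} is the Jinja2/Twig family and ${ } the FreeMarker/Velocity family.
PROBES = {
    "{{7*7}}": "Jinja2/Twig-style",
    "${7*7}": "FreeMarker/Velocity-style",
    "{7*7}": "Smarty-style",
}

def probe_evaluated(probe, response_body):
    """True if the server evaluated the arithmetic inside the probe instead of echoing it."""
    # Strip the delimiters and compute what an evaluating engine would print ("7*7" -> "49").
    expr = re.sub(r"[^\d*]", "", probe)
    a, b = (int(x) for x in expr.split("*"))
    expected = str(a * b)
    # The raw probe coming back verbatim means the input was handled as data (safe).
    if probe in response_body:
        return False
    # Otherwise look for the product as an isolated number; a "49" inside "1949" does not count.
    # (For real tests prefer a product unlikely to occur naturally on the page, e.g. 1337*1337.)
    return re.search(rf"(?<!\d){expected}(?!\d)", response_body) is not None

def classify(responses):
    """Given {probe: response_body} pairs, return the engine hints whose probe was evaluated."""
    return [PROBES[p] for p, body in responses.items()
            if p in PROBES and probe_evaluated(p, body)]

# Constructed sample: the same search term reflected back by three hypothetical endpoints.
SAMPLE_RESPONSES = {
    "{{7*7}}": "<h1>Search results for {{7*7}}</h1>",  # echoed verbatim: treated as data
    "${7*7}": "<h1>Search results for ${7*7}</h1>",    # echoed verbatim: treated as data
    "{7*7}": "<h1>Search results for 49</h1>",          # evaluated: template code ran
}

if __name__ == "__main__":
    print(classify(SAMPLE_RESPONSES))  # ['Smarty-style']
```

A hit from classify is the signal that user input is being concatenated into template source rather than passed in as a template variable, which is the fix to make.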
James found Smarty_Internal_Write_File as a part of Smarty (Secure), which allowed him to write PHP files to the server and execute code, and that was that. He has told the Smarty (Secure) keepers about this particular loophole and it is now fixed, but... other exploitable virgin territory beckons.