Real case of hacking with PHP rename() method.

In last week's two posts, I showed you how it's possible to perform a hack using the rename() method and how you can defend yourself from such an attack.

If you haven’t read the articles yet, you can do it in the links below.

Hacking using PHP rename() method.

How to protect against an attack using the rename() method.

Ok, now it's time to see a real case.

The system is a WordPress plugin named SP Project & Document Manager with more than 3k active downloads.

The safe code developers sent the issue to the owner who was very quick to deploy a fix.
First, it isn't a very dangerous case, because you need high-level access to perform the hack.

Before I explain the attack, please watch the video; I will explain it in more detail afterwards.

This system is responsible for managing files, versions and downloads.

Note: I know there are some other problems before we even arrive at the rename() method, but for the purpose of this article we will focus solely on this method.

What were the steps?

First, we upload a file that could later overwrite something, such as .htaccess or the images of the main page; for now, it is just uploaded to the default folder.

In this case we used index.htm, because on many servers index.htm has a higher priority than index.php.

This means that when both are present, the server renders index.htm instead of index.php, which can be used to deface the site or redirect its visitors.

Second, we change the id number of the folder to ../../../ so the path traverses up through the directories to the folder we want.

When we do this, the system renames every file inside the folder into the new folder, which in this case moves index.htm to the root folder.

Have a look at the code:

Get the files inside the folder:

$r = $wpdb->get_results($wpdb->prepare("SELECT *  FROM " . $wpdb->prefix . "sp_cu   where pid = %d",sanitize_text_field( $_POST['id'])), ARRAY_A);

This query uses a WordPress method and protects well against SQL injection, but that is not what matters in this case.

$r now holds every file that will be renamed in the loop below, index.htm among them.

for ($i = 0; $i < count($r); $i++) {
...
}

Inside the loop is the real problem we explained in the last post:

rename('' . SP_CDM_UPLOADS_DIR . ''.$r[$i]['uid'].'/'.$r[$i]['file'].'', '' . SP_CDM_UPLOADS_DIR . '' . sanitize_text_field($_POST['uid']) . '/'.$r[$i]['file'].'');

You can see that the program tries to make the code safe using sanitize_text_field, a WordPress method responsible for cleaning strings, but, as you'll see in other articles, this method is a big problem and does not protect you from everything.

Remember, a silver bullet solution doesn’t exist.

The attack then builds the destination path from the file name taken from $r and uses $_POST['uid'] to complete it.

Like this:

$_POST['uid'] = '../../../';
$r[$i]['file'] = 'index.htm';


rename('' . SP_CDM_UPLOADS_DIR . ''.$r[$i]['uid'].'/'.$r[$i]['file'].'', '' . SP_CDM_UPLOADS_DIR . '' . sanitize_text_field($_POST['uid']) . '/'.$r[$i]['file'].'');

to  

rename('' . SP_CDM_UPLOADS_DIR . ''.$r[$i]['uid'].'/'.$r[$i]['file'].'', '' . SP_CDM_UPLOADS_DIR . '../../..//index.htm');

The difference between this attack and the one in the article about rename hacking is that there we used the first parameter to carry out the attack, while this example uses the second.
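As an added example (not the plugin's code), here is a hardened replacement for the rename() call above: the folder ids are required to be numeric, the file name must be a bare name, and both directories are resolved with realpath() and checked to lie inside the uploads directory before rename() runs. SP_CDM_UPLOADS_DIR is the plugin's own constant; the temporary directory it is set to here is a placeholder so the snippet runs stand-alone.

```php
<?php
// Placeholder for the plugin's constant so the example runs on its own.
if (!defined('SP_CDM_UPLOADS_DIR')) {
    define('SP_CDM_UPLOADS_DIR', sys_get_temp_dir() . '/sp_cdm_uploads/');
}

/**
 * Move $file from the folder of $from_uid into the folder of $to_uid,
 * refusing any request that would leave SP_CDM_UPLOADS_DIR.
 * Returns true on success, false if the request is rejected or rename() fails.
 */
function sp_cdm_move_file_hardened(string $from_uid, string $to_uid, string $file): bool
{
    // 1. Folder ids are numeric, so '../../../' is rejected here;
    //    sanitize_text_field() leaves that value untouched.
    if (!ctype_digit($from_uid) || !ctype_digit($to_uid)) {
        return false;
    }
    // 2. The stored file name must be a bare name, never a path.
    if ($file === '' || $file === '.' || $file === '..' || $file !== basename($file)) {
        return false;
    }
    $base = realpath(SP_CDM_UPLOADS_DIR);
    if ($base === false) {
        return false;
    }
    $src_dir = realpath($base . '/' . $from_uid);
    $dst_dir = realpath($base . '/' . $to_uid);
    // 3. Both folders must exist and resolve inside the uploads directory;
    //    realpath() follows symlinks, so a planted link cannot escape either.
    foreach ([$src_dir, $dst_dir] as $dir) {
        if ($dir === false
            || strpos($dir . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
            return false;
        }
    }
    return rename($src_dir . '/' . $file, $dst_dir . '/' . $file);
}

// Constructed demo folders: a legitimate move between two numeric folders
// succeeds, while the traversal value from the post is rejected before
// rename() is ever reached.
@mkdir(SP_CDM_UPLOADS_DIR . '7', 0700, true);
@mkdir(SP_CDM_UPLOADS_DIR . '8', 0700, true);
file_put_contents(SP_CDM_UPLOADS_DIR . '7/index.htm', 'constructed sample');
var_dump(sp_cdm_move_file_hardened('7', '8', 'index.htm'));
var_dump(sp_cdm_move_file_hardened('8', '../../../', 'index.htm'));
```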

But no worries, I will show you an attack using the second parameter in this link.

We have more real cases with rename.

We are waiting for a fix, so they can be published.

See you folks,
