
How I hacked Pornhub for fun and profit - 10,000$

Category: Development (PHP) | Posted by 店小二03 | 2016 | Author: 红领巾

A few months ago I was planning a long vacation and looked for some pocket money. Pornhub’s bug bounty program and its high rewards caught my attention.

In addition it is really cool to hack a site like Pornhub.

TL;DR

This is about how I managed to successfully execute code on www.pornhub.com.

I exploited the callback parameter on video upload and was able to perform an elaborate form of object injection in multiple Pornhub sites. By using the SimpleXMLElement class in a specific flow, I was able to perform an Out-Of-Band XXE attack and thereby fetch the full content of private, local files on the server.

In addition to the local file disclosure, by altering the created class slightly, I was also able to achieve the following core abilities on the server:

* SSRF

* Blind SQL execution (execute a query on every Pornhub DB without receiving the output of the command)

By combining all three flows, I was eventually able to execute arbitrary code on pornhub.com.

Full path disclosure and some unserialize

Pornhub is an account-based service site, which entails uploading files to the server as a vital feature of the site. In the eyes of a hacker, file uploads are usually a weak spot and generally a potential lead towards an exploit.

I decided to research a feature in pornhub.com, allowing a registered user to upload an image file to be used as his profile image.

The server successfully rejects most of my trivial attempts to manipulate the upload. However, once the image is uploaded, Pornhub crops it to a valid size (in order to match the user page's template). Once I had uploaded the image and attempted to crop it, I managed to cause the server to display the following exception:


{"success":"ERROR","message":"Unable to make handle from: \/home\/web1\/upload.pornhub.com\/htdocs\/temp\/images\/1517\/avatarOriginal158936891.png"}.


As you can clearly pick up from the highly descriptive error message, the exception leaked the full path to my uploaded file:
/home/web1/upload.pornhub.com/htdocs/temp/images/1517/avatarOriginal158936891.png

Now that I was able to leak the exact physical path to my uploaded file, I had at my disposal a directory on the server that is writable. Unfortunately, after contacting the Pornhub team regarding this issue, they responded that an identical issue had previously been reported by another researcher.


After a further and deeper dive into Pornhub's upload feature, I detected that the server accepts a cookie as one of the upload parameters. By default, this cookie parameter contains a serialized PHP array of user cookies.

Apparently, the code responsible for processing the upload eventually enumerates the items in the list and adds an HTTP Set-Cookie header if a specific item does not exist in the request's Cookie header.

Since this was black-box exploit research, I obviously did not have the source code and thus was not familiar with any PHP classes implemented by Pornhub, so I was forced to use only native PHP built-in classes. Unfortunately, I was not able to find any class with an interesting __toString function that does not require a call to the class's constructor, so I decided to abandon the flow, despite its large potential.

Although the flow was partially useless for me, these guys did find it highly useful: https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/. Lucky for them, I couldn't leverage it, so I didn't report "unserialize from user".

Upload video and interesting callback

As the next stage towards RCE, I decided to focus on the video uploading feature for the same reasons specified in the intro.

As with the previous file upload, all my attempts to exploit the uploading feature failed miserably; Pornhub does know how to partially protect their server from user-uploaded files. However, during my attempts I noticed one interesting parameter called "callbackUrl", and sure enough, this parameter contained a rather interesting URL. Naturally, I tried accessing this URL and got an exception specifying that a "job" is invalid. I decided to explore this "job" parameter further.

I changed the URL in "callbackUrl" to my own URL and hoped this parameter is actually used and isn't a deprecated/whitelisted parameter left as legacy. Surprisingly, after changing the URL to my local server, I did get a connection:


[screenshot: the connection received on my local server]

This seems like a potential SSRF, but the origin of the request is a third-party server, not related to the Pornhub domain or within its IP scope. This means I would not be able to access internal Pornhub services with it, and researching the third-party site is a little out of scope.

However, this request did give me vital information about the expected structure of the "job" parameter. It appears that "job" is a very long JSON array specifying the uploaded file for further processing, probably encoding. My first attempt was to manipulate the JSON and thereby upload a PHP shell, but I failed and was inches away from giving up on the hunt, until…

Object injection?

I began examining the "type" item in the JSON, which appeared to be a class name. I changed it, sent the JSON to the original URL, and the result was rather surprising:

The response specified that the class does not exist. That led me to the conclusion that it is indeed a class name and that I might be able to, once again, perform object injection. Unfortunately, a blind object injection at this point is virtually impossible...

SoapClient: Personally, SoapClient is my favorite choice when dealing with unserialized data. In most cases it has the potential to expose critical information about the system's behavior (i.e. function names, parameters) and often allows you to return any value you want, including inputs the programmer never intended to provide.

I used SoapClient as my injected class and changed the parameters which I presumed were related to the original class. In response, the server threw an unusual error:

"SoapClient::SoapClient(): $wsdl must be string or null"

This error is unusual since it is a constructor error, which cannot be triggered from unserialize, which led me to believe that Pornhub implemented their own unserialize method.

I tried to comprehend how this unfamiliar unserialize mechanism works and, after various attempts with some indicative errors, I discovered I could control all the arguments sent to the constructor. With this knowledge I was able to create a request with SoapClient pointed at my server instead of the original class.
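To make the flaw concrete from the defender's side, here is an added PHP illustration (not Pornhub's code, whose source the author never saw): a hypothetical job dispatcher that instantiates whatever class the JSON "type" field names, with caller-supplied constructor arguments, beside a version that maps the name through a fixed allow-list and validates the argument. The names VideoEncodeJob, handleJobVulnerable, handleJobHardened and ALLOWED_JOBS are assumptions.

```php
<?php
// Added illustration, not Pornhub's code: a hypothetical job dispatcher that
// turns a user-controlled "type" string into a class, beside a hardened form.
// Assumed names: VideoEncodeJob, handleJobVulnerable, handleJobHardened,
// ALLOWED_JOBS and the $job input. Written for PHP 5.6+ syntax.

class VideoEncodeJob {
    private $path;
    public function __construct($path) { $this->path = $path; }
    public function getResult() { return "encoded: " . $this->path; }
}

// Vulnerable pattern: "type" selects any loadable class and the remaining
// fields become its constructor arguments, so a caller can name a built-in
// such as SoapClient or SimpleXMLElement and choose its constructor input.
function handleJobVulnerable(array $job) {
    $type = $job['type'];
    $args = isset($job['args']) ? $job['args'] : array();
    return new $type(...$args);
}

// Hardened pattern: map the external name through a fixed allow-list, never
// use the string itself as a class name, and validate each argument's shape.
const ALLOWED_JOBS = array('encode' => 'VideoEncodeJob');

function handleJobHardened(array $job) {
    $type = isset($job['type']) ? $job['type'] : '';
    if (!isset(ALLOWED_JOBS[$type])) {
        throw new InvalidArgumentException('unknown job type');
    }
    $path = isset($job['args'][0]) ? $job['args'][0] : null;
    if (!is_string($path) || !preg_match('#^[A-Za-z0-9_./-]+$#', $path)) {
        throw new InvalidArgumentException('bad job argument');
    }
    $class = ALLOWED_JOBS[$type];
    return new $class($path);
}

// Constructed sample input: a job naming SoapClient, as in the write-up above.
// The hardened dispatcher refuses it before any constructor runs.
$job = json_decode('{"type":"SoapClient","args":["http://example.invalid/?wsdl"]}', true);
try {
    handleJobHardened($job);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The same allow-list reasoning applies to the serialized cookie array from the earlier upload flow: data that only needs to be a list of strings should be carried as JSON or another data-only format rather than passed through unserialize().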

The request:


[screenshot: the request]

The SoapClient request as received on my server:


[screenshot: the SoapClient request as received on my server]

Using SoapClient I now had the ability to:

* make SSRF (Server-side request forgery)

* fetch the exact PHP version on the server (which turned out to be version 5.6.17)

* use the function called on the original class (getResult, without p

Mirrored at: http://www.codesec.net/view/480123.html