Tuesday, November 18, 2014

Set Up a PHP Debugger with Sublime in Kali (Debian)


1. Install Sublime
# wget "http://c758482.r82.cf2.rackcdn.com/sublime-text_build-3065_amd64.deb"
# dpkg -i sublime-text_build-3065_amd64.deb

2. Run sublime
# cd /opt/sublime_text
# ./sublime_text

3. Install the Package Control plugin. Open View -> Show Console, paste the snippet for your Sublime version (without surrounding quotes) and press Enter. The snippet downloads Package Control.sublime-package and writes it to the installed packages path only if its SHA-256 digest matches the value in h.
If you use Sublime 2:
import urllib2,os,hashlib; h = '7183a2d3e96f11eeadd761d777e62404' + 'e330c659d4bb41d3bdf022e94cab3cd0'; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); os.makedirs( ipp ) if not os.path.exists(ipp) else None; urllib2.install_opener( urllib2.build_opener( urllib2.ProxyHandler()) ); by = urllib2.urlopen( 'http://packagecontrol.io/' + pf.replace(' ', '%20')).read(); dh = hashlib.sha256(by).hexdigest(); open( os.path.join( ipp, pf), 'wb' ).write(by) if dh == h else None; print('Error validating download (got %s instead of %s), please try manual install' % (dh, h) if dh != h else 'Please restart Sublime Text to finish installation')

If you use Sublime 3 (the version used in this post):
import urllib.request,os,hashlib; h = '7183a2d3e96f11eeadd761d777e62404' + 'e330c659d4bb41d3bdf022e94cab3cd0'; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); urllib.request.install_opener( urllib.request.build_opener( urllib.request.ProxyHandler()) ); by = urllib.request.urlopen( 'http://packagecontrol.io/' + pf.replace(' ', '%20')).read(); dh = hashlib.sha256(by).hexdigest(); print('Error validating download (got %s instead of %s), please try manual install' % (dh, h)) if dh != h else open(os.path.join( ipp, pf), 'wb' ).write(by)

4. Restart Sublime

5. Go to Preference -> Package Control and choose Install Package (plugin)

6. Type xdebug and install it

7. Install LAMP (Linux + Apache2 + MySQL + PHP) and the required software
#  apt-get install apache2 php5 php5-gd mysql-server php5-mysql php5-dev php-pear make python

8. Install Xdebug module for PHP5
# apt-get install php5-xdebug

Configure the Xdebug module in /etc/php5/conf.d/20-xdebug.ini with these options:
zend_extension=/usr/lib/php5/20100525/xdebug.so
xdebug.remote_enable=on
xdebug.remote_handler=dbgp
xdebug.remote_host=localhost
xdebug.remote_port=9000 


9. Restart Apache2
# /etc/init.d/apache2 restart

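9. Create an example PHP file with a loop in Sublime
<?php
    $arr = array(1, 2, 3, 4);

    // Double every element in place; $value is a reference into $arr
    foreach ($arr as &$value)
    {
            $value = $value * 2;

            print $value;
    }
    unset($value); // drop the reference left over from the loop
?>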
 

10. In Sublime, create some breakpoints: right click and choose Xdebug -> Add/Remove Break Point.

11. In Sublime menu, Go to "Tools -> Xdebug -> Start Debugging"
(You can see the config of Sublime from "Tools -> Xdebug -> Settings Default(Or Settings User)")

12. Open Firefox

13. Install "The easiest Xdebug 2.0" addon

14. Restart Firefox

15. Go to "Tools -> Addon" and open the Preferences of The easiest Xdebug 2.0

16. Input "sublime.xdebug" into IDE key for remote debugging.

17. Visit the page that we want to debug (the same page as in step #9). Click the bug on the right side.


18. Refresh the page in the web browser. Debugging begins, and Sublime controls the output of the page.

List of PHP Exploitation Code

Command Execution

exec           - Returns last line of command's output
passthru       - Passes command's output directly to the browser
system         - Passes command's output directly to the browser and returns last line
shell_exec     - Returns command's output
`` (backticks) - Same as shell_exec()
popen          - Opens read or write pipe to process of a command
proc_open      - Similar to popen() but greater degree of control
pcntl_exec     - Executes a program

PHP Code Execution

Apart from eval there are other ways to execute PHP code: include/require can be used for remote code execution in the form of Local File Include and Remote File Include vulnerabilities.
eval()
assert()  - identical to eval()
preg_replace('/.*/e',...) - /e does an eval() on the match
create_function()
include()
include_once()
require()
require_once()
$_GET['func_name']($_GET['argument']);
$func = new ReflectionFunction($_GET['func_name']); $func->invoke(); or $func->invokeArgs(array());
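
One way to triage a code base for the command execution and PHP code execution sinks listed above, as an added example that is not part of the original post: a Python scanner that flags direct calls, includes built from a variable, the /e modifier and variable function calls. The rule labels, the scan() function and the sample PHP are constructed for this illustration.

```python
import re

# Sink names copied from the two lists above.
COMMAND = r"exec|passthru|system|shell_exec|popen|proc_open|pcntl_exec"
CODE = r"eval|assert|create_function"
# The lookbehind skips methods ($pdo->exec), statics (A::exec) and names like curl_exec.
RULES = [
    ("command-exec", re.compile(r"(?<![\w$>:])(" + COMMAND + r")\s*\(")),
    ("command-exec", re.compile(r"`[^`\n]*\$[^`\n]*`")),      # backticks with a variable
    ("code-exec", re.compile(r"(?<![\w$>:])(" + CODE + r")\s*\(")),
    # include/require are language constructs; only paths built from a variable are flagged.
    ("file-include", re.compile(r"(?<![\w$>:])(?:include|require)(?:_once)?\b[^;]*\$")),
    # $name(...) or $_GET['f'](...): the callee is chosen at run time.
    ("variable-call", re.compile(r"\$\w+(?:\[[^\]]*\])?\s*\(")),
]
# First argument of preg_replace: quote, delimiter, pattern, delimiter, modifiers, quote.
PREG = re.compile(r"""preg_replace\s*\(\s*(['"])(.)(.*?)\2([a-zA-Z]*)\1""")

def scan(php):
    """Return sorted (line, label) pairs for execution sinks that need manual review."""
    findings = set()
    for n, line in enumerate(php.splitlines(), 1):
        for label, rx in RULES:
            if rx.search(line):
                findings.add((n, label))
        m = PREG.search(line)
        if m and "e" in m.group(4):                           # /e evaluates the replacement
            findings.add((n, "preg-replace-e"))
    return sorted(findings)

# Constructed sample input, not taken from a real application.
SAMPLE = """<?php
$rows = $pdo->exec('DELETE FROM t');
$out = shell_exec($cmd);
echo preg_replace('/.*/e', $replacement, $subject);
echo preg_replace('/[0-9]+/', ' ', $text);
include $_GET['page'] . '.php';
require_once 'config.php';
$_GET['func_name']($_GET['argument']);
"""

if __name__ == "__main__":
    for line, label in scan(SAMPLE):
        print(line, label)
```

Hits are candidates for manual review, not confirmed vulnerabilities; the /e rule only handles patterns whose opening and closing delimiter are the same character.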

List of functions which accept callbacks

These functions accept a string parameter which could be used to call a function of the attacker's choice. Depending on the function the attacker may or may not have the ability to pass a parameter. In that case an Information Disclosure function like phpinfo() could be used.
Function                     => Position of callback arguments
'ob_start'                   =>  0,
'array_diff_uassoc'          => -1,
'array_diff_ukey'            => -1,
'array_filter'               =>  1,
'array_intersect_uassoc'     => -1,
'array_intersect_ukey'       => -1,
'array_map'                  =>  0,
'array_reduce'               =>  1,
'array_udiff_assoc'          => -1,
'array_udiff_uassoc'         => array(-1, -2),
'array_udiff'                => -1,
'array_uintersect_assoc'     => -1,
'array_uintersect_uassoc'    => array(-1, -2),
'array_uintersect'           => -1,
'array_walk_recursive'       =>  1,
'array_walk'                 =>  1,
'assert_options'             =>  1,
'uasort'                     =>  1,
'uksort'                     =>  1,
'usort'                      =>  1,
'preg_replace_callback'      =>  1,
'spl_autoload_register'      =>  0,
'iterator_apply'             =>  1,
'call_user_func'             =>  0,
'call_user_func_array'       =>  0,
'register_shutdown_function' =>  0,
'register_tick_function'     =>  0,
'set_error_handler'          =>  0,
'set_exception_handler'      =>  0,
'session_set_save_handler'   => array(0, 1, 2, 3, 4, 5),
'sqlite_create_aggregate'    => array(2, 3),
'sqlite_create_function'     =>  2,
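
The position table above can drive an audit check, shown here as an added example that is not from the original post: it splits each call's arguments and reports callback slots that hold a variable instead of a literal. The names split_args and find_dynamic_callbacks and the sample PHP are assumptions made for this illustration, and only a subset of the table is loaded.

```python
import re

CALLBACK_POS = {"ob_start": (0,), "array_map": (0,), "call_user_func": (0,),
                "usort": (1,), "preg_replace_callback": (1,), "array_udiff": (-1,),
                "array_udiff_uassoc": (-1, -2)}  # subset of the table; negative = from end
CALL = re.compile(r"(?<![\w$>:])(" + "|".join(CALLBACK_POS) + r")\s*\(")
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")

def split_args(src, start):  # src[start] is the '(' that opens the call
    args, cur, depth, quote, esc = [], "", 0, None, False
    for ch in src[start:]:
        if quote:                          # inside a string literal
            if esc or ch == "\\":
                esc = not esc
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([{":
            depth += 1
            if depth == 1:                 # the call's own '(' is not argument text
                continue
        elif ch in ")]}":
            depth -= 1
            if depth == 0:                 # the call's own ')'
                return args + [cur.strip()]
        elif ch == "," and depth == 1:     # top-level argument separator
            args, cur = args + [cur.strip()], ""
            continue
        cur += ch
    return args                            # unbalanced input: best effort

def find_dynamic_callbacks(php):
    """Return (line, function, argument, kind) for callback slots holding a variable."""
    findings = []
    for m in CALL.finditer(php):
        args = split_args(php, m.end() - 1)
        for pos in CALLBACK_POS[m.group(1)]:
            if -len(args) <= pos < len(args) and args[pos].startswith("$"):
                kind = "request-controlled" if SUPERGLOBAL.match(args[pos]) else "variable"
                findings.append((php.count("\n", 0, m.start()) + 1, m.group(1), args[pos], kind))
    return findings

# Constructed sample input, not taken from a real application.
SAMPLE = """<?php
usort($rows, 'strcmp');
usort($rows, $_GET['cmp']);
$out = array_udiff($a, $b, $cmp);
call_user_func($_POST['fn'], substr($s, 0, 3));
"""
```

A "variable" finding still needs its data flow traced by hand; a "request-controlled" one takes the callback name straight from the request.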

Information Disclosure

Most of these function calls are not sinks; rather, it may be a vulnerability if any of the data returned is viewable to an attacker. If an attacker can see phpinfo() it is definitely a vulnerability.
phpinfo
posix_mkfifo
posix_getlogin
posix_ttyname
getenv
get_current_user
proc_get_status
get_cfg_var
disk_free_space
disk_total_space
diskfreespace
getcwd
getlastmod
getmygid
getmyinode
getmypid
getmyuid

Other

extract - Opens the door for register_globals attacks (see study in scarlet).
parse_str - works like extract if only one argument is given.
putenv
ini_set
mail - has CRLF injection in the 3rd parameter, opens the door for spam.
header - on old systems CRLF injection could be used for XSS or other purposes, now it is still a problem if they do a header("location: ..."); and they do not die();. The script keeps executing after a call to header(), and will still print output normally. This is nasty if you are trying to protect an administrative area.
proc_nice
proc_terminate
proc_close
pfsockopen
fsockopen
apache_child_terminate
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid
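
The header() case above can be checked mechanically. This added example, which is not from the original post, reports Location redirects whose next statement is not exit or die; the function names and the sample PHP are constructed for the illustration.

```python
import re

# String literals and comments, so that ';' and keywords inside them are ignored.
LITERAL = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|//[^\n]*|#[^\n]*|/\*.*?\*/""", re.S)
REDIRECT = re.compile(r"""\bheader\s*\(\s*['"]\s*location\s*:""", re.I)
STOPS = re.compile(r"(exit|die)\b", re.I)

def mask(php):
    """Blank out literals and comments, keeping offsets and line breaks intact."""
    return LITERAL.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), php)

def redirects_without_exit(php):
    """Return line numbers of Location redirects not followed by exit or die."""
    masked = mask(php)
    findings = []
    for m in REDIRECT.finditer(php):
        if masked[m.start()] == " ":               # the call itself sits in a comment
            continue
        end = masked.find(";", m.start())          # end of the header() statement
        following = masked[end + 1:].lstrip() if end != -1 else ""
        if not STOPS.match(following):             # script would keep executing
            findings.append(php.count("\n", 0, m.start()) + 1)
    return findings

# Constructed sample input, not taken from a real application.
SAMPLE = """<?php
session_start();
if (!isset($_SESSION['admin'])) {
    header('Location: /login.php');   // script keeps running
}
echo admin_panel();

if ($done) {
    header("Location: /done.php?a=1;b=2");
    exit;
}
// header('Location: /old.php');
"""

if __name__ == "__main__":
    print(redirects_without_exit(SAMPLE))
```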

Filesystem Functions

According to RATS all filesystem functions in PHP are nasty. Some of these don't seem very useful to the attacker. Others are more useful than you might think. For instance, if allow_url_fopen=On then a URL can be used as a file path, so a call to copy($_GET['s'], $_GET['d']); can be used to upload a PHP script anywhere on the system. Also, if a site is vulnerable to a request sent via GET, every one of those filesystem functions can be abused to channel an attack to another host through your server.
// open filesystem handler
fopen
tmpfile
bzopen
gzopen
SplFileObject->__construct
// write to filesystem (partially in combination with reading)
chgrp
chmod
chown
copy
file_put_contents
lchgrp
lchown
link
mkdir
move_uploaded_file
rename
rmdir
symlink
tempnam
touch
unlink
imagepng   - 2nd parameter is a path.
imagewbmp  - 2nd parameter is a path.
image2wbmp - 2nd parameter is a path.
imagejpeg  - 2nd parameter is a path.
imagexbm   - 2nd parameter is a path.
imagegif   - 2nd parameter is a path.
imagegd    - 2nd parameter is a path.
imagegd2   - 2nd parameter is a path.
iptcembed
ftp_get
ftp_nb_get