
Classify types of exploits, based on trace results #8

Open
HarryR opened this issue Sep 27, 2016 · 1 comment
HarryR commented Sep 27, 2016

With results of the traces we should be able to determine which category of bug it is. A classifier needs to match function calls and parameters, then output appropriate Tags. e.g.

  • str_replace = FilterStrReplace
  • mysql_real_escape = SqlEscape
  • stat/open = LocalFile
  • system = CmdExecution
  • connect/send = Network

This fits into the project because it will form the basis of the analyser and exploiter in the level above, e.g. 'LocalFile+CodeExecution' - RCE. The tags will be used to determine what modifications to make to the input parameters to verify the level of control over them, see if there's filtering etc.


HarryR commented Oct 1, 2016

Interesting tricks for PHP (to be expanded):

  • Array parameters, e.g. id vs id[] - try variations of parameters, rather than just their values
  • str_replace, this can be evaded in many cases, can the evasion be automated? (e.g. str_replace("'", "'", $var...))
  • RE expression = PHP's equivalent to C's format string exploits.

Other interesting classifiers - what type is the value? From functions that the value passes through can we determine what it's expected to be? This could reduce the scope of a brute-force phuzz attack. - https://recalll.co/app/?q=smarty%20-%20un-exploitable%20php%20functions%20(whitelist)

Related links:

TODO: research hackerone, collect trends on PHP vulns to find a good starting point for writing classifiers.

High-level categories:

  • Evade/Avoid (bypass filtering, anti-exploitation methods, null bytes, unicode hax)
  • Reflect (exploit trust when passing info, e.g. XSS)
  • Local (machine that executes the code)
  • Remote (machine that code communicates with)
  • Control (over syscalls... code execution etc.)
  • Expose (e.g. LFD, errors, info leaks, reveal IP addresses)
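A minimal classifier of the kind sketched in both comments above, written here as an added example rather than as the project's own code. It parses a constructed trace format (one `function(args)` call per line, an assumption; a real tracer's output would need its own parser), tags only the calls whose arguments mention the parameter under test, applies the function-to-tag table from the first comment, rolls tag combinations up into findings ('LocalFile+CodeExecution' giving RCE), and maps tags onto the high-level categories from the second comment. The `eval`/`include` to CodeExecution row and the tag-to-category table are my assumptions, not something the issue states.

```python
import re
from typing import Dict, List, Tuple

# Constructed trace format assumed for this example: one call per line, written as
# "<function>(<args>)". Real trace output would need its own parser.
CALL_RE = re.compile(r"^\s*(?P<func>[A-Za-z_][A-Za-z0-9_]*)\((?P<args>.*)\)\s*$")

# Function-name -> Tag table as listed in the issue. The eval/include -> CodeExecution
# row is an assumption added so the 'LocalFile+CodeExecution' combination can fire.
TAG_RULES = [
    (re.compile(r"^str_replace$"), "FilterStrReplace"),
    (re.compile(r"^mysql_real_escape(_string)?$"), "SqlEscape"),
    (re.compile(r"^(stat|open)$"), "LocalFile"),
    (re.compile(r"^system$"), "CmdExecution"),
    (re.compile(r"^(connect|send)$"), "Network"),
    (re.compile(r"^(eval|include)$"), "CodeExecution"),  # assumption, not in the issue
]

# Tag combinations that roll up into a higher-level finding (the issue's own example).
COMBO_RULES = [
    (frozenset({"LocalFile", "CodeExecution"}), "RCE"),
]

# Tag -> high-level category; my reading of the second comment's list (an assumption).
CATEGORY_OF: Dict[str, str] = {
    "FilterStrReplace": "Evade",
    "SqlEscape": "Evade",
    "LocalFile": "Local",
    "Network": "Remote",
    "CmdExecution": "Control",
    "CodeExecution": "Control",
}


def parse_trace(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Turn trace lines into (function, [args]) pairs; unparseable lines are skipped."""
    calls = []
    for line in lines:
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args").strip()
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append((m.group("func"), args))
    return calls


def classify(lines: List[str], param: str) -> Tuple[List[str], List[str], List[str]]:
    """Tag every traced call whose arguments mention `param`, then derive findings
    and high-level categories. Returns (tags, findings, categories)."""
    mentions = re.compile(re.escape(param) + r"\b")
    tags: List[str] = []
    for func, args in parse_trace(lines):
        if not any(mentions.search(a) for a in args):
            continue  # the parameter under test never reached this call
        for pattern, tag in TAG_RULES:
            if pattern.match(func) and tag not in tags:
                tags.append(tag)
    findings = [name for needed, name in COMBO_RULES if needed <= set(tags)]
    categories = sorted({CATEGORY_OF[t] for t in tags if t in CATEGORY_OF})
    return tags, findings, categories


# Constructed trace covering two request parameters, $id and $path.
SAMPLE_TRACE = [
    'str_replace("\'", "", $id)',
    'mysql_real_escape_string($id)',
    'stat($path)',
    'include($path)',
    'send($sock, $msg)',
]

if __name__ == "__main__":
    for p in ("$id", "$path"):
        print(p, classify(SAMPLE_TRACE, p))
```

Matching the parameter by name in the argument list is a stand-in for real taint tracking: once a value is copied into another variable the name-based check loses it, so a production classifier would key on the tracer's own data-flow information rather than on argument text. The tag list is kept in call order so that filter tags (FilterStrReplace, SqlEscape) can later be inspected relative to the sink they precede.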
