 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
Finding Vulns in Generic PHP Site |
 |
 Posted: Wed May 04, 2005 5:03 pm |
 |
|
| KingOfSka |
| Advanced user |
 |
|
| Joined: Mar 13, 2005 |
| Posts: 61 |
|
|
|
 |
|
 |
|
hi all !
i'm learning php, now i would like to know how to discover vulns in a generic php site, without having its sources
i found some easy RFI linke index.php?var=somestring , are there some othere possible vulns ? |
|
|
|
|
| Posted: Wed May 04, 2005 5:54 pm |
|
|
| Heintz |
| Valuable expert |
|
|
| Joined: Jun 12, 2004 |
| Posts: 88 |
| Location: Estonia/Sweden |
|
|
|
|
|
|
you probably want to read
http://phpsec.org - recommendations and put your self in "bad" guy roll  |
|
_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
| Posted: Thu May 05, 2005 4:21 pm |
|
|
| KingOfSka |
| Advanced user |
|
|
| Joined: Mar 13, 2005 |
| Posts: 61 |
|
|
|
|
|
|
|
thanks a lot i'm reading that papers
by the way, some papers about vulns that can be finded in php source ? |
|
|
|
|
|
|
|
|
| Posted: Thu May 05, 2005 6:23 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
Be creative and open-minded, think from attacker's point of view, consider to try all possible attack vectors - GET/POST/COOKIE/USERAGENT/REFERER, search for base64(),urldecode(),eval(),unserialize(),stripslashes(), etc etc etc
And if you have tried all the easy attack possibilities, then next is execution flow/execution logic analyzing - even in very secure php scripts (but with very complicated and sophisthicated code) can be found hidden logical design time flaws, just waiting to exploit. But this is hard work and first analyze all the user-submitted data to all the script parts 
-->EDIT<-- OOPS, sorry, my bad. I noticed, that you are talking about generic website (so called "black box") with not known source code...
All my previous text is meant to be about open source code |
|
|
|
|
|
|
|
|
| Posted: Thu May 05, 2005 10:55 pm |
|
|
| FistFucker |
| Regular user |
|
|
| Joined: May 06, 2005 |
| Posts: 21 |
|
|
|
|
|
|
|
FistFucker's quote: "If you know how to use a programming language, you also know how to misuse it." So become a very good "PHP coder" and you will also become a very good "PHP hacker". I know this listens boring, but it's the true. Just read, read, read, learn, try out and understand, that's all. :-)
But blind attacking, without knowledge of the source code is very difficult. Sure you can find SQL injections, but they are most useless without knowledge of the database structure and then you can misuse them only for a full path disclosure. Local or remote file inclusion could be possible. Try something like: 'index.php?file=downloads' --> 'index.php?file=http://www.waraxe.com', 'index.php?file=/etc/passwd' or 'index.php?file=C:\boot.ini'. And if it shows the content of the URL or file you can execute your own PHP code there or steal files. (Local/Remote File Inclusion) |
|
|
|
|
|
www.waraxe.us Forum Index -> Php
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 71
Members: 0
Total: 71
