Grep and Web Vulnerability Mining


By superhei_[at]_ph4nt0m.org, 2006-03-08

[Notes:

a. The grep used below (http://www.interlog.com/~tcharron/grep.html) does not support the -r parameter. Use the following form instead:

    grep -in "\(include\|require\)" C:\test\*.php C:\test\admin\*.php

You can also use the grep ported with cygwin (http://zhouzhen.eviloctal.org/Look.asp?Logid=814).

b. To match any of several keywords ("or" mode), separate them with \|. For "and" mode, chain greps in a pipeline:

    grep -in "select\|$aid" C:\test\read.php | grep -i "from"]

1. Include Vulnerability

Keywords: include require

    C:\>grep -in "\(include\|require\)" C:\test\*.php
    config.php:10:include 'forbid.php';
    conn.inc.php:10:include 'forbid.php';
    conn.php:10:include 'forbid.php';
    global.php:10:include 'forbid.php';
    global.php:16:require_once('conn.inc.php');
    global.php:17:require_once('conn.php');

2. SQL Injection

Keywords: select, variable name

    find . -name '*.php' | xargs grep -niw "select" --color -5

    find . -name '*.php' | xargs grep -liw "select" --color -5

    C:\>grep -in "select" C:\test\read.php
    15:$query = $db->query("select * from ".$tablepre."content where aid = $aid");

    C:\>grep -in "select\|$aid" C:\test\read.php
    13:$aid = $_GET['aid'];
    14:$db->query("update ".$tablepre."content set hits = hits + 1 where aid = '$aid'");
    15:$query = $db->query("select * from ".$tablepre."content where aid = $aid");

3. CMD Injection

Keywords: exec system popen passthru proc_open

    C:\>grep -in "\(exec\|system\|popen\|passthru\|proc_open\)" C:\test\phpspy.php
    413:$a = $shell->ShellExecute($_POST['program'], $_POST['prog']);
    602:$program = isset($_POST['prop']) ? $_POST['program'] : "C:\winnt\system32\cmd.exe";
    613:$execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system' => 'system', 'passthru' => 'passthru', 'exec' => 'exec', 'shell_exec' => 'shell_exec', 'popen' => 'popen', 'wscript' => 'wscript.shell') : array('system' => 'system', 'passthru' => 'passthru', 'exec' => 'exec', 'shell_exec' => 'shell_exec', 'popen' => 'popen');
    615:$tb->tdbody('Select execution function: '.$tb->makeselect(array('name' => 'execfunc', 'option' => $execfuncs, 'selected' => $execfunc)).' Enter the command: '.$tb->makeinput('command', $_POST['command'], '', 'text', '60').' '.$tb->makeinput('', 'run', '', 'submit'));
    620:if ($execfunc == "system") {
    621:system($_POST['command']);
    622:} elseif ($execfunc == "passthru") {
    623:passthru($_POST['command']);

4. Code Injection

Keywords: eval preg_replace

    C:\>grep -in "eval\|preg_replace" C:\test\*.php
    phpspy.php:1034:eval('$hexdtime = "'.$hexdtime.'";');

5. Variable submission method

Keywords: GET POST COOKIE SERVER REQUEST

    C:\>grep -in "_get\|post\|cookie\|server\|request" C:\test\list.php
    13:$sid = $_GET['sid'];
    14:if ($_GET['page']) {
    15:$page = $_GET['page'];

6. Cookie and session

Keywords: cookie session

    C:\>grep -in "session\|cookie" C:\test\admin\*.php
    global.php:16:if (!isset($_COOKIE['in'])) {
    index.php:13:if (!isset($_COOKIE['in'])) {
    job.php:13:if (!isset($_COOKIE['in'])) {
    login.php:22:setcookie("in", "$admin");
    logout.php:11:setcookie("in", "");
    main.php:14:isset($_COOKIE) ? $ifcookie = "success" : $ifcookie = "fail";

7. File Functions

Keywords: readfile fopen upload copy opendir fwrite unlink

... Hope you can continue!
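
The per-category searches above can be combined into one audit pass over your own code base, with the "and" pipeline used to drop keyword hits that never touch request data. The shell functions below are an added example, not from the original article; the function names, category labels and the sample read.php are constructed for illustration, and a POSIX find, grep -E, sed -E and awk (for example under cygwin) are assumed.

```shell
#!/bin/sh
# Added example, not from the original article. Keyword lists follow the
# article's sections 1-5 and 7; category labels and the sample are constructed.
SINKS='include:(include|require)
sql:select
cmd:(exec|system|popen|passthru|proc_open)
code:(eval|preg_replace)
file:(readfile|fopen|upload|copy|opendir|fwrite|unlink)'
SOURCES='\$_(GET|POST|COOKIE|SERVER|REQUEST)'

# scan_php DIR: print "category<TAB>file:line:code" for every keyword hit.
scan_php() {
    printf '%s\n' "$SINKS" | while IFS=: read -r name pat; do
        # /dev/null forces the file-name prefix even for a single file.
        find "$1" -name '*.php' -exec grep -inE "$pat" /dev/null {} + |
            awk -v c="$name" '{ print c "\t" $0 }'
    done
}

# tainted_vars DIR: variables assigned directly from a request superglobal,
# e.g. "$aid = $_GET['aid'];" yields "aid".
tainted_vars() {
    find "$1" -name '*.php' -exec cat {} + |
        sed -nE 's/.*\$([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=[[:space:]]*\$_(GET|POST|COOKIE|SERVER|REQUEST).*/\1/p' |
        sort -u
}

# sink_uses DIR: keyword hits whose line also carries a superglobal or one of
# those variables (the article's "and" pipeline, as in select + $aid).
sink_uses() {
    vars=$(tainted_vars "$1" | paste -sd'|' -)
    filter=$SOURCES
    if [ -n "$vars" ]; then
        filter="$filter|[\$]($vars)([^A-Za-z0-9_]|\$)"
    fi
    scan_php "$1" | grep -E "$filter"
}

# make_sample DIR: write a constructed read.php modelled on the article's output.
make_sample() {
    cat > "$1/read.php" <<'EOF'
<?php
include 'forbid.php';
$aid = $_GET['aid'];
$query = $db->query("select * from ".$tablepre."content where aid = $aid");
$path = "c:\\winnt\\system32\\cmd.exe";
system($_POST['command']);
EOF
}
```

On the sample, scan_php reports four hits, including the harmless system32 string, while sink_uses keeps only the select line that interpolates $aid and the system() call on $_POST data.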
