[35073] in bugtraq
Re: [PHP] include() bypassing filter with php://input
daemon@ATHENA.MIT.EDU (Ali Campbell)
Mon May 31 14:51:50 2004
Message-ID: <40B7BA6E.107@alicampbell.org.uk>
Date: Fri, 28 May 2004 23:17:18 +0100
From: Ali Campbell <bugtraq@alicampbell.org.uk>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
In-Reply-To: <1085772431.1503.28.camel@devcli95>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
I tested this - AFAI can tell it is exploitable against and only against
some page along these lines, as you suggest:
<HTML><HEAD></HEAD><BODY>
<!-- header stuff goes here -->
<?php
include ($_GET['page']);
?>
<!-- footer stuff goes here -->
</BODY></HTML>
... and if you code things in this remarkable way, you deserve to get
'sploited silly, vuln or no vuln. Why not go the whole hog and add the line
eval ($_GET['go_ahead_and_sploit_my_trousers_off']);
while you're at it ?
Ali
clez wrote:
> Hi there!
>
> i use php 4.3.5 and tried this "proof of concept". i assumed, that the
> form attribute "methode" is a typing mistake and adapted the exploit to
> get it working under a php 4.3.x default configuration (it's kinda
> paradox to use autoglobals in an exploit that aims to secure other
> products).
>
> but even this adapted version (see below) does not show anything on
> execution.
>
> this exploit seems to rely on a exploitable web service, that gets paths
> to include files from a get variable named "page".
>
> so this seems to me like a (fixed/changed) bug at the single service
> "www.exemple.com" (not to be mixed up with www.example.com from rfc
> 2606) and not a general php issue.
