i8igmac

local file inclusion, log injection

4 posts in this topic

So I'm working on a project I plan to share once I have everything organized... There are a lot of tutorials out there but none have covered all scenarios.

What if log poisoning is possible but your typical <?php passthru(); ?> does not work...

What other methods can we attempt to achieve command execution...

So what else can we write to this log, Perl? Python? Ruby? Java?

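Seen from the defensive side of the question above (code planted in a web-server log so that a later file inclusion executes it), here is an added example that is not from this thread: a Python scanner over constructed Apache combined-format access-log lines that flags PHP or script tags, traversal and null-byte tricks, and log-file paths in the client-controlled fields. The log format, the indicator set and the sample lines are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format (assumed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicator set (assumed): code markers someone would plant in a log, plus the
# traversal / null-byte / log-path tricks used to include that log afterwards.
INDICATORS = {
    "php_tag": re.compile(r"<\?(php|=)", re.I),
    "script_tag": re.compile(r"<script\b", re.I),
    "traversal": re.compile(r"(\.\./|\.\.\\){2,}"),
    "null_byte": re.compile(r"\x00"),
    "log_path": re.compile(r"/(var/log|proc/self)/", re.I),
}

# Constructed sample: a normal request, an inclusion attempt reaching for the
# access log with a null byte, and a PHP tag smuggled in via the User-Agent.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log%00 HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo 'poisoned'; ?>"
"""

def decode(value):
    # Decode twice so double-encoded payloads (%2500 -> %00 -> NUL) are seen.
    for _ in range(2):
        value = unquote(value)
    return value

def scan_line(line):
    """Return the indicator names found in one log line, in INDICATORS order."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    hits = []
    # Request line, Referer and User-Agent are all client-controlled fields.
    for field in ("req", "referer", "ua"):
        text = decode(m.group(field))
        for name, pat in INDICATORS.items():
            if name not in hits and pat.search(text):
                hits.append(name)
    return hits

def scan(lines):
    """Map 1-based numbers of suspicious lines to their indicators."""
    found = ((n, scan_line(l)) for n, l in enumerate(lines, 1))
    return {n: hits for n, hits in found if hits}
```

Run it as `scan(SAMPLE_LOG.splitlines())`; a real deployment would feed it the live access log and raise an alert on any non-empty result.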


Here are some links that should prove useful:

https://www.golemtechnologies.com/articles/shell-injection#how-to-test-if-website-vulnerable-to-command-injection

http://www.blackhatlibrary.net/Command_Injection

Common practice is to use simple "fuzzing" techniques on public-domain scripts and "inurl:" searches with Google or Bing.

It's really easy to write a Perl script looking for common vulns.

In Perl you want to look for stuff like:

open()

system()

exec()

Anything that passes commands to the operating system, uploads anything, or even writes to and names a file. For example, if a script writes form data to a text file, then names the file something like <user name>.txt, you could try creating a user named pwner.php๴. If it is encoded and terminates reading it with a null string, it might execute. When the file is written and decoded it would be: pwner.php%00.txt.

To execute commands from POST and GET requests, it's common to use ";", "&&", "|", or even an encoded version of each. Anything that will properly execute additional commands. Kind of like a union select statement and commenting out the rest of the old SQL in MySQLi attacks.


If searching for Ruby vulns, try and find anywhere `eval` is being used. Eval sends a string as a message to another object for creating dynamic code -- really useful, but really dangerous if you let unsanitized strings in. Also, apparently the ActiveRecord `order` method is vulnerable to SQL injection... so if that's being populated with a POST or GET, you can inject on it.

We've run into both of these at work.

