Create vulnerability

p99 · Post by **p99** » 07 Feb 2007, 01:26

I'm trying to make a page in php with a local file inclusion vulnerability.

I want to be able to do: http://url/index.php?page="whatever"

Now I tried making an array with variables and that wasn't what I wanted.
I tried using include('file');

I'm just trying to set this vulnerability up on my own server so i can play around with it. It's just not the same with wargame servers.

So any help is apreciated. I haven't coded in php until about 20 minutes ago (or any server sided language) so i have little idea what i'm trying to do.

I read part of a tutorial and played with some code but i'm just not sure how to make this vulnerability.

Post by **Gogeta70** » 07 Feb 2007, 11:14

Take a look at these PHP functions:

include();
fsockopen();
fopen();
fgets();

That should get you somewhere

.

RNA · Post by **RNA** » 08 Feb 2007, 18:18

p99 wrote:I'm trying to make a page in php with a local file inclusion vulnerability.

I want to be able to do: http://url/index.php?page="whatever"

Now I tried making an array with variables and that wasn't what I wanted.
I tried using include('file');

I'm just trying to set this vulnerability up on my own server so i can play around with it. It's just not the same with wargame servers.

So any help is apreciated. I haven't coded in php until about 20 minutes ago (or any server sided language) so i have little idea what i'm trying to do.

I read part of a tutorial and played with some code but i'm just not sure how to make this vulnerability.

well for an include thing like that I think its something like this(php aint my main thing)

Code: Select all

<?php
$file = $_GET['page'];
include($file);
?>

that ?page = is sending a variable using GET, to get variables sent through the url like that(sorry for my lack of better explanation

) you do
$_GET['Name'] where Name is whatever the variable is called in the URL(in your case, page)

~RNA

p99 · Post by **p99** » 08 Feb 2007, 23:01

Ok thanks. I hadn't figured it out. I did find what I wanted using the regular include though.

I was messing around with running code from a jpg. It works and pretty damn well.

RNA · Post by **RNA** » 09 Feb 2007, 00:44

you could make it parse .jpg files through php

Let me get you something on it

ok, had to dink with my httpd.conf file(didnt have allowoverride on >.<)

heres an example for my php gen sig:

in the folder its in I have in the .htaccess

Code: Select all

<Files sig.png>
ForceType application/x-httpd-php
</Files>

instead of sig.png you could to *.jpg or whatever.

this means that the file will actually be passed through the PHP parser before going out to you, you actually are calling the URL of an image, it just gets parsed

Code: Select all

rna.is-a-geek.com/phpstuffs/sig.png
rna.is-a-geek.con/phpstuffs/sig.phps

you could have it log hits, do whatever

p99 · Post by **p99** » 09 Feb 2007, 01:43

I actually used a program that would comment the jpg. All I have to do to run the code inside is include the picture.

RNA · Post by **RNA** » 09 Feb 2007, 01:49

Including the picture that way would also force it to be parsed, same thing like

Code: Select all

include('sig.php');

would include it after running all the code, so would

Code: Select all

include('sig.png');

suck-o.com

Create vulnerability

Create vulnerability

Re: Create vulnerability