Archive for the 'RFI' Category

become a hacker with webgoat

WebGoat is an insecure web application which is designed to teach web application security concepts.
You can try hacking: Access Control Flaws, Authentication Flaws, Session Management Flaws, Cross-Site Scripting (XSS), Buffer Overflows, Injection Flaws, Improper Error Handling, Insecure Storage, Denial of Service, Insecure Configuration, Web Services and AJAX Security.

There is a “Lesson Plan”, a kind of tutorial, and in the “Hints Menu” you can view the parameters, the cookies, the code and the solution.
It’s a lot of fun and you learn more about web application security.


The null byte to hack includes

The null byte (also called the null terminator) is the character with the value zero; it exists in both the ASCII and Unicode character sets. In C-style strings it marks the end of the string.
In a URL, and therefore in what PHP receives from a request, this character is written %00.

OK, what’s the deal with null bytes?

A lot of people think that the method below, which includes a file with a fixed extension (.php), is bulletproof, but that’s not true.

<?php
// The caller controls the prefix; only the ".php" suffix is fixed.
include ($_GET['site'].".php");
?>

If you call the script with a null byte in the URL, it’s possible to include any local or remote file!

http://example.com/?site=../../../../etc/passwd%00
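
The fix is not to sanitize the parameter but to stop building the include path from user input at all. The handler below is an added example and not code from the original post; the pages directory, the ALLOWED_PAGES list and the load_page() name are its own assumptions, and it targets PHP 7.1 or later. PHP 5.3.4 and later already refuse file paths that contain a null byte, so the %00 truncation above fails on current PHP, but a fixed ".php" suffix alone still lets the parameter select any .php file that ../ can reach, which is why the allowlist is the real defence.

```php
<?php
// Added example (not from the original post): a hardened replacement for
//     include($_GET['site'] . ".php");
// ALLOWED_PAGES, load_page() and the pages/ directory are this example's
// own assumptions.

// Allowlist of page names that may be included; anything else is refused.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Map an untrusted "site" parameter to a file path, or return null.
 * Three independent checks: reject control bytes (including the null byte),
 * accept only allowlisted names, and confirm the resolved path stays inside
 * the pages directory even if the allowlist is later misconfigured.
 */
function load_page(string $site, string $base_dir): ?string
{
    // 1. A null byte (or any other control character) has no place in a page name.
    if (preg_match('/[\x00-\x1f\x7f]/', $site)) {
        return null;
    }
    // 2. Compare against the allowlist, not against a pattern.
    if (!in_array($site, ALLOWED_PAGES, true)) {
        return null;
    }
    // 3. Canonicalise and verify the prefix; realpath() returns false for missing files.
    $real_base = realpath($base_dir);
    $real_file = realpath($base_dir . DIRECTORY_SEPARATOR . $site . '.php');
    if ($real_base === false || $real_file === false) {
        return null;
    }
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($real_file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real_file;
}

$site = $_GET['site'] ?? 'home';
$path = load_page($site, __DIR__ . '/pages');
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

Checks 2 and 3 overlap on purpose: the allowlist is the control, and the realpath() prefix comparison catches the day someone adds a name containing ../ to the list.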

What does a phpshell look like?

After my last posting, “(evil) Register Globals (on)”, I got an email asking what remote files look like and what they do. I call remote files “phpshells”. A phpshell sends commands directly to the server’s operating system over HTTP.

An easy version could use a GET variable for a system call. Even that is enough to steal information, destroy pages and do other nasty stuff on a web server.

<?php
    // Runs whatever arrives in ?cmd= as a shell command on the server.
    system($_GET['cmd']);
?>

The r57shell is the deluxe version of a phpshell. I added some pictures below. It has a web interface with functions such as FTP, mail and many more.
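
For the defender’s side, here is an added example (not from the original post and not part of r57shell or any real tool) of the kind of check a code scanner or deployment hook can run to catch the one-line shell above: it flags source lines where a request superglobal is passed straight to a command-execution function. The function name find_shell_patterns() and the embedded sample are this example’s own constructions; the pattern list is deliberately small and will not catch obfuscated shells, so treat hits as a starting point for review, not a verdict.

```php
<?php
// Added example (not from the original post): a small static check that flags
// PHP source in which a request superglobal reaches a command-execution
// function, the pattern a minimal phpshell uses. find_shell_patterns() and the
// sample source are this example's own assumptions. Requires PHP 7.4+.

const EXEC_FUNCTIONS = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open', 'eval'];
const SUPERGLOBALS   = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE'];

/**
 * Return one hit per source line that calls an execution function with a
 * superglobal as its first argument, e.g. system($_GET['cmd']).
 */
function find_shell_patterns(string $source): array
{
    $hits    = [];
    $funcs   = implode('|', array_map(fn($f) => preg_quote($f, '/'), EXEC_FUNCTIONS));
    $globals = implode('|', array_map(fn($g) => preg_quote($g, '/'), SUPERGLOBALS));
    // Function name, optional whitespace, "(", optional whitespace, superglobal.
    $pattern = '/\b(' . $funcs . ')\s*\(\s*(' . $globals . ')\b/i';

    foreach (explode("\n", $source) as $index => $line) {
        if (preg_match($pattern, $line, $m)) {
            $hits[] = [
                'line'     => $index + 1,
                'function' => strtolower($m[1]),
                'source'   => $m[2],
            ];
        }
    }
    return $hits;
}

// Constructed sample: the one-line shell from the post, plus two benign lines
// (a superglobal that is merely read, and a command with a fixed argument).
$sample = <<<'PHP'
<?php
$user = $_GET['user'];
system($_GET['cmd']);
echo shell_exec('uptime');
PHP;

foreach (find_shell_patterns($sample) as $hit) {
    printf("line %d: %s() called directly on %s\n",
        $hit['line'], $hit['function'], $hit['source']);
}
```

Only the third sample line is reported: reading a superglobal into a variable is normal, and shell_exec('uptime') has no user-controlled argument. A real scanner would follow the data through variables; this one shows the shape of the rule a practitioner can extend.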


(evil) Register Globals (on)

The register_globals directive is enabled (register_globals = On) by default in PHP versions 4.2.0 and greater in the php config (php.ini). While it doesn’t represent a security vulnerability, it’s a security risk.

Why is it a security risk? Let’s look at this example:
