Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: Exploiting vulnerable php functions
From: Robin Wood <robin () digininja org>
Date: Thu, 12 Sep 2013 23:17:50 +0100

On 12 September 2013 04:21, Sean McCormick <sean.m.mccormick () gmail com>wrote:

Thanks for all the feedback.

If I understand the remote file inclusion vulnerability correctly this has
more to do with improper data validation than a vulnerability in a PHP
function.  So in order to exploit a vulnerable PHP function in this manner
the script would also have to be missing proper data validation, which
would give you more to play with besides the PHP function correct?

That is correct. You would use the ?FI to bring in a file that used the
vulnerable function.

Robin


On Wed, Sep 11, 2013 at 2:37 AM, Robin Wood <robin () digininja org> wrote:


On 11 Sep 2013 06:53, "allison nixon" <elsakoo () gmail com> wrote:

By the way, if you did use file inclusion in order to abuse vulnerable
php functions, would it have gained you any more access than if you just
file included a shell?


It would depend on what level of access the exploit got you. On a
standard Linux install your shell would be a low privilege user such as
apache but the exploit may get you directly through to root.

I've not investigated web shells in any depth but something I've never
seen is one with all the exploits built in. You could code it to check the
php version then execute the appropriate function.

Robin

On Tue, Sep 10, 2013 at 4:28 AM, Robin Wood <robin () digininja org>
wrote:




On 8 September 2013 19:47, Dancing Dan <d4ncingd4n () gmail com> wrote:

I haven't looked at PHP internals but, some languages create
functions as extensions of other functions as a form of code reuse. This
could lead to unexpected file inclusion.

Does anybody know if PHP does that?


Do you mean one function internally calls another, for example a
string compare ignoring case will call the generic string compare but pass
in the ignore case flag?

I've no idea if PHP does this but would be interested to find out and
if it does to get a list of what calls what.

Robin


Bart

On Sep 8, 2013 1:39 PM, "Robin Wood" <robin () digininja org> wrote:


On 8 Sep 2013 19:01, "Jim Halfpenny" <jim.halfpenny () gmail com>
wrote:

In short no. Take a look at file inclusion vulnerabilities.

http://en.m.wikipedia.org/wiki/File_inclusion_vulnerability

If you are suggesting include in a file which uses a vulnerable
function then your answer is actually yes.

Robin

Regards
Jim

On 8 Sep 2013 04:40, "Sean McCormick" <sean.m.mccormick () gmail com>
wrote:

If a website is running a version of php with vulnerable
functions does the function have to be used in a script in order to exploit
the vulnerability?


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




--
_________________________________
Note to self: Pillage BEFORE burning.

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]