Task 3

Try to switch the modes. You'll notice that although the links that switch the modes use the r GET parameter, the browser ends up displaying URLs without parameters.

Nevertheless, the date format is selected according to the selected mode.

Therefore, the server remembers which mode is selected and then redirects you to a URL without parameters.

Most likely, the selected mode is stored in a cookie. Create a GET request to test this supposition. The HTTP request should be the following:

 GET /zadachi/3/index.php?r=2 HTTP/1.1
 Host: localhost
 User-Agent: Mozilla/5.0

The server will respond as follows:

 HTTP/1.1 302
 Set-Cookie: r=2
 Location: index.php

This confirms the supposition.

Test how the script responds to various values of the r parameter:

  • http://localhost/zadachi/3/index.php?r=123

  • http://localhost/zadachi/3/index.php?r=123'123

  • http://localhost/zadachi/3/index.php?r=12.3abc567

The only conclusion from these requests is that the r value is filtered by being cast to an integer.

Could it be that only the GET parameter is filtered? Test whether the r cookie parameter is filtered as well. Create the following request:

 GET /zadachi/3/index.php HTTP/1.1
 Host: localhost
 User-Agent: Mozilla/5.0
 Cookie: r=12.3abc56

A fragment of the response will be as follows:

 <b>Warning</b>: main(./12.inc): failed to open stream: No such file or directory in <b>x:\localhost\zadachi\index.php</b> on line <b>19</b><br/>
 <b>Warning</b>: main(): Failed opening './12.inc' for inclusion (include_path='.;c:\php4\pear') in <b>x:\localhost\zadachi\index.php</b> on line <b>19</b>

Therefore, the r cookie parameter is filtered in the same manner: the value 12.3abc56 was cast to 12 before being used in the include.

So, there is no PHP source code injection vulnerability in the r parameter. However, you might have noticed that the script tries to include and execute the ./{$r}.inc file for every received value. This suggests that files such as 1.inc, 2.inc, and 3.inc exist on the system.

Make requests such as http://localhost/zadachi/3/1.inc and notice that the files exist. What's more, their source code is displayed, because their extension is not .php and the web server serves them as plain text instead of executing them.

Examine the source code of these files. You can suppose that the PHP source code injection vulnerability lies in the etcpath parameter, which the included files use as a global variable. Check this with the following:


Then, exploit the vulnerability by including a remote file, executing it on the server, and displaying the contents of the target configuration file.
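The following is an added example, not code from the book or from the exercise: it restates the include pattern the walkthrough infers from the warnings (an integer-cast r selecting ./{$r}.inc, and an included file trusting a global etcpath) and puts a hardened rewrite beside it. The file names mode_N.php, the etc directory, the function names, and the php.ini settings named in the comments are assumptions; only r and etcpath come from the page.

```php
<?php
// Added example, not code from the book: the include pattern the walkthrough
// infers, beside a hardened rewrite. File and function names other than r and
// etcpath are assumptions.

// --- Pattern inferred from the warnings (simplified) ---
// index.php:  $r = (int) $_COOKIE['r'];  include "./{$r}.inc";
// 1.inc:      include "{$etcpath}/something.inc";
// $r is cast to an integer, so "./{$r}.inc" cannot be steered elsewhere, but
// $etcpath is never set by the script; with register_globals=On a request
// parameter named etcpath becomes that variable, so the second include path is
// request-controlled (and with allow_url_fopen/allow_url_include it may be remote).

// --- Hardened rewrite ---
// Assumed php.ini settings: register_globals = Off, allow_url_include = Off.
// The rest of the fix is in the code below.

// Base directory for mode files: fixed at deploy time, never taken from a
// request, and outside the web root so the sources are never served as text.
define('ETC_PATH', dirname(__DIR__) . '/etc');

// Return a validated mode from the GET parameter or the cookie. Only values in
// the allowlist are accepted; everything else falls back to mode 1.
function select_mode(array $get, array $cookie): int
{
    $allowed = [1, 2, 3];
    foreach ([$get, $cookie] as $src) {
        if (isset($src['r']) && ctype_digit((string) $src['r'])) {
            $mode = (int) $src['r'];
            if (in_array($mode, $allowed, true)) {
                return $mode;
            }
        }
    }
    return 1;
}

// Map a validated mode to a file inside ETC_PATH. The realpath() prefix check
// rejects any resolved path outside that directory, which keeps the function
// safe even if the allowlist is later widened to non-numeric mode names.
function mode_file(int $mode): string
{
    $base = realpath(ETC_PATH);
    $path = realpath(ETC_PATH . "/mode_{$mode}.php");
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("no file for mode {$mode}");
    }
    return $path;
}

$mode = select_mode($_GET, $_COOKIE);
// Remember the mode the same way the original does (cookie + redirect), but
// only ever store an allowlisted value and mark the cookie HttpOnly.
if (isset($_GET['r'])) {
    setcookie('r', (string) $mode, 0, '/', '', false, true);
    header('Location: index.php', true, 302);
    exit;
}
require mode_file($mode);
```

The two controls that matter are that no include path is built from request data at all (the mode is an allowlisted integer mapped to a fixed file name under a fixed directory), and that included files live outside the document root with a .php extension, so neither the etcpath trick nor the plain-text disclosure of the .inc files applies.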

The task is solved.

Hacker Web Exploitation Uncovered
ISBN: 1931769494
Year: 2005
Pages: 77
