File Disclosure

Guest
Posted on 29-04-06 04:49
I found a site that has a file disclosure vuln (you know, index.php?f=../../and/so/on/index.php type stuff), but instead of executing the PHP code I injected, it simply displays the file.

Instead of a simple

Code
include($_GET['f']);

this site uses

Code
echo file_get_contents($_GET['f']);

or something.

I won't disclose the site for legal reasons, but is there a way I can inject PHP code onto the server?

BTW they use Smarty.


RE: File Disclosure

Guest
Posted on 29-04-06 19:03
Read the articles to see how to check if a site is vulnerable, then try some of the methods listed.

Cheers

Dantronix


RE: File Disclosure

Guest
Posted on 12-05-06 02:42
Yeah, try storing a PHP script on your server and then make $file = http://yoursite.com/script.php.


RE: File Disclosure

Guest
Posted on 12-05-06 05:03
First: It doesn't eval or include the file, just prints it out. So offsite-server file was out of the question.

Second, they fixed it already after I told them, posted on zone-h/digg, etc. It was the EFF if you were wondering :)
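
An added example, not from the thread and not the affected site's code: the read-only pattern from the first post next to one way to confine the `f` parameter to a single directory. `BASE_DIR`, `ALLOWED_EXT` and `resolve_page()` are hypothetical names, and the sketch assumes the served pages are plain-text files.

```php
<?php
// Added example with constructed names; paths and extensions are assumptions.
const BASE_DIR    = '/var/www/app/pages';  // hypothetical content directory
const ALLOWED_EXT = ['txt', 'md'];         // hypothetical: never serve .php source

// Pattern from the first post, kept for comparison. It reads any path the
// web server user can read, so source and config files are disclosed:
//   echo file_get_contents($_GET['f']);

/**
 * Map a user-supplied name to a real file inside $baseDir, or return null.
 */
function resolve_page(string $name, string $baseDir = BASE_DIR): ?string
{
    // Reject empty names, NUL bytes and stream wrappers (http://, php://, ...).
    if ($name === '' || strpos($name, "\0") !== false || strpos($name, '://') !== false) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() resolves ../ sequences and symlinks; false if nothing is there.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The canonical path must still sit under the canonical base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Allow-list by extension so application source is never echoed back.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $path : null;
}

// Only accept a scalar string; ?f[]=x would otherwise arrive as an array.
$requested = (isset($_GET['f']) && is_string($_GET['f'])) ? $_GET['f'] : '';
$path = resolve_page($requested);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
// Escape on output so file content cannot inject markup into the page.
echo htmlspecialchars(file_get_contents($path), ENT_QUOTES, 'UTF-8');
```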