logo
0 anonymous
Views: 1027754 Challenges: 342
Users: 12689 Online: 10

No Title – 8 Posts

  • No Title

    05/27/2006 08:02
    theblacksheep's Avatar theblacksheep 5610
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    This guestbooks saves a file for every user in the \"user/\" folder with all the information about him.<br><br>Example:<br>---------------------------------------------------<br>&lt;?<br>$Rnick = \"test\";<br>$Ricq = \"\";<br>$Remail = \"none@none.none\";<br>$Rpasswort = \"098f6bcd4621d373cade4e832627b4f6\";<br>$Rhomepage = \"http://whatever.com\";<br>$Raim = \"\";<br>#<br>--------------------------------------------------<br><br>The name is the nick + \".usr\".<br>I was hoping that even more stuff is possible but I wasn't able to pull anything bigger so far <img alt="\&quot;:noclue:\&quot;" src="%5C">
  • 05/27/2006 08:02
    Gome's Avatar Gome 1460
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    Funny.. forgot to close the &lt;? ?&gt; and add .usr as php-file.. nice.
  • 05/27/2006 08:02
    UnknownUser's Avatar UnknownUser 2,7290
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    i can't find anywhere where i can check you findings but, based on what you are saying i would:<br><br>use a nickname that ends on .php<br><br>like test.php<br>chances are that the webserver wiill interpret test.php.usr as a php file.<br><br>then embed some code in for example the email addy.<br><br><br>
  • 05/27/2006 08:02
    theblacksheep's Avatar theblacksheep 5610
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    I haven't checked if it is possible to use the \".\" in the username but why do you expect the webserver to treat a \".php.usr\" as a \".php\" file?<br><br>It is also not necessary because every \".usr\" gets included at one point but you can't inject your own php code.<br>The reason is that everything you enter is dealt with as a string (it is embedded in quotations).<br>There is also no way to get out of them because if you enter a quotation it is getting escaped.<br><br>---------------------------------------------------<br>&lt;?<br>$Rnick = \"...<br>#<br>--------------------------------------------------
  • 05/27/2006 08:02
    UnknownUser's Avatar UnknownUser 2,7290
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    basicly because that's what webservers do.<br><br>I first noticed this behavior, when trying to download .php.back files.<br>i believe it to be a protection against backup files. since lot's of editors<br>make backupfiles like this, it would be sensible to prevent the webserver<br>from displaying these files plain text. And that's what happens.<br><br>
  • 05/27/2006 08:02
    logos's Avatar logos 400
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    rhican, you're right, I've read about this awhile ago.. Here's some proof I found on google: <br><a href="%5C"><img alt="\&quot;link\&quot;" src="%5C">http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/039541.html</a><br>It is said that if the server doesn't recognize the extension after .php (.php.*), then it will interpret the file as a php-file and run it.<br>You can find more with the right search string..
  • 05/27/2006 08:02
    theblacksheep's Avatar theblacksheep 5610
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    Ohh,<br><br>I haven't heard of that issue before. Thank you for pointing it out.<br>This one can get you into real trouble.<br><br>tbs
  • 05/27/2006 08:02
    UnknownUser's Avatar UnknownUser 2,7290
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    indeed it can. That's how my uni's wiki system was exploitable<br><br>saved the text plain in a subject.wiki file<br>and filtered the contents when displaying .. however ..