EvilZone

: Magic LFI PHP command
: Stackprotector May 17, 2013, 12:02:17 PM
Hai guys,


Today I found this neat little trick to inject into an include($_GET['sex']); LFI vulnerability.


php://filter/read=convert.base64-encode/resource=index.php


Instead of the result of index.php, this returns the actual content encoded in base64. So when you've got some basedir restrictions and you can't do much more than include stupid files, you can read them and get the configs etc. :)
: Re: Magic LFI PHP command
: ca0s May 17, 2013, 02:07:39 PM
Those funny PHP wrappers (http://www.php.net/manual/en/wrappers.php.php) :D
They are also useful to bypass WAFs/filters.

http://www.ptsecurity.ru/ics/%D0%90.%D0%9C%D0%BE%D1%81%D0%BA%D0%B2%D0%B8%D0%BD_%D0%9E_%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF_%D0%B8%D1%81%D0%BF_%D0%A0%D0%9D%D0%A0_wrappers.pdf

And sometimes even for code execution, like it's shown at the end of this post:
http://zerofreak.blogspot.com.es/2012/04/lfi-exploitation-via-phpinput-shelling.html
: Re: Magic LFI PHP command
: Stackprotector May 17, 2013, 02:15:58 PM
> Those funny PHP wrappers (http://www.php.net/manual/en/wrappers.php.php) :D
> They are also useful to bypass WAFs/filters.
>
> http://www.ptsecurity.ru/ics/%D0%90.%D0%9C%D0%BE%D1%81%D0%BA%D0%B2%D0%B8%D0%BD_%D0%9E_%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF_%D0%B8%D1%81%D0%BF_%D0%A0%D0%9D%D0%A0_wrappers.pdf
>
> And sometimes even for code execution, like it's shown at the end of this post:
> http://zerofreak.blogspot.com.es/2012/04/lfi-exploitation-via-phpinput-shelling.html

php://fd

php://fd allows direct access to the given file descriptor. For example, php://fd/3 refers to file descriptor 3.

That could do some harm on sites with vulnerabilities.
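
Added example, not part of the original thread and not any poster's code: a hardened replacement for the include($_GET[...]) pattern discussed above, where the request value is only a key into a fixed map, so neither php://filter, php://input, php://fd nor a traversal path ever reaches include. The parameter name `page`, the `pages/` directory and the template file names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical layout: page templates live in ./pages next to this script.
const PAGES_DIR = __DIR__ . '/pages';

// Allowlist: the request parameter is only ever a lookup key into this map,
// so no user-controlled string is passed to include.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a requested page name to an absolute template path.
 * Returns null for anything that is not an exact allowlist key.
 */
function resolve_page(string $name): ?string
{
    if (!array_key_exists($name, PAGES)) {
        // Wrapper URLs (php://..., data:...) and ../ paths all end here.
        return null;
    }

    // Defence in depth: realpath() resolves symlinks and "..", and returns
    // false for missing files, so a template that is absent or symlinked
    // outside PAGES_DIR is refused as well.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$name]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// $_GET values can be arrays (?page[]=x), so check the type before resolving.
$requested = $_GET['page'] ?? 'home';
$file = is_string($requested) ? resolve_page($requested) : null;

if ($file === null) {
    http_response_code(404);
    exit('Not found');
}

include $file;
```

Setting allow_url_include=Off does not stop php://filter from being used on a local resource, which is why the fix belongs in the code that builds the include path and not only in php.ini.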