sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Once you are in...
Posted by: lpilorz
Date: January 18, 2007 04:50AM

So, you found a code execution bug in some PHP app. Now, you'd like to have some tools for getting as much information from the server as you can. I think we could post some of the useful stuff here.

For a good start - listing the directory content bypassing open_basedir restrictions (tested on PHP 4.4.1):
http://lukasz.pilorz.net/testy/open_basedir/open_basedir_ls.txt
It does not list all the directories and files, but it's meant to be fast rather than accurate.

I found the glob() warning bug by myself, but it was reinventing the wheel - Peter Brodersen found it back in 2005: http://seclists.org/fulldisclosure/2005/Sep/0001.html

Feedback and all your little tools are welcome :)

(Edit: it doesn't list dirs/files you have open_basedir rights to, and those starting with the same letter as one of the already listed, e.g.
Real dir content:
./abc
./acd
./bde
./sub/abc
open_basedir_ls:
./abc
./bde
./sub/abc
)



Edited 2 time(s). Last edit at 01/18/2007 04:54AM by lpilorz.
