misc/firestuff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

PHP/PERL/Ruby exploit

Browse Source
This commit is contained in:
Ian Gulliver
2019-04-21 17:15:52 +00:00
parent fd452f9393
commit 7bbe051df1
4 changed files with 112 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
markdown/2006-02-09-php-perl-ruby-exploit.md Normal file
View File

@@ -0,0 +1,51 @@
<!--# set var="title" value="PHP/PERL/Ruby exploit" -->
<!--# set var="date" value="February 9, 2006" -->
<!--# include file="include/top.html" -->
Take the __PHP__ code:
<?php
$filename = content/.$_REQUEST[filename]..html;
include($filename);
?>
This is exploitable in an obvious way; “../” can be included in the filename, and it can be used to open any file ending in “.html” thats readable by the web user. However, theres a second, less obvious exploit path.
If magic\_quotes\_gpc is off, the following is possible:
test.php?filename=../../../../../../etc/passwd%00
PHP stores strings internally as binary-safe, but the include() requires a syscall, which expects a nil-terminated string. The result is that the syscall considers the string over at the \0, and opens /etc/passwd. PHP should really check to see if the binary-safe string contains nils before the syscall, and fail with an error if it does.
---
In __PERL__:
open IN,”foo\0bar”;
causes the syscall:
open(”foo”, O_RDONLY|O_LARGEFILE)
---
In __Ruby__:
File.open(”foo\0bar”,r');
causes the syscall:
open(”foo”, O_RDONLY|O_LARGEFILE)
---
__Python__ appears to be safe:
open(”foo\0bar”,”r”);
throws an error:
TypeError: file() argument 1 must be (encoded string without NULL bytes), not str
<!--# include file="include/bottom.html" -->

1
markdown/index.md
View File

@@ -39,6 +39,7 @@
1. 2009-Sep-11: [Confusing BIND with CNAMEs](2009-09-11-confusing-bind-with-cnames.html)
1. 2009-Feb-19: [The odd case of my mugging](2019-02-19-the-odd-case-of-my-mugging.html)
1. 2009-Feb-03: [5-packet TCP connection?](2009-02-03-5-packet-tcp-connection.html)
1. 2006-Feb-09: [PHP/PERL/Ruby exploit](2006-02-09-php-perl-ruby-exploit.html)
1. 2006-Feb-07: [Why is my SSH X Window forwarding broken?](2006-02-07-why-is-my-ssh-x-window-forwarding-broken.html)
1. 2006-Feb-06: [Installing Debian from a USB stick](2006-02-06-installing-debian-from-a-usb-stick.html)
1. 2006-Feb-02: [Rebooting Linux when it doesnt feel like it](2006-02-02-rebooting-linux-when-it-doesnt-feel-like-it.html)