misc/firestuff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

PHP/PERL/Ruby exploit

Browse Source
This commit is contained in:
Ian Gulliver
2019-04-21 17:15:52 +00:00
parent fd452f9393
commit 7bbe051df1
4 changed files with 112 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
2006-02-09-php-perl-ruby-exploit.html Normal file
View File

@@ -0,0 +1,59 @@
<!--# set var="title" value="PHP/PERL/Ruby exploit" -->
<!--# set var="date" value="February 9, 2006" -->
<!--# include file="include/top.html" -->
<p>Take the <strong>PHP</strong> code:</p>
<pre><code>&lt;?php
$filename = content/.$_REQUEST[filename]..html;
include($filename);
?&gt;
</code></pre>
<p>This is exploitable in an obvious way; “../” can be included in the filename, and it can be used to open any file ending in “.html” thats readable by the web user. However, theres a second, less obvious exploit path.</p>
<p>If magic_quotes_gpc is off, the following is possible:</p>
<pre><code>test.php?filename=../../../../../../etc/passwd%00
</code></pre>
<p>PHP stores strings internally as binary-safe, but the include() requires a syscall, which expects a nil-terminated string. The result is that the syscall considers the string over at the \0, and opens /etc/passwd. PHP should really check to see if the binary-safe string contains nils before the syscall, and fail with an error if it does.</p>
<hr />
<p>In <strong>PERL</strong>:</p>
<pre><code>open IN,”foo\0bar”;
</code></pre>
<p>causes the syscall:</p>
<pre><code>open(”foo”, O_RDONLY|O_LARGEFILE)
</code></pre>
<hr />
<p>In <strong>Ruby</strong>:</p>
<pre><code>File.open(”foo\0bar”,r');
</code></pre>
<p>causes the syscall:</p>
<pre><code>open(”foo”, O_RDONLY|O_LARGEFILE)
</code></pre>
<hr />
<p><strong>Python</strong> appears to be safe:</p>
<pre><code>open(”foo\0bar”,”r”);
</code></pre>
<p>throws an error:</p>
<pre><code>TypeError: file() argument 1 must be (encoded string without NULL bytes), not str
</code></pre>
<!--# include file="include/bottom.html" -->

1
index.html
View File

@@ -40,6 +40,7 @@
<li>2009-Sep-11: <a href="2009-09-11-confusing-bind-with-cnames.html">Confusing BIND with CNAMEs</a></li> <li>2009-Sep-11: <a href="2009-09-11-confusing-bind-with-cnames.html">Confusing BIND with CNAMEs</a></li>
<li>2009-Feb-19: <a href="2019-02-19-the-odd-case-of-my-mugging.html">The odd case of my mugging</a></li> <li>2009-Feb-19: <a href="2019-02-19-the-odd-case-of-my-mugging.html">The odd case of my mugging</a></li>
<li>2009-Feb-03: <a href="2009-02-03-5-packet-tcp-connection.html">5-packet TCP connection?</a></li> <li>2009-Feb-03: <a href="2009-02-03-5-packet-tcp-connection.html">5-packet TCP connection?</a></li>
<li>2006-Feb-09: <a href="2006-02-09-php-perl-ruby-exploit.html">PHP/PERL/Ruby exploit</a></li>
<li>2006-Feb-07: <a href="2006-02-07-why-is-my-ssh-x-window-forwarding-broken.html">Why is my SSH X Window forwarding broken?</a></li> <li>2006-Feb-07: <a href="2006-02-07-why-is-my-ssh-x-window-forwarding-broken.html">Why is my SSH X Window forwarding broken?</a></li>
<li>2006-Feb-06: <a href="2006-02-06-installing-debian-from-a-usb-stick.html">Installing Debian from a USB stick</a></li> <li>2006-Feb-06: <a href="2006-02-06-installing-debian-from-a-usb-stick.html">Installing Debian from a USB stick</a></li>
<li>2006-Feb-02: <a href="2006-02-02-rebooting-linux-when-it-doesnt-feel-like-it.html">Rebooting Linux when it doesnt feel like it</a></li> <li>2006-Feb-02: <a href="2006-02-02-rebooting-linux-when-it-doesnt-feel-like-it.html">Rebooting Linux when it doesnt feel like it</a></li>

51
markdown/2006-02-09-php-perl-ruby-exploit.md Normal file
View File

@@ -0,0 +1,51 @@
<!--# set var="title" value="PHP/PERL/Ruby exploit" -->
<!--# set var="date" value="February 9, 2006" -->
<!--# include file="include/top.html" -->
Take the __PHP__ code:
<?php
$filename = content/.$_REQUEST[filename]..html;
include($filename);
?>
This is exploitable in an obvious way; “../” can be included in the filename, and it can be used to open any file ending in “.html” thats readable by the web user. However, theres a second, less obvious exploit path.
If magic\_quotes\_gpc is off, the following is possible:
test.php?filename=../../../../../../etc/passwd%00
PHP stores strings internally as binary-safe, but the include() requires a syscall, which expects a nil-terminated string. The result is that the syscall considers the string over at the \0, and opens /etc/passwd. PHP should really check to see if the binary-safe string contains nils before the syscall, and fail with an error if it does.
---
In __PERL__:
open IN,”foo\0bar”;
causes the syscall:
open(”foo”, O_RDONLY|O_LARGEFILE)
---
In __Ruby__:
File.open(”foo\0bar”,r');
causes the syscall:
open(”foo”, O_RDONLY|O_LARGEFILE)
---
__Python__ appears to be safe:
open(”foo\0bar”,”r”);
throws an error:
TypeError: file() argument 1 must be (encoded string without NULL bytes), not str
<!--# include file="include/bottom.html" -->

1
markdown/index.md
View File

@@ -39,6 +39,7 @@
1. 2009-Sep-11: [Confusing BIND with CNAMEs](2009-09-11-confusing-bind-with-cnames.html) 1. 2009-Sep-11: [Confusing BIND with CNAMEs](2009-09-11-confusing-bind-with-cnames.html)
1. 2009-Feb-19: [The odd case of my mugging](2019-02-19-the-odd-case-of-my-mugging.html) 1. 2009-Feb-19: [The odd case of my mugging](2019-02-19-the-odd-case-of-my-mugging.html)
1. 2009-Feb-03: [5-packet TCP connection?](2009-02-03-5-packet-tcp-connection.html) 1. 2009-Feb-03: [5-packet TCP connection?](2009-02-03-5-packet-tcp-connection.html)
1. 2006-Feb-09: [PHP/PERL/Ruby exploit](2006-02-09-php-perl-ruby-exploit.html)
1. 2006-Feb-07: [Why is my SSH X Window forwarding broken?](2006-02-07-why-is-my-ssh-x-window-forwarding-broken.html) 1. 2006-Feb-07: [Why is my SSH X Window forwarding broken?](2006-02-07-why-is-my-ssh-x-window-forwarding-broken.html)
1. 2006-Feb-06: [Installing Debian from a USB stick](2006-02-06-installing-debian-from-a-usb-stick.html) 1. 2006-Feb-06: [Installing Debian from a USB stick](2006-02-06-installing-debian-from-a-usb-stick.html)
1. 2006-Feb-02: [Rebooting Linux when it doesnt feel like it](2006-02-02-rebooting-linux-when-it-doesnt-feel-like-it.html) 1. 2006-Feb-02: [Rebooting Linux when it doesnt feel like it](2006-02-02-rebooting-linux-when-it-doesnt-feel-like-it.html)