misc/firestuff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
68ec5604092e365bcb9a8397daf13a1e81d31997
firestuff/markdown/2006-02-09-php-perl-ruby-exploit.md
Ian Gulliver a3dfa24549 Switch to ISO dates
2019-04-25 02:45:09 +00:00

52 lines
1.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<!--# set var="title" value="PHP/PERL/Ruby exploit" -->
<!--# set var="date" value="2006-02-09" -->
<!--# include file="include/top.html" -->
Take the __PHP__ code:
<?php
$filename = content/.$_REQUEST[filename]..html;
include($filename);
?>
This is exploitable in an obvious way; “../” can be included in the filename, and it can be used to open any file ending in “.html” thats readable by the web user. However, theres a second, less obvious exploit path.
If magic\_quotes\_gpc is off, the following is possible:
test.php?filename=../../../../../../etc/passwd%00
PHP stores strings internally as binary-safe, but the include() requires a syscall, which expects a nil-terminated string. The result is that the syscall considers the string over at the \0, and opens /etc/passwd. PHP should really check to see if the binary-safe string contains nils before the syscall, and fail with an error if it does.
---
In __PERL__:
open IN,”foo\0bar”;
causes the syscall:
open(”foo”, O_RDONLY|O_LARGEFILE)
---
In __Ruby__:
File.open(”foo\0bar”,r');
causes the syscall:
open(”foo”, O_RDONLY|O_LARGEFILE)
---
__Python__ appears to be safe:
open(”foo\0bar”,”r”);
throws an error:
TypeError: file() argument 1 must be (encoded string without NULL bytes), not str
<!--# include file="include/bottom.html" -->
Reference in New Issue View Git Blame Copy Permalink