Using and Closing the php Inklud Vulnerability

Next Generation Hackers Group) :. Ngh.void.ru
Article written by: vizor'om
----------------- | Date of writing: 30/03/05
----- | Contacts: gotius ([email protected]) and rel4nium ([email protected])
Use and closure of the vulnerability php includ.
The purpose of the article is to show you how to fix one of the varieties of php includa,
And how to use it.
This vulnerability has been known for a long time, but even today it still occurs ...
This vulnerability is that if a page is written in the site directory written in php,
And an unknown extension of the file, php will open the source text of the document, which means that we can
It's easy to find the admin password in its source (although the password can not always be opened).
For example, a site has a page opening structure of this kind:
Www.victim.com/index.php?aux_page=aux1
Duck here if we instead of aux1 substitute in aux_page = for example index.php then it will give us index.php,
(It happens that even without an unknown extension the script shows us the source code of the page) and
If we put instead index.php index.inc then the bass script will process this request and print
Us the page index. And after you see the source of the index page, you can find
The page on which passwords are written in clear!
eg:
Www.victim.com/index.php?aux_page=connect.inc
This should lead us to the passwords, but they can lie and not in connect.inc, so if you are good
You can learn the passwords easily.
This is all we can do with the help of a crooked script on php, it can be of this content:

If (isset ($ aux_page)) // page with additional information {// additional page if (file_exists ("cfg / $ aux_page")) $ f = file ("cfg / $ aux_page" "); else {$ f = array (); $ F [0] = "NOT found"; } } Consider in detail from a security perspective. if (isset ($ aux_page)) // Check if the value of the variable is set to {{if if (file_exists) ("Cfg / $ aux_page")) // checks if the file exists, if so then ... $ f = file ("cfg / $ aux_page"); // reads the contents of the file into the variable $ f else {$ f = array (); $ F [0] = "The requested information was not found"; } } This is the whole problem, there is no value for the variable ... To fix this vulnerability, you need to insert a check and bring the code to the form: if (isset ($ aux_page) && preg_match ("/ ^ (aux) {1} (\ d +) $ /", $ aux_page)) {if if (file_exists ("cfg / $ aux_page"))) $ F = file ("cfg / $ aux_page"); } else { $ f = array (); $ f [0] = "The requested information was not found"; } }

Now the variable can be assigned only values of the form aux [0; ..] (for example aux1, aux44)
After that it will be impossible to view the source of the document via php inklud.
Ps all the scripts listed in the article are fictitious, any correspondence with reality is not true

Liked? Subscribe to RSS news!
You can also support shram.kiev.ua, press:

It will not be superfluous for your friends to learn this information, share their article with them!

Expand / Collapse

Comments

When commenting on, remember that the content and tone of your message can hurt the feelings of real people, show respect and tolerance to your interlocutors even if you do not share their opinion, your behavior in the conditions of freedom of expression and anonymity provided by the Internet, changes Not only virtual, but also the real world. All comments are hidden from the index, spam is controlled.

All news

Site
Forum

How to choose the right wine for your dish Photo 2017-03-08
How to dress by age and not look stupid Photo 2017-03-08
Sexual variant "Follow me" Photo 2017-03-08
Plate of healthy food Photo 2017-03-08
NASA has opened free access to its software Photo 2017-03-08
Kate Moss, the main beauty of the generation, the femme fatale Photo 2017-03-08
101 Method of application of the paracord Photo 2017-03-05
Everything you wanted to know about tires. Marking, types, seasonality Photo 2017-03-05
How to choose quality natural spices and spices Photo 2017-03-04
Emma Watson (26 years) undressed for the March Vanity Fair Photo 2017-03-04
Emma Watson (Emma Watson) undressed for Natural Beauty Photo 2017-03-04
Tattoo with the image of famous heroes Photo 2017-03-03
Scheme of all municipal transport in Kiev Photo 2017-02-28
How often to have sex according to age Photo 2017-02-28
Fisherman's calendar and forecast of the biting of peaceful / predatory fish for 2017 Photo 2017-02-26
Fishing knots, how to tie a hook, prepare for summer Photo 2017-02-26
Euthanasia Coaster, a project of roller coasters designed for the death penalty Photo 2017-02-26
VEB Page can be evidence in court Photo 2017-02-26
In such a cosplay, you yourself will want to play Photo 2017-02-25
A smart selection of girls from Japan. Photo 2017-02-25
GOI paste (from GOI - State Optical Institute) Photo 2017-02-24
Unnecessary things, which you should quickly get rid of Photo 2017-02-24
Harmful daily habits, because of which there is bloating Photo 2017-02-24
The levers of control of aircraft engines (ORE), it is not enough ... Photo 2017-02-24
Modern design of the Business card Photo 2017-02-23
Cats, artist Vladimir Rumyantsev Photo 2017-02-23
Interesting facts about the film Prometheus Photo 2017-02-23
What did the NASA conference say? Photo 2017-02-21
The format of the SSL certificate, how to convert the certificate to .pem, .cer, .crt, .der, pkcs or pfx Photo 2017-02-21
Types of bleeding and first aid rules you need to know! Photo 2017-02-20
Early signs of diabetes that you should not ignore! Photo 2017-02-20

How to choose the right wine for your dish The rule "red for meat, white for fish" is in effect ... Photo 2017-03-08
How to dress by age and not look stupid How long have you felt? Go, I suppose, like a pimple ... Photo 2017-03-08
Sexual version of "Follow Me" A few years ago, Russian photographers Murad and Natalia Osman created ... Photo 2017-03-08
A plate of healthy food Harvard University and modern science conducts numerous studies to optimize ... Photo 2017-03-08
NASA has opened free access to its software NASA has opened free access to the software catalog 2017-2018. How to ... Photo 2017-03-08
Kate Moss, the main beauty of the generation, the fatal woman Every generation has its own main beauty, a fatal woman, who ... Photo 2017-03-08
101 Paracord method of use For most people the paracord is known as a very convenient device with ... Photo 2017-03-05
Everything you wanted to know about tires. Marking, types, seasonality Tires are the main link between the car and the road. From the ... Photo 2017-03-05
How to choose quality natural spices and spices How to choose natural spices and spices in the market or in ... Photo 2017-03-04
Emma Watson (26 years old) undressed for the March Vanity Fair Emma undressed for the March Vanity Fair, true, on the cover ... Photo 2017-03-04
Emma Watson (Emma Watson) undressed for the book Natural Beauty Emma decided to do this for the book Natural Beauty! And she ... Photo 2017-03-04
A tattoo featuring famous heroes A bitane tattoo artist creates incredibly realistic tattoos with images of famous heroes ... Photo 2017-03-03
Scheme of all municipal transport in Kiev The scheme indicates all buses, trolleybus and tram routes, and ... Photo 2017-02-28
How often you need to have sex according to age Many are curious to know if they are having sex too much or too much ... Photo 2017-02-28
The calendar of the fisherman and the forecast of the biting of peaceful / predatory fish for 2017 There are certain phases of the luminary when you just need to be alone ... Photo 2017-02-26
Fishing knots how to tie a hook, prepare for the summer The type of knot is chosen taking into account the type of fishing line used (monofilament or ... Photo 2017-02-26
Euthanasia Coaster, a project of roller coasters designed for the death penalty The author acknowledges that the roller coaster is not the optimal machine for the ... Photo 2017-02-26
VEB Page can be evidence in court It is necessary to understand that, for example, copyrights are violated not by the existing ... Photo 2017-02-26
In such a cosplay, you yourself will want to play The main prototypes of a costume game - cartoon characters, anime, video games, movies, ... Photo 2017-02-25
A smart selection of girls from Japan. The Japanese (Japanese nihondzin / nipponzin, nihon-minzoku) are the people, the main (more than 98%) ... Photo 2017-02-25
GOI paste (from GOI - State Optical Institute) GOI paste can be used for polishing products from a wide variety of ... Photo 2017-02-24

Cats. Artist Vladimir Rumyantsev. Photo 2017-02-23
Prometheus - Interesting Facts Photo 2017-02-23
Did you see the Lithuanian Cheerleaders? Worth Seeing! 2017-02-23
Olsen, Elizabeth / Elizabeth Olsen Photo 2017-02-23
She sat at the Window, And He Entered Her Car ... Photo 2017-02-23
Photo of Cats, Cats, Kitties Photo 2017-02-23
How the Turtle Can Run Photo 2017-02-23
Bengal Cat Talking With a Kitten 2017-02-23
National Bank Introduces New Coin to Circulation (Photo) Photo 2017-02-23
Protasov Yar 30 Years Ago Photo 2017-02-23
Photo of the Animals Photo 2017-02-23
Nasa Broadcast What's Reported At the Nasa Photo Conference 2017-02-23
Something, Size With Jupiter, Rushing "Through" the Sun Photo 2017-02-22
Central Streets of Kiev Will Be Blocked For Five Days Photo 2017-02-20
3 Folk Ways to Make the Vagina Narrow And Elastic Photo 2017-02-20
Monica Bellucci In The Magazine Gq Italy, February 2017 Photo 2017-02-20
The Serebro Group In Maxim Magazine, March 2017 Photo 2017-02-20
What to Do If You Have been Detained by Police - 146 Article Piracy Photo 2017-02-20
New Free Os has appeared Photo 2017-02-18
Wood Under the Electron Microscope Photo 2017-02-18
The Market of Payment Cards In 2016, Demonstrated a Significant Growth Photo 2017-02-18

Social

Your IP: 66.249.93.38
Your Country: European Union

Free 50 UAH for your Monobank card?