Literally the only way to leverage php to gain more access than a system()
call is if there were a buffer overflow in a php function or some other
vulnerability in a lower level of a function call, AND if most execution
functions (e.g. passthrough(), system(), exec(), shell_exec()) were
intentionally banned or "safe_mode" (and I use that term extremely loosely)
were on. Even if that were the case, you'd need to defeat a bunch of other
memory protections in place a la exploiting a regular buffer overflow.
I think what Bart may have been referencing is the fact that some object
oriented languages like Python and Java return references to their
returned objects, which allows one to do stuff like " blahblah
".trim().replace('blah','derp') and get "derpderp" returned.
This could in some languages (Java) lead to the same assortment of
vulnerabilities classified as "trusted method chaining" that allows one to
get a reference to a trusted function or object, but the security model of
Java is completely different than all other object-oriented languages which
means all functions in non-Java are "safe". Long story short, there's no
real way to "accidentally" include a file other than the known LFI vectors.
Sorry for the rambles, just thought I'd throw my $.02 in :)
Ryan
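The thread keeps coming back to the same point: in PHP the damage comes from what the script includes, not from which built-in functions happen to exist. The following is an added example (not code from any poster) showing the unsafe `include` pattern next to an allow-listed version that also verifies the resolved path stays inside the template directory. The `resolve_page()` helper, the page names and the directory layout are assumptions made for the example.

```php
<?php
// Added example, not from the mailing list thread.
// Assumes page templates live in a single directory and the request
// carries ?page=<name>; the page names below are made up for the demo.

// Vulnerable form: the include target comes straight from the request.
// Any readable file can be pulled in (the "file included a shell" case
// discussed above), and with allow_url_include on, a remote one too.
function render_page_unsafe(string $page): void
{
    include $page;
}

// Hardened form: accept only names from a fixed allow-list, then check
// that the real path of the resolved file is still under $baseDir.
function resolve_page(string $page, string $baseDir): ?string
{
    static $allowed = ['home', 'about', 'contact']; // assumed page names
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $target === false) {
        return null; // directory or template missing
    }
    // realpath() has already collapsed ../ and symlinks, so a plain
    // prefix comparison is meaningful here.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function render_page(string $page, string $baseDir): void
{
    $target = resolve_page($page, $baseDir);
    if ($target === null) {
        http_response_code(404);
        echo "No such page\n";
        return;
    }
    include $target;
}

// Self-contained check: build a throwaway template directory so the
// example runs offline, then exercise the resolver with a few inputs.
$tmp = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($tmp);
file_put_contents($tmp . '/home.php', "<?php echo \"home page\\n\";\n");

$cases = [
    'home'              => 'accepted (on the allow-list, inside base dir)',
    'about'             => 'rejected (allowed name, but template file is absent)',
    '../../etc/passwd'  => 'rejected (not on the allow-list)',
    'home/../../x'      => 'rejected (not on the allow-list)',
];
foreach ($cases as $input => $expected) {
    $result = resolve_page($input, $tmp);
    printf("%-20s -> %s  [%s]\n", $input, $result ?? 'null', $expected);
}

render_page('home', $tmp);

unlink($tmp . '/home.php');
rmdir($tmp);
```

The allow-list is what actually closes the inclusion vector; the `realpath()` prefix check is a second layer that still holds if someone later loosens the list or builds the path from more than one request parameter.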
On Sep 10, 2013 10:53 PM, "allison nixon" <[email protected]> wrote:
> By the way, if you did use file inclusion in order to abuse vulnerable php
> functions, would it have gained you any more access than if you just file
> included a shell?
>
>
> On Tue, Sep 10, 2013 at 4:28 AM, Robin Wood <[email protected]> wrote:
>
>>
>>
>>
>> On 8 September 2013 19:47, Dancing Dan <[email protected]> wrote:
>>
>>> I haven't looked at PHP internals but, some languages create functions
>>> as extensions of other functions as a form of code reuse. This could lead
>>> to unexpected file inclusion.
>>>
>>> Does anybody know if PHP does that?
>>>
>>
>> Do you mean one function internally calls another, for example a string
>> compare ignoring case will call the generic string compare but pass in the
>> ignore case flag?
>>
>> I've no idea if PHP does this but would be interested to find out and if
>> it does to get a list of what calls what.
>>
>> Robin
>>
>>
>>> Bart
>>> On Sep 8, 2013 1:39 PM, "Robin Wood" <[email protected]> wrote:
>>>
>>>>
>>>> On 8 Sep 2013 19:01, "Jim Halfpenny" <[email protected]> wrote:
>>>> >
>>>> > In short no. Take a look at file inclusion vulnerabilities.
>>>> >
>>>> > http://en.m.wikipedia.org/wiki/File_inclusion_vulnerability
>>>>
>>>> If you are suggesting include in a file which uses a vulnerable
>>>> function then your answer is actually yes.
>>>>
>>>> Robin
>>>>
>>>> > Regards
>>>> > Jim
>>>> >
>>>> > On 8 Sep 2013 04:40, "Sean McCormick" <[email protected]>
>>>> wrote:
>>>> >>
>>>> >> If a website is running a version of php with vulnerable functions
>>>> does the function have to be used in a script in order to exploit the
>>>> vulnerability?
>>>> >>
>>>> >>
>>>> >> _______________________________________________
>>>> >> Pauldotcom mailing list
>>>> >> [email protected]
>>>> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>> >> Main Web Site: http://pauldotcom.com
>>>> >
>>>> >
>>>>
>>>>
>>>
>>>
>>
>>
>>
>
>
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
>
>