Thanks for all the feedback. If I understand the remote file inclusion vulnerability correctly, this has more to do with improper data validation than a vulnerability in a PHP function. So in order to exploit a vulnerable PHP function in this manner, the script would also have to be missing proper data validation, which would give you more to play with besides the PHP function, correct?

On Wed, Sep 11, 2013 at 2:37 AM, Robin Wood <[email protected]> wrote:
>
> On 11 Sep 2013 06:53, "allison nixon" <[email protected]> wrote:
> >
> > By the way, if you did use file inclusion in order to abuse vulnerable
> > php functions, would it have gained you any more access than if you just
> > file included a shell?
> >
>
> It would depend on what level of access the exploit got you. On a standard
> Linux install your shell would be a low privilege user such as apache but
> the exploit may get you directly through to root.
>
> I've not investigated web shells in any depth but something I've never
> seen is one with all the exploits built in. You could code it to check the
> php version then execute the appropriate function.
>
> Robin
>
> > On Tue, Sep 10, 2013 at 4:28 AM, Robin Wood <[email protected]> wrote:
> >>
> >> On 8 September 2013 19:47, Dancing Dan <[email protected]> wrote:
> >>>
> >>> I haven't looked at PHP internals but, some languages create functions
> >>> as extensions of other functions as a form of code reuse. This could lead
> >>> to unexpected file inclusion.
> >>>
> >>> Does anybody know if PHP does that?
> >>
> >> Do you mean one function internally calls another, for example a string
> >> compare ignoring case will call the generic string compare but pass in the
> >> ignore case flag?
> >>
> >> I've no idea if PHP does this but would be interested to find out and
> >> if it does to get a list of what calls what.
> >>
> >> Robin
> >>
> >>> Bart
> >>>
> >>> On Sep 8, 2013 1:39 PM, "Robin Wood" <[email protected]> wrote:
> >>>>
> >>>> On 8 Sep 2013 19:01, "Jim Halfpenny" <[email protected]> wrote:
> >>>> >
> >>>> > In short no. Take a look at file inclusion vulnerabilities.
> >>>> >
> >>>> > http://en.m.wikipedia.org/wiki/File_inclusion_vulnerability
> >>>>
> >>>> If you are suggesting include in a file which uses a vulnerable
> >>>> function then your answer is actually yes.
> >>>>
> >>>> Robin
> >>>>
> >>>> > Regards
> >>>> > Jim
> >>>> >
> >>>> > On 8 Sep 2013 04:40, "Sean McCormick" <[email protected]> wrote:
> >>>> >>
> >>>> >> If a website is running a version of php with vulnerable functions
> >>>> >> does the function have to be used in a script in order to exploit the
> >>>> >> vulnerability?
> >>>> >>
> >>>> >> _______________________________________________
> >>>> >> Pauldotcom mailing list
> >>>> >> [email protected]
> >>>> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >>>> >> Main Web Site: http://pauldotcom.com
> >
> > --
> > _________________________________
> > Note to self: Pillage BEFORE burning.
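
The data validation point raised in this thread, as an added example that is not part of the original messages: an include path is taken only from an allowlist, so a request value can select a page but never name a file or URL. The function name `resolve_page`, the `pages_demo` directory and the request values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Unsafe pattern the thread is describing (shown as a comment, never run):
//   include $_GET['page'] . '.php';
// There the request decides which file PHP executes.

/**
 * Map a request value to a file the application chose in advance.
 * Returns the absolute path to include, or null if the value is rejected.
 */
function resolve_page(string $requested, array $allowed, string $baseDir): ?string
{
    // Allowlist lookup: the request only selects a key, it never forms a path.
    if (!array_key_exists($requested, $allowed)) {
        return null;
    }
    // realpath() resolves symlinks and ".." and returns false for missing files.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: the resolved file must still sit under the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary pages directory holding one template.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo';
@mkdir($baseDir);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");
$allowed = ['home' => 'home.php'];

// Constructed request values: one legitimate, two that must be refused.
foreach (['home', '../../etc/passwd', 'http://example.invalid/x.txt'] as $value) {
    $path = resolve_page($value, $allowed, $baseDir);
    printf("%-30s => %s\n", $value, $path === null ? 'rejected' : 'include ' . $path);
}
```

Leaving `allow_url_include` set to Off in php.ini additionally stops `include` from fetching remote URLs even where a script lacks this check.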
