On 12 September 2013 04:21, Sean McCormick <[email protected]> wrote:
> Thanks for all the feedback.
>
> If I understand the remote file inclusion vulnerability correctly this has
> more to do with improper data validation than a vulnerability in a PHP
> function. So in order to exploit a vulnerable PHP function in this manner
> the script would also have to be missing proper data validation, which
> would give you more to play with besides the PHP function correct?
>

That is correct. You would use the ?FI to bring in a file that used the
vulnerable function.

Robin

> On Wed, Sep 11, 2013 at 2:37 AM, Robin Wood <[email protected]> wrote:
>
>> On 11 Sep 2013 06:53, "allison nixon" <[email protected]> wrote:
>> >
>> > By the way, if you did use file inclusion in order to abuse vulnerable
>> > php functions, would it have gained you any more access than if you just
>> > file included a shell?
>> >
>>
>> It would depend on what level of access the exploit got you. On a
>> standard Linux install your shell would be a low privilege user such as
>> apache but the exploit may get you directly through to root.
>>
>> I've not investigated web shells in any depth but something I've never
>> seen is one with all the exploits built in. You could code it to check the
>> php version then execute the appropriate function.
>>
>> Robin
>>
>> > On Tue, Sep 10, 2013 at 4:28 AM, Robin Wood <[email protected]> wrote:
>> >>
>> >> On 8 September 2013 19:47, Dancing Dan <[email protected]> wrote:
>> >>>
>> >>> I haven't looked at PHP internals but, some languages create
>> >>> functions as extensions of other functions as a form of code reuse. This
>> >>> could lead to unexpected file inclusion.
>> >>>
>> >>> Does anybody know if PHP does that?
>> >>
>> >> Do you mean one function internally calls another, for example a
>> >> string compare ignoring case will call the generic string compare but pass
>> >> in the ignore case flag?
>> >>
>> >> I've no idea if PHP does this but would be interested to find out and
>> >> if it does to get a list of what calls what.
>> >>
>> >> Robin
>> >>
>> >>>
>> >>> Bart
>> >>>
>> >>> On Sep 8, 2013 1:39 PM, "Robin Wood" <[email protected]> wrote:
>> >>>>
>> >>>> On 8 Sep 2013 19:01, "Jim Halfpenny" <[email protected]> wrote:
>> >>>> >
>> >>>> > In short no. Take a look at file inclusion vulnerabilities.
>> >>>> >
>> >>>> > http://en.m.wikipedia.org/wiki/File_inclusion_vulnerability
>> >>>>
>> >>>> If you are suggesting include in a file which uses a vulnerable
>> >>>> function then your answer is actually yes.
>> >>>>
>> >>>> Robin
>> >>>>
>> >>>> > Regards
>> >>>> > Jim
>> >>>> >
>> >>>> > On 8 Sep 2013 04:40, "Sean McCormick" <[email protected]> wrote:
>> >>>> >>
>> >>>> >> If a website is running a version of php with vulnerable
>> >>>> >> functions does the function have to be used in a script in order to exploit
>> >>>> >> the vulnerability?
>> >
>> > --
>> > _________________________________
>> > Note to self: Pillage BEFORE burning.
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
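
The point the thread settles on, that file inclusion comes from a script handing unvalidated request data to include, shown here as an added example that is not part of the original thread: the vulnerable pattern in a comment beside an allowlist-based replacement. PAGES, resolvePage() and the demo directory are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example; PAGES, resolvePage() and the demo directory are hypothetical.

// Pattern under discussion: the request value reaches include unvalidated,
// so whoever sends the request chooses which file PHP parses and runs.
//   include $_GET['page'] . '.php';

// Hardened form: the request value is only a key into a fixed map.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolvePage(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                    // unknown key: nothing is included
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // realpath() returns false for a missing file and resolves symlinks and
    // "..", so the prefix test confirms the file really sits under $baseDir.
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo directory: home.php exists, contact.php does not.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fi_demo_' . getmypid();
is_dir($dir) || mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', '<?php echo "home";');

// Constructed sample request values: one valid key, one key whose file is
// missing, one path-shaped value and one URL-shaped value.
$samples = ['home', 'contact', '../../etc/passwd', 'http://example.invalid/x'];
foreach ($samples as $value) {
    $path = resolvePage($value, $dir);
    echo str_pad($value, 28), $path === null ? 'rejected' : "include $path", PHP_EOL;
}
```

Setting allow_url_include = Off in php.ini (the default since PHP 5.2) blocks only the remote case; local inclusion still needs validation of the kind shown here.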
