Achim,

On Mon, Dec 29, 2008 at 5:03 AM, Achim Hoffmann <a...@securenet.de> wrote:
>
> !! a web application, the vulnerability was the classic
> !! index.php?filename=/etc/passwd that lets you read the content of any
>
> !! attack.localFileReader: basically you only have one command, "cat",
> !! which allows you to print the content of a file using a local file
>
> Andres,
> unless I missed something in your description, you found a local file
> include vulnerability (which may be just an information leakage also,
> but that doesn't matter here:)

It's actually a local file READ vulnerability. The code looks like this:

    <? file_get_contents( $_GET['filename'] ) ?>

Not like this:

    <? require_once( $_GET['filename'] ) ?>

> and then you use "cat" which requires
> a command injection vulnerability.
> Could you please explain how that works?

I said "cat", not cat ;) What I can do is read files, which is "by definition" what can be done with the vulnerability.

> !! Can you think about other interesting techniques that can be
> !! applied to this vulnerability in order to gain more information about
> !! the target server? Thanks for your input!
>
> index.cgi?filename=../../../../../../../../proc/self/cmdline
>
> this always works if the vulnerability is there (missing data validation)
> and the web server is not jailed.
> It also works on some common *nix (all Linux, some Solaris, ...) and
> gives you all interesting data where to search further.

Nice trick! I'll add it! Thanks!

> {-: Achim

--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework

------------------------------------------------------------------------------
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
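An added example, not part of the thread or of w3af: the defensive counterpart to the `file_get_contents( $_GET['filename'] )` pattern discussed above, written in Python. The requested name is confined to a fixed document root (symlinks resolved), so the classic `/etc/passwd`, the `../../../../proc/self/cmdline` traversal and a symlink pointing outside the root are all refused while a normal relative name is served. The document root, its files and the `resolve_confined`/`read_confined` names are a constructed fixture, not anything from the thread.

```python
import os
import tempfile
from pathlib import Path


class PathEscape(ValueError):
    """Raised when a requested name resolves outside the document root."""


def resolve_confined(root: Path, requested: str) -> Path:
    """Map an untrusted `filename` parameter to a path inside `root`.

    Joining with an absolute `requested` discards `root` entirely (the
    /etc/passwd case), and `..` segments walk out of it (the
    /proc/self/cmdline case); resolve() follows symlinks and collapses
    `..`, and is_relative_to() then enforces the boundary on the result.
    """
    if "\x00" in requested:
        raise PathEscape("NUL byte in filename")
    root = root.resolve()
    candidate = (root / requested).resolve()
    if not candidate.is_relative_to(root):
        raise PathEscape(f"{requested!r} escapes the document root")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def read_confined(root: Path, requested: str) -> bytes:
    """Safe equivalent of file_get_contents($_GET['filename'])."""
    return resolve_confined(root, requested).read_bytes()


def demo() -> dict:
    """Build a constructed document root, then try the thread's two
    payloads, a symlink escape and a legitimate request."""
    root = Path(tempfile.mkdtemp())                 # constructed fixture
    (root / "docs").mkdir()
    (root / "docs" / "readme.txt").write_text("hello\n")
    os.symlink("/etc/passwd", root / "docs" / "link")  # symlink out of root
    results = {}
    for name in ("docs/readme.txt", "/etc/passwd",
                 "../../../../../../../../proc/self/cmdline", "docs/link"):
        try:
            results[name] = read_confined(root, name)
        except PathEscape:
            results[name] = "refused"
    return results
```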