Thursday, January 13, 2011

PHP features in Windows operating system

Vladimir Vorontsov (aka d0znpp) has published rather interesting research on peculiarities of PHP's interaction with Windows. It started when the following ways of accessing a file were noticed to be equivalent:

  • any.phP
  • any.php
  • any.ph<
  • any.ph>

Let's consider a real situation to clearly understand the value of this method. Suppose we have a web application with as many holes and flaws as a colander. SQL injection lets us get the admin password hashes, and we recover the passwords, but here's bad luck: we cannot find the admin page :(. There's SQLi, but we cannot reach the site's file system. There's LFI, but we have nothing to include :((. In this situation the method described above can help!

We use the include:

http://site/?file=a<\<.php
http://site/?file=b<\<.php
http://site/?file=c<\<.php
...

And we continue until we find something useful. For example, we find something "useful" at "http://site/?file=m<\<.php". Then we start brute-forcing the 2nd character:

http://site/?file=ma<\<.php
http://site/?file=mb<\<.php
... and so on.

For this example, "myAdminPanel\admin.php" is a possible result.

Please note that this example is just a special case. This PHP feature can be used much more widely! I also want to add that this method applies to all versions of PHP, but on Windows-based systems only.
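A detection-side check, added here as an example and not part of Vorontsov's research or the original post: it scans web-server log lines for request parameters containing the Windows wildcard characters and counts the one-character-at-a-time burst the post describes. The log lines are constructed, and the log format, the `file` parameter name and the burst threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not real traffic), Apache common log style.
# The first four lines mimic the character-by-character probing from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2011:10:00:01 +0300] "GET /?file=a%3C%5C%3C.php HTTP/1.1" 200 512
10.0.0.5 - - [13/Jan/2011:10:00:02 +0300] "GET /?file=b%3C%5C%3C.php HTTP/1.1" 200 512
10.0.0.5 - - [13/Jan/2011:10:00:03 +0300] "GET /?file=m%3C%5C%3C.php HTTP/1.1" 200 2048
10.0.0.5 - - [13/Jan/2011:10:00:04 +0300] "GET /?file=ma%3C%5C%3C.php HTTP/1.1" 200 512
192.0.2.7 - - [13/Jan/2011:10:00:05 +0300] "GET /?file=about.php HTTP/1.1" 200 3000
192.0.2.8 - - [13/Jan/2011:10:00:06 +0300] "GET /?file=contact.php HTTP/1.1" 200 3000
"""

# Characters the Windows path layer treats as wildcards: < and > (as in the post),
# plus the ordinary * and ? and the double quote, which NT maps to a wildcard dot.
WILDCARD_RE = re.compile(r'[<>"*?]')

# Assumed log layout: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def suspicious_params(target):
    """Return (param, decoded value) pairs whose decoded value carries a wildcard."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):  # percent-decodes
        if WILDCARD_RE.search(value):
            hits.append((name, value))
    return hits


def scan_log(text, burst_threshold=3):
    """Flag each wildcard request and any source that repeats them past the threshold."""
    per_ip = Counter()
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        hits = suspicious_params(m['target'])
        if hits:
            per_ip[m['ip']] += 1
            findings.append((m['ip'], m['status'], hits))
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return {'findings': findings, 'bursts': bursts}
```

A web application firewall or the application itself can apply the same character check before passing a user-supplied name to `include`; on Windows hosts an allowlist of permitted names is the safer fix, since case folding and wildcard expansion happen below PHP.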

The origin is available here: http://onsec.ru/onsec.whitepaper-02.eng.pdf
