
- any.phP
- any.php
- any.ph<
- any.ph>
Let’s consider a real situation to clearly understand the value of this method. Suppose we have a web application as full of holes and flaws as a colander. SQL injection allows us to get the admin password hashes, and we then recover the passwords, but here’s the bad luck: we are unable to find the admin page :(. There is SQLi, but we cannot access the site's file system. There is LFI, but we have nothing to include :((. In this situation the method described here can help!
We use include:
http://site/?file=a<\<.php
http://site/?file=b<\<.php
http://site/?file=c<\<.php
...
And continue until we find something useful. For example, we find "useful" on "http://site/?file=m<\<.php". Then we start to brute-force the 2nd character:
http://site/?file=ma<\<.php
http://site/?file=mb<\<.php
... and so on.
For this example, "myAdminPanel\admin.php" is a possible result.
Please note that this example is just a special case. This PHP feature can be used much more widely! I also want to add that this method is applicable to all versions of PHP, and on Windows-based systems only.
The original is available here: http://onsec.ru/onsec.whitepaper-02.eng.pdf
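For defenders, the enumeration described above leaves a recognisable trace in access logs: one client sending many requests whose file parameter contains `<` or `>`. The following is an added example, not code from the original post; the log format, the sample lines, the watched parameter name `file` (taken from the URLs above) and the threshold of three distinct probes are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Characters the post shows PHP on Windows treating as filename wildcards.
WILDCARDS = set("<>")
# Assumption: query parameters that end up in include()/file functions.
FILE_PARAMS = {"file"}

# Constructed sample lines in common log format; not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2011:13:55:01 +0000] "GET /?file=a%3C%5C%3C.php HTTP/1.1" 200 312
203.0.113.7 - - [10/Oct/2011:13:55:02 +0000] "GET /?file=b%3C%5C%3C.php HTTP/1.1" 200 312
203.0.113.7 - - [10/Oct/2011:13:55:03 +0000] "GET /?file=m<\\<.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Oct/2011:13:55:04 +0000] "GET /?file=ma%3C%5C%3C.php HTTP/1.1" 200 312
198.51.100.4 - - [10/Oct/2011:13:56:10 +0000] "GET /?file=news.php HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2011:13:56:12 +0000] "GET /search?q=a+%3C+b HTTP/1.1" 200 900
""".splitlines()

# Client address, then the request target inside the quoted request line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def wildcard_probes(lines, params=FILE_PARAMS):
    """Yield (client_ip, decoded_value) for watched parameters containing < or >."""
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # parse_qsl percent-decodes, so raw and encoded forms are both caught.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if name in params and WILDCARDS & set(value):
                yield ip, value

def enumerating_clients(lines, min_probes=3):
    """Return {ip: sorted distinct wildcard values} for clients at or above the threshold."""
    seen = defaultdict(set)
    for ip, value in wildcard_probes(lines):
        seen[ip].add(value)
    return {ip: sorted(v) for ip, v in seen.items() if len(v) >= min_probes}

if __name__ == "__main__":
    for ip, values in enumerating_clients(SAMPLE_LOG).items():
        print(ip, values)
```

Restricting the check to parameters that reach file functions keeps ordinary input such as the `/search?q=a < b` request from being flagged.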