Sunday, March 6, 2011

Hello again ... it has been a long time since I wrote anything. I got a bit busy with classes, work, and other things ... LimaHack xD. But now that finals are over I have more time to write :)
This time I want to tell you about some vulnerabilities that I found at other universities, to show that our university has its holes ... but it is not the only one. The first one is the site of a well-known free software community (and not San Marcux xD). This page is built with Joomla and has a component called "com_myfiles" installed to handle file downloads. Searching exploit-db, I found that this component is vulnerable to LFI. So we can do some things ;)
Attack ...!
An LFI (Local File Inclusion) is a vulnerability that lets us make a running PHP script include, and therefore execute, another PHP script. It happens when require, require_once, include or include_once receive as their parameter a variable that the user can manipulate. With it we can execute arbitrary code on the server, or at least read the contents of some files on the server.
Here is what the inclusion of a variable sent via GET looks like. I censored the parts where the name, logo or initials of the university appear, heeding the advice of good friends ;)


Fig. 1 - Error in function require_once () .

The function used is require_once, and it throws an error telling us that the file "algo.php" apparently does not exist. Well, let's ask for a file that does exist.



Fig. 2 - A list of system users.
With successive "../" we climbed up the directory tree to the root, then asked for /etc/passwd, which contains information about the system's users, and finally neutralized the ".php" extension that the script concatenates at the end by terminating the string with the "%00" character.
The result is that we get a list of all the system users :)
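As an added illustration of the two passages above (the include of a user-controlled variable, and the "../" plus "%00" trick), here is the vulnerable pattern beside a hardened version. This is example code written for this post, not code from the post, from Joomla or from the com_myfiles component; the parameter name `file`, the `pages/` directory and the allowlist entries are assumptions.

```php
<?php
// Added example, not the post's or the component's code.
// The parameter name, directory layout and allowlist are assumptions.

// VULNERABLE: the include path is built from user input. "../" climbs
// out of the intended directory, and on old PHP versions (before 5.3.4)
// a "%00" in the request truncates the string so the ".php" suffix is
// never applied, which is exactly how /etc/passwd gets read.
function vulnerable_include(string $page): void
{
    require_once $page . '.php';
}

// HARDENED: never build an include path from raw input. Map the request
// onto a fixed allowlist of files the application actually serves.
const ALLOWED_PAGES = [
    'home'     => 'home.php',
    'download' => 'download.php',
];

function safe_include(string $page): void
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        http_response_code(404);
        exit('Unknown page');
    }
    require_once __DIR__ . '/pages/' . ALLOWED_PAGES[$page];
}

// Defence in depth when an allowlist is not possible (for example when
// the files come from uploads): confine the resolved path to a base
// directory. Returns the real path, or null if the name is rejected.
function safe_path(string $baseDir, string $name): ?string
{
    // Reject null bytes and anything that is not a plain file name.
    if (strpos($name, "\0") !== false || $name !== basename($name)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves "..", symlinks and returns false if the file
    // is absent, so a result outside $base means traversal was attempted.
    if ($base === false || $full === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Usage inside a request handler (not executed here):
//   safe_include($_GET['file'] ?? 'home');
//   $path = safe_path(__DIR__ . '/uploads', $_GET['doc'] ?? '');
```

The allowlist is the real fix: the request selects a key, never a path, so neither "../" nor a null byte has anything to act on. The `safe_path()` helper is only a second line of defence for cases where the file set is not known in advance, and it still refuses any name that is not a bare file name inside the base directory.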


To get the server to execute code by exploiting this vulnerability, we must first manage to inject the code we want to run into a file on the server. How can we achieve that? Some ways are:

Using the Apache logs, or those of any other public service that saves logs.

Using the temporary files where PHP saves the value of the cookies.

If the page is also vulnerable to SQLi, trying to create a file containing the code using INTO OUTFILE.



Greetings, and until next time ...
