Comments on: Local File Inclusion with Magic_quotes_gpc enabled http://www.notsosecure.com/folder2/2010/02/02/local-file-inclusion-with-magic_quotes_gpc-enabled/ From Pentesters To Pentesters Thu, 08 Jul 2010 02:17:27 +0100 http://wordpress.org/?v=2.8.4 hourly 1 By: 7b-ly.com http://www.notsosecure.com/folder2/2010/02/02/local-file-inclusion-with-magic_quotes_gpc-enabled/comment-page-1/#comment-96702 7b-ly.com Mon, 24 May 2010 20:42:14 +0000 http://www.notsosecure.com/folder2/?p=347#comment-96702 i did try whit etc/passwd%00 but that does not work any ideal ? i did try whit etc/passwd%00
but that does not work
any ideal ?

]]> By: Week 5 in Review | Infosec Events http://www.notsosecure.com/folder2/2010/02/02/local-file-inclusion-with-magic_quotes_gpc-enabled/comment-page-1/#comment-94604 Week 5 in Review | Infosec Events Mon, 08 Feb 2010 14:28:19 +0000 http://www.notsosecure.com/folder2/?p=347#comment-94604 [...] Local File Inclusion with Magic_quotes_gpc enabled – notsosecure.com Penetration using magic_quote_gpc and PHP [...] [...] Local File Inclusion with Magic_quotes_gpc enabled – notsosecure.com Penetration using magic_quote_gpc and PHP [...]

]]> By: kuza55 http://www.notsosecure.com/folder2/2010/02/02/local-file-inclusion-with-magic_quotes_gpc-enabled/comment-page-1/#comment-94376 kuza55 Wed, 03 Feb 2010 06:16:38 +0000 http://www.notsosecure.com/folder2/?p=347#comment-94376 Similar stuff is possible on linux: http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/ Similar stuff is possible on linux: http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/

]]> By: sid http://www.notsosecure.com/folder2/2010/02/02/local-file-inclusion-with-magic_quotes_gpc-enabled/comment-page-1/#comment-94331 sid Tue, 02 Feb 2010 16:16:13 +0000 http://www.notsosecure.com/folder2/?p=347#comment-94331 Hi skully, please see the update, you dont need magic quote at all. I managed to make so many mistakes in a small blog post :( Hi skully, please see the update, you dont need magic quote at all. I managed to make so many mistakes in a small blog post :(

]]> By: skully http://www.notsosecure.com/folder2/2010/02/02/local-file-inclusion-with-magic_quotes_gpc-enabled/comment-page-1/#comment-94329 skully Tue, 02 Feb 2010 16:07:27 +0000 http://www.notsosecure.com/folder2/?p=347#comment-94329 Hi, Very interesting only I am not able to reproduce it. I tested from 100 to > 4096 dots, this does not disable the NULL byte from being escaped. You say you tested on WAMP ? ie: Windows ? How can /etc/passwd work on windows ? I tried in windows also, and it failed. Could you please explain or give poc code ? Thanks Hi,
Very interesting only I am not able to reproduce it. I tested from 100 to > 4096 dots, this does not disable the NULL byte from being escaped.

You say you tested on WAMP ? ie: Windows ? How can /etc/passwd work on windows ?

I tried in windows also, and it failed. Could you please explain or give poc code ?

Thanks

]]> By: sid http://www.notsosecure.com/folder2/2010/02/02/local-file-inclusion-with-magic_quotes_gpc-enabled/comment-page-1/#comment-94321 sid Tue, 02 Feb 2010 12:18:38 +0000 http://www.notsosecure.com/folder2/?p=347#comment-94321 Hi Bogan, i have only tested it on windows, while the backslash(\) will get escaped by magic quote the forward slash will not be escaped, so that explains why it will only work if include is relational in windows. <del datetime="2010-02-02T12:39:39+00:00">I can confirm that in my windows setup, it worked with null byte</del>. As you pointed out, it doesn't work with null byte and the null byte is actually not required. Hi Bogan,

i have only tested it on windows, while the backslash(\) will get escaped by magic quote the forward slash will not be escaped, so that explains why it will only work if include is relational in windows.

I can confirm that in my windows setup, it worked with null byte. As you pointed out, it doesn’t work with null byte and the null byte is actually not required.

]]> By: Bogdan Calin http://www.notsosecure.com/folder2/2010/02/02/local-file-inclusion-with-magic_quotes_gpc-enabled/comment-page-1/#comment-94320 Bogdan Calin Tue, 02 Feb 2010 12:13:04 +0000 http://www.notsosecure.com/folder2/?p=347#comment-94320 No, it's not about the null byte. It works like this vuln.php?page=../../../../../etc/passwd....(lots of dots). With the null byte it doesn't work. It only works on Windows AND it only works if the include is relative. If you have something like: include "d:\\xampp\\htdocs\\test\\" . $_GET['i'] . ".txt"; it doesn't work. No, it’s not about the null byte. It works like this vuln.php?page=../../../../../etc/passwd….(lots of dots). With the null byte it doesn’t work.

It only works on Windows AND it only works if the include is relative.

If you have something like:
include “d:\\xampp\\htdocs\\test\\” . $_GET['i'] . “.txt”; it doesn’t work.

]]> By: s3th http://www.notsosecure.com/folder2/2010/02/02/local-file-inclusion-with-magic_quotes_gpc-enabled/comment-page-1/#comment-94319 s3th Tue, 02 Feb 2010 12:04:35 +0000 http://www.notsosecure.com/folder2/?p=347#comment-94319 i wanna see a printscreen :) i wanna see a printscreen :)

]]> By: Bernardo http://www.notsosecure.com/folder2/2010/02/02/local-file-inclusion-with-magic_quotes_gpc-enabled/comment-page-1/#comment-94318 Bernardo Tue, 02 Feb 2010 11:45:39 +0000 http://www.notsosecure.com/folder2/?p=347#comment-94318 Good one Sid! Good one Sid!

]]>