开发者

how to exploit vulnerability of php?

开发者 https://www.devze.com 2022-12-24 09:08 出处:网络
I have never seen a buffer overflow exploit in live action. Suppose I found a server that seems to have vulnerabilities. Where can I get p开发者_JAVA百科roof of the concept code preferably in c/c++ to

I have never seen a buffer overflow exploit in live action. Suppose I found a server that seems to have vulnerabilities. Where can I get p开发者_JAVA百科roof of the concept code preferably in c/c++ to exploit the vulnerability? eg I found this vulnerability

Multiple directory traversal vulnerabilities in 
    functions such as 'posix_access()', 'chdir()', 'ftok()'
    may allow a remote attacker to bypass 'safe_mode' 
    restrictions. (CVE-2008-2665 and CVE-2008-2666).  

How can I get proof of concept code for educational purposes

PS I am a student and my only desire is to learn


I believe you have somewhat failed to understand the nature of the directory traversal bug.

safe_mode in PHP means that only local filepaths are allowed to be open, rather than allowing any recognizeable protocol such as for example http:// paths. The safe_mode check that verifies wether or not the path is a local file can be tricked to accept HTTP URLs (and other protocols) and wrongfully identifying them as local paths, there by allowing a range of security holes depending on the exact implementation (but remote code inclusion or XSS attacks are what comes to mind).

In general you use PHP scripts to exploit PHP bugs, since the bugs are actually in the interpreter. A buffer overflow can't really occur in your PHP code, but rather in some specific function of the PHP compiler and to exploit it you need to either find a script that calls that function with a user supplied argument (i.e. browse through popular open source software) or simple create your own intentional exploit script and upload to the location you wish to exploit, for example your webhosting provider.

When it comes to bugs in the PHP interpreter it's essentially the webserver/PHP module you're exploiting via PHP function calls, not through written exploits (unless they are simply applications doing HTTP requests to the PHP site).

0

精彩评论

暂无评论...
验证码 换一张
取 消