Beispiel #1
0
<!-- from http://hakipedia.com/index.php/Local_File_Inclusion -->
<?php 
include "../common/header.php";
?>

<?php 
hint("will include the arg specified in the POST parameter \"file\", strips prepended \"../\" strings, must encode / with %2f");
?>

<form action="/LFI-10/index.php" method="POST">
    <input type="text" name="file">
</form>

<?php 
$file = str_replace('../', '', $_POST['file']);
if (isset($file)) {
    include "pages/{$file}";
} else {
    include "index.php";
}
Beispiel #2
0
<?php

include "../common/header.php";
?>

<!-- from http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/ -->
<?php 
hint("will include the arg specified in the GET parameter \"file\", looks for .php at end - bypass by apending /. (slash plus dot)");
?>


<form action="/LFI-3/index.php" method="GET">
    <input type="text" name="file">
</form>


<?php 
if (substr($_POST['file'], -4, 4) != '.php') {
    echo file_get_contents($_POST['file']);
} else {
    echo 'You are not allowed to see source files!' . "\n";
}
?>

Beispiel #3
0
/**
 * Update Posted Log
 */
function update_log_form($mode)
{
    global $cfg, $lang, $row, $text_cols, $log_table;
    $row['id'] = htmlspecialchars($row['id']);
    $row['name'] = htmlspecialchars($row['name']);
    $row['href'] = htmlspecialchars($row['href']);
    $row['category'] = htmlspecialchars($row['category']);
    $row['comment'] = htmlspecialchars($row['comment']);
    $row['mod'] = htmlspecialchars($row['mod']);
    $row['ping_uri'] = htmlspecialchars($row['ping_uri']);
    if ($cfg['xml_lang'] == 'ja') {
        $input_check = 'inputCheck()';
        $confirm_delete = 'confirmDelete()';
    } else {
        $input_check = 'inputCheck_e()';
        $confirm_delete = 'confirmDelete_e()';
    }
    if ($cfg['trackback'] == 'on') {
        if ($row['ping_uri'] == '') {
            $ping_uri = 'http://';
        } else {
            $ping_uri = $row['ping_uri'];
        }
        $trackback_ping_form = <<<EOD
<p id="trackback-form">
<label for="send-ping-uri">{$lang['tb_sendurl']}:</label><br />
<input type="text" id="send-ping-uri" name="send_ping_uri" size="40" accesskey="z" tabindex="1" value="{$ping_uri}" class="bordered" />
<select name="encode" tabindex="1">
<option value="UTF-8" selected="selected">UTF-8</option>
<option value="EUC-JP">EUC-JP</option>
<option value="SJIS">Shift_JIS</option>
</select>
</p>
<p>
{$lang['send_update_ping']} : 
<input type="radio" tabindex="1" name="send_update_ping" value="no" checked="checked" />No
<input type="radio" tabindex="1" name="send_update_ping" value="yes" />Yes
</p>
EOD;
    } else {
        $trackback_ping_form = '';
    }
    if ($mode == 'draft') {
        $date = htmlspecialchars($row['date']);
        $dform = <<<EOD
<label for="date-and-time">{$lang['date_and_time']} :</label><br />
<input type="text" id="date-and-time" name="date" tabindex="1" value="{$date}" size="20" class="bordered" />
<input type="checkbox" id="custom-date" name="custom_date" tabindex="1" /><label for="custom-date">{$lang['use_custom_date']}</label><br />
EOD;
        $target = 'draft_updated';
        $draft_status = $lang['draft'];
        $no_change_mod_time = '';
        $make_private = '';
        $update_submit_title = $lang['draft_update'];
        $delete_submit_title = $lang['draft_destroy'];
    } else {
        $date = '';
        $dform = '';
        $target = 'updated';
        $draft_status = '';
        $no_change_mod_time = '<input type="checkbox" name="no_update_mod" tabindex="1" value="yes" checked="checked" /> ' . $lang['no_update_timestamp'];
        $make_private = '<p><input type="checkbox" name="private" tabindex="1" value="1" /> ' . $lang['make_private'] . '</p>';
        $update_submit_title = $lang['update'];
        $delete_submit_title = $lang['delete'];
    }
    // Set variables
    $id = $row['id'];
    $name = $row['name'];
    $href = $row['href'];
    $comment = $row['comment'];
    $mod = $row['mod'];
    $categories = add_categories();
    $tag_buttons = display_tag_buttons();
    $upload_file_form = display_upload_file_form();
    $hint = hint();
    $contents = <<<EOD
<div class="section">
<h2>{$draft_status} {$lang['update']} : {$lang['log']}ID {$id}</h2>
<div class="section">
<form id="addform" action="./{$target}.php" method="post" enctype="multipart/form-data">
<p>
{$dform}
<label for="article-title">{$lang['title']} :</label><br />
<input type="text" name="name" id="article-title" tabindex="1" value="{$name}" size="40" class="bordered" /><br />
<label for="article-title-uri">URI{$hint['href']} : </label><br />
<input type="text" name="href" id="article-title-uri" tabindex="1" value="{$href}" size="40" class="bordered" /><br />
</p>
{$categories}
<p>
<label for="comment">{$lang['comment']}{$hint['comment']} : </label><br />
{$tag_buttons}
<br />
<textarea id="comment" name="comment" tabindex="1" rows="20" cols="{$text_cols}" >{$comment}</textarea><br />
</p>
{$upload_file_form}
<p>
{$no_change_mod_time}
<input type="hidden" name="mod" value="{$mod}" />
</p>
{$make_private}{$trackback_ping_form}
<div class="submit-button">
<input type="hidden" name="id" value="{$id}" />
<input class="backbutton" tabindex="1" accesskey="u" type="submit" value="{$update_submit_title}" />
</div>
</form>
<form id="del" action="./delete.php" method="post" onsubmit="return {$confirm_delete}">
<div class="submit-button">
<input type="hidden" name="id" value="{$id}" />
<input tabindex="2" accesskey="d" type="submit" value="{$delete_submit_title}" />
</div>
</form>

</div><!-- End .section -->
</div><!-- End .section -->
EOD;
    return $contents;
}
Beispiel #4
0
<?php

include "../common/header.php";
?>

<!-- from http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/ -->

<?php 
hint("will include the arg specified in the POST parameter \"library\", appends .php to end, use null byte %00 to bypass");
?>


<form action="/LFI-7/index.php" method="POST">
    <input type="text" name="library">
</form>

<?php 
include "includes/" . $_POST['library'] . ".php";
?>

Beispiel #5
0
<?php

include "../common/header.php";
?>
<!-- from https://pentesterlab.com/exercises/php_include_and_post_exploitation/course -->
<?php 
hint("will exec 'whois' with the arg specified in the POST parameter \"domain\"");
?>

<form action="/CMD-4/index.php" method="POST">
    <input type="text" name="domain">
</form>

<pre>
<?php 
system("whois " . $_POST["domain"]);
?>
</pre>
Beispiel #6
0
        $extra = $q[ExtraGlad];
        $limitskl = $q[LimitSkl];
        print "<input id=GladLimit type=hidden value={$q['LimitGlad']}>";
        print "<input id=SklLimit type=hidden value={$q['LimitSkl']}>";
        print "<input id=Extra type=hidden value={$q['ExtraGlad']}>";
    } else {
        print "<input id=GladLimit type=hidden value=7>";
        print "<input id=SklLimit type=hidden value=0>";
        print "<input id=Extra type=hidden value=1>";
    }
    print "</table>";
    $sendData = $id ? "send_data(0,null,{$id},0)" : "open_saveDialog(true)";
    print "<div style='margin-top:10px;'><table border=0 bgcolor=78746C cellspacing=1 cellpadding=6><td bgcolor=#515E64><a href='javascript:{$sendData};' class='blue'><img src=\"/images/icons/save.gif\" width=16px height=14px border=0  align=\"absmiddle\"><b> " . message(175) . "</a></td></table></div>";
    //<table width=300px border=0 cellspacing=0 cellpadding=0><td></td></table>
    if ($form->hint) {
        print "<br><div>" . hint($form->hint, $form->pageid) . "</div>";
    }
    ?>

<script language="JavaScript">

<!-- www.cgi.ru -->

var up, down;

var min1, sec1;

var cmin, csec;

function Minutes(data) 
{ 
Beispiel #7
0
<!-- from http://hakipedia.com/index.php/Local_File_Inclusion -->
<?php 
include "../common/header.php";
?>

<?php 
hint("not everything you need to play with is in a text field");
?>

<form action="/LFI-11/index.php" method="POST">
    <input type="text" name="file">
    <input type="hidden" name="style" name="stylepath">
</form>

<?php 
include $_POST['stylepath'];
$file = str_replace('../', '', $_POST['file']);
if (isset($file)) {
    include "pages/{$file}";
} else {
    include "index.php";
}
<?php

$arr = array("Ane", "Ancient", "Arch", "Aventine", "Baths", "Beth", "Boih", "Campidoglio", "Capella", "Castel", "Hadrian", "Hotel");
$queryText = trim($_POST['query']);
if ($queryText == "") {
    echo "";
} else {
    $result = hint($queryText, $arr);
    echo implode(",", $result);
}
function hint($queryText, $arr)
{
    //截取数组里的每个字符串的前查询字符串的长度与查询字符串比较
    $temp = array();
    $strLen = strlen($queryText);
    for ($i = 0; $i < count($arr); $i++) {
        if (strtolower(substr($arr[$i], 0, $strLen)) === strtolower($queryText)) {
            array_push($temp, $arr[$i]);
        }
    }
    return $temp;
}
Beispiel #9
0
<?php

include "../common/header.php";
?>

<!-- from https://pentesterlab.com/exercises/php_include_and_post_exploitation/course -->

<?php 
hint("will include the arg specified in the POST parameter \"page\"");
?>


<form action="/LFI-6/index.php" method="POST">
    <input type="text" name="page">
</form>

<?php 
include $_POST["page"];
Beispiel #10
0
<?php

include "../common/header.php";
?>

<!-- from http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/ -->
<?php 
hint("will include the arg specified in the GET parameter \"class\", appends .php to end, defeat with NULL byte %00");
?>


<form action="/LFI-4/index.php" method="GET">
    <input type="text" name="class">
</form>

<?php 
include 'includes/class_' . addslashes($_GET['class']) . '.php';
?>

Beispiel #11
0
<?php

include "../common/header.php";
?>

<!-- from https://pentesterlab.com/exercises/php_include_and_post_exploitation/course -->
<?php 
hint("will exec the arg specified in the GET parameter \"cmd\"");
?>

<form action="/CMD-1/index.php" method="GET">
    <input type="text" name="cmd">
</form>

<?php 
system($_GET["cmd"]);
Beispiel #12
0
if (isset($_GET['edit']) && is_numeric($_GET['edit'])) {
    if (!isset($_SESSION['modify']) || $_SESSION['modify'] != $_GET['edit'] && !$admin) {
        hint('No privilege!');
        header('location: ' . URL . '?modify=' . $_GET['edit']);
    } else {
        $sth = $db->prepare('SELECT * FROM post WHERE id = ' . $_GET['edit']);
        $sth->execute();
        $sth->bindColumn('id', $id);
        $sth->bindColumn('author', $author);
        $sth->bindColumn('mail', $mail);
        $sth->bindColumn('title', $title);
        $sth->bindColumn('content', $content);
        $sth->bindColumn('homepage', $homepage);
        $sth->fetch();
        if (empty($id)) {
            hint('No Article No.' . $_GET['edit'] . ' !');
            header('location: ' . URL);
        } else {
            include 'template/' . TEMPLATE . '/header.tpl.php';
            include 'template/' . TEMPLATE . '/edit.tpl.php';
            include 'template/' . TEMPLATE . '/footer.tpl.php';
            unset($_SESSION['hint']);
        }
    }
    // close the database connection
    $db = NULL;
    exit;
}
// Admin Page
if (isset($_GET['admin'])) {
    include 'template/' . TEMPLATE . '/header.tpl.php';
Beispiel #13
0
<?php

include "../common/header.php";
?>
<!-- from https://www.owasp.org/index.php/Path_Traversal -->

<?php 
hint("will include the arg specified in the HTTP Cookie parameter \"TEMPLATE\"");
$template = 'blue.php';
if (array_key_exists($_COOKIE['TEMPLATE'])) {
    $template = $_COOKIE['TEMPLATE'];
}
include "/Users/josenazario/templates/" . $template;
Beispiel #14
0
<?php

include "../common/header.php";
?>
<!-- from https://pentesterlab.com/exercises/php_include_and_post_exploitation/course -->
<?php 
hint("not everything you need to inject is in a text input field ...");
?>

<form action="/CMD-6/index.php" method="POST">
    <input type="text" name="domain">
    <input type="hidden" name="server" value="whois.publicinterestregistry.net">
</form>

<pre>
<?php 
if (preg_match('/^[-a-z0-9]+\\.a[cdefgilmnoqrstuwxz]|b[abdefghijmnorstvwyz]|c[acdfghiklmnoruvxyz]|d[ejkmoz]|e[cegrstu]|f[ijkmor]|g[abdefghilmnpqrstuwy]|h[kmnrtu]|i[delmnoqrst]|j[emop]|k[eghimnprwyz]|l[abcikrstuvy]|m[acdeghklmnopqrstuvwxyz]|n[acefgilopruz]|om|p[aefghklmnrstwy]|qa|r[eosuw]|s[abcdeghijklmnortuvyz]|t[cdfghjklmnoprtvwz]|u[agksyz]|v[aceginu]|w[fs]|y[et]|z[amw]|biz|cat|com|edu|gov|int|mil|net|org|pro|tel|aero|arpa|asia|coop|info|jobs|mobi|name|museum|travel|arpa|xn--[a-z0-9]+$/', strtolower($_POST["domain"]))) {
    system("whois -h " . $_POST["server"] . " " . $_POST["domain"]);
} else {
    echo "malformed domain name";
}
?>
</pre>
Beispiel #15
0
            ?>
	</a></td>
<?php 
        }
        ?>
                    </tr>
                  </table>

<?php 
    }
}
?>

<br><?php 
if ($form->hint) {
    print hint($form->hint, $form->pageid, $form->name) . "<br>";
}
?>
				  </td><td width=30px>&nbsp;</td>
              </tr>
            </table>
       </td>
          <td>&nbsp;</td>
        </tr>
      </table></td>
  </tr>
  <tr>
    <td valign="top"><table width="100%" border="0" cellspacing="0" cellpadding="0">
        <tr>
          <td>&nbsp;</td>
          <td width="768"  class="bottom"><table width="100%" height="89" border="0" cellpadding="0" cellspacing="0">
Beispiel #16
0
<?php

include "../common/header.php";
?>
<!-- from http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/ -->

<?php 
hint("will include the arg specified in the GET parameter \"library\", appends .php to end, escape with NULL byte %00");
?>

<form action="/LFI-1/index.php" method="GET">
    <input type="text" name="library">
</form>

<?php 
include "includes/" . $_GET['library'] . ".php";
?>

Beispiel #17
0
<?php

if ($form->hint) {
    print "<br>" . hint($form->hint, $form->pageid) . "<br>";
}
print "<center><img src=\"/images/line-sep4.gif\" width=491 height=30><br><a href=\"{$PHP_SELF}?act=insert&type={$type}\" class=black>" . message(2) . "</a> |\n <a href=\"{$PHP_SELF}?type={$type}\"  class=black>" . message(3) . "</a>  |\n<a href=\"{$PHP_SELF}?type={$type}&act=create\"  class=black>" . message(6) . "</a>\n<br><img src=\"/images/line-sep4.gif\" width=491 height=30></center>";
print "</center><br>";
print "</table></td>";
print "</table></td><tr><td height=50px background=\"/images/admin-bottom-bg.gif\"></table>";
//drawfooter();
$db->close();
Beispiel #18
0
        } else {
            $rfp = fopen(stripslashes($target_file), "rb");
            $target_txt = @fread($rfp, filesize($target_file));
            flock($rfp, LOCK_SH);
            $file_txt = $target_txt;
            fputs($rfp, $target_txt);
            flock($rfp, LOCK_UN);
            fclose($rfp);
        }
    }
    if (isset($file_txt)) {
        $file_txt = htmlspecialchars($file_txt);
    } else {
        $file_txt = htmlspecialchars($lang['edit_file_default_msg']);
    }
    $hint = hint();
    ////////////////////////// PRESENTATION ////////////////////////////
    $contents = <<<EOD

<div class="section">
<h2>{$lang['system_admin']}</h2>
<ul class="flip-menu">
<li><a href="./admin_top.php">{$lang['sys_env']}</a></li>
<li><a href="./preferences.php">{$lang['preferences']}</a></li>
<li><span class="cur-tab">{$lang['edit_custom_file']}</span></li>
<li><a href="./db_status.php">{$lang['db_table_status']}</a></li>
</ul>
{$error_msg}
<form action="{$_SERVER['PHP_SELF']}" method="post">
<p>
<select name="load_file">