Holes in website's scripts

This article describes a few holes that newbies coding a PHP-based site can leave behind.

I was messing around with our website and found a major security hole in it. After "exploring" the internet I found a few other websites that were vulnerable to this, so I decided to write a little tutorial about it.

Introduction
The security of PHP/Perl/Java/ASP (or whatever) websites depends not only on the admin of the website but also on the coder who wrote the script for the site. Let's say that the coder left the root login/pass in the index.php page (it's only an example :). Then every ordinary web user can just view the source of this index.php page, see the root login/pass, and log in as root... So web scripts can sometimes reveal sensitive data or have holes in them, and this can lead to the site being compromised by a hacker.

In this file I will show you an example of a hole in a PHP script that was found in our website (www.cdpgroup.cjb.net), showing you how websites can be hacked using only the browser's address bar and the "view source" function.

 _______________________________________________________________
|To view the source in Internet Explorer/Opera: View --> Source |
|To view the source in Netscape: Edit --> Source                |
|_______________________________________________________________|

Part I
I was bored, so I just opened my browser and started looking at the source of our index.php file. I didn't know what I was looking for, and I was about to close the source window when I noticed this:

"controlpanel.php" is the members' website configuration file; when accessing it, members can add/change/delete content on the site such as news, posts etc.

The first idea was to type the file name in the address bar and just access it. Of course I was 99.9% sure that it wouldn't work, but I wanted to see how the server would respond. So I just typed:

www.cdpgroup.f2s.com/controlpanel.php

It showed me a blank PHP page. Nothing was there because the website's PHP script was configured so that "controlpanel.php" can be accessed only with a member's login/pass; otherwise it denies access. I continued exploring the website, entered the tutorials page and viewed one of the tutorials. This is what I saw in the address bar:

www.cdpgroup.f2s.com/tuts/index.php?file=./hackanon.html

The "file=" parameter tells the PHP script to read the "hackanon.html" file. The "." (dot) stands for the current directory and the "/" (slash) separates directories. So the $file parameter reads "hackanon.html" in the current directory (= www.cdpgroup.com/tuts/hackanon.html).

The "../" (dot-dot-slash) sign means one directory up (if "./" equals the current directory, then "../" equals one directory up). Here is an example of this in DOS and *nix so you will understand it better:

[x] DOS:

C:\drivers>dir

.            <---(dot)            21/04/01  19:14
..           <---(dot-dot)        21/04/01  19:14
Cool                              21/04/01  19:15
File.txt     23,045 bytes         22/04/01  14:32
     1 file(s)          23,045 bytes
     4 dir(s)      351,462,372 bytes free

C:\drivers>cd .
("." equals the current directory - you stay in
     the same directory after executing this
     "cd" command)

C:\drivers>cd ..
(".." equals one directory up - you go up one
     directory after executing this "cd" command)

C:\>

[x] *nix:

root@PrizHaCk:~/programs# pwd
/root/programs

root@PrizHaCk:~/programs# cd ..

root@PrizHaCk:~# pwd
/root

root@PrizHaCk:~# cd ..

root@PrizHaCk:/#

My goal was to access the "controlpanel.php" file without the password. So I typed this in the address bar:

www.cdpgroup.f2s.com/tuts/index.php?file=../controlpanel.php

And this gave me the controlpanel.php file without any login/pass, because the PHP script wasn't configured to deny access to the file through this method!

I saw there "add news", "delete news post", "delete forum posts" and other buttons. I wrote something in the "add news" section and clicked the "add news" button. It gave me a page with

"Error: Invalid Login name or password".

It still required a login/pass. But now that I had access to the "controlpanel.php" file, I could view its source code and look for bugs or anything else that might be useful. After looking through the whole source I noticed this:

<?php if($login=="hardw1r3" || $login=="aztek") { echo " <br>
<a href=\"controlpanel.php?login=$login&act=addlink\">Add Link</a>"; } ?>

Do you see it? If $login equals "hardw1r3" or "aztek" (now I knew the logins of those members) then it adds another option to the control panel, called "addlink". But it never checks a $pass parameter! That means the action can be reached without a password! So now I could act as aztek/hardw1r3 and add a link to the links page as them, just by entering this:

www.cdpgroup.f2s.com/controlpanel.php?login=aztek&act=addlink

or

www.cdpgroup.f2s.com/controlpanel.php?login=hardw1r3&act=addlink

I looked above and saw this:

...&act=poll">Change Poll
...&act=addnews">Add News
...&act=news">Delete News Posts
...&act=link">Change Link of the Week
...&act=forum">Delete Forum Posts

Now I could not only add a link but also change the poll, add/delete news, change the link of the week and delete forum posts, only by changing the "&act=" option. For example, if I wanted to change the poll as "aztek" I would enter this:

www.cdpgroup.f2s.com/controlpanel.php?login=aztek&act=poll
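The root cause above is that controlpanel.php trusts the "login" value in the URL and never requires a password for the "act=" branches. The following is an added example (not the original site's code) of how the action dispatch should be gated: identity comes from a server-side session that is only created after password verification, and every action, "addlink" included, is checked against it. The member names are the ones quoted above; the password store, the session handling and the action list are assumptions.

```php
<?php
// Added example, not the original controlpanel.php. Demonstrates gating every
// "act=" branch behind an authenticated session instead of a "login=" URL value.
session_start();

// Assumed member store: login => password hash made with password_hash().
// For this self-contained example the hashes are generated at startup; a real
// site keeps them in a file outside the web root, never in a GET parameter.
function member_hashes(): array
{
    return [
        'aztek'    => password_hash('placeholder-aztek-pw', PASSWORD_DEFAULT),
        'hardw1r3' => password_hash('placeholder-hardw1r3-pw', PASSWORD_DEFAULT),
    ];
}

// Called from the login form (POST). On success the member's identity lives in
// the server-side session, so it cannot be chosen by editing the address bar.
function login(array $hashes, string $login, string $pass): bool
{
    if (!isset($hashes[$login]) || !password_verify($pass, $hashes[$login])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['member'] = $login;
    return true;
}

// Every action goes through here: no session, no action (the check the page
// says was missing for "addlink").
function handle_action(string $act): string
{
    $member = $_SESSION['member'] ?? null;
    if ($member === null) {
        http_response_code(403);
        return 'Error: Invalid Login name or password';
    }
    $allowed = ['poll', 'addnews', 'news', 'link', 'forum'];
    if ($member === 'hardw1r3' || $member === 'aztek') {
        $allowed[] = 'addlink';   // extra option, but only after authentication
    }
    if (!in_array($act, $allowed, true)) {
        http_response_code(403);
        return 'Error: action not permitted';
    }
    return "Running '" . htmlspecialchars($act) . "' as " . htmlspecialchars($member);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['login'], $_POST['pass'])) {
    login(member_hashes(), (string) $_POST['login'], (string) $_POST['pass']);
}
echo handle_action((string) ($_GET['act'] ?? ''));
```

With this structure a request such as controlpanel.php?login=aztek&act=addlink without a prior login gets the 403 error, because the "login" parameter is simply never read.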

So now I could abuse the site, but because of my honest conscience I didn't do that. ;-)

Part II
I accessed the "controlpanel.php" file with this URL:

www.cdpgroup.f2s.com/tuts/index.php?file=../controlpanel.php

Now, by changing the path I could access all the files on the site, because the script wasn't configured to deny access to files requested with "file=../" (one directory up). I could access any of the files on the site just by using this URL:

www.cdpgroup.f2s.com/tuts/index.php?file=../XXXXXXXX/XXXXXX

The x's represent any file on the site that I want to view. But now I needed the exact paths and names of the files so I could view them. I viewed the source of the "controlpanel.php" file and looked for file names; one of the most interesting files that attracted my attention was "/config/passwords/members.config.php" - that file stores all the members' passwords! I just typed this in the address bar to view the file:

www.cdpgroup.f2s.com/tuts/index.php?file=../config/passwords/members.config.php

And I had all the members' logins and passwords! I could log in as any of the members and change posts/news/links, and I could access any file I wanted and see its source.

After a little checking I found a few websites that were vulnerable to this too; the only difference was that the name of the parameter used by the reading command ("file=") was different on every site.
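Both Part I and Part II come down to the same defect: tuts/index.php hands the "file=" value straight to the file system, so "../" walks out of the tutorials directory. Here is an added example (not the original site's code) of a hardened reader: the parameter must be a plain .html file name, it is resolved with realpath(), and the result must still lie under the tutorials directory. The directory name and the use of readfile() are assumptions.

```php
<?php
// Added example, not the original tuts/index.php. Shows a "file=" parameter
// that cannot be steered outside the tutorials directory.
const TUTS_DIR = __DIR__ . '/tuts';   // assumed location of the tutorial files

/**
 * Map the user-supplied "file" value to a real path inside TUTS_DIR,
 * or return null if the request points anywhere else.
 */
function resolve_tutorial(string $requested): ?string
{
    // Only bare names such as "hackanon.html" are accepted; any directory
    // component ("./", "../", "/", backslash) fails the pattern outright.
    if (!preg_match('/^[A-Za-z0-9_-]+\.html$/', $requested)) {
        return null;
    }

    $base = realpath(TUTS_DIR);
    $path = realpath(TUTS_DIR . '/' . $requested);
    if ($base === false || $path === false) {
        return null;   // directory or file does not exist
    }

    // Defence in depth: even a name that passed the pattern must resolve to a
    // location under the tutorials directory (a symlink could point elsewhere).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = (string) ($_GET['file'] ?? '');
$path = resolve_tutorial($requested);
if ($path === null) {
    // Log the rejected value so traversal attempts show up in the server logs.
    error_log('tuts/index.php rejected file=' . $requested);
    http_response_code(404);
    echo 'No such tutorial.';
    exit;
}
readfile($path);
```

Links must then point at tuts/index.php?file=hackanon.html rather than file=./hackanon.html, since the leading "./" is rejected along with "../"; a request for "../controlpanel.php" or "../config/passwords/members.config.php" gets a 404 and an error_log entry.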

Yet Another Hole
Added By: AZTEK

While I was surfing around my site (http://aztekslair.cjb.net) I found a very big hole. Now my site runs some of the same scripts that CDP's site runs (go figure why). I was surfing around and I found that if you did a file=/etc/passwd it would give you the password file (kind of like the old phf exploit); it's good that the server runs shadowing or else I would not be responsible for my actions. This didn't seem too bad until I realised that if you gave the full path to the password file (ex: www.cdpgroup.f2s.com?file=/web/site/cdpgroup/passdir/passfile) you could still view it.

Now the server CDP runs on has PHP compiled with Safe-Mode on, which means it would never work there: you cannot access anything that is outside your site's directory. But this was still a big hole on my site. I have patched it, so you are welcome to try.

That's it for now. Every newbie could learn something from this little tutorial.

PrizHaCk

If you have any comments mail me:
prizhack@yahoo.com

Copyright ©2001 Caffeinated Data Phreaks
