Web vulnerability discovery with grep - Vulnerability warning - Black Bar Safety Net

2006-04-23T00:00:00
ID MYHACK58:6220068818
Type myhack58
Reporter Anonymous (佚名)
Modified 2006-04-23T00:00:00

Description

Web vulnerability mining with grep

By SuperHei_[At]_ph4nt0m.org, 2006-03-08

[Notes: a. The grep build used below (http://www.interlog.com/~tcharron/grep.html) does not support the -r parameter, so list the paths to search explicitly, for example: grep -in "\(include\|require\)" C:\test\*.php C:\test\admin\*.php. The grep ported with cygwin (http://zhouzhen.eviloctal.org/Look.asp?LogID=814) can also be used. b. Several keywords or patterns are joined with |; for an AND of patterns, pipe one grep into another: grep -in "\select\|$aid" C:\test\read.php | grep -i "from"]

  1. Include vulnerabilities

Keywords: include, require

C:\>grep -in "\(include\|require\)" C:\test\*.php
config.php:10:include 'forbid.php';
conn.inc.php:10:include 'forbid.php';
conn.php:10:include 'forbid.php';
global.php:10:include 'forbid.php';
global.php:16:require_once('conn.inc.php');
global.php:17:require_once('conn.php');

  2. SQL injection

Keywords: select, the variable name

C:\>grep -in "\select" C:\test\read.php
15:$query=$db->query("SELECT * FROM ".$tablepre."content WHERE aid=$aid");

C:\>grep -in "\select\|$aid" C:\test\read.php
13:$aid=$_GET['aid'];
14:$db->query("UPDATE ".$tablepre."content SET hits=hits+1 WHERE aid='$aid'");
15:$query=$db->query("SELECT * FROM ".$tablepre."content WHERE aid=$aid");

  3. CMD injection

Keywords: exec, system, popen, passthru, proc_open, etc.

C:\>grep -in "\(exec\|system\|popen\|passthru\|proc_open\)" C:\test\phpspy.php
413: $a = $shell->ShellExecute($_POST['program'],$_POST['prog']);
602: $program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32\cmd.exe";
613: $execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen');
615: $tb->tdbody('Choose the function to run: '.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' Enter the command: '.$tb->makeinput('command',$_POST['command'],'','text','60').' '.$tb->makeinput('','Run','','submit'));
620: if ($execfunc=="system") {
621: system($_POST['command']);
622: } elseif ($execfunc=="passthru") {
623: passthru($_POST['command']);

  4. Code injection

Keywords: eval, preg_replace

C:\>grep -in "\eval\|preg_replace" C:\test\*.php
phpspy.php:1034: eval('$hexdtime = "' . $hexdtime . '";');

  5. Submitted variables

Keywords: GET, POST, COOKIE, SERVER, REQUEST

C:\>grep -in "_\GET\|POST\|COOKIE\|SERVER\|REQUEST" C:\test\list.php
13:$sid=$_GET['sid'];
14:if($_GET['page']) {
15: $page=$_GET['page'];

  6. Cookie and session

Keywords: cookie, session

C:\>grep -in "\session\|cookie" C:\test\admin\*.php
global.php:16:if(!isset($_COOKIE['IN'])) {
index.php:13:if(!isset($_COOKIE['IN'])) {
job.php:13:if(!isset($_COOKIE['IN'])) {
login.php:22: setcookie("IN","$admin");
logout.php:11:setcookie("IN","");
main.php:14:isset($_COOKIE) ? $ifcookie="SUCCESS" : $ifcookie="FAIL";

  7. File functions

Keywords: readfile, fopen, upload, copy, opendir, fwrite, unlink, etc.
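The same keyword triage as the grep sessions above, as an added example that is not part of the original article: a POSIX shell script for GNU grep (which supports -r, so no path globs are needed) covering the OR mode of sections 1, 3 and 4 and the piped AND mode of note b. The two PHP files it scans are constructed here to stand in for C:\test; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Note that GNU grep reads \s as
# "whitespace", so the article's "\select" pattern would not match SELECT here;
# keywords are spelled out plainly instead.
# Write the constructed sample tree (stand-in for C:\test) and print its path.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/read.php" <<'EOF'
<?php
$aid=$_GET['aid'];
$db->query("UPDATE ".$tablepre."content SET hits=hits+1 WHERE aid='$aid'");
$query=$db->query("SELECT * FROM ".$tablepre."content WHERE aid=$aid");
$rows=$db->query("SELECT name FROM users ORDER BY name");
EOF
  cat > "$dir/shell.php" <<'EOF'
<?php
if (isset($_POST['command'])) { system($_POST['command']); }
eval('$hexdtime = "' . $hexdtime . '";');
echo "system status: ok";
EOF
  printf '%s\n' "$dir"
}

# OR mode (sections 1, 3, 4): one grep, alternatives joined with |. Requiring a
# following "(" (or whitespace for include/require) drops plain-word hits such
# as the string "system status".
find_sinks() {
  grep -rEin '(^|[^a-z0-9_])((include|require)(_once)?[[:space:]]|(exec|shell_exec|system|popen|passthru|proc_open|eval|preg_replace)[[:space:]]*\()' "$1"
}

# AND mode (note b): a SQL verb on the line AND a PHP variable interpolated
# into, or concatenated between, double-quoted string pieces.
find_sqli_candidates() {
  grep -rEin '(select|update|insert|delete)[[:space:]]' "$1" \
    | grep -E '"[^"]*\$[a-z_][a-z0-9_]*[^"]*"'
}

# AND mode: request input passed straight into a command sink on one line.
find_cmd_injection() {
  grep -rEin '\$_(GET|POST|COOKIE|REQUEST|SERVER)\[' "$1" \
    | grep -Ei '(exec|shell_exec|system|popen|passthru|proc_open)[[:space:]]*\(\$_'
}

# Run all three passes over a directory of PHP sources.
audit() {
  for pass in find_sinks find_sqli_candidates find_cmd_injection; do
    echo "== $pass =="; "$pass" "$1" || true
  done
}
```

Run `audit "$(make_samples)"` to see the three passes on the constructed files, or `audit /path/to/php/src` on a real tree.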

...... Hope everyone continues to add to this! :)
