Tuesday 11 June 2013

[EN] New code, new vulnerabilities - PICOL LFI

During one of my projects a few days ago, I wrote another version of my source code scanner.
Another one, because this 'super code' is a never-ending story. Maybe I will put a few examples here in the future, in some kind of 'how to do' this or that. We'll see... ;)

Anyway.
Below is a simple example (related to the post about a nice trick @ seclists.org and to the questions about 'how I found this webapp' code to test):





Yes, this example shows a local file include vulnerability in PICOL Generator.
With the 'wrong' php.ini settings, a remote file include attack is possible here too.
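
An added example, not the author's scanner and not PICOL code: a minimal Python check of the kind a source code scanner performs, flagging PHP include/require statements built from request data and testing whether the php.ini directive allow_url_include is switched on. The function names and both sample inputs are constructed for illustration.

```python
import re

# Request superglobals whose values an HTTP client controls.
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*;", re.I)
ASSIGN = re.compile(r"(\$\w+)\s*=(?!=)\s*([^;]*);")
INI_DIRECTIVE = re.compile(
    r"^[ \t]*allow_url_include[ \t]*=[ \t]*([^\s;]+)", re.I | re.M)

def _tainted(expr, tainted_vars):
    """True if expr uses a superglobal or a variable derived from one."""
    if SUPERGLOBAL.search(expr):
        return True
    return any(re.search(re.escape(v) + r"\b", expr) for v in tainted_vars)

def scan_php(source):
    """Return [(line_no, statement)] for includes built from request data."""
    tainted_vars, findings = set(), []
    for no, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m and _tainted(m.group(2), tainted_vars):
            tainted_vars.add(m.group(1))  # simple line-by-line taint propagation
        inc = INCLUDE.search(line)
        if inc and _tainted(inc.group(0), tainted_vars):
            findings.append((no, inc.group(0).strip()))
    return findings

def url_include_enabled(ini_text):
    """True if the last uncommented allow_url_include directive is on."""
    vals = INI_DIRECTIVE.findall(ini_text)
    return bool(vals) and vals[-1].strip("\"'").lower() in {"on", "1", "true", "yes"}

# Constructed sample input (not PICOL's code).
SAMPLE_PHP = """<?php
require_once 'config.php';
$lang = $_GET['lang'];
include 'lang/' . $lang . '.php';
include $_REQUEST['page'];
include 'footer.php';
"""
SAMPLE_INI = """; allow_url_include = Off
allow_url_fopen = On
allow_url_include = On
"""

if __name__ == "__main__":
    for no, stmt in scan_php(SAMPLE_PHP):
        print(f"line {no}: {stmt}")
    print("remote includes possible:", url_include_enabled(SAMPLE_INI))
```

The taint tracking is line-based and does not model allowlist lookups or sanitizers, so each hit is a candidate for manual review rather than a confirmed finding.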

Anyway, during a webapp pentest, if we find this webapp, the server can be 'hacked' ;)

Have fun! at localhost ;]

One more idea: if you don't know this site, check it now. ;)

o/
