Hacking with PHP's rename() method, part 2.

Earlier this week we showed a real-world case involving the rename() function, following the didactic example from a few weeks ago.

That example was a little different from the one below.

In this post we show the second way this function can cause problems for a system.

So what happens internally, and why can it cause problems for the system?

See the earlier articles about rename():

In essence, rename() takes two parameters: the first is the old name and the second is the new name. Both are paths, not bare file names, so a value containing directory components such as ../ is accepted as-is.

In the last example we showed injection into the first parameter; now we show an injection example in the second parameter.

The example is simple:

$_GET['newName'] = 'index.php';

<?php 
     $oldName = 'imageOldName.jpg';
     rename( $oldName, $_GET['newName'] ); // destination taken straight from the request
?>

What happens?

In practice the old file disappears and its content becomes available under the new name.

What’s the problem?

If a file with the destination name already exists, rename() silently overwrites it.

What can you do with that?

We can overwrite system files or important assets such as logos, or create files that did not exist before and thereby change how the server behaves, for example an .htaccess (web server configuration file) or an index.htm, as in the real-world example from the last post.

Attack example:

http://www.target.com/?newName=../../index.php

$_GET['newName'] = '../../index.php';

<?php 
     $oldName = 'imageOldName.jpg';
     rename( $oldName, $_GET['newName'] ); // this line overwrites index.php
?>

The relative path is resolved from the script's working directory, so the two ../ steps are chosen to land on the site's index.php. The system overwrites index.php with the content of the old image, and the site stops working. =)
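To show what the fix looks like, here is an added example written for this edit, not code from the original post: the vulnerable call next to a hardened wrapper that strips directory components, whitelists the extension, refuses to overwrite an existing file and checks that the resolved destination stays inside the upload folder. UPLOAD_DIR, the helper names, the allowed extensions and the demo inputs are assumptions made for the example.

```php
<?php
// Added example (not from the original post): the vulnerable rename() call
// beside a hardened version that validates the attacker-controlled destination.
// UPLOAD_DIR, ALLOWED_EXT and all function names are assumptions made for
// this example, not code from the page.

declare(strict_types=1);

// Constructed demo location; a real application would use its upload folder.
define('UPLOAD_DIR', sys_get_temp_dir() . '/rename_demo_uploads');
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Vulnerable: the destination is whatever the request says, including
// "../../index.php" or ".htaccess".
function vulnerableRename(string $oldName, string $requestedNewName): bool
{
    return rename($oldName, $requestedNewName);
}

/**
 * Returns the validated absolute destination inside UPLOAD_DIR, or throws
 * if the requested name could escape the directory, change the file type,
 * or clobber an existing file.
 */
function safeRenameTarget(string $requested): string
{
    // 1. Drop any directory part: "../../index.php" becomes "index.php".
    //    This alone is NOT enough, which is why the checks below follow.
    $name = basename($requested);

    // 2. Allow one conservative base name plus exactly one extension.
    //    Rejects ".htaccess", "logo.jpg.php", names with NUL bytes, etc.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})\z/', $name, $m)) {
        throw new InvalidArgumentException("rejected name '{$requested}'");
    }
    // 3. Whitelist the extension so index.php can never be a destination.
    if (!in_array(strtolower($m[1]), ALLOWED_EXT, true)) {
        throw new InvalidArgumentException("extension '{$m[1]}' not allowed");
    }

    $target = UPLOAD_DIR . '/' . $name;

    // 4. rename() silently overwrites an existing destination, so refuse it.
    if (file_exists($target)) {
        throw new RuntimeException("'{$name}' already exists");
    }

    // 5. Defence in depth: the resolved parent must be UPLOAD_DIR itself.
    $realDir = realpath(dirname($target));
    if ($realDir === false || $realDir !== realpath(UPLOAD_DIR)) {
        throw new RuntimeException('destination escaped the upload directory');
    }

    return $target;
}

// Hardened replacement for the rename() call shown in the post.
function safeRename(string $oldName, string $requestedNewName): bool
{
    $source = UPLOAD_DIR . '/' . basename($oldName);
    if (!is_file($source)) {
        throw new RuntimeException("source '{$oldName}' not found");
    }
    return rename($source, safeRenameTarget($requestedNewName));
}

// Demonstration: the attack value from the post plus constructed inputs.
// In the real handler the value would come from $_GET['newName'].
if (!is_dir(UPLOAD_DIR)) {
    mkdir(UPLOAD_DIR, 0750, true);
}
touch(UPLOAD_DIR . '/logo.jpg'); // pretend an important image already exists

foreach (['../../index.php', '.htaccess', 'logo.jpg', 'photo.png'] as $input) {
    try {
        echo $input, ' -> accepted: ', safeRenameTarget($input), PHP_EOL;
    } catch (Exception $e) {
        echo $input, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run it with `php safe_rename.php`: the first three inputs are rejected (forbidden extension, no base name, existing file) and only `photo.png` is accepted. Note that basename() by itself does not fix the bug from the post, since `../../index.php` still yields `index.php`; the extension whitelist and the no-overwrite check are what stop the index.php and logo overwrites.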

Watch the video of the simple action:

And the real problem:

Next week: a new subject, or another real-world case?

See you folks.
