
PHP-Proxy Encrypt Key Flaw and LFI Vulnerability Description


Testing Target

Abstract

We discovered that the PHP-Proxy str_rot_pass encryption function is flawed. Even if the user changes the default key, a remote attacker can easily recover the key, which leads to a Local File Inclusion vulnerability.

Concept

  1. First, we download the latest version from the official website and check the helpers.php code.

  2. From the helpers.php code, we discovered that the str_rot_pass encryption function is flawed. It is not rigorous enough and is easy to crack.

  3. We wrote a sample payload that only applies to the following conditions. If you want to change the conditions, you may need to rewrite the payload. Download Link

  • [url_mode] set to 2 (default)
  • The curl file protocol is not disabled

  4. Use the payload to decrypt the key and obtain the decrypted key link.

  5. Successfully obtained the passwd file.
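The two preconditions listed above (url_mode 2 and the curl file protocol left enabled) point at a check a deployment can add on its own side. The following PHP is an added example, not PHP-Proxy's own code; is_safe_remote_url and fetch_url are hypothetical helpers written for this illustration.

```php
<?php
// Added illustration, not PHP-Proxy's own code. It applies two layers:
// reject non-HTTP(S) URLs before they reach curl, and tell curl itself to
// refuse file:// (and every other non-HTTP scheme), including on redirects.

function is_safe_remote_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // Only http and https are acceptable; file, ftp, gopher, data, etc. are not.
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

function fetch_url(string $url): ?string
{
    if (!is_safe_remote_url($url)) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Defence in depth: even if the scheme check is bypassed, curl will not
        // open file:// URLs, and a redirect cannot switch to a local scheme.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// Constructed inputs: the local path is rejected before curl is involved,
// the remote URL passes the scheme check.
var_dump(is_safe_remote_url('file:///etc/passwd'));
var_dump(is_safe_remote_url('https://example.com/'));
```

The curl protocol restriction is the part that closes the "curl file protocol not disabled" precondition even when the URL check is missed elsewhere.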

Instance

This is an actual case. We can see that a remote attacker can quickly obtain the target's passwd file or other information.