shotting.cc

Day Zero Exploit Server Side


<?php
$servername = "localhost";
$username = "para";
$password = "";
$dbname = "ph";

$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$query = "SELECT * FROM `code` WHERE (`TAGS` LIKE '%PHP%');";
$result = $conn->query($query);

// mysqli_fetch_assoc() returns ONE row as an associative array
// (column name => column value), or null when there are no more rows.
$list = mysqli_fetch_assoc($result);

// Each $val is therefore a column value (a string), not a row, so
// $val['TAGS'] below is a string-offset read, not an array lookup.
foreach ($list as $val) {
    echo $val['TAGS'];
}
$conn->close();

This code echoes out what at first looks like part of server memory, which is not the behaviour one would predict. The code in part draws from UNISEQ (all possible combinations of code).

For example, foreach is used in conjunction with an associative array to produce the exploit. You would expect this to produce an error message; instead it echoes a short string of characters that could pass for internal memory of the server. It is not memory. mysqli_fetch_assoc() returns a single row, so each $val in the loop is one column value (a string), and $val['TAGS'] is a string-offset read on that string. On PHP 7.x and earlier, a non-numeric string offset raises the warning "Illegal string offset 'TAGS'" (invisible when display_errors is off) and reads offset 0, so the loop prints the first byte of every column in the row; on PHP 8 the same read throws instead of printing anything. The check is simple: run the script with error_reporting(E_ALL) and display_errors=On, confirm the warning appears once per column, and compare the output with the first character of each column value in that row.

I'm calling this the P1P exploit, since that is what got echoed the first time the exploit was run.
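The following is an added example, my code rather than the original post's, that reproduces the effect without a database. It assumes a constructed row with columns TAGS, ID and CODE standing in for the single row mysqli_fetch_assoc() returned on the author's server (the page does not give the real column names or values). It runs the loop exactly as posted, then the same loop over a list of rows, the way a mysqli result set is normally consumed, and finally the direct column read the loop was presumably meant to perform.

```php
<?php
// Added example, not code from the original post. The row and rows below are
// constructed stand-ins for what mysqli_fetch_assoc() returned; the column
// names TAGS, ID and CODE are assumptions.
$row = ['TAGS' => 'PHP', 'ID' => '1', 'CODE' => 'PHP snippet'];

// The loop as written on the page. Each $val is a column VALUE (a string),
// so $val['TAGS'] is a string-offset read on that string:
//   PHP 5.4 - 7.4: warning "Illegal string offset 'TAGS'", offset treated as 0,
//                  so the first byte of each column value is appended.
//   PHP 8.0+:      the same read throws; the loop collects the exception class.
function loopAsPosted(array $row): string
{
    $out = '';
    foreach ($row as $val) {
        try {
            $out .= @$val['TAGS'];   // @ hides the PHP 7 warning for the demo only
        } catch (\Error $e) {
            $out .= '<' . get_class($e) . '>';
        }
    }
    return $out;
}

// The same mistake made with a result set: a list of rows, one per
// fetch_assoc() call (constructed here instead of coming from mysqli).
$rows = [
    ['TAGS' => 'PHP',      'ID' => '1', 'CODE' => 'PHP snippet'],
    ['TAGS' => 'PHP,MySQL', 'ID' => '2', 'CODE' => 'Query snippet'],
];

// Correct consumption of a row list: iterate rows, index each row by column.
// With mysqli this is the body of  while ($row = $result->fetch_assoc()) { ... }
function tagsFromRows(array $rows): array
{
    $tags = [];
    foreach ($rows as $r) {
        $tags[] = $r['TAGS'];   // $r is an array, so this is a real column lookup
    }
    return $tags;
}

// What the posted loop was presumably meant to do for a single row.
function tagsOfRow(array $row): string
{
    return $row['TAGS'];
}

echo loopAsPosted($row), "\n";
echo implode("|", tagsFromRows($rows)), "\n";
echo tagsOfRow($row), "\n";
```

Run it under PHP 7.4 and PHP 8 to see the two behaviours side by side; remove the @ and set error_reporting(E_ALL) to watch the "Illegal string offset" warning fire once per column on PHP 7. Whatever the first line prints is the first byte of each column value in $row, nothing more.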
