
Basically, I want to create a site to show people how to prevent PHP vulnerabilities by simulating them. However, I cannot get them to work myself.

I want to see if a variable equals a valid page (I only have two for testing) and, if it does, load that page. Otherwise, I see if it contains "../". If neither of those is true, it simply says "Page not found".

This is my code so far:

<?php
// Read the requested page name from the query string. The original post never
// assigned $page at all, which is why every request fell through to "Page not found!"
$page = isset($_GET['page']) ? $_GET['page'] : '';

if($page=="LOLone.php" || $page=="LOLtwo.php"){
    // Only these two known files are ever included
    echo "Welcome, look at the LOL cats!";
    include($page);
}else if(strlen(strstr($page,"../"))>0){
    // Demonstration branch: the request contained a directory traversal sequence
    echo "Congrats, you found the transversal attack vulnerability!";
}else{
    echo "Page not found!";
}
?>

Whenever I try to use page=LOLone.php (or LOLtwo.php or even ../) it says "Page not found!" Can I not compare variables the way I am, or could this be my web-host playing it safe? I am a bit confused, but I am relatively new to PHP so I feel like I am missing something simple...

Ok, I made a simple mistake. A very big one too. Sorry. Thanks for all the replies, and I will be very careful about my own server getting hacked. In this example I should be clean though, because I have it include the page only if it equals a specified value. Thanks again.

Josh
Vreality
  • I don't recall if PHP is strict about `else if` or `elseif` like JS is. – Blake Apr 22 '12 at 20:06
  • too new to be trying to educate others, if you can't do the basics yourself. –  Apr 22 '12 at 20:07
  • Thanks Dagon. :P I understand how to exploit it, I just have never tried to reproduce it myself. – Vreality Apr 22 '12 at 20:09
  • You could just use `strpos($page, '../') !== false` instead of strstr/strlen – Marc B Apr 22 '12 at 20:09
  • What web host are you on? ... **So we can avoid** – Lawrence Cherone Apr 22 '12 at 20:10
  • First condition should be `if(in_array($page,array('page1.php','page2.php')))` then second condition should be `elseif(strpos($page,'../')!==false)` (with strict operator for boolean false, and elseif). – Silviu-Marian Apr 22 '12 at 20:11
  • What does `echo $page;` show? Perhaps your webhost has installed Apache+mod_security and strips parts of the URL. – Lekensteyn Apr 22 '12 at 20:15
  • Might I suggest you don't just search for '../' but '..' and '/' at the beginning. – Ashley Davies Apr 22 '12 at 20:15
  • if you're posting a problem here, it speaks to your skill in educating others. –  Apr 22 '12 at 20:16
  • Lawrence Cherone, I was using 1freehosting. However, that had nothing to do with it. Sadly, I think Dagon is right... I forgot to set $page=$_GET["page"]; **facepalm** – Vreality Apr 22 '12 at 20:18

2 Answers


Try

$webPath = "/home/www/somesite/userpages";
$pages = array(
    "page1.php",
    "page2.php"
);

//http://testing.com?page=xxx
$_GET['page'] = "../../etc/passwd"; //Sample Hack

//Prepare Include
//Resolve the requested name relative to the allowed directory; realpath()
//collapses any "../" segments and returns false if the file does not exist
$page = realpath($webPath . "/" . $_GET['page']);
$dirName = dirname($page);
$baseName = basename($page);

//The resolved file must live directly inside $webPath
if($dirName != $webPath)
{
    die("Die! Die! Die!");
}

//...and must be one of the explicitly allowed pages
if(!in_array($baseName, $pages))
{
    die("Kill! Kill! Kill!");
}

echo "Welcome";
Baba
  • Thanks Baba. Exactly what I was looking for. I completely forget to set $page=$_GET["page"]; I can not believe I forgot that... – Vreality Apr 22 '12 at 20:16
  • @Vreality2007 As everyone, and you too can see, you are not experienced. But I think that this is a really good way to learn more about not only PHP, but security as well, at the same time! Keep up learning! – Friend of Kim Apr 22 '12 at 20:19
  • +1 50ndr33 .. you are the first person to notice that ... lol – Baba Apr 22 '12 at 20:20
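Building on the allowlist-plus-directory approach in the answer above, here is an added example (not code from the answer or the question) that checks the allowlist with strict comparison before touching the filesystem and keeps the realpath()/dirname() directory check as defence in depth. resolvePage(), the temporary "userpages" directory and the sample ?page= values are assumptions constructed for the demonstration.

```php
<?php
// Added example: allowlist-first resolver for the include() pattern discussed above.
// Returns the absolute file to include, or null if the request is rejected.
function resolvePage($requested, $webPath, array $allowed)
{
    // 1. Exact allowlist match (strict, so "page1.php\0" or 0 cannot match)
    //    before any filesystem access.
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Resolve relative to the allowed directory; realpath() collapses "../"
    //    segments and returns false if the file does not exist.
    $base = realpath($webPath);
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    // 3. Defence in depth: the resolved file must sit directly inside $webPath.
    if (dirname($full) !== $base) {
        return null;
    }
    return $full;
}

// Constructed fixture: a temporary directory with two real pages.
$webPath = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'userpages_' . getmypid();
mkdir($webPath);
file_put_contents($webPath . '/page1.php', "<?php echo 'page one';");
file_put_contents($webPath . '/page2.php', "<?php echo 'page two';");
$pages = array('page1.php', 'page2.php');

// Constructed inputs: values a ?page= parameter might carry. Only the first
// is accepted; the others are rejected before realpath() is ever called.
$inputs = array('page1.php', '../../etc/passwd', '/etc/passwd',
                './page1.php', "page1.php\0", 'page3.php');
foreach ($inputs as $in) {
    $file = resolvePage($in, $webPath, $pages);
    printf("%-20s => %s\n", addcslashes($in, "\0"),
           $file === null ? 'rejected' : 'include ' . basename($file));
}

// Remove the fixture.
unlink($webPath . '/page1.php');
unlink($webPath . '/page2.php');
rmdir($webPath);
```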

Replace

if(strlen(strstr($page,"../"))>0)

With

if( strpos($page, '../') !== false )

Right now, you're checking the length of the strstr() call, which isn't the right way to go. Now it instead checks for the location of ../ - and if it isn't false - we know for sure that the string has it.

However, you should probably begin with another, more simple, project - since one will just ensure that your server gets hacked due to an exploit you forgot to stop.

Zar