Vulnerable PHP Examples
1. Weak Typing

Log In:

Goal: log in as root

The PHP uses this comparison:

    md5($p) == '0e199122341212509014562288726851'

You can log in with a password of 240610708 even though it has a hash of 0e462097431906509019562988736854, because PHP interprets both hashes as numbers equal to zero.
2. Strong Typing

Log In:

You can no longer log in as root.

The PHP uses this comparison:

    md5($p) === '0e199122341212509014562288726851'

Now a password of 240610708 fails because the === operator does not do implicit type conversions.
3. Weak Typing Again

Log In:

Goal: log in as root

To hack in, use this URL:

    https://attack.samsclass.info/phpfail3.php?username=root&password=x

The PHP uses this comparison:

    strcmp($p, $correct) == 0

If $p is an array, the strcmp function fails and returns NULL, but the code continues to execute. Because of weak typing, NULL == 0 is true and the login succeeds.
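The three comparisons from items 1 to 3 side by side with a hardened login check, as an added example that is not code from the class page. The user table, the stored bcrypt hash and the dummy hash are constructed for the demo, and PHP 7.1 or later is assumed. One version caveat: on PHP 7, strcmp() with an array argument warns and returns NULL as the page describes; on PHP 8 the same call throws a TypeError instead, while the loose == comparison of two 0e-style numeric strings still evaluates to true on both.

```php
<?php
// Added example, not code from the class page. Data below is constructed.

// Item 1: loose comparison. md5('240610708') is '0e462097431906509019562988736854'.
// Both sides match 0e<digits>, so PHP treats them as numeric strings and
// compares them as floats: 0 * 10^n == 0 * 10^m, i.e. 0 == 0.
function weak_check(string $password): bool
{
    return md5($password) == '0e199122341212509014562288726851';
}

// Item 2: strict comparison. No numeric coercion, so only the exact string matches.
function strict_check(string $password): bool
{
    return md5($password) === '0e199122341212509014562288726851';
}

// Item 3: strcmp() on untyped input. On PHP 7, strcmp(array, string) emits a
// warning and returns NULL, and NULL == 0 is true. On PHP 8 it throws TypeError.
// $password is deliberately left untyped so a non-string can reach strcmp().
function strcmp_check($password, string $correct): bool
{
    return @strcmp($password, $correct) == 0;
}

// Hardened check: reject anything that is not a plain string before touching
// it (query parameters like name[]=x arrive as arrays), store bcrypt hashes
// instead of MD5, and let password_verify() do a constant-time comparison.
function hardened_check($username, $password, array $users, string $dummyHash): bool
{
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    // Verify against a dummy hash for unknown users so timing is uniform.
    $hash = $users[$username] ?? $dummyHash;
    $ok = password_verify($password, $hash);
    return $ok && isset($users[$username]);
}

// Demo with constructed data.
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
$users = ['root' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

var_dump(weak_check('240610708'));
var_dump(strict_check('240610708'));
try {
    var_dump(strcmp_check(['x'], 'secret'));
} catch (TypeError $e) {
    echo "PHP 8 refuses the array argument: ", get_class($e), "\n";
}
var_dump(hardened_check('root', ['x'], $users, $dummyHash));
var_dump(hardened_check('root', '240610708', $users, $dummyHash));
var_dump(hardened_check('root', 'correct horse battery staple', $users, $dummyHash));
```

The is_string() guard is what closes item 3 regardless of PHP version, and password_verify() closes items 1 and 2 because it never exposes a hash to a loose comparison in the first place.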
4. PHP Handler

View this file:

The PHP code just sits there without executing, because the filename extension is ".txt".

But I put this .htaccess file in the "phpvuln" directory:

    AddHandler application/x-httpd-php .php5

That means that every file in that folder with a name containing "php5" will run, like this one:

Fixed

The "phpfix" directory has this .htaccess file:

    <FilesMatch ".+\.php5$">
        SetHandler application/x-httpd-php
    </FilesMatch>

Now this file doesn't run:

But this one does:
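The weak and corrected handler configurations annotated with why they behave differently, plus a third form for directories that must never execute anything, as an added example rather than the class page's own .htaccess files. The directory names are the page's; the file names in the comments are constructed.

```apache
# Added example, not the class page's .htaccess files.

# phpvuln/.htaccess: the weak form.
# Apache mod_mime treats "file.php5.txt" as a file with two extensions, and
# AddHandler applies when ANY dot-separated extension matches. So a .txt
# upload that carries a ".php5." segment anywhere in its name is executed.
AddHandler application/x-httpd-php .php5

# phpfix/.htaccess: the corrected form.
# FilesMatch is an anchored regex over the whole file name: only names that
# END in ".php5" get the handler, so "file.php5.txt" is served as text.
<FilesMatch ".+\.php5$">
    SetHandler application/x-httpd-php
</FilesMatch>

# For an upload directory that should never run code at all (Apache 2.4
# syntax), refuse to serve anything that looks like PHP rather than trusting
# the handler mapping.
<FilesMatch "\.(php|php5|phtml)$">
    Require all denied
</FilesMatch>
```

The third block is belt-and-braces: even if a later AddHandler line slips in, names ending in a PHP extension are no longer served from that directory.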
5. $_REQUEST

Click this button to set a cookie containing "isadmin=0":

Now click this URL to override the value set in the cookie:

Note: by default, php.ini doesn't allow Cookies to affect $_REQUEST; I enabled it in php.ini with this code:

    ; Development Value: "GP"
    ; Production Value: "GP"
    ; http://php.net/request-order
    ; Note: MODIFIED by SAM 10-23-16 for Cookie PHP Demo
    request_order = "CGP"

$_REQUEST is considered dangerous to use. It's better to use $_GET, $_POST, and $_COOKIE so you know what you are doing more precisely.
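The isadmin check behind this demo done three ways, as an added example that is not the class page's code. The request_order merge is simulated in PHP so the script runs from the command line; the cookie and query-string values are constructed, and the session layout with a "role" key is an assumption.

```php
<?php
// Added example, not the class page's code. Inputs below are constructed.

// Simulate how PHP builds $_REQUEST from request_order. Each letter names a
// source; later sources overwrite earlier ones. With "CGP", a ?isadmin=1 in
// the query string silently replaces the isadmin=0 cookie.
function build_request(string $order, array $cookie, array $get, array $post): array
{
    $sources = ['C' => $cookie, 'G' => $get, 'P' => $post];
    $request = [];
    foreach (str_split($order) as $letter) {
        $request = array_merge($request, $sources[$letter] ?? []);
    }
    return $request;
}

// 1. Vulnerable: trusts whichever source won the merge.
function is_admin_request(array $request): bool
{
    return isset($request['isadmin']) && $request['isadmin'] == 1;
}

// 2. Explicit source, as the page recommends: at least you know it came from
//    the cookie. A cookie is still client-supplied, though, so this only
//    removes the override path, not the trust problem.
function is_admin_cookie(array $cookie): bool
{
    return isset($cookie['isadmin']) && $cookie['isadmin'] === '1';
}

// 3. Hardened: the privilege lives in server-side session state written at
//    login; the only thing the client supplies is an opaque session id.
//    (Session layout with a 'role' key is an assumption.)
function is_admin_session(array $session): bool
{
    return ($session['role'] ?? '') === 'admin';
}

$cookie = ['isadmin' => '0'];   // what the page's button sets
$get    = ['isadmin' => '1'];   // what the page's URL adds
$request = build_request('CGP', $cookie, $get, []);

var_dump(is_admin_request($request));
var_dump(is_admin_cookie($cookie));
var_dump(is_admin_session(['role' => 'user']));
```

Reading $_COOKIE directly fixes the demo's override, but the real lesson is that a client-held flag should never decide authorization; keep the decision in $_SESSION and let the cookie carry only the session id.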
6. Error Reporting

Item #5 above shows errors, which are informative to developers but considered a security risk. That's because my php.ini has this setting:

    ; Default Value: On
    ; Development Value: On
    ; Production Value: Off
    ; http://php.net/display-errors
    display_errors = On
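The production counterpart of the setting above, as an added php.ini fragment that is not the class page's configuration. The log path is an assumption; every directive named is a standard php.ini setting.

```ini
; Added example, not the class page's php.ini. Log path is an assumption.

; Never echo errors to the client: messages leak file paths, SQL fragments
; and stack frames that help an attacker map the application.
display_errors = Off
display_startup_errors = Off

; Keep the same information for developers, out of band.
log_errors = On
error_log = /var/log/php/error.log

; Still record everything; "Off" above only controls display, not reporting.
error_reporting = E_ALL

; Drop the X-Powered-By version header while you are in the file.
expose_php = Off
```

Check the effective values with php -i or phpinfo() on the running SAPI rather than by reading the file, since a web server can load a different php.ini than the CLI does.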
7. preg_replace Command Injection

Post a Message:

This form posts messages publicly. To maintain secrecy, any message starting with "SECRET" is sanitized with this code:

    $m = preg_replace('/SECRET(.*)/e', '\\1', $m);

For a good time, post this message:

See also: The unexpected dangers of preg_replace()
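Why the /e modifier is dangerous and what to use instead, as an added example that is not the class page's code. The sample messages are constructed, and PHP 7.1 or later is assumed. Version caveat: PHP 5.5 deprecated /e and PHP 7.0 removed it, so on PHP 7 and later the page's call emits "Unknown modifier 'e'" and returns NULL rather than executing anything; the injection only fires on PHP 5.

```php
<?php
// Added example, not the class page's code. Messages below are constructed.

// The page's sanitizer as written. With /e, PHP substitutes the backreference
// into the replacement string and then eval()s the result, so whatever follows
// "SECRET" in a user's message is run as PHP code. On PHP 7+ /e is gone and
// this returns NULL with a warning.
function sanitize_with_e(string $m): ?string
{
    return preg_replace('/SECRET(.*)/e', '\\1', $m);
}

// Hardened: preg_replace_callback() hands the match to a PHP closure. The
// user's text is data passed in $match; nothing in it is ever parsed as code.
// This keeps the page's behaviour (drop the "SECRET" prefix, keep the rest).
function sanitize_callback(string $m): string
{
    return preg_replace_callback(
        '/SECRET(.*)/',
        function (array $match): string {
            return $match[1];
        },
        $m
    );
}

// Review helper: does a pattern still carry the /e modifier? Handles the usual
// same-character delimiters (/.../, #...#, ~...~); bracket-pair delimiters are
// not covered.
function has_e_modifier(string $pattern): bool
{
    if ($pattern === '') {
        return false;
    }
    $delim = $pattern[0];
    $end = strrpos($pattern, $delim);
    if ($end === false || $end === 0) {
        return false;
    }
    return strpos(substr($pattern, $end + 1), 'e') !== false;
}

var_dump(sanitize_callback('SECRET meeting at noon'));
var_dump(sanitize_callback('nothing secret here'));
var_dump(has_e_modifier('/SECRET(.*)/e'));
var_dump(has_e_modifier('/SECRET(.*)/i'));
```

If the goal really is secrecy, the closure could return a fixed string such as '[redacted]' instead of $match[1]; the important part is that the choice is made in code you wrote, not in text the poster supplied. The has_e_modifier() check is the kind of thing to run over a legacy code base before upgrading, since every remaining /e call is both an injection point on PHP 5 and a broken call on PHP 7.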
References

Linux: 25 PHP Security Best Practices For Sys Admins
PHP Security Cheat Sheet
Using .htaccess to make all .html pages to run as .php files?
GRID USING SETHANDLER TO PROCESS OTHER EXTENSIONS AS PHP