Sam Bowne

Vulnerable PHP Examples

1. Weak Typing

Log In:

Username: Password:

Goal: log in as root

The PHP uses this comparison:
md5($p) == '0e199122341212509014562288726851'
You can log in with a password of 240610708 even though it has a hash of
0e462097431906509019562988736854 because PHP interprets the hashes
as numbers equal to zero.

2. Strong Typing

Log In:

Username: Password:

Goal: log in as root

The PHP uses this comparison:
md5($p) === '0e199122341212509014562288726851'
Now a password of 240610708 fails because the === operator does not do
implicit type conversions.

3. Weak Typing Again

Log In:

Username: Password:

Goal: log in as root

To hack in, use this URL:
https://attack.samsclass.info/phpfail3.php?username=root&password[]=x
The PHP uses this comparison:
strcmp($p, $correct) == 0
If $p is an array, the strcmp function fails and returns NULL, but the code continues to execute.
Because of weak typing, NULL == 0 is true and the login succeeds.

4. PHP Handler

View this file:

https://attack.samsclass.info/phpwned.php5.txt

The PHP code just sits there without executing, because the filename extension is ".txt".

But I put this .htaccess file in the "phpvuln" directory:

AddHandler application/x-httpd-php .php5
That means that every file in that folder with a name containing "php5" will run, like this one:

https://attack.samsclass.info/phpvuln/phpwned.php5.txt

Fixed

The "phpfix" directory has this .htaccess file:
<FilesMatch ".+\.php5$">
    SetHandler application/x-httpd-php
</FilesMatch>
Now this file doesn't run:

https://attack.samsclass.info/phpfix/phpwned.php5.txt

But this one does:

https://attack.samsclass.info/phpfix/phpwned.php5

5. $_REQUEST

Click this button to set a cookie containing "isadmin=0":

Now click this URL to override the value set in the cookie:

https://attack.samsclass.info/phpfail5.php?isadmin=1

Note: by default, php.ini doesn't allow Cookies to affect $_REQUEST; I enabled it in php.ini with this code:

; Development Value: "GP"
; Production Value: "GP"
; http://php.net/request-order
; Note: MODIFIED by SAM 10-23-16 for Cookie PHP Demo
request_order = "CGP"
$_REQUEST is considered dangerous to use. It's better to use $_GET, $_POST, and $_COOKIE so you know what you are doing more precisely.

6. Error Reporting

Item #5 above shows errors, which are informative to developers, but considered a security risk. That's because my php.ini has this setting:
; Default Value: On
; Development Value: On
; Production Value: Off
; http://php.net/display-errors
display_errors = On

References

Linux: 25 PHP Security Best Practices For Sys Admins
PHP Security Cheat Sheet
Magic Hashes
Using .htaccess to make all .html pages to run as .php files?
GRID USING SETHANDLER TO PROCESS OTHER EXTENSIONS AS PHP
$_REQUEST


Last modified: 10-24-168:17 am