---
title: Some Important PHP Vulnerabilities
categories: [cheatsheets]
tags: [security, web]
---

# Example Vulnerabilities

## 1) Missing Typechecking

Missing typechecking in the function _in\_array()_: with its default loose comparison, a file name such as _2backdoor.php_ compares equal to the integer 2 from the whitelist, so an uploaded file with such a name passes the check and is moved into the upload directory.

```PHP
class Challenge {
    const UPLOAD_DIRECTORY = './solutions/';
    private $file;
    private $whitelist;

    public function __construct($file) {
        $this->file = $file;
        // Whitelist of integers 1..24
        $this->whitelist = range(1, 24);
    }

    public function __destruct() {
        // Loose comparison: no third argument ($strict) to in_array()
        if (in_array($this->file['name'], $this->whitelist)) {
            move_uploaded_file(
                $this->file['tmp_name'],
                self::UPLOAD_DIRECTORY . $this->file['name']
            );
        }
    }
}

$challenge = new Challenge($_FILES['solution']);
```

## 2) Twig

* Twig is a PHP template engine
* The code contains an XSS vulnerability -> the URL filter and Twig's escape filter can be bypassed by using a valid URL format plus a newline to escape the href -> the payload would be: `?nextSlide=javascript://comment%250aalert(1)`

```PHP
// composer require "twig/twig"
require 'vendor/autoload.php';

class Template {
    private $twig;

    public function __construct() {
        // The link is placed in an href and only passed through Twig's escape filter
        $indexTemplate = '<a href="{{link|escape}}">Next slide »</a>';

        // Default twig setup, simulate loading
        // index.html file from disk
        $loader = new Twig\Loader\ArrayLoader([
            'index.html' => $indexTemplate
        ]);
        $this->twig = new Twig\Environment($loader);
    }

    public function getNexSlideUrl() {
        $nextSlide = $_GET['nextSlide'];
        // FILTER_VALIDATE_URL only checks the URL syntax, not the scheme
        return filter_var($nextSlide, FILTER_VALIDATE_URL);
    }

    public function render() {
        echo $this->twig->render(
            'index.html',
            ['link' => $this->getNexSlideUrl()]
        );
    }
}

(new Template())->render();
```

## 3) File Inclusion

* File inclusion vulnerability when calling a non-existent class: the autoloader includes the class name as a file path, which can be abused by including ../../../../etc/passwd
* Second bug (works in the newest PHP versions) -> the class name is used for an object instantiation, and the first argument of the constructor can be arbitrarily chosen by the attacker -> PHP's built-in class _SimpleXMLElement_ can be used for an XXE attack to read arbitrary files.
```PHP
// Autoloader: the raw class name is used as an include path
function __autoload($className) {
    include $className;
}

$controllerName = $_GET['c'];
$data = $_GET['d'];

// class_exists() triggers the autoloader; the class name then drives `new`
if (class_exists($controllerName)) {
    $controller = new $controllerName($data['t'], $data['v']);
    $controller->render();
} else {
    echo 'There is no page with this name';
}

class HomeController {
    private $template;
    private $variables;

    public function __construct($template, $variables) {
        $this->template = $template;
        $this->variables = $variables;
    }

    public function render() {
        if ($this->variables['new']) {
            echo 'controller rendering new response';
        } else {
            echo 'controller rendering old response';
        }
    }
}
```
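As an added example (not code from the original cheatsheet), here is a hardened version of the section 3 dispatcher that closes both bugs: the autoloader only maps strictly validated class names inside a fixed directory, and the request parameter selects an allowlist entry instead of naming a class. The helper names, the `controllers/` directory and the PHP 8 constructor syntax are assumptions.

```php
<?php
// Added example, not from the original page: hardened dispatcher for section 3.
// resolveController(), dispatch() and the controllers/ directory are assumptions.

// Autoloader limited to our own controller classes in one fixed directory: the
// class name must match a strict pattern before it becomes a path, so neither
// "../../../../etc/passwd" nor an arbitrary file name can reach require.
spl_autoload_register(function (string $class): void {
    if (!preg_match('/^[A-Z][A-Za-z0-9]*Controller$/', $class)) {
        return;
    }
    $path = __DIR__ . '/controllers/' . $class . '.php';
    if (is_file($path)) {
        require $path;
    }
});

// The request parameter is a key into an allowlist, never a class name, so
// built-in classes such as SimpleXMLElement can never be instantiated from it.
const CONTROLLERS = ['home' => 'HomeController'];

function resolveController(string $requested): ?string
{
    return CONTROLLERS[$requested] ?? null;
}

// Same controller as on the page, defined inline so the example is self-contained
class HomeController
{
    public function __construct(private $template, private $variables) {}

    public function render(): void
    {
        echo !empty($this->variables['new'])
            ? 'controller rendering new response'
            : 'controller rendering old response';
    }
}

function dispatch(array $get): void
{
    $class = resolveController((string) ($get['c'] ?? ''));
    if ($class === null) {
        echo 'There is no page with this name';
        return;
    }
    $data = is_array($get['d'] ?? null) ? $get['d'] : [];
    $controller = new $class($data['t'] ?? null, $data['v'] ?? null);
    $controller->render();
}

dispatch($_GET);
```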