

title: Some Important PHP Vulnerabilities
categories: [cheatsheets]

tags: [security, web]

Example Vulnerabilities

1) Missing Typechecking

Missing type checking in the in_array() call: without strict comparison a file name such as 2backdoor.php compares loosely equal to an integer in the whitelist, so the upload is accepted.

class Challenge {
    // Destination directory for accepted uploads; the file name is appended
    // to it unsanitised (no basename(), no extension check).
    const UPLOAD_DIRECTORY = './solutions/';
    private $file;       // one $_FILES entry; 'name' and 'tmp_name' are read below
    private $whitelist;  // allowed names: the integers 1..24

    public function __construct($file) {
        $this->file = $file;
        $this->whitelist = range(1, 24);
    }

    // Runs when the object is destroyed (at script end for the instance
    // created below), so the upload happens implicitly.
    public function __destruct() {
        // VULNERABLE: in_array() without strict=true uses loose (==) comparison.
        // Under PHP < 8 a leading-numeric name such as "2backdoor.php" compares
        // equal to int 2 and passes the whitelist; the client-controlled name
        // is then written under UPLOAD_DIRECTORY as-is.
        // Mitigation: compare as strings with in_array(..., true) against a
        // whitelist of string values, and validate the name (basename(),
        // allowed extension) before building the target path.
        if (in_array($this->file['name'], $this->whitelist)) {
            move_uploaded_file(
                $this->file['tmp_name'],
                self::UPLOAD_DIRECTORY . $this->file['name']
            );
        }
    }
}

// $_FILES['solution'] is client-controlled ('name' in particular); the move
// itself happens in Challenge::__destruct() when the object goes away.
$challenge = new Challenge($_FILES['solution']);

2) Twig

  • Twig is a PHP Template Engine
  • The code contains an XSS vulnerability

-> The URL filter and Twig's escape filter can be bypassed with a syntactically valid URL containing a newline, which escapes the href check

-> The Payload would be: ?nextSlide=javascript://comment%250aalert(1)

// composer require "twig/twig"
require 'vendor/autoload.php';

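class Template {
    private $twig;

    public function __construct() {
        // 'link' goes through Twig's escape filter (HTML context): that
        // neutralises quotes and angle brackets but does not reject a
        // javascript: scheme inside the href attribute.
        $indexTemplate = '<img ' .
            'src="https://loremflickr.com/320/240">' .
            '<a href="{{link|escape}}">Next slide »</a>';

        // Default twig setup, simulate loading
        // index.html file from disk
        $loader = new Twig\Loader\ArrayLoader([
            'index.html' => $indexTemplate
        ]);
        // Fixed: the listing read "Twignvironment" (the "\E" of the class name
        // had been lost); the Twig class is Twig\Environment.
        $this->twig = new Twig\Environment($loader);
    }

    // Returns the validated nextSlide URL, or false if it is not URL-shaped.
    public function getNexSlideUrl() {
        // VULNERABLE: FILTER_VALIDATE_URL checks syntax only and accepts any
        // scheme, so a javascript: URL passes and reaches the href.
        // Mitigation: parse_url() the value and allow-list the scheme
        // (http/https) before using it in a link.
        $nextSlide = $_GET['nextSlide'];
        return filter_var($nextSlide, FILTER_VALIDATE_URL);
    }

    // Renders index.html with the client-supplied link.
    public function render() {
        echo $this->twig->render(
            'index.html',
            ['link' => $this->getNexSlideUrl()]
        );
    }
}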

// Entry point: renders the page with whatever ?nextSlide= the client sent.
(new Template())->render();

3) File Inclusion

  • File inclusion vulnerability when a non-existent class is referenced: the autoloader includes a user-supplied path, which can be abused to include ../../../../etc/passwd
  • Second bug (also works in the newest PHP versions):

-> The class name is used for object instantiation, and the first constructor argument can be chosen arbitrarily by the attacker

-> PHP's built-in class SimpleXMLElement can be used for an XXE attack to read arbitrary files.

// VULNERABLE: the requested class name is used verbatim as an include path,
// so any readable file (e.g. ../../../../etc/passwd) can be included.
// Note: __autoload() was deprecated in PHP 7.2 and removed in PHP 8.0; use
// spl_autoload_register() with a fixed class-to-file map instead.
function __autoload($className) {
    include $className;
}

$controllerName = $_GET['c'];  // untrusted: selects the class to instantiate
$data = $_GET['d'];            // untrusted: supplies both constructor arguments

// class_exists() autoloads unknown names, which reaches __autoload() above
// (bug 1). For names that do exist, any loaded class -- including built-ins
// such as SimpleXMLElement -- is instantiated with attacker-chosen
// arguments (bug 2).
// Mitigation: resolve $controllerName through a fixed allow-list of
// controller classes instead of instantiating the raw value.
if (class_exists($controllerName)) {
    $controller = new $controllerName($data['t'], $data['v']);
    $controller->render();
} else {
    echo 'There is no page with this name';
}

class HomeController {
    private $template;
    private $variables;

    /**
     * @param mixed $template  stored as given; not read by render()
     * @param mixed $variables array-like; render() reads the 'new' key
     */
    public function __construct($template, $variables) {
        $this->template = $template;
        $this->variables = $variables;
    }

    // Emits one of two fixed messages depending on the truthiness of
    // $variables['new'].
    public function render() {
        $isNew = $this->variables['new'];
        echo $isNew
            ? 'controller rendering new response'
            : 'controller rendering old response';
    }
}