This document discusses various vulnerabilities in PHP coding practices and provides examples of how each vulnerability can be exploited as well as how to fix them. It covers remote file inclusion, local file inclusion, local file disclosure, SQL injection, remote command execution, remote code execution, cross-site scripting, authentication bypass, and cross-site request forgery vulnerabilities. For each vulnerability, it provides a basic PHP code example to demonstrate the issue, how an attacker could exploit it, and recommendations on how to fix the vulnerable code, such as sanitizing user inputs, using prepared statements, and implementing authentication systems. The goal is to help PHP developers write more secure code and avoid common vulnerabilities.
2. Contents
1) About
2) Setup and Configurations
3) Remote File Inclusion
3.0 - Basic example
3.1 - Exploitation
3.2 - How to fix
4) Local File Inclusion
4.0 - Basic example
4.1 - Exploitation
4.2 - How to fix
5) Local File Disclosure/Download
5.0 - Basic example
5.1 - Exploitation
5.2 - How to fix
6) SQL Injection
6.0 - Basic example
6.1 - Exploitation
6.2 - How to fix
7) Remote Command Execution
7.0 - Basic example
7.1 - Exploitation
7.2 - How to fix
8) Remote Code Execution
8.0 - Basic example
8.1 - Exploitation
8.2 - How to fix
9) Cross-Site Scripting
9.0 - Basic example
9.1 - Exploitation
9.2 - How to fix
10) Authentication Bypass
10.0 - Basic example
10.1 - Via login variable
10.2 - Unprotected Admin CP
10.3 - How to fix
11) Cross Site Request Forgery
11.0 - Basic example
11.1 - Exploitation
11.2 - How to fix
4. About
This presentation will cover:
• Finding vulnerabilities in PHP
• Identifying vulnerable code
• Exploiting vulnerable code and compromising a web system
• Fixing that vulnerable code
5. Setup and Configurations
• Install Apache, PHP and MySQL (phpMyAdmin)
- Can be WAMP server for Windows, MAMP server for Mac OS
and LAMP for Linux.
• PHP configuration file (php.ini), deliberately weakened for the demos
(register_globals, magic_quotes_gpc and safe_mode were removed in PHP 5.4, so this
lab needs an older PHP; none of these values belong on a production server):
disable_functions = N/A
register_globals = on
magic_quotes_gpc = off
short_open_tag = on
file_uploads = on
display_errors = on
safe_mode = off
allow_url_include = on
allow_url_fopen = on
6. Remote File Inclusion
• Remote File Inclusion (RFI) allows the attacker to make a vulnerable script include a
custom coded/malicious file hosted on another website or server, so the attacker's code
runs on the target.
• This can lead to
- Code execution on the web server.
- Code execution on the client, such as JavaScript, which can lead to other attacks
such as cross-site scripting (XSS).
- Denial of Service (DoS)
- Data Theft/Manipulation
Basic Example : From rfitest.php
<?php
$page=$_GET['page'];      // untrusted input
include $page;            // reaches include() unvalidated; with allow_url_include=on a URL works here
?>
Exploitation : (Demo)
How To Fix :
• Set allow_url_fopen and allow_url_include to "Off" in php.ini.
• Don't allow special chars in variables. Filter "http", "https", "ftp" and "smb".
7. Local File Inclusion
• Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability, except that
instead of remote files only local files, i.e. files on the current server, can be
included.
Basic Example : From lfitest.php
<?php
$page=$_GET['page'];
include '/pages/'.$page;  // prefix does not stop "../" from leaving /pages/
?>
Exploitation : (Demo)
How To Fix :
• Don't allow special chars in variables: filter the dot ".", "/" and "\" (the directory
traversal characters).
8. Local File Disclosure/Download
• A vulnerability through which an attacker can read the contents of arbitrary files on the server.
• PHP functions that allow reading files:
- file_get_contents() - Reads an entire file into a string
- readfile() - Outputs a file
- file() - Reads an entire file into an array
- fopen() - Opens a file or URL
- show_source() - Alias of highlight_file()
Basic Example : From disclosetest.php
<?php
$page=$_GET['page'];
readfile($page);          // any readable path (e.g. config.php) is sent to the client
?>
Exploitation : (Demo)
How To Fix :
• Don't allow special chars in variables: filter the dot ".", "/" and "\" (the directory
traversal characters).
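Filtering single characters is brittle; the fix that covers rfitest.php, lfitest.php and disclosetest.php at once is to never pass the request value to include() or readfile() and instead map it through an allowlist. The following is an added example, not code from the slides; the ./pages/ directory and the three page names are assumptions.

```php
<?php
// Added example (not from the slides): allowlist-based page loading that
// replaces rfitest.php, lfitest.php and disclosetest.php.
// Assumes includable pages live in ./pages/ (hypothetical directory).
declare(strict_types=1);

// Allowlist: the request value is a key, never a path. "http://...", "../"
// and "%00" are simply not keys, so they never reach include().
$allowed = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested, array $allowed, string $baseDir): ?string
{
    if (!isset($allowed[$requested])) {
        return null;                                   // not in the allowlist
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    // Defence in depth: even a listed file must resolve inside $baseDir
    // (guards against symlinks or a badly edited allowlist).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = $_GET['page'] ?? 'home';
if (!is_string($page)) {            // ?page[]=x would otherwise be an array
    $page = 'home';
}
$file = resolve_page($page, $allowed, __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;                      // or readfile($file) for plain-text content
```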
9. SQL Injection
• SQL injection is a code injection technique, used to attack data driven applications,
in which malicious SQL statements are inserted into an entry field for execution
(e.g. to dump the database contents to the attacker).
Basic Example :
<?php
require('config.php');
$safe=$_GET['id'];                                   // untrusted, used unquoted below
$query="SELECT * FROM tbl_status WHERE id=$safe";    // query text built from user input
$a=mysql_query($query);                              // mysql_* extension, removed in PHP 7
while($row=mysql_fetch_array($a))
{
echo $row['status'];
}
?>
Exploitation : (Demo)
How To Fix :
• Don't allow special chars in variables (for a numeric id, accept digits only).
• For non-numeric variables: filter all special chars used in
SQLi: - , . ( ) ' " _ + / *
• Better: use prepared statements (mysqli or PDO), so data is never concatenated into the query.
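The same tbl_status lookup with a prepared statement, as an added example that is not from the slides; the DSN and credentials are placeholders and the connection is assumed to point at the database config.php uses.

```php
<?php
// Added example (not from the slides): the SQL-injection fix for the
// tbl_status query using a bound parameter instead of string building.
// The DSN/credentials are hypothetical placeholders.
declare(strict_types=1);

$pdo = new PDO('mysql:host=localhost;dbname=phpv;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

function status_by_id(PDO $pdo, int $id): ?string
{
    // The id travels as a bound parameter, never as part of the SQL text,
    // so "1 OR 1=1" or "1 UNION SELECT ..." cannot change the query.
    $stmt = $pdo->prepare('SELECT status FROM tbl_status WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['status'];
}

// Validate the type before it gets anywhere near the database: the id must
// be a positive integer; anything else (missing, "1 OR 1=1", arrays) is a 400.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}

$status = status_by_id($pdo, $id);
// Output encoding as well: the stored status is untrusted data too.
echo $status === null ? 'No such entry' : htmlspecialchars($status, ENT_QUOTES, 'UTF-8');
```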
10. Remote Command Execution
• A remote command execution vulnerability allows a remote attacker to execute
arbitrary commands on the system, potentially with administrator privileges, without
the owner of the targeted site noticing.
Basic Example : (remotetest.php)
<?php
$cmd=$_GET['cmd'];
system($cmd);             // the request value becomes a shell command line
?>
Exploitation : (Demo)
How To Fix :
• Don't pass user input to system(), exec() or similar functions.
• Where a parameter is unavoidable, use escapeshellarg() and escapeshellcmd().
11. Remote Code Execution
• A remote code execution vulnerability allows a remote attacker to execute arbitrary PHP
code on the server of the targeted site.
Basic Example : (codetest.php)
<?php
$code=$_GET['code'];
eval($code);              // the request value is run as PHP
?>
Exploitation : (Demo)
How To Fix :
• Don't allow ";" and the PHP code will be invalid.
• Don't allow any special char like "(" or ")" etc.
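Character filtering for system() and eval() is easy to get wrong; the robust fix for both remotetest.php and codetest.php is to let the user name an action and keep the command or callable fixed on the server. This is an added example, not code from the slides; the action names and the single ping argument are assumptions, and the arrow functions need PHP 7.4+.

```php
<?php
// Added example (not from the slides): replacing system($_GET['cmd']) and
// eval($_GET['code']) with allowlist dispatch. The client picks an action
// name; the server decides which program or function runs. Action names
// and the "ping host" parameter are hypothetical.
declare(strict_types=1);

// Allowed shell actions: fixed program, at most one validated argument.
function run_action(string $action, string $arg): string
{
    switch ($action) {
        case 'uptime':
            return (string) shell_exec('uptime');
        case 'ping':
            // Validate the shape first; escapeshellarg() then quotes whatever
            // survived so it can only ever be a single argument to ping.
            if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $arg)) {
                throw new InvalidArgumentException('bad host');
            }
            return (string) shell_exec('ping -c 1 ' . escapeshellarg($arg));
        default:
            throw new InvalidArgumentException('unknown action');
    }
}

// Instead of eval(): a table of named callables the client may invoke.
$ops = [
    'upper' => fn(string $s): string => strtoupper($s),
    'len'   => fn(string $s): string => (string) strlen($s),
];

$action = $_GET['action'] ?? '';
$arg    = $_GET['arg'] ?? '';
if (!is_string($action) || !is_string($arg)) {
    http_response_code(400);
    exit('bad request');
}
try {
    $out = isset($ops[$action]) ? $ops[$action]($arg) : run_action($action, $arg);
    echo '<pre>' . htmlspecialchars($out, ENT_QUOTES, 'UTF-8') . '</pre>';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```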
12. Cross-site Scripting (XSS)
• Cross-site scripting (XSS) is a vulnerability in which the attacker injects malicious
script into a link or page that appears to come from a trustworthy source.
• There are mainly two types of XSS:
- Non-Persistent (reflected) :
A non-persistent attack requires a user to visit a link specially crafted by the
attacker. When the user visits the link, the crafted code is executed by the user's
browser.
- Persistent (stored) :
In a persistent attack, the code injected by the attacker is stored on the server
(mostly in a database) and served to every visitor of the page. The damage caused by a
persistent attack is greater than that of a non-persistent attack.
Basic Example : (xsstest.php)
<?php
$name=$_GET['name'];
print $name;              // raw user input written into the HTML response
?>
Exploitation : (Demo)
How To Fix :
• Encode output with htmlentities() or htmlspecialchars() (with ENT_QUOTES and the page charset).
• Filter all special chars used for XSS (there are a lot).
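xsstest.php with output encoding chosen per context, as an added example that is not from the slides. It shows the HTML-text and attribute cases that htmlspecialchars() covers and the script-block case where HTML encoding is the wrong tool.

```php
<?php
// Added example (not from the slides): xsstest.php with context-aware
// output encoding. htmlspecialchars() with ENT_QUOTES covers element text
// and attribute values; a value placed inside <script> needs json_encode()
// with the HEX flags instead.
declare(strict_types=1);

function h(string $s): string
{
    // ENT_QUOTES escapes both ' and ", so the value is safe inside single-
    // or double-quoted attributes as well as in element text.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function js(string $s): string
{
    // Produces a JS string literal; the HEX flags encode < > & ' " so that
    // "</script>" or a quote cannot break out of the script block.
    $lit = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $lit === false ? '""' : $lit;   // invalid UTF-8 -> empty string literal
}

$name = $_GET['name'] ?? '';
if (!is_string($name)) {
    $name = '';
}
?>
<p>Hello, <?= h($name) ?></p>
<input type="text" name="name" value="<?= h($name) ?>">
<script>
  var visitor = <?= js($name) ?>;   // always a string literal, never code
</script>
```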
13. Authentication Bypass
• This vulnerability allows an attacker to bypass the authentication system and gain
access to the admin panel.
Basic Example : (bypasstest.php)
<?php
if ($logged==true) {      // $logged is never set here; with register_globals on it comes from the request
echo 'Logged in.'; }
else {
print 'Not logged in.';
}
?>
Exploitation : (Demo)
If we set the value of the $logged variable to 1 (register_globals turns a request
parameter into this variable), the if condition is true and we are logged in.
14. Via Login Variable : (logintest.php)
<?php
if ($login_ok)            // never set by this script: relies on register_globals
{
$_SESSION['loggato'] = true;
echo "<p>Welcome Admin</p>";
echo "<div align='center'><a href='index.php'>Admin Panel</a> |
<a href='admin.php'>Delete|Edit</a> | <a href='install.php'>Install
</a></div>";
}
else{
echo "login failed";
}
?>
Exploitation : (Demo)
If the "login_ok" variable is TRUE ( 1 ) the script set us a SESSION which tells the
script that we are logged in. So lets set the "login_ok" variable to TRUE.
Unprotected Admin CP :
This is hard to believe but some PHP programmers don't protect the admin
control panel : no login, no .htaccess, no nothing. So we simply go to
the admin panel directory and we take the control of the website.
15. How To Fix :
• Login variable bypass : Use a REAL authentication system: store the login state in
the SESSION and verify the login using the SESSION, never a request variable.
• Unprotected Admin CP : Use an authentication system, or use .htaccess to
allow access only from specific IPs, or .htpasswd to request a username and a
password for the admin CP.
◦ Example :
.htaccess (restrict by IP; Apache 2.2 syntax, on Apache 2.4 use "Require ip 127.0.0.1") :
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
.htaccess (require a password from an .htpasswd file) :
AuthUserFile /the/path/.htpasswd
AuthType Basic
AuthName "Admin CP"
Require valid-user
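A session-based replacement for the $logged and $login_ok checks, as an added example that is not from the slides. The users table with password_hash() hashes and the PDO DSN/credentials are assumptions; the point is that "logged in" is derived only from server-side session state.

```php
<?php
// Added example (not from the slides): session-based login replacing the
// $logged / $login_ok checks. Hypothetical: a "users" table holding
// password_hash() hashes and the PDO DSN/credentials below.
declare(strict_types=1);
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=phpv;charset=utf8mb4', 'user', 'pass');

function attempt_login(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($pass, (string) $hash)) {
        return false;                              // unknown user or wrong password
    }
    session_regenerate_id(true);                   // fresh id after the privilege change
    $_SESSION['logged_in'] = true;                 // set only here, server-side
    $_SESSION['user'] = $user;
    return true;
}

function require_login(): void
{
    // The decision reads $_SESSION only. A request parameter such as
    // ?logged_in=1 is never consulted, so there is no variable to "set".
    if (empty($_SESSION['logged_in'])) {
        http_response_code(403);
        exit('Not logged in.');
    }
}

// Login handler (POST from the login form)
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $u = $_POST['username'] ?? '';
    $p = $_POST['password'] ?? '';
    if (!is_string($u) || !is_string($p) || !attempt_login($pdo, $u, $p)) {
        http_response_code(401);
        exit('login failed');
    }
}

// At the top of every admin page (index.php, admin.php, install.php, ...):
require_login();
echo '<p>Welcome Admin</p>';
```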
16. Cross Site Request Forgery
• Cross Site Request Forgery (CSRF) makes a logged-in user's browser send a request the
user did not intend (e.g. by visiting a page that links to the URL below), so the action
runs with that user's privileges.
Basic Example : (csrftest.php)
<?php
if(isset($_GET['news']))
{ unlink($news.'.txt'); }     // no token, no login check; $news itself comes from register_globals
else {
die('File not deleted'); }
?>
Exploitation : (Demo)
• localhost/phpv/csrftest.php?news=file1
How To Fix :
• Use tokens. At each login, generate a random token and save it
in the session. Require the token in the URL (or form) for administrative
actions; if the token is missing or wrong, don't execute the
action.
Example :
<?php
session_start();
// Compare the submitted token with the stored one; the original used "=", an
// assignment, which passes whenever any token exists in the session.
if(isset($_GET['news'], $_GET['token'], $_SESSION['token'])
   && hash_equals($_SESSION['token'], $_GET['token']))
{ unlink(basename($_GET['news']).'.txt'); }   // $_GET, not a register_globals variable; basename() keeps it in this directory
else {
die('Error.'); }
?>
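csrftest.php rebuilt around a per-session token and a POST form, as an added example that is not from the slides. It assumes session_start() runs on every page and that deletable files live in ./news/ (hypothetical directory).

```php
<?php
// Added example (not from the slides): csrftest.php with a per-session token
// generated from a CSPRNG, checked in constant time, and a POST-only action.
// Assumes deletable files live in ./news/ (hypothetical directory).
declare(strict_types=1);
session_start();

function csrf_token(): string
{
    // Generate once per session (e.g. at login) and keep it server-side;
    // the client only ever echoes it back in the form.
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function csrf_check(?string $submitted): bool
{
    // hash_equals() compares in constant time; missing or wrong token fails.
    return $submitted !== null
        && isset($_SESSION['token'])
        && hash_equals($_SESSION['token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // State-changing action: POST only, token required, file name restricted.
    $token = $_POST['token'] ?? null;
    $news  = $_POST['news'] ?? '';
    if (!csrf_check(is_string($token) ? $token : null)) {
        http_response_code(403);
        exit('Bad or missing token.');
    }
    if (!is_string($news) || !preg_match('/^[A-Za-z0-9_-]+$/', $news)) {
        http_response_code(400);
        exit('Bad file name.');
    }
    $path = __DIR__ . '/news/' . $news . '.txt';
    echo (is_file($path) && unlink($path)) ? 'Deleted.' : 'File not deleted';
    exit;
}
?>
<form method="post" action="csrftest.php">
  <input type="hidden" name="token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="news">
  <button type="submit">Delete</button>
</form>
```

A link such as csrftest.php?news=file1 now does nothing: the action is POST-only and the attacker's page cannot read the victim's session token to put it in a form.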
17. End Of Session
Vulnerability In PHP and Safe Coding Practices
By: Sachin Thakuri
Feedback and comments are welcome!