Sam Bowne

Vulnerable PHP Examples

1. Weak Typing

Log In form: Username, Password

Goal: log in as root

The PHP uses this comparison:
md5($p) == '0e199122341212509014562288726851'
You can log in with a password of 240610708 even though its hash is
0e462097431906509019562988736854: both hashes are "0e" followed only by
digits, so the loose == comparison treats them as numeric strings and
both evaluate to zero.

2. Strong Typing

Log In form: Username, Password

You can no longer log in as root

The PHP uses this comparison:
md5($p) === '0e199122341212509014562288726851'
Now a password of 240610708 fails because the === operator does not do
implicit type conversions.

3. Weak Typing Again

Log In form: Username, Password

Goal: log in as root

To hack in, use this URL:[]=x
The PHP uses this comparison:
strcmp($p, $correct) == 0
If $p is an array, the strcmp function fails and returns NULL, but the code continues to execute.
Because of weak typing, NULL == 0 is true and the login succeeds.
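The three login checks from sections 1-3 side by side with a hardened version, as an added example that is not code from the original page; the stored hash literal, the 240610708 password and the array input are the page's, the function names and sample values are assumptions of this demo.

```php
<?php
// Added example (not from the original page): loose checks from
// sections 1-3 beside a hardened check. The hash literal is the page's.

// Stored hash for "root" as the page gives it (a "0e..." magic hash).
const ROOT_MD5 = '0e199122341212509014562288726851';

// Section 1: loose comparison. Both sides are numeric strings of the
// form "0e<digits>", so == compares them as floats and 0 == 0 is true.
// This holds in PHP 8 as well: numeric string vs numeric string is
// still a numeric comparison.
function login_weak($p): bool {
    return md5($p) == ROOT_MD5;
}

// Section 3: strcmp() against a non-string. PHP 5/7 emit a warning and
// return NULL, and NULL == 0 is true. PHP 8 throws TypeError instead,
// which is caught here so the function shows both behaviours.
function login_strcmp($p, string $correct): bool {
    try {
        return @strcmp($p, $correct) == 0;
    } catch (TypeError $e) {
        return false;
    }
}

// Hardened: reject non-strings up front, then compare with
// hash_equals(), which is type-strict and constant-time. For real
// password storage use password_hash()/password_verify() instead.
function login_strict($p): bool {
    if (!is_string($p)) {
        return false;
    }
    return hash_equals(ROOT_MD5, md5($p));
}

// Inputs the page discusses: the magic-hash password and an array
// (what "?p[]=x" produces in $_GET).
$magic = '240610708';
$array = ['x'];

var_dump(login_weak($magic));             // true  (all PHP versions)
var_dump(login_strcmp($array, 'secret')); // true on PHP 5/7, false on 8
var_dump(login_strict($magic));           // false
var_dump(login_strict($array));           // false
```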

4. PHP Handler

View this file:

The PHP code just sits there without executing, because the filename extension is ".txt".

But I put this .htaccess file in the "phpvuln" directory:

AddHandler application/x-httpd-php .php5
That means that every file in that folder with a name containing "php5" will run, like this one:


The "phpfix" directory has this .htaccess file:
<FilesMatch ".+\.php5$">
    SetHandler application/x-httpd-php
</FilesMatch>
Now this file doesn't run:

But this one does:


5. $_REQUEST and Cookies

Click this button to set a cookie containing "isadmin=0":

Now click this URL to override the value set in the cookie:

Note: by default, php.ini doesn't allow Cookies to affect $_REQUEST; I enabled it in php.ini with this code:

; Development Value: "GP"
; Production Value: "GP"
; Note: MODIFIED by SAM 10-23-16 for Cookie PHP Demo
request_order = "CGP"
$_REQUEST is considered dangerous to use. It's better to read $_GET, $_POST, and $_COOKIE directly so the source of each value is explicit.

6. Error Reporting

Item #5 above shows errors, which are informative to developers, but considered a security risk. That's because my php.ini has this setting:
; Default Value: On
; Development Value: On
; Production Value: Off
display_errors = On

7. preg_replace Command Injection

Post a Message:

This form posts messages publicly. To maintain secrecy, any message
starting with "SECRET" is sanitized with this code:

$m = preg_replace('/SECRET(.*)/e', '\\1', $m);

For a good time, post this message:
SECRET ${system(ls)}
The unexpected dangers of preg_replace()


Linux: 25 PHP Security Best Practices For Sys Admins
PHP Security Cheat Sheet
Magic Hashes
Using .htaccess to make all .html pages to run as .php files?

Last modified: 4-15-19