Sam Bowne

Vulnerable PHP Examples

1. Weak Typing

Goal: log in as root

The PHP uses this comparison:
md5($p) == '0e199122341212509014562288726851'
You can log in with a password of 240610708 even though its hash is
0e462097431906509019562988736854, because both hashes have the form "0e" followed by digits, so PHP's == operator treats them as numbers in scientific notation, and both evaluate to zero.

2. Strong Typing

You can no longer log in as root

The PHP uses this comparison:
md5($p) === '0e199122341212509014562288726851'
Now a password of 240610708 fails because the === operator does not do
implicit type conversions.

3. Weak Typing Again

Goal: log in as root

To hack in, use this URL:
https://attack.samsclass.info/phpfail3.php?username=root&password[]=x
The PHP uses this comparison:
strcmp($p, $correct) == 0
If $p is an array, the strcmp function fails and returns NULL, but the code continues to execute.
Because of weak typing, NULL == 0 is true and the login succeeds.
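The three comparisons from items 1 to 3, side by side with a check that survives both tricks, as an added example (this is not the demo page's own code). The magic hash and the password 240610708 are the values from item 1; the credential "correct horse" and the function names are constructed for the example. Note that item 3 behaves differently by PHP version: on PHP 5 and 7 strcmp() on an array warns and returns NULL, on PHP 8 it throws a TypeError.

```php
<?php
// Added example, not the demo page's own code. It puts the comparisons from
// items 1-3 beside a check that holds up under PHP's loose comparison rules
// and under array-valued request parameters such as password[]=x.

const MAGIC_MD5 = '0e199122341212509014562288726851';   // the stored hash from item 1

// Item 1: loose comparison. md5('240610708') is '0e462097431906509019562988736854';
// both operands look like "0e<digits>", so == compares them as floats, 0.0 == 0.0.
function login_weak(string $p): bool
{
    return md5($p) == MAGIC_MD5;
}

// Item 2: strict comparison. === compares the strings byte for byte, so two
// different hex digests are no longer "equal".
function login_strict(string $p): bool
{
    return md5($p) === MAGIC_MD5;
}

// Item 3: strcmp() on a non-string. On PHP 5 and 7 it warns and returns NULL,
// and NULL == 0 is true. On PHP 8 it throws a TypeError instead. $p is left
// untyped on purpose so an array can reach the call, as it does from password[]=x.
function login_strcmp($p, string $correct): bool
{
    return @strcmp($p, $correct) == 0;
}

// Hardened check: refuse anything that is not a string before using it, then
// let password_verify() do a strict, constant-time comparison against a
// password_hash() value. No == and no NULL are involved, so neither trick
// applies. If a legacy md5 column cannot be replaced yet,
// hash_equals(MAGIC_MD5, md5($p)) is the strict, constant-time form of item 2.
function login_safe($p, string $storedHash): bool
{
    if (!is_string($p)) {
        return false;
    }
    return password_verify($p, $storedHash);
}

// Walk-through with the values from the demo page and a constructed credential.
var_dump(login_weak('240610708'));     // item 1
var_dump(login_strict('240610708'));   // item 2
try {
    var_dump(login_strcmp(['x'], 'correct horse'));   // item 3, as password[]=x arrives
} catch (TypeError $e) {
    echo "PHP 8 refuses the array: ", $e->getMessage(), "\n";
}

$stored = password_hash('correct horse', PASSWORD_DEFAULT);   // constructed credential
var_dump(login_safe(['x'], $stored));            // array input
var_dump(login_safe('240610708', $stored));      // wrong password
var_dump(login_safe('correct horse', $stored));  // right password
```

Run under PHP 7 it prints true for item 1 and item 3 and false for item 2; under PHP 8 item 3 ends in the catch block instead. login_safe() returns false for the array and for the wrong password and true only for the real one, on every version, because is_string() rejects the array before any comparison runs and password_verify() never uses ==.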

4. PHP Handler

View this file:

https://attack.samsclass.info/phpwned.php5.txt

The PHP code just sits there without executing, because the filename extension is ".txt".

But I put this .htaccess file in the "phpvuln" directory:

AddHandler application/x-httpd-php .php5
That means Apache runs any file in that folder that has ".php5" as one of its extensions, even when another extension follows it, like this one:

https://attack.samsclass.info/phpvuln/phpwned.php5.txt

Fixed

The "phpfix" directory has this .htaccess file:
<FilesMatch ".+\.php5$">
    SetHandler application/x-httpd-php
</FilesMatch>
Now this file doesn't run:

https://attack.samsclass.info/phpfix/phpwned.php5.txt

But this one does:

https://attack.samsclass.info/phpfix/phpwned.php5

5. $_REQUEST

Click this button to set a cookie containing "isadmin=0":

Now click this URL to override the value set in the cookie:

https://attack.samsclass.info/phpfail5.php?isadmin=1

Note: by default, php.ini doesn't allow cookies to affect $_REQUEST; I enabled it in php.ini with this setting:

; Development Value: "GP"
; Production Value: "GP"
; http://php.net/request-order
; Note: MODIFIED by SAM 10-23-16 for Cookie PHP Demo
request_order = "CGP"

$_REQUEST is considered dangerous to use. It's better to use $_GET, $_POST, and $_COOKIE so you know precisely where each value came from.
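How request_order decides which source wins, and why reading $_COOKIE directly is unaffected by it, as an added example (not the demo page's own code). build_request() re-creates the merge PHP performs when it fills $_REQUEST, so the effect of "CGP" can be seen without editing php.ini; the cookie and query-string arrays are constructed to match item 5.

```php
<?php
// Added example, not the demo page's own code. build_request() re-creates what
// request_order does to $_REQUEST: sources are registered left to right and a
// later source overwrites keys already set by an earlier one (array_merge has
// the same rule for string keys).
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split($order) as $letter) {
        $request = array_merge($request, $sources[$letter] ?? []);
    }
    return $request;
}

// Vulnerable: trusts whichever source happened to win the merge.
function is_admin_via_request(array $request): bool
{
    return ($request['isadmin'] ?? '0') === '1';
}

// Fixed: reads the flag from the one source the application meant to use.
// (Even this is client data; a flag that matters belongs in the server-side
// session, not in a cookie the browser can rewrite.)
function is_admin_via_cookie(array $cookie): bool
{
    return ($cookie['isadmin'] ?? '0') === '1';
}

// Constructed request: the button set isadmin=0, the URL adds ?isadmin=1.
$cookie = ['isadmin' => '0'];
$get    = ['isadmin' => '1'];
$post   = [];

foreach (['GP', 'CGP', 'GPC'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("request_order=%-3s  isadmin=%s  via_request=%s  via_cookie=%s\n",
        $order,
        $request['isadmin'] ?? '(unset)',
        is_admin_via_request($request) ? 'yes' : 'no',
        is_admin_via_cookie($cookie) ? 'yes' : 'no');
}
```

With "GP" the cookie never enters $_REQUEST at all and the query string supplies isadmin=1; with "CGP" the cookie is registered first and then overwritten by the query string, which is the override the demo relies on; only "GPC" lets the cookie win. The explicit $_COOKIE read reports isadmin=0 in every case, because it does not depend on the merge order.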

6. Error Reporting

Item #5 above displays PHP error messages, which are informative to developers but are considered a security risk. That's because my php.ini has this setting:

; Default Value: On
; Development Value: On
; Production Value: Off
; http://php.net/display-errors
display_errors = On

7. preg_replace Command Injection

Post a Message:

This form posts messages publicly. To maintain secrecy, any message
starting with "SECRET" is sanitized with this code:

$m = preg_replace('/SECRET(.*)/e', '\\1', $m);

For a good time, post this message:
SECRET ${system(ls)}
The unexpected dangers of preg_replace()
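The same sanitizer written without the /e modifier, as an added example (not the demo page's own code). The /e modifier made preg_replace() evaluate the substituted replacement as PHP, so the poster's text ran as code; it was deprecated in PHP 5.5 and removed in PHP 7.0, where the call only emits a warning and returns NULL. preg_replace_callback() passes the match to a closure instead, so the message is only ever data. The pattern is the one from item 7; the replacement text and the sample messages are constructed.

```php
<?php
// Added example, not the demo page's own code. preg_replace_callback() replaces
// the /e form of item 7: the closure receives the match as an array and returns
// a string, and nothing from the message is evaluated.
function sanitize_message(string $m): string
{
    $out = preg_replace_callback(
        '/SECRET(.*)/',                      // same pattern as the demo, without /e
        function (array $match): string {
            // $match[1] is the text after SECRET. It is handled as plain data;
            // a ${...} or system(...) inside it is just characters.
            return '[redacted: ' . strlen($match[1]) . ' chars]';
        },
        $m
    );
    if ($out === null) {
        // preg_* functions return NULL on a PCRE error (e.g. backtrack limit);
        // fail closed rather than publishing the unsanitized message.
        throw new RuntimeException('sanitizer failed, preg error ' . preg_last_error());
    }
    return $out;
}

// Constructed inputs, including the message the demo page suggests posting.
foreach ([
    'hello world',
    'SECRET ${system(ls)}',
    "status: SECRET plan B\npublic line",
] as $m) {
    echo str_replace("\n", '\n', $m), '  ->  ',
         str_replace("\n", '\n', sanitize_message($m)), "\n";
}
```

The first message is left alone, the second is replaced by the redaction marker without anything being executed, and in the third only the part of the line after SECRET is removed because . does not match a newline. The length in the marker is there only to show the closure saw the captured text; a production version would usually return a fixed string.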

References

Linux: 25 PHP Security Best Practices For Sys Admins
PHP Security Cheat Sheet
Magic Hashes
Using .htaccess to make all .html pages to run as .php files?
GRID USING SETHANDLER TO PROCESS OTHER EXTENSIONS AS PHP
$_REQUEST


Last modified: 4-15-19