full path disclosure tactic


hisoka

I read this article:

http://samar.techgaun.com/2010/09/full-path-disclosure-tutorial.html

and I fell in love with it. It is very clear and simple. But what attracts me more is this line:

"Now, lets exploit the $_GET['page'] variable which will look as below:"

http://localhost/index.php?page[]=main

Justsomeguy, my question to you is why the array is injected after the variable. Why is it not injected, for example, after the string, like this:

http://localhost/index.php?page=main[]


That's the way PHP reads the query string. If you wrote page=main[] then it would assume that $_GET['page'] had the string "main[]".

When PHP reads [] next to a query string key it interprets the key as an array, that's just the convention. You can also pass indices in the query string and PHP will pick them up, such as ?page[test]=main which PHP would interpret as

$_GET['page']['test'] = "main"

Very good. So, of course, besides the fact that putting an empty array in front of main is wrong because a value cannot be in the form "string[]", here page is the variable and main is its value, like this: page[main], and therefore the array cannot be attributed to main but only to page. However, I still cannot understand why, when attributing an empty array to page, the server gets confused and shows an error, which can be the user or pass or both, or an error that a hacker can exploit?!


The original code creates a variable in $_GET['page'][0] with the value "main", and your line creates a variable in $_GET['page'] with the value "main[]". That's the difference.

However, I still cannot understand why, when attributing an empty array to page, the server gets confused and shows an error, which can be the user or pass or both, or an error that a hacker can exploit?!

I don't know what he's getting at either. Changing the string to an array would only cause an error if he's trying to use string functions with the value and instead an array gets passed. Just doing a basic comparison I don't think will cause an error, but I could be wrong. You could test it.

<?php
ini_set('display_errors', 1);
error_reporting(E_ALL);
$test = [];
echo $test == 'test';

I assume that will be a blank page, not an error message.

It gives an error. I tried something else.

First I made two PHP files. One is called macho.php and the other is spencer.php.

In macho.php I put a little PHP code like this:

<?php
echo "good";
?>

then saved it as PHP,

and in spencer.php I put this code:

<?php
ini_set('display_errors', 1);
error_reporting(E_ALL);
$file = 'macho.php';
// includes whatever the file parameter names (no validation)
include($_GET['file']);
?>

then saved it in the same directory as macho.php and ran it like this:

localhost/spencer.php?file=macho.php

and the result was "good". It is local file inclusion, and macho.php was processed by spencer.php.

Now when I did this:

localhost/spencer.php?file[]=

I got an error:

This error provides a hacker with directories that he is not supposed to see. This is what happens when the code is not secure enough and vulnerable.


And the only reason it shows those errors is because you are using include with a value from $_GET. If you weren't using include, then that particular error would not show. Both of those errors are errors from using include. Like I said, another way for that to cause an error may be if you try to call a function that expects a string to be passed, but instead it gets an array passed. In that case you might receive a notice about array-to-string conversion. Otherwise, it's generally not going to show an error. The code that I posted in post 4, for example, I would not expect to show an error.

This is what happens when the code is not secure enough and vulnerable

If you're including files through $_GET then that alone is a major security vulnerability if you're not validating the file that gets included to make sure it's on a whitelist of allowed files. Otherwise you're letting an attacker include any arbitrary file. That's a big problem.
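Added example, not part of the thread: a PHP command-line script that shows how the query strings discussed above are parsed (via parse_str, which follows the same rules as $_GET) and how a type check plus an allowlist keeps an array or an unlisted name from ever reaching include. The names ALLOWED_PAGES and resolve_page and the 'macho' key are hypothetical; macho.php is the file from the post above.

```php
<?php
// Added example, not code from the thread: a hardened take on spencer.php.
// Errors go to the log, never into the response, so paths are not disclosed.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Hypothetical allowlist: public key => file on disk (macho.php is from the thread).
const ALLOWED_PAGES = [
    'macho' => 'macho.php',
];

/**
 * Map a parsed query to an allowlisted file, or null if it must be rejected.
 * User input is only ever used as a lookup key, never as a path.
 */
function resolve_page(array $query): ?string
{
    $key = $query['file'] ?? null;
    // ?file[]= and ?file[test]=x arrive as arrays; accept strings only.
    if (!is_string($key)) {
        return null;
    }
    // Unknown names (other files, paths, URLs) are not in the map.
    return ALLOWED_PAGES[$key] ?? null;
}

// Constructed sample query strings; parse_str() applies the $_GET parsing rules.
$samples = ['file=macho', 'file[]=', 'file=macho[]', 'file[test]=macho', 'file=spencer.php'];
foreach ($samples as $qs) {
    parse_str($qs, $query);
    $target = resolve_page($query);
    // A real script would do: include __DIR__ . '/' . $target; or send a 404.
    printf("%-18s parsed as %-18s => %s\n", $qs, json_encode($query['file']), $target ?? 'rejected');
}
```

Run it with the php command-line binary; in a web script the same function would be called with $_GET instead of the parsed samples.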

A full path disclosure exploit can reveal secret information under some conditions:

The site should be vulnerable to local file inclusion, and allow_url_include and allow_url_fopen should be on. It is all about the file inclusion exploit.


Putting an empty array in the query string is not wrong. The empty square brackets are a shorthand expression meaning "add an element to the end of the array".
