hisoka Posted March 18, 2016

I read this article: http://samar.techgaun.com/2010/09/full-path-disclosure-tutorial.html and I fell in love with it. It is very clear and simple. But what attracts me more is this line:

"Now, lets exploit the $_GET['page'] variable which will look as below:"

http://localhost/index.php?page[]=main

Justsomeguy, my question to you is why the array is injected after the variable. Why is it not injected, for example, after the string, like this:

http://localhost/index.php?page=main[]

Ingolme Posted March 18, 2016

That's the way PHP reads the query string. If you wrote page=main[] then it would assume that $_GET['page'] had the string "main[]". When PHP reads [] next to a query string key it interprets the key as an array; that's just the convention. You can also pass indices in the query string and PHP will pick them up, such as ?page[test]=main, which PHP would interpret as $_GET['page']['test'] = "main".

hisoka Posted March 18, 2016

Very good. So, of course, besides the fact that putting an empty array in front of main is wrong because a value cannot be in the form "string[]", here page is the variable and main is its value, like this: page[main], and therefore the array cannot be attributed to main but rather to page. However, I still cannot understand why, when attributing an empty array to page, the server gets confused and shows an error which can be the user or pass or both, or an error that a hacker can exploit??!!

Edited March 18, 2016 by hisoka

justsomeguy Posted March 18, 2016

The original code creates a variable in $_GET['page'][0] with the value "main", and your line creates a variable in $_GET['page'] with the value "main[]". That's the difference.

> However I still cannot understand why when attributing an empty array to page , the server get confused and show an error which can be the user or pass or both or an error that a hacker can exploit ??!!

I don't know what he's getting at either. Changing the string to an array would only cause an error if he's trying to use string functions with the value and instead an array gets passed. Just doing a basic comparison I don't think will cause an error, but I could be wrong. You could test it.

    ini_set('display_errors', 1);
    error_reporting(E_ALL);
    $test = [];
    echo $test == 'test';

I assume that will be a blank page, not an error message.

hisoka Posted March 18, 2016

It gives an error. I tried something else. First I made two PHP files. One is called macho.php and the other is spencer.php. In macho.php I put a little PHP code like this:

    <?php echo "good"; ?>

then saved it as PHP, and in spencer.php I put this code:

    <?php
    ini_set('display_errors', 1);
    error_reporting(E_ALL);
    $file = 'macho.php';
    include($_GET['file']);
    ?>

then saved it in the same directory as macho.php and ran it like this: localhost/spencer.php?file=macho.php and the result was "good". It is local file inclusion, and macho.php was processed by spencer.php. Now when I did this: localhost/spencer.php?file[]= I got an error:

This error provides a hacker with directories that he is not supposed to see. This is what happens when the code is not secure enough and vulnerable.

Edited March 18, 2016 by hisoka

justsomeguy Posted March 18, 2016

And the only reason it shows those errors is because you are using include with a value from $_GET. If you weren't using include, then that particular error would not show. Both of those errors are errors from using include. Like I said, another way for that to cause an error may be if you try to call a function that expects a string to be passed, but instead it gets an array passed. In that case you might receive a notice about array-to-string conversion. Otherwise, it's generally not going to show an error. The code that I posted in post 4, for example, I would not expect to show an error.

> This is what happens when the code is not secure enough and vulnerable

If you're including files through $_GET then that alone is a major security vulnerability if you're not validating the file that gets included to make sure it's on a whitelist of allowed files. Otherwise you're letting an attacker include any arbitrary file. That's a big problem.

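The whitelist check recommended in the post above, combined with a type check for the array-valued parameter discussed earlier in the thread, as an added example that is not code from any participant. `ALLOWED_PAGES`, `resolve_page()` and the `pages/` directory are hypothetical names; the query strings are constructed samples.

```php
<?php
// Added example: allowlisted include that tolerates array-valued parameters.
// ALLOWED_PAGES, resolve_page() and the pages/ directory are assumptions.

// Production setting: log errors instead of rendering file paths to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Request key => file that may be included. Nothing else is ever included.
const ALLOWED_PAGES = [
    'main'  => 'main.php',
    'about' => 'about.php',
];

/**
 * Map the "page" request parameter to a file from the allowlist.
 * Returns null for anything that is not a known key, including the
 * arrays PHP builds from page[]=... or page[test]=... in the query string.
 */
function resolve_page(array $query, string $baseDir): ?string
{
    $page = $query['page'] ?? 'main';
    if (!is_string($page)) {
        return null; // array input: reject before include or a string function sees it
    }
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null; // unknown key: the user-supplied value never reaches a path
    }
    return $baseDir . '/' . ALLOWED_PAGES[$page];
}

// Constructed query strings, parsed the same way PHP fills $_GET.
$samples = ['page=main', 'page[]=main', 'page[test]=main', 'page=main[]', 'page=macho.php'];
foreach ($samples as $qs) {
    parse_str($qs, $query);
    $target = resolve_page($query, __DIR__ . '/pages');
    printf("%-18s => %s\n", $qs, $target ?? 'rejected');
}

// In a real handler the same function is fed $_GET:
//   $target = resolve_page($_GET, __DIR__ . '/pages');
//   if ($target === null) { http_response_code(404); exit; }
//   include $target;
```

Only `page=main` resolves to a file; the array forms and the unlisted filename are rejected before `include` runs, so no include warning with a filesystem path is generated.
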
hisoka Posted March 18, 2016

Full path disclosure exploit can reveal secret information under some conditions: the site should be vulnerable to local file inclusion, and allow_url_include and allow_url_fopen should be on. It is all about file inclusion exploit.

Edited March 18, 2016 by hisoka

justsomeguy Posted March 18, 2016

Yes, if all of those things are enabled and you're including filenames that you got from user input without validating anything, then your entire server is open to all sorts of vulnerabilities.

hisoka Posted March 19, 2016

"So , of course Besides the fact that putting an empty array in front of main is wrong because a value cannot be in the form "string[]""

Is this true or wrong?

Edited March 19, 2016 by hisoka

Ingolme Posted March 19, 2016

Putting an empty array in the query string is not wrong. The empty square brackets are a shorthand expression meaning "add an element to the end of the array".

hisoka Posted March 21, 2016

Thank you.