Is it possible to inject PHP code via URI parameters?

Post by leviya on Tue Jan 16, 2018 5:29 am

I want to learn more about ethical hacking since I'm a web developer and sometimes I get worried about my application's security.

Someone told me once the best way to learn is to try to hack real applications yourself, so I was playing around with an example here on my localhost. It's a really simple application I've built some time ago, and it has a file called api.php that goes like this:

<?php
header('Content-type: application/json;charset=UTF-8');

if (isset($_GET["api"]) and $_GET["api"] !== "") {

    if ($_GET["api"] === "posts") {

        $url = "https://api.third-party.com/posts?q=". rawurlencode($_GET["post_id"]);

    } else if ($_GET["api"] === "users") {

        $url = "https://api.third-party.com/users?q=". $_GET["user_id"];

    } else if ($_GET["api"] === "tags") {

        $url = "https://api.third-party.com/tags?q=". $_GET["tag_id"];

    }

    $json = exec("curl -X GET ".$url);
    echo $json;

}

?>

I was trying to inject some PHP code using URI parameters. Something like this:

http://localhost:8888/test-app/api.php? ... 5;print_r("success");}if(0){die();
My idea was that when my application would read the PHP code with the user_id parameter, it would do something like this:

<?php
header('Content-type: application/json;charset=UTF-8');

if (isset($_GET["api"]) and $_GET["api"] !== "") {

    if ($_GET["api"] === "posts") {

        $url = "https://api.third-party.com/posts?q=". rawurlencode($_GET["post_id"]);

    } else if ($_GET["api"] === "users") {

        $url = "https://api.third-party.com/user?q=". 5;

        print_r("success");

    }

    if(0){

        die();

    } else if ($_GET["api"] === "tags") {

        $url = "https://api.third-party.com/tags?q=". $_GET["tag_id"];

    }

    $json = exec("curl -X GET ".$url);
    echo $json;

}

?>

But it's actually not working. All I get is a blank screen that's probably the result of an empty $json variable echoed.

Is this something possible to do? I also have a form that calls this script via ajax, could try to use it too.
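An added example, not part of the original post and not the poster's code: request parameters reach PHP as string data and are never parsed as PHP source, so the places to review in api.php are where those strings are used, namely the URL and the command line handed to exec(). The sketch below allow-lists the api value, validates and encodes the id in every branch, and quotes the URL as a single shell argument. The names ENDPOINTS, build_url and curl_command are hypothetical, and the rule that ids are short decimal numbers is an assumption.

```php
<?php
// Added example, not the poster's code. Request values arrive as plain strings:
// PHP never parses them as source, so they matter only where the script passes
// them on, here the URL and the shell command built from it.

// Map each allowed "api" value to its endpoint path and its id parameter name.
const ENDPOINTS = [
    'posts' => ['posts', 'post_id'],
    'users' => ['users', 'user_id'],
    'tags'  => ['tags',  'tag_id'],
];

// Returns the upstream URL, or null when the request is not acceptable.
function build_url(array $query): ?string
{
    $api = $query['api'] ?? '';
    if (!is_string($api) || !array_key_exists($api, ENDPOINTS)) {
        return null;                 // unknown api: $url is never left undefined
    }
    [$path, $param] = ENDPOINTS[$api];
    $id = $query[$param] ?? '';
    // Assumption: ids are short decimal numbers; adjust to the real API.
    if (!is_string($id) || !preg_match('/\A[0-9]{1,10}\z/', $id)) {
        return null;
    }
    // Encode in every branch, not only "posts".
    return "https://api.third-party.com/$path?q=" . rawurlencode($id);
}

// Shell command for the same request, with the URL as one quoted argument.
function curl_command(string $url): string
{
    return 'curl -s -X GET ' . escapeshellarg($url);
}

// Constructed sample requests; nothing is sent over the network.
$samples = [
    ['api' => 'users', 'user_id' => '5'],
    ['api' => 'users', 'user_id' => '5;print_r("success");}if(0){die();'],
    ['api' => 'other', 'user_id' => '5'],
];
foreach ($samples as $q) {
    $url = build_url($q);
    $out = $url === null ? 'rejected' : curl_command($url);
    echo json_encode($q), ' => ', $out, PHP_EOL;
}
```

Only the first sample produces a command; the second is rejected by the id pattern and the third by the allow-list.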

