PHP Injection found.. but can I do anything useful?

[tommed]

Been auditing a friend's PHP web site for security holes, and found that he is trusting the querystring and using it in a PHP include line.. The problem is that he appends the include line with ".txt" and I'm not sure if I can actually do anything malicious with this to be worth reporting it to him...

The site basically uses a querystring item to load text from a .txt file, eg:

Code: Select all

http://example.org/info.php?title=foobar

will load the txt file "files/foobar.txt" and display it inside the page.
I can load the robots.txt file into the page like so:

Code: Select all

http://example.org/info.php?title=../robots

I think the include code probably looks something like this:

Code: Select all

include("files/" . $_GET["title"] . ".txt");

Could anything malicious be done here, or am I barking up the wrong tree?

He also has a mailing list form on another page, this is obviously doing an insert SQL operation and I'm guessing it may be suseptable to SQL injection.. what kind of injection could be used within this insert statement that could cause problems for my friend?

[mShred]

Ah just today i was scanning a friend of mine's website and came across something similar. A request that grabs an image and displays it on the screen. Of course i tested it for a RFI vulnerability. I could display an image from my website onto their site. If it was an invalid image, it would output the message "error: getimagesize failed". Well damn, i could only display images. After hours of testing, i finally concluded that i can not do anything with it due to the fact that it only displayed an image (yes i tried malicious image files). But your situation seems a little different.. Try opening files that aren't .txt and see what happens. Try loading a different site. Reply back with further results.

[pretentious]

He also has a mailing list form on another page, this is obviously doing an insert SQL operation and I'm guessing it may be suseptable to SQL injection.. what kind of injection could be used within this insert statement that could cause problems for my friend?

If his query looks like this:
insert into mailingList values('','$email','$name');
you can make the name variable read:
"pretentious'); drop table mailingList; --"
I might have some syntax wrong, but i think the theory is right

[tremor77]

1. The potential exists for directory traversal as you already noticed by loading the ROBOTS.TXT file already, outside the /files directory by using: ?title=../robots

2. The potential may exist to load something other than a text file by adding an extension and closing the query prematurely with an escape string or by adding spaces... consider: ?title=../index.php '

3. You may be able to get a directory listing in a similar fashion to #2 by using something like: ?title= '

It's hard for me to say how you could use the GET method to violate his mailing list form for an SQL injection without getting a good look at site layout and source code, but I think the potential exists. Additionally, depending on the web server's settings, using certain characters in the GET method for URL bar injection may or may not be limited. I know on my web server using ' and " in the url bar tend to get stripped. So that would be a matter of trial and error testing what escape methods you could pass to his code.

[tommed]

Thanks for the ideas and feedback guys/gals!

I can confirm that it is only possible to read .txt files. The include line must be using double quotes or escaping the querystring value first, there is no way of commenting out the .txt suffix that I have found (eg. '); / or whatever). However, it is possible to work on directories anywhere on the server that the Apache user can read.

I have been looking for the usual (TODO.txt, passwords.txt, clients.txt, ftp.txt etc..), but managed to do something slightly less interesting, but will probably be enough for the developer to admit he has a problem:

Code: Select all

showfile.php?title=../../../../../usr/share/doc/zip-2.31/algorith

This displays the file /usr/share/doc/zip-2.31/algorith.txt. I can't think of any really good txt files to try and read for Linux other than documentation in /usr/share, but hopefully this is enough!

@pretencious: I daren't run SQL drop code on my friend's site, but that is exactly the kind of thing I was after; I'm guessing your code snippet would indeed work and delete the entire contents of the mailing list (I wonder if he has a backup??) I will relay this to my friend for his developer to review!

Thanks guys! Keep up the good work!