making a security exploit

markg85

Hey,

the title might sound strange.. but it is what i want to do 😛

this is the code i have:

make a file calles test.php and insert the code below:

<?php
    echo $_GET['sec'];
?>

now i expected to see the phpinfo when doing this: test?sec=phpinfo(); but it just displays the name: 'phpinfo();'

do you guys have any idea why this happens? (or is the echo in front of it causing it)
and what are other ways to exploit something like this?

im not asking this to exploit script ans have fun with something mean but im asking because im making the script paFileDB Extreme Edition and im close to releasing beta 1 of it and i want to be sure i did it right with post and get variables.

Thanx in favor.

zingbats

In terms of exploiting it, I can't see any, unless you do an if statement that says

<?
if($sec=="phpinfo();") {
phpinfo();
}
?

As for why it happens, the web browser passes the ASCII code for each symbol for the letter to the script. In fact, it might be the HTTP server that converts it to ASCII.

For example:

<?
echo($_GET['sec']);
?>

and you went to test.php?sec=hello world
You're actually passing test.php?sec=hello%20world

markg85

so you can`t actually exploit it the way i wrote it in my first post? i always thought it could be exploited 😛

zingbats

Not in anyway I can think of, no.

markg85

and if it`s without the echo? so this:

<?php
    $_GET['sec'];
?>

zingbats

Try it and see, if it works, I will be suprised.

MarkR

No, that would not happen unless you used eval (Which is dangerous and should not generally be used, for this reason).

However, an attacker could easily craft a XSS exploit which would allow users of your web site to have their cookies stolen by visiting a malicious third party site.

Mark

markg85

XSS.. how would that be done?
sorry for the questions but i`m kinda new in the exploiting.. (i never try it)

MarkR

It would inject some javascript code which reads document.cookie, then somehow constructs a POST or a GET to another site where they can capture these data.

When one of your users visits the page in good faith, their cookie could then be stolen by the attacker who has control of this other site.

Mark

markg85

like the video here: http://www.milw0rm.com/video/#
titled: "vBulletin XSS Demonstration with Session Hijacking"

or not?