Find the vulnerability /g/!
1 <!DOCTYPE html>
2 <html lang="en">
3
4 <head>
5 <meta charset="utf-8">
6 <title>File search</title>
7 </head>
8
9 <body>
10 <h1>File search</h1>
11
12 <?php
13 $db = new mysqli("127.0.0.1", "file_search", "s34rch1n", "file_search");
14 ?>
15
16 <form method="post" enctype="multipart/form-data">
17 Search <input type="file" name="haystack">
18 for <input type="text" name="needle">
19 <button type="submit">Search!</button>
20 </form>
21
22 <?php
23 if ($_SERVER["REQUEST_METHOD"] === "POST") {
24 if ($_FILES["haystack"]["type"] !== "text/plain") {
25 echo "<strong>The file you uploaded is not a text file.</strong>";
26 } else if ($_FILES["haystack"]["size"] > 50000) {
27 echo "<strong>The file you uploaded is too large.</strong>";
28 } else if ($_POST["needle"] === "") {
29 echo "<strong>You must specify a term to search for.</strong>";
30 } else {
31 echo "<h3>Search results</h3>";
32
33 $results = preg_split("/\r?\n/", `grep {$_POST["needle"]} {$_FILES["haystack"]["tmp_name"]}`);
34 echo "<p>" . count($results) . " search result" . (count($results) === 1 ? "" : "s") . " for <strong>" . htmlspecialchars($_POST["needle"], ENT_QUOTES) . "</strong>:</p>";
35 echo "<ul>";
36 foreach ($results as &$r) {
37 echo "<p>" . htmlspecialchars($r, ENT_QUOTES) . "</p>";
38 }
39 echo "</ul>";
40
41 if ($db && $query = $db->prepare("insert into history (??)")) {
42 if ($query->bind_param("si", $_POST["needle"], count($results))) {
43 $query->execute();
44 }
45 $query->close();
46 mysqli_close($db);
47 }
48 }
49 }
50 ?>
51
52 </body>
53 </html>
