Find the vulnerability /g/! 1 <!DOCTYPE html>

Thread replies: 17
Thread images: 2

Anonymous
2016-03-06 18:51:53 Post No. 53346557
[Report] Image search: [Google]

File: 1453696760964.jpg (295 KB, 1339x1024) Image search: [Google]

Anonymous 2016-03-06 18:51:53 Post No. 53346557 [Report]

Find the vulnerability /g/!

     1    <!DOCTYPE html>
     2    <html lang="en">
     3    
     4        <head>
     5            <meta charset="utf-8">
     6            <title>File search</title>
     7        </head>
     8    
     9        <body>
    10            <h1>File search</h1>
    11            
    12            <?php
    13            $db = new mysqli("127.0.0.1", "file_search", "s34rch1n", "file_search");
    14            ?>
    15            
    16            <form method="post" enctype="multipart/form-data">
    17                Search <input type="file" name="haystack">
    18                for <input type="text" name="needle">
    19                <button type="submit">Search!</button>
    20            </form>
    21            
    22            <?php
    23            if ($_SERVER["REQUEST_METHOD"] === "POST") {            
    24                if ($_FILES["haystack"]["type"] !== "text/plain") {
    25                    echo "<strong>The file you uploaded is not a text file.</strong>";
    26                } else if ($_FILES["haystack"]["size"] > 50000) {
    27                    echo "<strong>The file you uploaded is too large.</strong>";
    28                } else if ($_POST["needle"] === "") {
    29                    echo "<strong>You must specify a term to search for.</strong>";
    30                } else {
    31                    echo "<h3>Search results</h3>";
    32                    
    33                    $results = preg_split("/\r?\n/", `grep {$_POST["needle"]} {$_FILES["haystack"]["tmp_name"]}`);
    34                    echo "<p>" . count($results) . " search result" . (count($results) === 1 ? "" : "s") . " for <strong>" . htmlspecialchars($_POST["needle"], ENT_QUOTES) . "</strong>:</p>";
    35                    echo "<ul>";
    36                    foreach ($results as &$r) {
    37                        echo "<p>" . htmlspecialchars($r, ENT_QUOTES) . "</p>";
    38                    }
    39                    echo "</ul>";
    40                    
    41                    if ($db && $query = $db->prepare("insert into history (??)")) {
    42                        if ($query->bind_param("si", $_POST["needle"], count($results))) {
    43                            $query->execute();
    44                        }
    45                        $query->close();
    46                        mysqli_close($db);
    47                    }
    48                }
    49            }
    50            ?>
    51            
    52        </body>
    53    </html>

>>

Anonymous 2016-03-06 18:58:24 Post No.53346641
[Report]

Anonymous 2016-03-06 18:58:24 Post No.53346641 [Report]

>>53346557
>mixing php and html
>mysql instead of PDO
>grep
disgustion

>>

Anonymous 2016-03-06 19:01:35 Post No.53346691
[Report]

Anonymous 2016-03-06 19:01:35 Post No.53346691 [Report]

>>53346557
>PHP
There is your problem.

>>

Anonymous 2016-03-06 19:02:28 Post No.53346698
[Report]

Anonymous 2016-03-06 19:02:28 Post No.53346698 [Report]

i found the vulnerability. its php

>>

Anonymous 2016-03-06 19:02:52 Post No.53346706
[Report]

Anonymous 2016-03-06 19:02:52 Post No.53346706 [Report]

>>53346641
wtf is wrong with mixing html and php?

>>

Anonymous 2016-03-06 19:05:52 Post No.53346770
[Report]

Anonymous 2016-03-06 19:05:52 Post No.53346770 [Report]

>>53346557

needle: php; rm -rf /* #

>>

Anonymous 2016-03-06 19:06:45 Post No.53346783
[Report]

Anonymous 2016-03-06 19:06:45 Post No.53346783 [Report]

>>53346557

It has something to do with SQL injecting through the text file

also the ? : syntax is cancerous

>>

Anonymous 2016-03-06 19:09:47 Post No.53346822
[Report]

Anonymous 2016-03-06 19:09:47 Post No.53346822 [Report]

>>53346783
Don't think there's an SQL injection since there's no query being formed in the PHP?

>>

Anonymous 2016-03-06 19:35:13 Post No.53347182
[Report]

Anonymous 2016-03-06 19:35:13 Post No.53347182 [Report]

>>53346691
Idiot

>>

Anonymous 2016-03-06 19:36:10 Post No.53347199
[Report]

Anonymous 2016-03-06 19:36:10 Post No.53347199 [Report]

>>53347182
stay mad

>>

Anonymous 2016-03-06 20:27:50 Post No.53347964
[Report]

Anonymous 2016-03-06 20:27:50 Post No.53347964 [Report]

>>53346770
This.

>`grep {$_POST["needle"]} {$_FILES["haystack"]["tmp_name"]}`
The backtick operator (`) is exec(). Without escaping the input, an attacker can execute anything they want on the server.

>>

Anonymous 2016-03-06 21:48:45 Post No.53349205
[Report]

Anonymous 2016-03-06 21:48:45 Post No.53349205 [Report]

it's RCE in backtick operator >>53346770

>>

Anonymous 2016-03-06 21:52:16 Post No.53349259
[Report]

Anonymous 2016-03-06 21:52:16 Post No.53349259 [Report]

>>53346706
http://www.php-fig.org/psr/psr-1/
>1. Overview, point 3

>>

Anonymous 2016-03-06 21:57:24 Post No.53349336
[Report] Image search: [Google]

Anonymous 2016-03-06 21:57:24 Post No.53349336 [Report]

File: 1456904320231.jpg (42 KB, 541x498) Image search: [Google]

42 KB, 541x498

>>53346557
>PHP

>>

Anonymous 2016-03-06 22:14:46 Post No.53349620
[Report]

Anonymous 2016-03-06 22:14:46 Post No.53349620 [Report]

>send one gazillion terabytes file
>server goes down

>>

Anonymous 2016-03-06 22:16:49 Post No.53349655
[Report]

Anonymous 2016-03-06 22:16:49 Post No.53349655 [Report]

>>53346557
>PHP
Found it.

>>

Anonymous 2016-03-06 22:41:15 Post No.53350033
[Report]

Anonymous 2016-03-06 22:41:15 Post No.53350033 [Report]

>>53347964
this