Tags: php, code-injection

Is it possible to inject PHP code via URI parameters?


I want to learn more about (ethical) hacking since I'm a web developer and sometimes I get worried about my application's security.

Someone told me once that the best way to learn is to try to hack real applications yourself, so I was playing around with an example here on my localhost. It's a really simple application I built some time ago, and it has a file called api.php that goes like this:

<?php
header('Content-type: application/json;charset=UTF-8');

if (isset($_GET["api"]) and $_GET["api"] !== "") {

  if ($_GET["api"] === "posts") {

    $url = "https://api.third-party.com/posts?q=". rawurlencode($_GET["post_id"]);

  } else if ($_GET["api"] === "users") {

    $url = "https://api.third-party.com/users?q=". $_GET["user_id"];

  } else if ($_GET["api"] === "tags") {

    $url = "https://api.third-party.com/tags?q=". $_GET["tag_id"];

  }

  $json = exec("curl -X GET ".$url);
  echo $json;

}

?>

I was trying to inject some PHP code using URI parameters. Something like this:

http://localhost:8888/test-app/api.php?api=users&user_id=5;print_r("success");}if(0){die();

My idea was that when my application read the PHP code passed in the user_id parameter, it would do something like this:

<?php
header('Content-type: application/json;charset=UTF-8');

if (isset($_GET["api"]) and $_GET["api"] !== "") {

  if ($_GET["api"] === "posts") {

    $url = "https://api.third-party.com/posts?q=". rawurlencode($_GET["post_id"]);

  } else if ($_GET["api"] === "users") {

    $url = "https://api.third-party.com/users?q=". 5;

    print_r("success");

  }

  if(0){

    die();

  } else if ($_GET["api"] === "tags") {

    $url = "https://api.third-party.com/tags?q=". $_GET["tag_id"];

  }

  $json = exec("curl -X GET ".$url);
  echo $json;

}

?>

But it's actually not working. All I get is a blank screen, which is probably the result of an empty $json variable being echoed.

Is this possible to do? I also have a form that calls this script via AJAX; I could try to use that too.


Solution

    exec("curl -X GET ".$url);

  is executing a command, not running PHP. Your shell most likely does not have a print_r command. You could do something like:

    http://localhost:8888/test-app/api.php?api=tags&tags=echo%20%22%3C?php%20print_r(\%22success\%22);%20?%3E%22%20|%20php

  which would let you run

    echo "<?php print_r(\"success\"); ?>" | php
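A hardened version of api.php, as an added example (not code from the question or the answer): it allowlists the api value, requires the id to be digits only, and fetches with the curl extension so no shell command line is ever built from user input. The hostname is the one from the question; PHP 7.1+ and the curl extension are assumed.

```php
<?php
// Added example (not from the question or the answer): a hardened api.php.
header('Content-type: application/json;charset=UTF-8');

// Allowlist: which ?api= value maps to which upstream path and id parameter.
const ENDPOINTS = [
    'posts' => ['path' => '/posts', 'param' => 'post_id'],
    'users' => ['path' => '/users', 'param' => 'user_id'],
    'tags'  => ['path' => '/tags',  'param' => 'tag_id'],
];

// Build the upstream URL, or return null if the request is not well formed.
// The id must be a plain decimal string, so no shell or URL metacharacters
// can reach the upstream request at all.
function build_upstream_url(array $query): ?string
{
    $api = $query['api'] ?? '';
    if (!is_string($api) || !isset(ENDPOINTS[$api])) {
        return null;
    }
    $id = $query[ENDPOINTS[$api]['param']] ?? '';
    if (!is_string($id) || !ctype_digit($id)) {
        return null;
    }
    // http_build_query percent-encodes the value, so even a looser id rule
    // could not smuggle extra query parameters upstream.
    return 'https://api.third-party.com' . ENDPOINTS[$api]['path']
         . '?' . http_build_query(['q' => $id]);
}

$url = build_upstream_url($_GET);
if ($url === null) {
    http_response_code(400);
    echo json_encode(['error' => 'bad request']);
    exit;
}

// Fetch with the curl extension instead of exec(): no shell is involved, so
// there is no command line for user input to break out of.
$ch = curl_init($url);
curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10]);
$json = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
curl_close($ch);

if ($json === false || $status !== 200) {
    http_response_code(502);
    echo json_encode(['error' => 'upstream failure']);
    exit;
}
echo $json;
```

With this version the payload from the question is rejected with a 400 before any request is made, because `5;print_r("success");}if(0){die();` is not a digit string.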