I am building a site that is intentionally vulnerable to LFI exploits for teaching purposes (similar to Natas). Here is my code:
File being run through CLI (/etc/flags/challenge):
<?php
//This file must be located at /etc/flags/challenge
require_once('/var/www/html/class.sqlite.php');
require_once('/var/www/html/inc.func.php');
$dbuser = base64_decode($_COOKIE['loggedin']);
$sqlite = new sqlite("/var/www/html/db/$dbuser/challenge.db");
$flag = $sqlite->getflag($dbuser);
echo "The flag is $flag";
?>
Main file:
<html>
<head>
<title>Challenge</title>
</head>
<body>
Home About
<br>
<?php
if (array_key_exists('file', $_GET)) {
$shell = shell_exec('php ' . $_GET['file']);
echo $shell;
}
?>
<!--The flag is located at /etc/flags/challenge-->
</body>
</html>
Currently, /etc/flags/challenge is not able to access the loggedin cookie. What is the best way to allow the /etc/flags/challenge to access that cookie?
You could read the cookie in the main script and then pass it as a command-line argument:
In the main file:
Add $cookie = $_COOKIE['loggedin'];, and change $shell = ... to $shell = shell_exec('php ' . $_GET['file'] . ' ' . $cookie);
In the CLI file:
Add $cookie = $argv[1];
Read this for more info on command line arguments in PHP
Related
I have the following html page
<?php session_start(); ?>
<html>
<body>
<?php
echo '<!-- cookies -->';
foreach($_COOKIE as $k => $v) {
echo '<!-- ' . $k . '=>' . $v . ' -->';
}
?>
</body>
</html>
which yields the following page source when I view the page with https://daley.ws/file1.php
<html>
<body>
<!-- cookies --><!-- PHPSESSID=>22u20jsi288vtk5epser56d2bn7leb6n --></body>
</html>
the following python code is run on my mac:
#!/Library/Frameworks/Python.framework/Versions/3.8/bin/python3
import urllib.request
REQ_HOST = "daley.ws"
DALEY_WS = 'https://daley.ws'
DALEY_WS_FILE1 = '{}/file1.php'.format(DALEY_WS)
DALEY_WS_FILE2 = '{}/file2.php'.format(DALEY_WS)
if __name__ == "__main__":
print(DALEY_WS_FILE1)
req = urllib.request.Request(DALEY_WS_FILE1,\
unverifiable=True, origin_req_host=REQ_HOST,\
method='POST')
with urllib.request.urlopen(req) as response:
data = response.read().decode()
print('data: {}'.format(data))
and produces the following output:
https://daley.ws/file1.php
data: <html>
<body>
<!-- cookies --></body>
</html>
why is the PHPSESSID cookie not present? and how do I fix the python code so that the page produces the proper output.
There is no issue with the Python code.
When you load the page the first time in the browser, the cookie is not in the source code. But when you refresh it (the second request, but with Cookie:) it is in the source code.
It's not present in HTML, because the PHP session cookie is NOT in $_COOKIE, unless you send the cookie in the first place with HTTP header Cookie:. Try session_id() in PHP or response.getheader("Set-Cookie") in Python to get the current session cookie.
I'm making an application to remove additive or commonly called Stemming confix stripping. I wanted to make a loop to process stemming in each text file. process stemming I've put them in the loop. making the process the content of each document also I put in a text file. when I run in the browser no error but only the note NULL. what's the solution? I attach my program and program results`it is code
<?php
require_once __DIR__ . '/vendor/autoload.php';
$array_sentence = glob('../../ujicoba/simpantoken/*.txt');
settype($array_sentence, "string");
if(is_array($array_sentence) && is_object($array_sentence))
{
foreach ($array_sentence as $text)
{
$textnormalizer = new src\Sastrawi\Stemmer\Filter\TextNormalizer();
$stemmerFactory = new \Sastrawi\Stemmer\StemmerFactory();
$stemmer = $stemmerFactory->createStemmer();
$content = file_get_contents($text);
$stemmer = $stemmerFactory->createStemmer();
$output = $stemmer->stem(array($content));
echo $output . "\n";
}
}
var_dump($content);
?>
<!DOCTYPE html>
<html>
<head>
<title>Confix Stripping Stemmer</title>
</head>
<body>
</body>
</html>
my source code result in browser when running programenter code here
On l.4, settype($array_sentence, "string"); force $array_sentence as a string, which means is_array($array_sentence) && is_object($array_sentence) will return false.
The following code works for stemming:
<?php
include('stopword.php');
$regexRules = array(
'/^be(.*)lah$/',
'/^be(.*)an$/',
'/^me(.*)i$/',
'/^di(.*)i$/',
'/^pe(.*)i$/',
'/^ter(.*)i$/',
'/^di(.*)kan$/',
'/^di(.*)nya$/',
'/^di(.*)kannya$/',
'/^mem(.*)pe$/',
'/^meng(.*)g$/',
'/^meng(.*)h$/',
'/^meng(.*)q$/',
'/^meng(.*)k$/',
'/^mem(.*)kan$/',
'/^diper(.*)i$/',
'/^di(.*)i$/',
'/^memper(.*)kan$/',
'/^meny(.*)i$/',
'/^meny(.*)kan$/',
'/^men(.*)kan$/',
'/^me(.*)kan$/',
'/^meng(.*)nya$/',
'/^memper(.*)i$/',
'/^men(.*)i$/',
'/^meng(.*)i$/',
'/^ber(.*)nya$/',
'/^ber(.*)an$/',
'/^ke(.*)an$/',
'/^ke(.*)annya$/',
'/^peng(.*)an$/',
'/^peny(.*)an$/',
'/^per(.*)an$/',
'/^pen(.*)an$/',
'/^pe(.*)an$/',
'/^ber(.*)$/',
'/^di(.*)$/',
'/^men(.*)$/',
'/^meng(.*)$/',
'/^meny(.*)$/',
'/^mem(.*)$/',
'/^pen(.*)$/',
'/^peng(.*)$/',
'/^ter(.*)$/',
'/^mem(.*)$/',
'/^(.*)nya$/',
'/^(.*)lah$/',
'/^(.*)pun$/',
'/^(.*)kah$/',
'/^(.*)mu$/',
'/^(.*)an$/',
'/^(.*)kan$/',
'/^(.*)i$/',
'/^(.*)ku$/',
);
global $regexRules;
$file_string = glob('yourfoldertoseavedata_text/*.txt');
$string = array('(.*)');
foreach ($file_string as $data)
{
$string[] = file_get_contents($data);
$stemming = str_ireplace($regexRules,"", $string);
var_dump($stemming);
}
?>
Link to my project:
http://www.mediafire.com/download/1ebozib6qdq2obd/Delivery4All.rar
Basically when i try to open displaymenus.php my php code doesn't get executed but my html code gets
I have xampp for windows but i don't think the problem is in the xampp but in my code
Code for displaymenus.php:
hello
<?php
require 'controllers/menucontroller.php';
$menuController = new menucontroller();
if(!empty($_POST['types']))
{
$menuTables = $menuController->createmenutables($_POST['types']);
}else{
$menuTables = $menuController->createmenutables('^');
}
$content = $menuController->createtypedropdown() . $menuTables;
$title = 'Deliver4All';
include_once 'template.php';
?>
Why does file_get_contents not work for me? In the test file code below, it seems that everyone's examples that I've searched for all have this function listed, but it never gets executed. Is this a problem with the web hosting service? Can someone test this code on their server just to see if the geocoding array output actually gets printed out as a string? Of course, I am trying to assign the output to a variable, but there is no output here in this test file....
<html>
<head>
<title>Test File</title>
<script type="text/javascript" src="http://maps.google.com/maps/api/js?sensor=false">
</script>
</head>
<body>
<?
$adr = 'Sydney+NSW';
echo $adr;
$url = "http://maps.googleapis.com/maps/api/geocode/json?address=$adr&sensor=false";
echo '<p>'.$url.'</p>';
echo file_get_contents($url);
print '<p>'.file_get_contents($url).'</p>';
$jsonData = file_get_contents($url);
echo $jsonData;
?>
</body>
</html>
Check file_get_contents PHP Manual return value. If the value is FALSE then it could not read the file. If the value is NULL then the function itself is disabled.
To learn more what might gone wrong with the file_get_contents operation you must enable error reporting and the display of errors to actually read them.
# Enable Error Reporting and Display:
error_reporting(~0);
ini_set('display_errors', 1);
You can get more details about the why the call is failing by checking the INI values on your server. One value the directly effects the file_get_contents function is allow_url_fopen. You can do this by running the following code. You should note, that if it reports that fopen is not allowed, then you'll have to ask your provider to change this setting on your server in order for any code that require this function to work with URLs.
<html>
<head>
<title>Test File</title>
<script type="text/javascript" src="http://maps.google.com/maps/api/js?sensor=false">
</script>
</head>
<body>
<?php
# Enable Error Reporting and Display:
error_reporting(~0);
ini_set('display_errors', 1);
$adr = 'Sydney+NSW';
echo $adr;
$url = "http://maps.googleapis.com/maps/api/geocode/json?address=$adr&sensor=false";
echo '<p>', $url, '</p>';
$jsonData = file_get_contents($url);
echo '<pre>', htmlspecialchars(substr($jsonData, 128)), sprintf(' ... (%d)', strlen((string)$jsonData)), '</pre>';
# Output information about allow_url_fopen:
if (ini_get('allow_url_fopen') == 1) {
echo '<p style="color: #0A0;">fopen is allowed on this host.</p>';
} else {
echo '<p style="color: #A00;">fopen is not allowed on this host.</p>';
}
# Decide what to do based on return value:
if ($jsonData === FALSE) {
echo "Failed to open the URL ", htmlspecialchars($url);
} elseif ($jsonData === NULL) {
echo "Function is disabled.";
} else {
echo '<pre>', htmlspecialchars($jsonData), '</pre>';
}
?>
</body>
</html>
If all of this fails, it might be due to the use of short open tags, <?. The example code in this answer has been therefore changed to make use of <?php to work correctly as this is guaranteed to work on in all version of PHP, no matter what configuration options are set. To do so for your own script, just replace <? or <?php.
If PHP's allow_url_fopen ini directive is set to true, and if curl doesn't work either (see this answer for an example of how to use it instead of file_get_contents), then the problem could be that your server has a firewall preventing scripts from getting the contents of arbitrary urls (which could potentially allow malicious code to fetch things).
I had this problem, and found that the solution for me was to edit the firewall settings to explicitly allow requests to the domain (or IP address) in question.
If it is a local file, you have to wrap it in htmlspecialchars like so:
$myfile = htmlspecialchars(file_get_contents($file_name));
Then it works
Wrap your $adr in urlencode().
I was having this problem and this solved it for me.
//JUST ADD urlencode();
$url = urlencode("http://maps.googleapis.com/maps/api/geocode/json?address=$adr&sensor=false");
<html>
<head>
<title>Test File</title>
<script type="text/javascript" src="http://maps.google.com/maps/api/js?sensor=false">
</script>
</head>
<body>
<?php
$adr = 'Sydney+NSW';
echo $adr;
$url = "http://maps.googleapis.com/maps/api/geocode/json?address=$adr&sensor=false";
echo '<p>'.$url.'</p>';
echo file_get_contents($url);
print '<p>'.file_get_contents($url).'</p>';
$jsonData = file_get_contents($url);
echo $jsonData;
?>
</body>
</html>
The error may be that you need to change the permission of folder and file which you are going to access. If like GoDaddy service you can access the file and change the permission or by ssh use the command like:
sudo chmod 775 file.jpeg
and then you can access if the above mentioned problems are not your case.
I read several similar posts but I don't see my fault.
index.php looks like:
<head>
<title>Demo Title</title>
</head>
<body>
<?php
require_once "footer.php";
?>
</body>
footer.php looks like:
<?php
/*
* _$ Rev. : 08 Sep 2010 14:52:26 $_
* footer.php
*/
$host = $_SERVER['SERVER_NAME'];
$param = $_SERVER ['REQUEST_URI'];
$url = "http://".$host.$param;
echo $url;
$file = # fopen($_SERVER[$url],"r") or die ("Can't open HTTP_REFERER.");
$text = fread($file,16384);
if (preg_match('/<title>(.*?)<\/title>/is',$text,$found)) {
$title = $found[1];
} else {
$title = " -- no title found -- ";
}
?>
A request for the URL http://127.0.0.1/test/index.php results in:
http://127.0.0.1/test/index.phpCan't open HTTP_REFERER.
or for http://127.0.0.1/test/
http://127.0.0.1/test/Can't open HTTP_REFERER.
Any hints appreciated.
$_SERVER is an array which contains a bunch of fields relating to the server config. It does not contain an element named "http://".$host.$param, so trying to open that as a filename will result in the fopen call failing, and thus going to the die() statement.
More likely what you wanted to do was just open the file called "http://".$host.$param. If that's what you want, then just drop the $_SERVER[] bit and it should work better.
Note that because it's a URL, you will need your PHP config to allow opening of remote files using fopen(). PHP isn't always configured this way by default as it can be a security risk. Your dev machine may also be configured differently to the system you will eventually deploy to. If you find you can't open a remote URL using fopen(), there are alternatives such as using CURL, but they're not quite as straightforward as a simple fopen() call.
Also, if you're reading the whole file, you may want to consider file_get_contents() rather than fopen() and fread(), as it replaces the whole thing into a single function call.
try this:
$file = # fopen($url,"r") or die ("Can't open HTTP_REFERER.");
Try
<?php
$dom = new DOMDocument();
$host = $_SERVER['SERVER_NAME'];
$param = $_SERVER ['REQUEST_URI'];
$url = "http://".$host.$param;
echo 'getting title for page: "' . $url . '"';
$dom->loadHTML($url);
$dom->getElementsByTagName('title');
if ($dom->length)
{
$title = $dom->item(0);
echo $title;
}
else
{
echo 'title tag not found';
}
?>
I can see your trying to track the referral's title
You need to use $_SERVER['HTTP_REFERER']; to get that
what you want to do is something like this
$referrer = (!empty($_SERVER['HTTP_REFERER']) && !substr($_SERVER['SERVER_NAME']) ? $_SERVER['HTTP_REFERER'] : false);
if($referrer)
{
try
{
if(false !== ($resource = fopen($referrer,"r")))
{
$contents = '';
while($contents .= fread($resource,128))
{}
if(preg_match('/<title>(.*?)<\/title>/is',$contents,$found))
{
echo 'Referrer: ' $found[1];
}
}
}catch(Exception $e){}
}