xss - What bad can do following php code?


I need help in understanding XSS on PHP. Which security holes are there in this specific case?

<?php
$test = NULL;
$name = $_REQUEST['name'];   // untrusted request input, reflected unescaped below

if(!$test){
    die("$name cannot be found");   // $name is written into the response as-is
}

?>

EDITED. WHY DOES IT SHOW ME PHPINFO? LINK http://testing985.freeiz.com/

<?php
$test = NULL;
$name = ''.print phpinfo().'';   // phpinfo() runs during this assignment

if(!$test){
    die("$name cannot be found");
}
?>

Answer

Solution:

Enter this and you will see:

{-code-1}

In this example you go to Google. In the real world you would go to a phishing site, which looks exactly like your page.

To sanitize this, you want to remove tags, for example:

$name = strip_tags($name);

Alternatively, there is a more powerful framework available:

http://htmlpurifier.org/
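The following is an added example, not code from the question or the answer. It puts the question's reflected sink next to an output-escaped version using htmlspecialchars(), which encodes for the HTML body context rather than filtering, and runs the answer's strip_tags() suggestion on the same inputs so the difference is visible. The function names and the two input strings are constructed for this illustration.

```php
<?php
// Added example, not code from the original question or answer.
// Compares the reflected sink from the question, the strip_tags() filter the
// answer suggests, and HTML-context output escaping.
// Inputs below are constructed test strings.

declare(strict_types=1);

// Vulnerable: untrusted input is interpolated into the HTML response unchanged,
// so any markup contained in $name is interpreted by the browser.
function render_unsafe(string $name): string
{
    return "$name cannot be found";
}

// The answer's approach: strip_tags() removes tag markup. It is a filter, not an
// encoder, and it drops legitimate text after an unmatched '<' (second input).
function render_stripped(string $name): string
{
    return strip_tags($name) . " cannot be found";
}

// Hardened: encode for the HTML body context before interpolation.
// ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently blank the output.
function render_safe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "$escaped cannot be found";
}

// Constructed inputs: one carrying markup, one ordinary text with an unmatched '<'.
$inputs = [
    '<b>Alice</b>',
    'x<y',
];

foreach ($inputs as $input) {
    echo "input:    $input\n";
    echo "unsafe:   " . render_unsafe($input) . "\n";
    echo "stripped: " . render_stripped($input) . "\n";
    echo "safe:     " . render_safe($input) . "\n\n";
}
```

Run it from the command line with php on the file. The escaped variant keeps the user's text intact while the browser displays it as text; the stripped variant changes the content, which is why encoding at the output point is the usual recommendation for this sink, with a purifier reserved for the case where the page intentionally accepts HTML.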

Also this here:

$name = "''.print phpinfo().''";

will output this:

''.print phpinfo().'' cannot be found

The reason is that ''.print phpinfo().'' is already a string. You would need to eval($name); to get it executed. Better you forget eval immediately.

Also note:

$test = NULL;

if (!$test) {}          // true
if ($test) {}           // false
if ($test === false) {} // false
if ($test === true) {}  // false
if ($test === null) {}  // true

For your edit:

My bad, with the line $name = ''.print phpinfo().'' I meant: if you have a URL like this {-code-11}, which basically stands for $name = "''.print phpinfo().''" instead of $name = ''.print phpinfo().''.

Means:

If I want to enter the code ''.print phpinfo().''; for your $name, I would escape it to {-code-16}.

Now you have this line:

$name = $_REQUEST['name'];

You write the content of the GET var (in this case ''.print phpinfo().'';) as a string into your $name.

So you basically have this line:

$name = "''.print phpinfo().''";

And this will simply output:

''.print phpinfo().''

So why does this line give the phpinfo output?

$name = ''.print phpinfo().'';

It is 3 parts:

  • '' (returns empty String)
  • print phpinfo() (returns 1 from print; the print command does nothing, since phpinfo() returns void; phpinfo() does its job and outputs the information at this point)
  • '' (returns empty String)

So you assign your $name a string chain of Nothing, 1, Nothing. This means $name = '1'. In this assignment, you have already printed the phpinfo().

With this line:

die("$name cannot be found");

You append the text 1 cannot be found to the info output that has already been produced.
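The following added example is not from the original answer. It reproduces the evaluation order the answer describes, with a harmless string in place of phpinfo() so the output can be captured and inspected: the literal assignment runs print during the assignment and stores only print's return value, while the same characters arriving via a request value are plain data. The function names and the request string are constructed for the illustration.

```php
<?php
// Added example, not code from the original answer.
// Substitutes a plain string for phpinfo() so the side effect of
//   $name = ''.print <expr>.'';
// can be captured with output buffering and compared with data from a request.

declare(strict_types=1);

// Same shape as the question's second snippet. print has the lowest precedence
// here, so it consumes 'SIDE EFFECT' . '', writes it out, and returns 1; the
// leading '' . 1 then leaves the string "1" in $name.
function assign_with_print(): array
{
    ob_start();                                  // capture whatever print writes
    $name = '' . print 'SIDE EFFECT' . '';
    $printed = ob_get_clean();
    return ['name' => $name, 'printed' => $printed];
}

// Same characters delivered as data, mirroring $name = $_REQUEST['name'].
// Nothing is evaluated, so nothing is written during the assignment.
function assign_from_request(string $raw): array
{
    ob_start();
    $name = $raw;
    $printed = ob_get_clean();
    return ['name' => $name, 'printed' => $printed];
}

$literal = assign_with_print();
$request = assign_from_request("''.print 'SIDE EFFECT'.''");   // constructed request value

var_dump($literal);   // 'name' holds "1"; 'printed' holds the text print wrote
var_dump($request);   // 'name' holds the raw characters; 'printed' is empty
```

This is the distinction the answer is making: the phpinfo output in the edited snippet comes from code the page author wrote into the script, not from anything in the request, and the subsequent die() only appends its message to output that already exists.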
