I have the following snippet of code. For the URL QueryString, I am passing in php://input. In the body of the request I am passing in <?php echo "ABC";?>
$image_url=$_GET['URL'];
$data = file_get_contents($image_url);
$new = 'images/TEST.jpg';
$upload = file_put_contents($new, $data);
When I curl the image I get <?php echo "ABC";?>. Why is it just printing the string I passed to it rather than ABC?
This is for a security lab I'm running locally so I'm using it as a PoC for this exploit e.g. https://blog.sucuri.net/2016/10/backdoor-abusing-of-php-tricks.html and https://www.exploit-db.com/papers/45870
I'm aware it won't get executed when viewing the file, but shouldn't the PHP I sent in the body get interpreted and that be placed in a file, so I should be seeing ABC rather than <?php echo "ABC";?>.
Another (better) example: https://www.aptive.co.uk/blog/local-file-inclusion-lfi-testing/
Thanks
CodePudding user response:
A standard configuration of a web server is to execute PHP directives only in files with a .php file extension.
You could configure your web server to execute PHP in files with a .jpg file extension (the specifics depend on which web server you are using) but this would be highly unusual — doubly so because a JPEG image is a binary file and not a text file to start with.
Also note that allowing arbitrary PHP to be accepted as user input and then executed on your server is highly dangerous.
I'm aware it won't get executed when viewing the file but shouldn't the PHP I sent in the body get interpreted?
No. Reading a file into a variable only reads a file into a variable. file_get_contents does not execute PHP directives in user input.
That would also be highly dangerous and PHP isn't that bad.
CodePudding user response:
It's simply because a .jpg isn't a .php file, so by default it won't be executed by the PHP interpreter. Therefore you'll just get the raw content of the file.
(In theory you could configure your webserver to make it pass anything with a .jpg extension to PHP, but I don't recommend it, as it's quite likely to make it more difficult to access actual image files, or at least slow down their processing. I can't think of a sensible use case where what is supposed to be an image format would need to go via the PHP engine.)
Re your update:
shouldn't the PHP I sent in the body get interpreted?
...no. It's being held in a string variable (file_get_contents simply returns the raw content of the file). The PHP interpreter does not evaluate it - in fact, at the time the code is interpreted (i.e. before it's executed) the value doesn't even exist (obviously, because the variable cannot be populated until the code is executed).
If you had written either
$data = file_get_contents($image_url);
exec($data);
or
include($image_url);
then it's very likely the code in the file would be interpreted, incorporated into the main script, and executed. That would be a big vulnerability. You should absolutely never do this with either code provided directly from an external input, or by allowing the external input to specify which code file or snippet should be evaluated or included.
(N.B. The above techniques still wouldn't cause the "ABC" string to be placed into the output file, though. It would cause the code to be executed, and "ABC" to be output as the result of the script directly.)
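For contrast with the snippet in the question, here is an added example (not from the question or either answer) of how the same fetch-and-save step is usually hardened: the URL is restricted to http(s), which rejects php://input and the other stream wrappers, the downloaded bytes are checked to really be an image, and the file name on disk is chosen by the server rather than the client. It assumes the question's $_GET['URL'] parameter and images/ directory; the size limit and the fetchImageSafely name are my own choices.

```php
<?php
// Hardened version of: $data = file_get_contents($_GET['URL']);
//                      file_put_contents('images/TEST.jpg', $data);
function fetchImageSafely(string $url, string $destDir): string
{
    // 1. Accept only http(s). parse_url('php://input') yields scheme "php",
    //    so php://, php://filter, data:, file:, expect: etc. are all refused,
    //    which is what allowed the request body to be written to disk above.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http(s) URLs are accepted');
    }

    // 2. Fetch with a length cap (5 MiB, an assumed limit) so one request
    //    cannot fill the disk. Note this does not by itself stop the server
    //    from being pointed at internal hosts (SSRF); filter $parts['host']
    //    against an allow list if that matters in your deployment.
    $data = file_get_contents($url, false, null, 0, 5 * 1024 * 1024);
    if ($data === false || $data === '') {
        throw new RuntimeException('Download failed');
    }

    // 3. Decide the type from the bytes, not from the name. A body of
    //    "<?php echo "ABC";?>" is text/x-php or text/plain and is rejected.
    $mime    = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("Rejected content type: $mime");
    }
    // getimagesizefromstring() actually decodes the image header, so a file
    // that merely starts with magic bytes but is not a parseable image fails.
    if (getimagesizefromstring($data) === false) {
        throw new RuntimeException('Not a valid image');
    }

    // 4. Server-chosen random name with an extension from the allow list, so
    //    the client cannot influence the stored name or extension at all.
    $path = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $allowed[$mime];
    if (file_put_contents($path, $data, LOCK_EX) === false) {
        throw new RuntimeException('Could not write file');
    }
    return $path;
}

try {
    echo 'Saved to ' . fetchImageSafely($_GET['URL'] ?? '', 'images') . "\n";
} catch (Throwable $e) {
    http_response_code(400);
    echo 'Upload rejected: ' . $e->getMessage() . "\n";
}
```

Even with these checks, keep PHP execution disabled for the images/ directory in the web server configuration, so that a file which somehow does land there is served as data and never run, which is the same default behaviour both answers describe.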