bundyxc Posted August 10, 2009
https://forums.phpfreaks.com/topic/169548-url-injection/

I have the following code:

    $page = "http://example.com/" . $var;

Is there any value that $var could contain that would change the site? I know that it could go up one directory, but is there any way for them to change the site to something like othersite.com?
halfman Posted August 10, 2009

> I have the following code:
>
>     $page = "http://example.com/" . $var;
>
> Is there any value that $var could contain that would change the site? I know that it could go up one directory, but is there any way for them to change the site to something like othersite.com?

Not that I know of, unless someone uploads a file on your server that triggers an action; then yes, it is possible.
BLaZuRE Posted August 10, 2009

Only a period comes to mind at the moment. You can have names such as test.example.com or example.com.ca (for a Canadian website). End your address using '/' since that helps the browser see the end of the domain with its suffix, and start your address with 'http://' so it knows what protocol to use. I'd use mysql_real_escape_string just in case, though (if user input). Also, http://www.example.com/ is better. WWW tells you it's on the world wide web, rather than letting the browser assume that (you could be going to http://secure.example.com/ or http://hello.example.com.uk/). Also, you may need periods for file names, so that's a tricky one.
bundyxc Posted August 10, 2009 (Author)

See, I'm just helping out a friend with a script, and he's determined that what I just did is completely safe and foolproof (because of the forward slash). He uses a fopen() right after that. Any way to exploit that?
chmpdog Posted August 10, 2009

As long as it's not going to a database.
halfman Posted August 10, 2009

I found this for you, hopefully it helps:

A novice hacker could write something in the URL like:

    mypage?somebloodyfile=http://domain2/code.txt

and in the http://domain2/code.txt he/she can have a message showing: Hacked by a bloody hacker.

So what's the solution? Here is how it should be done.

Complicated way to solve:

    ... html header ...
    <?php
    // list of valid pages
    $pages = array("games/index.html", "news/news.html", "games/1.html");

    // requested page name, taken from the query string
    $page = isset($_GET['page']) ? $_GET['page'] : '';

    // check the $page variable against the list of valid pages
    $valid = false;
    for ($i = 0; $i < sizeof($pages) && !$valid; $i++) {
        if ($page == $pages[$i]) {
            $valid = true;
        }
    }

    if ($valid) include($page);
    if (!$valid) include($pages[0]); // include the first page if not valid
    ?>
    ... html footer ...

Alternate but easy way:

    ... html header ...
    <?php
    // requested page name, taken from the query string
    $page = isset($_GET['page']) ? $_GET['page'] : '';

    // strip characters that could be used to leave the pages/ directory
    // or to point the include at a remote URL
    $invalidChars = array("/", ".", "\\", "\"", ";", "http", ":", "!", "*", "&");
    $page = str_replace($invalidChars, "", $page);

    include("pages/" . $page . ".html");
    ?>
    ... html footer ...

Reference: http://zakariarouf.wordpress.com/2007/12/05/url-injection-hacking-website-taking-control-php/
bundyxc Posted August 10, 2009 (Author)

Yeah, I found that... however, I'm trying to make it so that I can change the URL when example.com/ is already hardcoded into the address.
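As an added illustration (not code from the thread or from the linked reference), the PHP script below shows what the concatenation from the first post actually produces for several constructed inputs, and wraps it in an allowlist check in the spirit of halfman's first snippet so that only known page names ever reach fopen(). The base URL, the sample inputs, the allowed page list and the function names are assumptions made for this example.

```php
<?php
// Added example, not part of the thread. Shows what
// "http://example.com/" . $var yields for a few constructed inputs and
// demonstrates validating $var before it is handed to fopen().

// The concatenation from the first post, unchanged.
function build_url($var)
{
    return "http://example.com/" . $var;
}

// Allowlist check: $var must exactly match a known page name
// (strict comparison, so "0" and similar do not slip through).
// Returns the full URL, or null if $var is not allowed.
function page_url_or_null($var, array $allowedPages)
{
    if (!in_array($var, $allowedPages, true)) {
        return null;
    }
    return build_url($var);
}

// Fallback for cases where a fixed allowlist is impractical: restrict $var
// to a plain file-name shape (no slashes, dots other than the extension,
// '?', '#', or '@') and confirm the parsed host is still example.com.
function page_url_if_simple($var)
{
    if (!preg_match('/^[A-Za-z0-9_-]+\.html$/', $var)) {
        return null;
    }
    $url = build_url($var);
    if (parse_url($url, PHP_URL_HOST) !== 'example.com') {
        return null;
    }
    return $url;
}

// Constructed inputs for illustration (assumed values, not from the thread).
$samples = array(
    "news/news.html",       // an intended page
    "../other/page.html",   // goes up a directory, but the host is unchanged
    "@othersite.com/",      // after the trailing slash '@' is just path text
    "page.html?debug=1#x",  // a query string and fragment ride along
);

// Assumed allowlist of page names this script is willing to fetch.
$allowed = array("news/news.html", "games/index.html");

foreach ($samples as $s) {
    $url  = build_url($s);
    $host = parse_url($url, PHP_URL_HOST);
    $path = parse_url($url, PHP_URL_PATH);
    $verdict = (page_url_or_null($s, $allowed) !== null) ? 'allowed' : 'rejected';
    printf("%-22s host=%-12s path=%-22s allowlist: %s\n", $s, $host, $path, $verdict);
}

// Only a URL that passed the check is ever opened.
$safe = page_url_or_null($samples[0], $allowed);
if ($safe !== null) {
    // $fh = fopen($safe, 'r');   // uncomment to actually fetch the page
    echo "would fopen: $safe\n";
}
```

Run it with the PHP CLI. Every sample parses to host example.com, which matches the thread's observation that the hardcoded trailing slash pins the host; what the input can still control is the path (including "../" segments), the query string and the fragment, which is why the allowlist, not the slash, is what decides whether fopen() is called.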