Assault on PHP Applications

PHP Vulnerability Exploitation

Author: Aelphaeis Mangarae

Date: June 13th 2009

[Table of Contents]

Paper Introduction
File Inclusion Vulnerabilities
File Upload Vulnerabilities
Disk File Read/Write Vulnerabilities
Command Execution Vulnerabilities
SQL Injection Vulnerabilities
Insecure Cookie Handling
REQUIRED READING
Greetz To

Introduction

"Never increase, beyond what is necessary, the number of words required to explain anything"
William of Ockham (1285-1349)

In this paper I will cover a small array of vulnerabilities that occur in PHP applications. The vulnerabilities shown in this paper, and the exploitation of them, are the most common vulnerabilities that you will find exploits for in the public domain. As some people learn best by example, I use example vulnerable code and show exploitation of vulnerabilities in PHP applications. Real-world examples of vulnerabilities in PHP software are also shown to educate the reader. The server used for demonstration in this paper is a WAMP (Windows, Apache, MySQL, PHP) setup in my small LAN, the specific details of which are listed below. Keep in mind the examples in this paper are just examples intended to teach you the basics and are not necessarily a reflection of real-world exploitation.

Test Server Software:

Operating System: Windows XP x64
Database: MySQL 5.1
Web Server: Apache 2.2.0
PHP Version: 5.1.2


File Inclusion Vulnerabilities

PHP File Inclusion Explained

What Is PHP File Inclusion?

PHP file inclusion is performed by functions that are a part of PHP (such as include() and include_once()) and allows PHP to open other files for reading. In the case of include(), the purpose is to read a file containing PHP code to be interpreted [and output].

An Example of PHP File Inclusion (TorrentTrader 2.04 index.php):