PHP GET variable array injection

I've recently learned that it's possible to inject arrays into PHP GET variables to perform code execution?

.php?a[]=asd&a[]=asdasd&b[]=$a

That was the example I was given. I have no idea how it works and was wondering if this is even possible?

dave asked Dec 11 '09 05:12


3 Answers

PHP will parse the query string, and inject those values in the $_GET super-global array (same for $_POST if this was done in a form using POST, btw).

In your case, the $_GET array will contain this:

array
  'a' => 
    array
      0 => string 'asd' (length=3)
      1 => string 'asdasd' (length=6)
  'b' => 
    array
      0 => string '$a' (length=2)

Each value passed in the query string will be put by PHP in the $_GET array, creating sub-arrays if necessary, when there are [] used in the query string.

But this doesn't cause any kind of "code execution": as long as you deal with input properly (i.e. don't trust the input and use eval on it, or any kind of bad idea like this), there is no risk of code-injection.

Pascal MARTIN answered Sep 23 '22 14:09


If you are not sure how to get secure, the least you can do is to filter the $_GET array. Here is the function:

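// Recursively strips characters outside a-zA-Z0-9_.-&= from every value.
// Array keys are left unchanged.
function filter_url($url)
{
  if (is_array($url))
  {
    foreach ($url as $key => $value)
    {
      // recursion: filter nested arrays element by element
      $url[$key] = filter_url($value);
    }
    return $url;
  }
  else
  {
    // remove everything except for a-zA-Z0-9_.-&=
    $url = preg_replace('/[^a-zA-Z0-9_\.\-&=]/', '', $url);
    return $url;
  }
}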

Now you can filter the $_GET like this:

$_GET = filter_url($_GET);

This will essentially clean up your $_GET array from suspicious characters such as [ ].

Thanks

Sarfraz answered Sep 23 '22 14:09


The above does not strictly allow code execution, but it may alter the control flow of your existing code if it does not take into account the fact that the data may be an array.

The reason the above works is that PHP interprets variables ending in [] as arrays. So if you provide multiple GET variables with the same name ending in [], PHP creates an array containing all the values.

Jani Hartikainen answered Sep 21 '22 14:09
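
The answers above agree that the query string from the question only changes the type of $_GET['a'] and $_GET['b'] from string to array, so handling code has to check the type it receives. The following is an added example, not code from any of the answers: the helper names `get_string_param` and `get_string_list_param`, their length and item limits, and the extra `page` parameter are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answers; helper names and limits are hypothetical.

/** Return a parameter only if it arrived as one string, else null. */
function get_string_param(array $query, string $name, int $maxLen = 256): ?string
{
    $value = $query[$name] ?? null;
    // name[]=x or name[k]=x makes PHP build an array here; reject it.
    if (!is_string($value) || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

/** Return a parameter only if it arrived as a flat list of strings, else null. */
function get_string_list_param(array $query, string $name, int $maxItems = 20): ?array
{
    $value = $query[$name] ?? null;
    if (!is_array($value) || count($value) > $maxItems) {
        return null;
    }
    foreach ($value as $item) {
        if (!is_string($item)) { // nested input such as name[][]=x
            return null;
        }
    }
    return array_values($value);
}

// Constructed input: the query string from the question plus a scalar "page"
// parameter, parsed with parse_str(), which follows the same rules PHP uses
// to fill $_GET.
parse_str('a[]=asd&a[]=asdasd&b[]=$a&page=2', $query);

var_dump(get_string_param($query, 'a'));         // 'a' was sent as an array
var_dump(get_string_param($query, 'page'));      // 'page' was sent as a scalar
var_dump(get_string_list_param($query, 'a'));    // 'a' read as a list on purpose
var_dump(get_string_list_param($query, 'page')); // scalar where a list is required
```

In an application, pass $_GET (or $_POST) as the first argument and treat a null return as a rejected request parameter.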