
Can this code be exploited?

Hi,

I have this code:

[code=php]// Deletes DIR/_<id>.ext; the id comes straight from the request, unvalidated
if (@unlink(DIR . '_' . $_REQUEST['id'] . '.ext'))
{
    //blablabla
}[/code]

Can it be exploited in any way, and if yes, what would be an example of exploiting it?

Thanks in advance,

ayvegh

PHP

7 Comments(s)

@ratcateme, Oct 16, 2008 — I can't see how I could change the directory unless the folder the script is in has a folder in it that starts with an _. Otherwise it breaks almost every good coding practice related to unlink().

You should validate it first; check for slashes and stuff.

Probably best to make it so the user can't enter the file for deletion but get that info from a database, so no user input is in your unlink command, or if it is, it is heavily screened before you put it in.

Scott.
@ayvegh (author), Oct 16, 2008 — I know it breaks all the rules, but I'm trying to give an example of exploiting via that example (!) and I need a case example.

(What I mean to say is that I need an example of a query string which exploits that code by doing something malicious.)

Can you help me out?

Thanks again.
@NogDog, Oct 16, 2008 — Not sure if a backspace character could be sent to overwrite that underscore or not, e.g.:

script_name.php?id=%09..%2F..%2F..%2Fsomefile.txt%00
@ayvegh (author), Oct 16, 2008 —
[QUOTE]Not sure if a backspace character could be sent to overwrite that underscore or not, e.g.:

script_name.php?id=%09..%2F..%2F..%2Fsomefile.txt%00[/QUOTE]

Interesting idea; I will test it.

Is there any way to inject another function into there by ending the unlink() prematurely, similar to SQL Injection?

Thanks again.

EDIT: Nope.

/dir/to/location/_ ../../../somefile.txt.ext
@NogDog, Oct 16, 2008 —
[QUOTE]Interesting idea; I will test it.

Is there any way to inject another function into there by ending the unlink() prematurely, similar to SQL Injection?

Thanks again.[/QUOTE]


I don't see how in that case. It's not like you're eval()-ing the value, you're just unlink()-ing whatever value is received. Now if it was an include() call instead of unlink(), that might be a different story.
@ayvegh (author), Oct 16, 2008 —
[QUOTE]I don't see how in that case. It's not like you're eval()-ing the value, you're just unlink()-ing whatever value is received. Now if it was an include() call instead of unlink(), that might be a different story.[/QUOTE]
Oh well.

Thanks anyways!
@ratcateme, Oct 16, 2008 — Just make sure there are no dirs starting with an _, 'cause if the script was in, say, /scripts/ and it looked like this:

/scripts/
/scripts/_test/
/special/
/special/data.txt

I could go:
script_name.php?id=test/../../special/data.txt

Scott.
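For comparison, here is a hardened replacement for the unlink() call from the opening post, added as an example and not code from anyone in the thread. It assumes a storage directory constant DIR and the same "_<id>.ext" naming scheme; the allow-list rejects the traversal and control-character inputs discussed above, and the realpath() containment check catches anything the regex might miss.

```php
<?php
// Added example: hardened deletion of DIR/_<id>.ext (not the thread's code).
declare(strict_types=1);

const DIR = __DIR__ . '/uploads/';   // assumed storage directory

/**
 * Delete DIR/_<id>.ext only when <id> is a plain alphanumeric token and the
 * resolved path still lies directly inside DIR. Returns true on success.
 */
function delete_by_id(string $id): bool
{
    // 1. Allow-list the identifier: no slashes, dots, NUL, tabs or spaces,
    //    so "test/../../special/data.txt" and "%09../..%00" never reach unlink().
    if (!preg_match('/^[A-Za-z0-9]{1,64}$/', $id)) {
        return false;
    }

    // 2. Resolve both the base directory and the target; realpath() returns
    //    false when the target does not exist, so nothing is attempted then.
    $base = realpath(DIR);
    $path = realpath(DIR . '_' . $id . '.ext');
    if ($base === false || $path === false) {
        return false;
    }

    // 3. Containment check: the resolved target must be a regular file whose
    //    parent is exactly DIR (defends against symlinks and any traversal).
    if (dirname($path) !== $base || !is_file($path)) {
        return false;
    }

    return unlink($path);
}

// Constructed demo inputs: only the first can ever reach unlink().
foreach (['abc123', 'test/../../special/data.txt', "\t..\x2f..\x2fx\0"] as $id) {
    echo var_export(delete_by_id($id), true), ' <- ', json_encode($id), "\n";
}
```

Read the id from $_POST rather than $_REQUEST for a destructive action, so a crafted GET link cannot trigger it.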