
I have a PHP form with a method of POST. The data gets passed on to the same file, then I run an if statement figuring out if they're set and not empty. I want to know if someone can input `']) SomePhpCode &&` as the name input value and execute the inputted PHP code, since it's completely unsecured.

```php
<?php
// Both fields must be present and non-empty before the submission is handled.
if (isset($_POST['name']) && !empty($_POST['name'])
    && isset($_POST['phone']) && !empty($_POST['phone'])) {
    // (empty in the original post: submission handling would go here)
} else {
?>
<form action="" method="POST">
    <span>Please Fill Out Your Information</span>
    <input type="text" name="name" required autofocus>
    <input type="text" name="phone" required autofocus>
    <button type="submit">Get A Call</button>
</form>
<?php
}
?>
```
boogie234
  • Yes, if you `eval()` the input. The input must be well-formed PHP however. – tyteen4a03 Aug 27 '20 at 21:34
  • @tyteen4a03 so someone can pass `eval(SomeCode)` and what's inside eval will execute, or does eval need to be coded in before the injection? – boogie234 Aug 27 '20 at 21:38
  • You will need to `eval($_POST['name'])` for something like that to work. The question is: What exactly are you trying to know here? If you are thinking along the lines of SQL Injections, [see this question](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for how to secure your forms against that. – tyteen4a03 Aug 27 '20 at 21:42
  • @tyteen4a03 I'm trying to know the exact code, in this exact scenario, that I have to pass through the input for me to be able to execute whatever PHP code I input – boogie234 Aug 27 '20 at 21:46
  • Why? What is the use case? – tyteen4a03 Aug 27 '20 at 21:47
  • @tyteen4a03 I need to show the vulnerability in action to a firm that doesn't believe it can happen. I'm trying to run code like exit(); or something that proves PHP can be executed by having an unsecured form – boogie234 Aug 27 '20 at 21:51
  • What you're gonna be able to do with the data you're sending entirely depends on what is done with said data on the receiving end. – Jeto Aug 27 '20 at 21:53
  • You can't inject PHP code as it's a server-side language. What you might be trying to do is take advantage of sloppy PHP where you can add SQL code to mess with the database, but you have to see the sloppy PHP to know for sure if it will work. – Colin Gell Aug 27 '20 at 22:03
  • @ColinGell no SQL involved. I mainly want to rename a file or delete it. Is it possible via input value, or is XSS the only way? – boogie234 Aug 27 '20 at 22:09
  • Renaming or deleting files isn't possible via an input field. You can use the submission of forms as part of a DDoS attack, i.e. you overload their server with requests, or perhaps if the form uploads a file you could use that to upload a malicious script. I don't know much about XSS. – Colin Gell Aug 27 '20 at 22:16
  • @ColinGell how do you upload a file in this scenario? Currently there's also a lack of htaccess so I could call the file just by typing it – boogie234 Aug 27 '20 at 22:21
  • Only if the form supports file uploads https://www.w3schools.com/php/php_file_upload.asp – Colin Gell Aug 27 '20 at 22:29
  • @ColinGell I found a vulnerability but I could use some help. Mind messaging me, if that's possible on this platform? I'll try writing it here: ` '; } ?>` Basically, if I manually provide the GET id parameter I get it in the source code, so how can I pass a piece of code in this scenario? And is there a way to not have Chrome escape the characters like ? and ; – boogie234 Aug 27 '20 at 22:35
  • Yes the code above reveals another input field. You could try adding random values to the input field and see if anything happens, but it will only do what the server-side code tells it to do. – Colin Gell Aug 27 '20 at 23:12
  • Merely accepting user input does not necessarily have any security implications. However, _what_ you do with that input and _how_ you do it are of utmost importance. Your question only covers the former and leaves the latter open to _wild_ speculation. You should rephrase this question in a much more specific context so that it's actually answerable. – Sammitch Aug 27 '20 at 23:24

0 Answers
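As the comments note, what matters is what the server does with the submitted value. The following is an added example, not code from the question or from any commenter: it handles the two fields strictly as data, validating on input and escaping on output. The function `validate_submission()`, its field rules, and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Validate the two form fields as plain data (hypothetical helper).
 * Returns [cleanValues, errors]. The field rules are illustrative assumptions.
 */
function validate_submission(array $post): array
{
    $errors = [];
    $clean  = [];

    // Accept only non-empty strings; a request can also send arrays (name[]=x).
    foreach (['name', 'phone'] as $field) {
        $value = $post[$field] ?? null;
        if (!is_string($value) || trim($value) === '') {
            $errors[$field] = 'required';
            continue;
        }
        $clean[$field] = trim($value);
    }

    // Allow-list the expected shape instead of trying to strip "bad" characters.
    if (isset($clean['name']) && !preg_match('/^[\p{L} .\'-]{1,80}$/u', $clean['name'])) {
        $errors['name'] = 'invalid characters';
    }
    if (isset($clean['phone']) && !preg_match('/^\+?[0-9 ()-]{7,20}$/', $clean['phone'])) {
        $errors['phone'] = 'invalid phone number';
    }

    return [$clean, $errors];
}

// Constructed sample input: the string from the question, as it would sit in $_POST.
$sample = ['name' => "']) SomePhpCode &&", 'phone' => '555 0100'];

// Same condition as the question's if statement. isset()/empty() only inspect
// the value; its contents are never parsed as PHP source.
var_dump(isset($sample['name']) && !empty($sample['name']));

// The allow-list rejects the name because of the characters it contains.
[$clean, $errors] = validate_submission($sample);
print_r($errors);

// If a submitted value is ever written into HTML, escape it at output time.
echo htmlspecialchars($sample['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;
```

The value only becomes dangerous when later code hands it to an interpreter, such as the `eval()` call mentioned in the comments, a SQL query built by string concatenation, or unescaped HTML output.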