What's the Exploit?

I was looking at some logs for my site the other day and saw that someone was attempting to hack my script by adding various values to a query string:


id=$record[0]
id=echo $sys_template_folder;
id=\\"\\"; echo $sys_template_folder;
id=eval(\\"echo $sys_template_folder\\")
id=?><? echo $sys_template_folder;
id=eval( \\'?> foo <?php\\' );
id=eval(\\'?>foo<?php\\');
id=eval(\\'?>foo<?=$sys_template_folder?><?\\');
id=eval(\\'?>foo<?=$sys_template_folder
id=eval(\\'?><?=$sys_template_folder
id=\\"\\';eval(\\"return \\\\$$theVarStem;\\");
id=\\"\\';eval(\\"print \\\\$$sys_template_folder;\\");
id=\\"\\';eval(\\"print $sys_template_folder;\\");
id=eval(\\"$sys_template_folder;\\");
id=<script>print \\'hello\\';</script>
id=print_r($sys_template_folder)
id=print_r($sys_template_folder);
id=76342356543456312
id=0
id=1
id=2
id=694732522H5892732

I know what he’s trying to do (get the value of one of my settings variables), but I don’t know what exploit(s) he’s trying to take advantage of. What should I be guarding against here?

If they can get to your system template folder, they can then add code to pages within there so that they can then infect other visitors to those pages.

Thanks, Paul. I got that much (although I’m not sure how they can add anything to a page on my server), but I’m wondering how something like “index.php?id=echo $sys_template_folder;” is supposed to work – how would that code ever get executed?

If my memory of the dim dark days of the past is correct, some people and/or frameworks used to pass $_GET through extract() which created local variables from the querystring values.

All $_GET values are now automatically passed through url_decode() for your protection, but that used to be one of the attack vectors on early versions of PHP.

Thanks!

To further elaborate on Paul’s explanation, the idea of what they’re trying to do is to see if you echo or eval input from $_GET (and possibly $_POST too) in your pages without sanitising/escaping the data first.

That way, something like “id=eval(\\'?>foo<?=$sys_template_folder?><?\\');” might lead to data being disclosed that shouldn’t be disclosed.

However, if you take care with user input and sanitise/escape it, you should be safe from this attack form.

What’s particularly funny in this is that the “hacker” knew of the $sys_template_folder variable, but didn’t bother reading the rest of the code to see that their efforts were useless.
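An added detection example (not code from this thread or from any script it mentions): it parses constructed access-log lines that carry some of the probe values listed above, treats any id that is not a plain integer as suspect, and reports which code markers (PHP tags, eval(), output calls, $variable references) each value contains. The 18-digit limit on a valid id and the common-log-format layout are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (common log format) carrying some of the
# probe values from the thread, URL-encoded as a client would send them.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Oct/2010:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2010:13:55:37 +0000] "GET /index.php?id=%24record%5B0%5D HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2010:13:55:38 +0000] "GET /index.php?id=echo%20%24sys_template_folder%3B HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2010:13:55:39 +0000] "GET /index.php?id=eval(%27%3F%3Efoo%3C%3Fphp%27)%3B HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2010:13:55:40 +0000] "GET /index.php?id=694732522H5892732 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2010:13:55:41 +0000] "GET /index.php?id=76342356543456312 HTTP/1.1" 200 512',
]

# Markers that never belong in a numeric record id: PHP tags, eval(), output
# calls, and $name references that read variables out of a script that extract()s $_GET.
CODE_MARKERS = [
    (re.compile(r"<\?|\?>"), "php-tag"),
    (re.compile(r"\beval\s*\("), "eval"),
    (re.compile(r"\b(echo|print|print_r)\b"), "output-call"),
    (re.compile(r"\$[A-Za-z_]"), "php-variable"),
    (re.compile(r"<script\b", re.I), "script-tag"),
]
# Assumption: a legitimate id is a plain integer of at most 18 digits.
ID_OK = re.compile(r"^[0-9]{1,18}$")

def classify_id(value):
    """'ok' for a well-formed id, otherwise the reasons it looks like a probe."""
    if ID_OK.match(value):
        return "ok"
    return [label for rx, label in CODE_MARKERS if rx.search(value)] or ["malformed"]

def id_params(target):
    """Decoded values of every id= parameter in a request target like /index.php?id=1."""
    _, _, query = target.partition("?")
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        if unquote_plus(key) == "id":
            yield unquote_plus(val)

def scan_log(lines):
    """Return (decoded id, reasons) for each GET whose id parameter is not a plain integer."""
    flagged = []
    for line in lines:
        m = re.search(r'"GET (\S+) HTTP/', line)
        for val in id_params(m.group(1)) if m else ():
            verdict = classify_id(val)
            if verdict != "ok":
                flagged.append((val, verdict))
    return flagged
```

The same integer check is what the script itself should apply to $_GET['id'] before using it; everything the scanner flags here is input the page should have rejected outright.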

Thanks, folks!