Quote:
|
Originally Posted by redhead
Which can be rewritten to a more "dynamic presentation" with a few hoops.
PHP Code:
<?php
$_url = $_GET['page'];
if( is_file($_url . ".php") )
    include ($_url . ".php");
else
    include ("default.php");
?>
|
DON'T USE THIS OUT OF THE BOX!
Always validate input data. This means for all $_GET, $_POST, $_COOKIE and $_REQUEST.
For example, I could exploit the above script by using:
index.php?page=/usr/etc/passwd%00
This would run as: include("/usr/etc/passwd%00.php");
The issue here is that %00 is NULL, aka \0, and a string in C always ends with a \0.
So in this case it opens '/usr/etc/passwd' and the '.php' is not processed.
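
One way to do the validation this reply calls for, as an added example that is not part of the original thread: the requested page is compared against a fixed allowlist instead of being used to build a path. The function name resolve_page, the pages/ directory and the page names are assumptions made for the illustration.

```php
<?php
// Added example: allowlist-based page routing.
// PAGE_DIR, ALLOWED_PAGES and resolve_page() are hypothetical names,
// not taken from the thread.

const PAGE_DIR      = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'contact'];  // constructed sample list
const DEFAULT_PAGE  = 'default';

/**
 * Map an untrusted ?page= value to a file that is safe to include.
 * The user-supplied string never becomes part of the path unless it is
 * byte-for-byte identical to one of the fixed names above.
 */
function resolve_page($requested): string
{
    // ?page[]=x arrives as an array; anything that is not a string
    // falls back to the default page.
    if (!is_string($requested)) {
        return PAGE_DIR . '/' . DEFAULT_PAGE . '.php';
    }

    // Strict comparison: a value containing a path separator or a NUL
    // byte can never equal an allowlisted name, so it is rejected
    // without any filtering or escaping step that could be bypassed.
    $name = in_array($requested, ALLOWED_PAGES, true)
        ? $requested
        : DEFAULT_PAGE;

    return PAGE_DIR . '/' . $name . '.php';
}

// Constructed sample inputs: a valid page, the value from the post above
// (with %00 already URL-decoded to a NUL byte), an unknown page, and
// non-string input.
$samples = ['about', "/usr/etc/passwd\0", 'nosuchpage', ['x'], null];

foreach ($samples as $sample) {
    printf("%-30s => %s\n", json_encode($sample), resolve_page($sample));
}

// In index.php the call would be:
//   include resolve_page($_GET['page'] ?? null);
```

Every input other than an exact allowlisted name resolves to pages/default.php, so the include target is always one of a known set of files.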