PHP GET variable array injection

php security arrays get exploit
22,522

Solution 1

PHP will parse the query string, and inject those values in the $_GET super-global array (same for $_POST if this was done in a form using POST, btw).

In your case, the $_GET array will contain this :

array
  'a' => 
    array
      0 => string 'asd' (length=3)
      1 => string 'asdasd' (length=6)
  'b' => 
    array
      0 => string '$a' (length=2)

Each value passed in the query string will be put by PHP in the $_GET array, creating sub-arrays if necessary, when there are [] used in the query string.

But this doesn't cause any kind of "code execution" : as long as you deal with input properly (i.e. don't trust the input and use eval on it, or any kind of bad idea like this), there is no risk of code-injection.

Solution 2

echo $_GET['a'][0]; //prints "asd"
echo $_GET['a'][1]; //prints "asdasd"
echo $_GET['b'][0]; //prints "$a"

Solution 3

Long story short: no code execution. Otherwise, don't you think somebody would have hacked Facebook already? :)

I think the person who told you that was confused about some other bugs that used deep array nesting to trigger a buffer overflow/double free/some other hack vector, that could theorically be used to execute some code. Those are software bugs as you can see everyday in many popular software. They usually get patched quickly.

You might find more info at http://www.suspekt.org/

Solution 4

I think he is talking about something evaluating differently when passed an array

strcasecmp( $_GET['password'], $password ) == 0 ) { echo($secret); } ` If you pass an empty array into strcasecmp it will evaluate to true for whatever reason.

IE: index.php?password=[]

Solution 5

It seems like you misunderstood something.

The above example simply creates an array like

Array (
  [a] => Array (
    [0] => asd
    [1] => asdasd
  )
  [b] => Array ( [0] => $a )
)

This is documented and works exactly as intended.

Share:
22,522
dave
Author by

dave

Updated on September 14, 2020

Comments

  • dave
    dave almost 4 years

    I've recently learned that it's possible to inject arrays into PHP GET variables to perform code execution?

    .php?a[]=asd&a[]=asdasd&b[]=$a

    That was the example I was given. I have no idea how it works and was wondering if this is even possible?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Exploiting file_get_contents()
Multi-select to Array
Null byte injection in an upload form
Get and remove first element of an array in PHP
PHP MySQL $_GET Hack prevention
PHP protection of GET parameters
PHP security exploit - list content of remote PHP file?
PHP $_SESSION for multiple users at once
Make array of all GET-variables
PHP - Get array value with a numeric index