You thought that “This should never happen was bad”? search – eval($_GET) (opens in new tab)

(github.com)

23 pointscallaars9y ago15 comments

15 comments

Actually I thought "This should never happen" was good. This is pretty bad, though.

Yea, it's people throwing in checks for cases that should never happen, but probably have saved a lot of money and time for people who were running those products.

This is just horrible.

kbenson9y ago

Thankfully, most of these I've seen in the first four pages are for things marked as a web shell, or a security scanner, etc, so it's purposeful and not meant for serious webapp use.

Still, kind of scary to see. It's like a listening netcat piping to bash in a loop. Sure there should be a firewall in front...

gravypod9y ago

If you're going to be doing any of these, there should at least be some form of authentication within the project.

Leaving this open is just hoping someone runs "rm -rf /"

chc9y ago

It looks like the vast majority are from forks of PHP Vulnerability Hunter, and a few more are from other vulnerability tests. So I guess this isn't actually that common?

throwaway2016a9y ago

Also bad

https://github.com/search?utf8=%E2%9C%93&q=include%28%24_GET...

There is a simple Google search that allows you to find thousands of websites that do this. Which I won't put since it essential gives you a list of websites ripe for take over.

deepsun9y ago

Should be "include($_GET" (with quotes)

blakesterz9y ago

Aren't those almost all "php-vulnerability-hunter – ArbitraryPhpGet.php" ? That seems like, well, not so bad.

goshx9y ago

Try looking for database connections too.

paralelogram9y ago

https://github.com/search?p=2&q=mysql_connect+root+NOT+local...

ams61109y ago

Years ago I worked on a web app that had a "hidden" page that would do something like:

  SQL.exec($_GET['sql'])

Was used for support to be able to access customer data to be able to reproduce bugs, etc.

asfakeaccount9y ago

I'm not familiar with PHP. Can someone explain this to a newbie?

cokernel9y ago

The function eval[1] evaluates a string as code. The special variable $_GET[2] contains HTTP GET variables, which may be freely set by a remote user.

So if your PHP file executes eval($_GET['code']), then arbitrary folks can submit whatever code they want as a parameter -- as in /index.php?code=blah -- and have your webserver run it for them.

[1] http://php.net/manual/en/function.eval.php [2] http://php.net/manual/en/reserved.variables.get.php

prl3159y ago

$_GET is a magic super global in PHP that contains all of the GET parameters of a request. Doing something like eval($_GET['code']); means you're essentially allowing a user to execute arbitrary code passed in through the URL. Not the safest thing to do...

wvenable9y ago

It evaluates as PHP code the contents of the URL parameter named "code".

Although it seems like most hits are from PHP Vulnerability Hunter -- an automated whitebox fuzz testing tool capable of detected several classes of vulnerabilities in PHP web applications.

j / k navigate · click thread line to collapse

15 comments

Bognar9y ago

Actually I thought "This should never happen" was good. This is pretty bad, though.

gravypod9y ago

Yea, it's people throwing in checks for cases that should never happen, but probably have saved a lot of money and time for people who were running those products.

This is just horrible.

kbenson9y ago

Thankfully, most of these I've seen in the first four pages are for things marked as a web shell, or a security scanner, etc, so it's purposeful and not meant for serious webapp use.

Still, kind of scary to see. It's like a listening netcat piping to bash in a loop. Sure there should be a firewall in front...

gravypod9y ago

If you're going to be doing any of these, there should at least be some form of authentication within the project.

Leaving this open is just hoping someone runs "rm -rf /"

chc9y ago

It looks like the vast majority are from forks of PHP Vulnerability Hunter, and a few more are from other vulnerability tests. So I guess this isn't actually that common?

throwaway2016a9y ago

Also bad

https://github.com/search?utf8=%E2%9C%93&q=include%28%24_GET...

There is a simple Google search that allows you to find thousands of websites that do this. Which I won't put since it essential gives you a list of websites ripe for take over.

deepsun9y ago

Should be "include($_GET" (with quotes)

blakesterz9y ago

Aren't those almost all "php-vulnerability-hunter – ArbitraryPhpGet.php" ? That seems like, well, not so bad.

goshx9y ago

Try looking for database connections too.

paralelogram9y ago

https://github.com/search?p=2&q=mysql_connect+root+NOT+local...

ams61109y ago

Years ago I worked on a web app that had a "hidden" page that would do something like:

  SQL.exec($_GET['sql'])

Was used for support to be able to access customer data to be able to reproduce bugs, etc.

asfakeaccount9y ago

I'm not familiar with PHP. Can someone explain this to a newbie?

cokernel9y ago

The function eval[1] evaluates a string as code. The special variable $_GET[2] contains HTTP GET variables, which may be freely set by a remote user.

So if your PHP file executes eval($_GET['code']), then arbitrary folks can submit whatever code they want as a parameter -- as in /index.php?code=blah -- and have your webserver run it for them.

[1] http://php.net/manual/en/function.eval.php [2] http://php.net/manual/en/reserved.variables.get.php

prl3159y ago

wvenable9y ago

It evaluates as PHP code the contents of the URL parameter named "code".

Although it seems like most hits are from PHP Vulnerability Hunter -- an automated whitebox fuzz testing tool capable of detected several classes of vulnerabilities in PHP web applications.

j / k navigate · click thread line to collapse