PHP Injection like xss?
What are some of the major vulnerabilities that arise when a website doesn't filter any user input? (except with magic_quotes for sql inj)
Can you inject PHP just like an XSS vulnerability? It would seem that if you could get PHP into the sendpm.php page like this
```
SendPM.php?pmTo=myself&Subj=hey&Message=<?php header( 'Location: http://www.google.com' ) ; ?>
```
then it would be executed on the server, right?
When I try this
```
<?php
header( 'Location: http://www.google.com' ) ;
?>
```
the <?php on the first line disappears, and everything else stays visible and client side.
But when I put it all on one line like this,
```
<?php header( 'Location: http://www.google.com' ) ; ?>
```
it all disappears and isn't client side anymore. *Why would it only work if it's on one line?*
*And how come it doesn't redirect?*
Thanks in advance for help.
Yeah, PHP injection is possible. I guess it would be considered remote code execution? But it probably wouldn't be as easy as what you have laid out. The variable information, when the code reads it, is already in PHP. So you wouldn't need to reopen the PHP tags for one like you did. At least I'm pretty sure you wouldn't, I've never seen the need for them to be used.
PHP is server side, XSS is client side.
The only way you can execute remote code is if the website permits it, i.e. they are running an eval() on the $_GET variable, which is extremely unlikely.
What you're doing is just injecting PHP into the HTML source. PHP can't run within HTML, which is what is happening because your code is "echo'ed" out onto the page. The reason you couldn't see it when it was on one line, I imagine, is because in FF PHP code within HTML is hidden, and if you view source it's shown as purple italic text. I bet if you view the source, you'd see your attempt in there.
However, if they were using eval() then your code would have worked, providing you had <?php at the beginning and ?> at the end.
Mr_Cheese wrote: PHP is server side, XSS is client side.
The only way you can execute remote code is if the website permits it, i.e. they are running an eval() on the $_GET variable, which is extremely unlikely.
What you're doing is just injecting PHP into the HTML source. PHP can't run within HTML, which is what is happening because your code is "echo'ed" out onto the page. The reason you couldn't see it when it was on one line, I imagine, is because in FF PHP code within HTML is hidden, and if you view source it's shown as purple italic text. I bet if you view the source, you'd see your attempt in there.
However, if they were using eval() then your code would have worked, providing you had <?php at the beginning and ?> at the end.
Yes, but if that's true n' all, then couldn't you inject PHP into the page much like a shell does, and allow it to execute it server side? Wouldn't that then be effectively the same thing as a shell? I mean, a shell injects PHP in the form of text and allows the text to be executed on the server (so long as it's included in a document that parses PHP). I know the eval() trick, but I thought you would be able to do more with it. Never really attempted to do anything real heavy with PHP injection, nothing at all really, but in theory I thought that it could work that way. I donno, I guess :whoa:
What about making a value PHP code?
Like when you change the value of an option in a form, could you change it so when it's posted to the PHP script it reads
```
?><?php (whatever you want the code to be) ?>
```
Then the script would read the closing ?> as a close to the current code and then execute your code in your PHP script???
Yes, but if that's true n' all, then couldn't you inject PHP into the page much like a shell does
As uberon said, code injection = eval(). You're talking about an RFI exploit. That uses include().
Then the script would read the closing ?> as a close to the current code and then execute your code in your PHP script???
No. The value would just be the PHP tag. It wouldn't be executed; it would just be the value of the variable, which can be echoed out. As I said earlier, the only way to execute code remotely on a website is if the website is built to handle such a request, i.e. they use eval().
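The two points made in this thread (a submitted field containing `<?php ... ?>` or a stray `?>` is just string data that gets echoed, and code only runs if the site feeds that data into a code sink such as eval() or include()) can be shown in a short script. This is an added example written for this page; it is not code from any of the posters or from the forum software, and the `Message` sample, the `render_message`/`looks_like_php_tag_injection`/`resolve_page` function names and the `PAGES` file names are assumptions made here.

```php
<?php
// Added example (not from the thread): why user-supplied PHP tags in a form field
// are inert data, how to reflect such a field safely, how to spot attempts in logs,
// and the defensive pattern for the two real code sinks named in the thread.

// Constructed sample of a submitted "Message" field, including the "?>" that the
// thread asks about. It is an ordinary string: the request body is data read at
// runtime, so the PHP parser never treats it as source code.
$message = "?><?php header('Location: http://example.com/'); ?> hi";

// 1. The common sink is reflecting the field back into HTML. Encoding the output
//    turns "<", ">", quotes and "&" into entities, so the browser neither executes
//    script (XSS) nor silently swallows "<?...?>" as a bogus comment.
function render_message(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. Detection aid: flag submissions carrying PHP open/close tags so they can be
//    logged and reviewed. This is a heuristic for monitoring, not a security control.
function looks_like_php_tag_injection(string $untrusted): bool
{
    return preg_match('/<\?(php|=)?|\?>/i', $untrusted) === 1;
}

// 3. A string only becomes code at a code sink. The thread names two:
//      eval($untrusted)     - runs the string as PHP (code injection)
//      include($untrusted)  - loads a file or URL chosen by the client (RFI/LFI)
//    Neither should ever receive request data. For page selection, map the
//    request value onto a fixed allow-list of file names instead.
const PAGES = ['home' => 'home.php', 'pm' => 'sendpm.php'];   // assumed file names

function resolve_page(string $requested): ?string
{
    // Unknown keys yield null; a client-chosen path is never passed to include().
    return PAGES[$requested] ?? null;
}

// Demo: the tags come back as HTML entities, the heuristic flags the field, and
// only allow-listed page names resolve to a file.
echo render_message($message), "\n";
var_dump(looks_like_php_tag_injection($message));
var_dump(resolve_page('pm'));
var_dump(resolve_page('../other.php'));
```

Run it with the PHP CLI (`php example.php`). The first line of output shows the submitted tags as escaped text, which is exactly what happens on a site that merely echoes the field: nothing executes, and a browser would render it as literal characters rather than hiding it. The include() allow-list is the standard replacement for the `include($_GET['page'])` pattern behind RFI.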