Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Injection through PHP


ghost's Avatar
0 0

So there's this site that will turn an image url into an image when you send it in a message. For example, if I sent a message that said "http://www.hellboundhackers.org/fusion_images/hbhbanner.png" It would show the HBH banner.

But it's got a problem in that if you put a PHP page with an image extension at the end, it will try to display it. Ex. http://site.com/script.php?jpg

I don't have malicious intentions, but is there any way to use that to exploit the site?


ghost's Avatar
0 0

That won't work though, unless I make my script accept certain variables. The site.com would be my site, and script.php would be my script. So for example, what I thought might work was this: In script.php, put <?php echo "Test"; ?>

and then, in a message, put this: http://site.com/script.php?jpg

And I was hoping that it would say "Test" in the message.


reaper4334's Avatar
Member
0 0

So try it?

Try doing that and if it works you probably have yourself an exploitable hole. Whether or not it will work really depends on the script that displays the image, whether it checks the filetype etc. Chances are though, it just gets the URL and shoves it between <img src=" and "> In which case you, you might have an XSS hole.