sandis_m Posted January 22, 2011

Could the neighbourhood hacker Jurčiks do anything evil if my code looks roughly like this:

    <?php
    if (isset($_GET["cms"])) {
        include("lapas/" . $_GET["cms"] . ".php");
    } else {
        include("lapas/starts.php");
    }
    ?>

That is, stuff something very very evil into $_GET["cms"]? I understand it's not SQL, but, but...
mounkuls Posted January 22, 2011

You can stuff things in, of course. There just isn't much point (the URL is shown on the very first request anyway, and the /lapas folder is known); it's easier to send a request directly to the file. Although, when you're looking for holes, a detail like that can matter too.
andism88 Posted January 22, 2011

Nothing at all... The most you can squeeze out of it is opening the file lapas/fails.php... exactly as it was intended :D
briedis Posted January 22, 2011

You can pass, for example, "../../cits_fails", which is in a different folder.
ezis Posted January 22, 2011

Why not use the good old switch?
briedis Posted January 22, 2011

> Why not use the good old switch?

Switch is ugly, arrays FTW!

    <?php
    // Allow-list of page names that may be included.
    $mapping = array(
        "profile",
        "users",
        "random_shit",
        "default",
    );
    // Fall back to "default" unless the requested name is in the allow-list.
    $cmd = isset($_GET['cmd']) && in_array($_GET['cmd'], $mapping, true) ? $_GET['cmd'] : "default";
    include("files/$cmd.php");
ezis Posted January 22, 2011

> Switch is ugly, arrays FTW!
>
>     <?php
>     // Allow-list of page names that may be included.
>     $mapping = array(
>         "profile",
>         "users",
>         "random_shit",
>         "default",
>     );
>     // Fall back to "default" unless the requested name is in the allow-list.
>     $cmd = isset($_GET['cmd']) && in_array($_GET['cmd'], $mapping, true) ? $_GET['cmd'] : "default";
>     include("files/$cmd.php");

That works too, but what if I want to put a function in place of random_shit rather than a php.php file? :D Nah, it's an on-topic option, I'm just nitpicking :D because there's a lovely comma after "default"! :D
F3llony Posted January 23, 2011

> Could the neighbourhood hacker Jurčiks do anything evil if my code looks roughly like this:
>
>     <?php
>     if (isset($_GET["cms"])) {
>         include("lapas/" . $_GET["cms"] . ".php");
>     } else {
>         include("lapas/starts.php");
>     }
>     ?>
>
> That is, stuff something very very evil into $_GET["cms"]? I understand it's not SQL, but, but...

$_GET['cms'] => '../tavas_sql_paroles_un_jebkursh_cits_fails.php'

By fiddling with it cleverly you can find a VOC, or variable output collision. Example:

File include 1:

    $var = 1;

File include 2 (via $_GET):

    $var = 2;

File in which include 2 happens:

    // Theoretically this should return 1. In a collision it will return 2.
    echo $var;

This kind of bug is common in the scenarios of beginners / "cool guys" who think their coolness refutes errors in the code. Even more, you can do this:

$_GET['cms'] => '../admin/admin_lapa_kuraa_izvadas_sql/jebkadas_paroles.php'

Admittedly, nobody builds setup forms with echo $manaparole, but what if some genius does? :} In that case your site is completely owned.

briedis's variant is acceptable. I recommend using it.
mad182 Posted January 23, 2011

It can also be added that if there are many of those files and you really don't want to build the array by hand, you can read the contents of the lapas folder into an array and then check whether the file is in the array; if it is, you can safely show it. Assuming that the lapas folder contains only files that are allowed to be included.
briedis Posted January 23, 2011

You can also simply escape the variable and not worry about anything.

    <?php
    // Strips the characters that could turn a page name into a path
    // (directory separators, dots, quotes, semicolons).
    function getSafeIncludePath($str) {
        $str = trim($str);
        $invalidChars = array("/", ".", "\\", "\"", ";");
        return str_replace($invalidChars, "", $str);
    }
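Pulling the thread's fixes together, here is an added example (not code from any of the posters) of a resolver in the shape of the original question: it builds the allow-list from the lapas directory as mad182 suggests, restricts the name to characters a page name needs, and checks the resolved path with realpath() so a traversal value can never leave the directory. The function name resolvePage, the demo directory and the page names are assumptions; it needs PHP 7.4+.

```php
<?php
// Added example for this thread, not code from any of the posters.
// Assumes PHP 7.4+. resolvePage() returns the full path of a page that
// really exists inside $pagesDir, or null for anything else.
function resolvePage(string $raw, string $pagesDir): ?string
{
    // Only plain page names: letters, digits, underscore, dash. No dots,
    // slashes or backslashes, so "../" style values fail right here.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/D', $raw)) {
        return null;
    }
    // Allow-list built from what is actually in the directory (mad182).
    $allowed = array_map(
        fn($f) => basename($f, '.php'),
        glob($pagesDir . '/*.php') ?: []
    );
    if (!in_array($raw, $allowed, true)) {
        return null;
    }
    // Belt and braces: the resolved path must still be inside $pagesDir.
    $base = realpath($pagesDir);
    $path = realpath("$pagesDir/$raw.php");
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo directory with two pages (hypothetical names).
$dir = sys_get_temp_dir() . '/lapas_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/starts.php", "<?php echo 'start page';\n");
file_put_contents("$dir/profile.php", "<?php echo 'profile page';\n");

// 'admin' is rejected because no such page exists; the rest because
// they contain characters a page name never needs.
foreach (['starts', 'profile', 'admin', '../starts', 'starts.php', ''] as $cms) {
    $resolved = resolvePage($cms, $dir);
    printf("%-12s => %s\n", var_export($cms, true),
        $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

// Dispatcher in the shape of the original question: unknown or bad
// names fall back to the start page instead of being passed to include.
$page = resolvePage($_GET['cms'] ?? 'starts', $dir) ?? "$dir/starts.php";
include $page; echo "\n";

array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```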
sandis_m Posted January 24, 2011 (Author)

:) Thanks for the information.