What is it? @.@

Here is the place where I record some tactics about wargame, systems, and other security issues.


Hack This Site! - Extbasic 7


Bugs? In my PHP? It's more likely than you think

Level 7

There is only one line that has a vuln, correct it. The output does not have to be valid XHTML and assume that a mysql connection has been made already.
There is a bug as well as a vuln. You MUST fix both.

Here is the script:

        if (!empty($_POST['data']))
                $data = mysql_real_escape_string($_POST['data']);
                mysql_query("INSERT INTO tbl_data (data) VALUES ('$data')");
<form name="grezvahfvfnjuvavatovgpu" action="<?=$_SERVER['PHP_SELF']?>" method="get">
        <input type="text" name="data" />
        <input type="submit" />

Dev note

We're sick of getting bug reports saying <?= ... ?> isn't valid php syntax. If you don't believe us, consult the first page of the php.net language reference.

  1. This script uses PHP function mysql_real_escape_string() to avoid SQL Injection attack. It's correct.
    Reference: http://tw.php.net/manual/en/function.mysql-real-escape-string.php
  2. But don't forget that the textarea often suffers from XSS attack and mysql_real_escape_string() does bot escape % and _.
  3. So, you need use PHP function htmlspecialchars() to convert special characters to HTML entities.
    Reference: http://tw.php.net/manual/en/function.htmlspecialchars.php
  4. Another problem is that the method of HTML form does not match with the PHP $_POST function.
  5. So, input the HTML code below and check.
    < form name="grezvahfvfnjuvavatovgpu" action="< ?=htmlspecialchars($_SERVER['PHP_SELF'])?>" method="post">
  6. It's done!