I have written another include system for my dynamic webpages, but it seems to be vulnerable to LFI.
Here is the code:
--
GeSHi`ed PHP code
- <?php
- if (isset($_GET['which']))
- {
- $which = $_GET['which'];
- switch ($which)
- {
- case 0:
- case 1:
- case 2:
- require_once $which.'.php';
- break;
- default:
- echo GWF_HTML::error('PHP-0817', 'Hacker NoNoNo!', false);
- break;
- }
- }
- ?>
Your mission is to include solution.php.
Here is the script in action: News, Forum, Guestbook.
Good Luck!
Solution:
- The link of each page is like below:
News: index.php?which=0
Forum: index.php?which=1
Guestbook: index.php?which=2 - You should know in PHP if the statement list for a case is empty, which will simply passes control into the statement list for the next case.
- And since the switch statement uses loose type comparison, anything not a digit will make the code vulnerable.
Vuln: index.php?which=solution
- Well done, too easy... Do you know why this is possible?