ThisisLegal.com
 

PHP Globals

In PHP, variables are automatically created the first time they are used (empty: "") in the code and their type is based on the content and context in which they are used. This makes variables easy to set and use for the developer.

PHP as a programming language that is most of the time used for web applications, often deals with user input.

Example:

  • Form variables
  • Cookies
  • Uploaded files

These take the input, process it and return the output. To handle the input easily, PHP provides a set of global variables.

Before PHP version 4.1.0 (including 4.1.0), all the variables (Environment (ENV), GET, POST, COOKIE, and SERVER) got written into the same namespace. So an attacker was able to put arbitrary variables with arbitrary values into the namespace. If the programmer doesn't initialize the variables in his code, they can't guarantee that the variable hasn't been changed by an attacker.

Example:

<?php 
if ($pass == "noidea"
  
$auth 1
// Further logic here 
if ($auth == 1
  echo 
"Access granted"
?>

You can easily bypass the authentification by sending a variables "auth" to the script with the value 1.

After PHP 4.1.0 register_globals is turned OFF by default and variables get written into super global arrays.

If you call the script for example like so:

http://a_website/file.php?variable1=hello&variable2=you

You could use variable1 and variable2 in your script, depending on the web server configuration, like this:

register_globals ON

$variable1
$variable2
//-->only possible if track_vars is on else:

register_globals OFF
$HTTP_GET_VARS['variable1']
$HTTP_GET_VARS['variable2']

If track_var is on you can use the following arrays:

$HTTP_ENV_VARS or $_ENV
$HTTP_GET_VARS or $_GET
$HTTP_POST_VARS or $_POST
$HTTP_COOKIE_VARS or $_COOKIE
$HTTP_SERVER_VARS or $_SERVER
$HTTP_SESSION_VARS or $_SESSION
$_REQUEST

track_vars enabled: variables submitted by the user are available both from the global variables and also as elements in the arrays mentioned above.

Sometimes you will have problems that a third-party PHP application needs register_globals ON! You can put for examples these lines

php_flag register_globals Off
php_flag track_vars On

into an .htaccess file to change the settings for only a special program. In the Apache web server configuration has "AllowOverride" be set to "AllowOverride Options"

Under the 'admin/' directory, index.php checks whether the password matches the one in the database after posting the form:

<?php 
if ($dbpass == $pass) { 
  
session_register("myname"); 
  
session_register("fullname"); 
  
session_register("userid"); 
  
header("Location: index2.php"); 

?>

When the passwords match, the variables $myname, $fullname and $userid are registered as session variables. The user then gets redirected to index2.php. Let us see what happens there:

<?php 
if (!$PHPSESSID) { 
  
header("Location: index.php"); 
  exit(
0); 
} else { 
  
session_start(); 
  if (!
$mynamesession_register("myname"); 
  if (!
$fullnamesession_register("fullname"); 
  if (!
$useridsession_register("userid"); 

?>

If the session ID has not been set, the user will be redirected back to the login screen. If there is a session ID, though, the script will resume the session and will put the previously set session variables into the global scope. Nice. Let us see how we can exploit this. Consider the following URL:

http://example.ch/admin/index2.php?PHPSESSID=1&myname=admin&fullname=joey&userid=admin

The GET variables $PHPSESSID, $myname, $fullname and $userid are created as global variables per default. So when you look at the if-else structure above, you will notice that the script figures $PHPSESSID is set and that the three variables dedicated to authorize and identify the user can be set to anything you want. The database has not even been queried.


Tutorial by Raduce


Comments

Reply

Thanks again, it looks like you put a lot of effort into this one

Reply

Well this was a hard tut but after i finished exploit 5 from HackQuest,I thought this aspect deserves a tutorial.

Reply

very good tutorial. 5 from me :D