An online tool that embeds a vim editor into the web to debug your PHP code. It also helps you practice vim online.
Website: phpio.net

// Press F11 to toggle full screen editing (Ctrl+⌘+F on Mac OS).
// Press Ctrl+Shift+F to format code.
echo 'Welcome to PHPIO.NET!';
diafol

WARNING!!!

// Lists every entry in the executor's working directory (the doc root)
foreach (new DirectoryIterator('./') as $fileInfo) {
    if ($fileInfo->isDot()) continue;
    echo $fileInfo->getFilename() . "<br>\n";
}

Just told me what is in your doc root. This is unsafe phpio. I bet I could read your password and get to your webroot. Get rid of this right now!!!!

commented: I'll call you Diablo today. +11

@diafol

Actually it is possible and it is also possible to overwrite files or inject code into the RAM... honeypot? :D

@diafol
Thank you, it's under construction.
But I think it is impossible to access my webroot.

Hope you will tell me If you figure out something wrong.

@phpio

Hi,

Test diafol's script and execute it against / and you get the system root; you can traverse the filesystem and you can arrive at the passwd file from there. Also, it's possible to:

  • download the script that executes the code
  • write to the parent directory through the error_log() function
  • execute SQLite and create a database directly in RAM

I suggest you stop this box and start from a new installation, setting correct permissions; otherwise the system can be compromised.

diafol

Hi cereal. I did get into his webroot and managed to read files (SPL FileInfo, anyone?). I sent a PM to say as much. This is the problem with roll-your-own executors. There's always one class or module that you forget to protect against. It only takes one, though.

Thank you guys for pointing out problem...

@diafol
Could you please let me know how to prevent them from getting that information?

diafol

I think you've protected yourself by preventing access above the docroot and stopping the SPL classes. I (almost) never use system or exec commands in my code, so I couldn't give you an exact list of things to block. However, I can usually spot a problem if I see one. I don't think it would be appropriate to discuss what you have and haven't done on an open forum if your site is still live, and I don't have the time to discuss via PM. Anybody else?

@phpio

Hi,
the source of __FILE__ (and the other files in the same path) can still be read with this line:

include "php://filter/convert.base64-encode/resource=index.php";

This is a variant of the LFI (Local File Inclusion) attack that uses php://filter and will return a base64 string that, decoded, shows the source code. When the filesystem was accessible, reading the contents of files like /etc/passwd was simply a matter of writing the correct path.

More info about php:// @ http://php.net/manual/en/wrappers.php.php

commented: You are a naughty boy cereal :D +15
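The thread above names the holes one at a time (SPL filesystem classes, error_log() writing to the parent directory, an in-RAM SQLite database, php://filter reading the executor's own source), and diafol's point is that a block list inside the executor always misses one. The example below is an added illustration of the structural alternative, not phpio.net's code: the executor runs each submitted snippet in a separate php-cli process whose open_basedir is a throwaway directory containing only that snippet, so the executor's index.php is never inside the readable tree and cereal's php://filter include has nothing to reach. The php.ini directives it passes with -d cover the items listed in cereal's and diafol's posts. Paths, the jail directory and the use of GNU coreutils `timeout` for a wall-clock limit are assumptions; proc_open() with an array command needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Assumptions for this example: JAIL_ROOT is owned by and writable only by
// the sandbox user, and php-cli plus GNU coreutils `timeout` are installed.
const JAIL_ROOT  = '/var/www/sandbox/jail';
const PHP_BIN    = '/usr/bin/php';
const TIMEOUT    = '/usr/bin/timeout';
const WALL_LIMIT = 3; // seconds of wall-clock time per run

/** Run untrusted PHP in a child php-cli confined to a fresh directory. */
function run_untrusted(string $code): array
{
    // One directory per run: snippets cannot read each other's files, and
    // this executor's own source is never inside the confined tree.
    $dir = JAIL_ROOT . '/' . bin2hex(random_bytes(8));
    if (!mkdir($dir, 0700)) {
        throw new RuntimeException("cannot create $dir");
    }
    $script = "$dir/snippet.php";
    file_put_contents($script, $code);

    // -n ignores php.ini entirely, so the child gets ONLY these settings and
    // cannot inherit a permissive server configuration.
    $ini = [
        "open_basedir=$dir/",   // fopen/include/SPL/php://filter confined here
        'allow_url_fopen=Off',
        'allow_url_include=Off',
        'disable_functions=exec,passthru,shell_exec,system,proc_open,popen,'
            . 'pcntl_exec,error_log,ini_set,putenv,dl,symlink,link,chmod,chown,mail',
        'disable_classes=DirectoryIterator,RecursiveDirectoryIterator,'
            . 'FilesystemIterator,GlobIterator,SplFileInfo,SplFileObject,SQLite3,PDO',
        'memory_limit=32M',
        'display_errors=On',    // the user sees their own errors on stdout
    ];
    $cmd = [TIMEOUT, '-s', 'KILL', (string) WALL_LIMIT, PHP_BIN, '-n'];
    foreach ($ini as $setting) {
        array_push($cmd, '-d', $setting);
    }
    $cmd[] = $script;

    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, $dir, ['PATH' => '/usr/bin:/bin']);
    if (!is_resource($proc)) {
        rmtree($dir);
        throw new RuntimeException('proc_open failed');
    }
    fclose($pipes[0]);                 // no stdin for the snippet
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exit = proc_close($proc);         // 137 (128+SIGKILL) when `timeout` killed it
    rmtree($dir);

    return ['stdout' => $stdout, 'stderr' => $stderr, 'exit' => $exit];
}

/** Remove the jail directory and anything the snippet wrote into it. */
function rmtree(string $dir): void
{
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $f) {
        $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
    }
    rmdir($dir);
}

// Constructed probes: the two payloads posted in this thread. The first is
// blocked by open_basedir (index.php is outside the jail), the second by
// disable_classes; both report their error on stdout instead of data.
$probes = [
    'source disclosure' => '<?php include "php://filter/convert.base64-encode/resource=/var/www/sandbox/index.php";',
    'directory listing' => '<?php foreach (new DirectoryIterator("/") as $f) echo $f->getFilename(), "\n";',
];
foreach ($probes as $name => $code) {
    $r = run_untrusted($code);
    echo "== $name (exit {$r['exit']}) ==\n", $r['stdout'], $r['stderr'];
}
```

Two caveats a practitioner would add. The snippet can still php://filter its own snippet.php, which is harmless because that is the user's own text, and it can still write files inside its jail, which is why rmtree() runs after every execution. More importantly, the child still runs as the same Unix user as the web server, so the permissions advice in cereal's post still applies: give the sandbox its own unprivileged user (or a container) that cannot read the executor, its configuration or any credentials, and treat the -d settings as defence in depth rather than the boundary.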