I have been working on a project and I wonder if it's possible to exploit the curl_exec function while in PHP.

Scenario:

I have a PHP script that checks a domain for me, but the curl is not secured. Can it be exploited via the request, e.g. script.php?action=websiteup&token=apikey&target=EVIL-CODE-HERE

I have googled around but did not find anything that could answer my question; I found some theories, but nothing helped me.

Script:

```php
case "websiteup":

    $ch = curl_init($_GET['target']);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => array(
        ),
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_CUSTOMREQUEST  => "HEAD",
        CURLOPT_REFERER        => $_GET['target'],
        CURLOPT_USERAGENT      => "Mozilla/5.0 ;Windows NT 6.1; WOW64; AppleWebKit/537.36 ;KHTML, like Gecko; Chrome/39.0.2171.95 Safari/537.36",
    ));
    curl_exec($ch);

    $response['message'] = array(
        "code" => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        "time" => curl_getinfo($ch, CURLINFO_CONNECT_TIME),
    );
```

Any ideas how it can be exploited and secured?

schroeder
BaiHui
  • I checked this out, but it still does not help me in any way. – BaiHui May 01 '20 at 01:09
  • You should get into the habit of saying `"$GET[target]"` instead of `$GET['target']`; it's cheap protection from array injection attacks. Not that this code is vulnerable to that. – Jasen May 02 '20 at 23:56
  • @BaiHui Please describe why it didn't help you. Just saying "It didn't help" doesn't help us either. –  May 16 '20 at 19:53

0 Answers
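A hardened form of the `websiteup` check from the question, as an added example that is not code from the original post: the concern with passing `$_GET['target']` straight to `curl_init` is server-side request forgery, so the target is validated and the vetted address is pinned before the request is made. The function names `validate_target` and `website_up`, the restriction to ports 80 and 443, and the choice to probe only the site root are assumptions of this sketch.

```php
<?php
// Added example (hypothetical helper names), not the asker's code.

/** Returns [scheme, host, port, ip] for an allowed target, or null to reject it. */
function validate_target(string $target): ?array
{
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true) || isset($parts['user'])) {
        return null; // only http(s), no credentials embedded in the URL
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return null; // assumption: only standard web ports are checked
    }
    $ips = gethostbynamel($parts['host']); // IPv4 only; IPv6-only hosts are rejected
    if ($ips === false) {
        return null;
    }
    foreach ($ips as $ip) {
        // Reject private (RFC 1918), loopback, link-local and other reserved ranges.
        $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null;
        }
    }
    return [$scheme, $parts['host'], $port, $ips[0]];
}

/** Returns the same "code"/"time" pair as the original script, or null if rejected. */
function website_up(string $target): ?array
{
    $vetted = validate_target($target);
    if ($vetted === null) {
        return null;
    }
    [$scheme, $host, $port, $ip] = $vetted;
    $ch = curl_init("$scheme://$host:$port/"); // path and query from the input are dropped
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,  // HEAD request
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could point at an internal address
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["$host:$port:$ip"], // connect to the vetted IP only
    ]);
    curl_exec($ch);
    return ["code" => curl_getinfo($ch, CURLINFO_HTTP_CODE),
            "time" => curl_getinfo($ch, CURLINFO_CONNECT_TIME)];
}
```

The two filter flags do not cover every non-public range (for example 100.64.0.0/10), so an explicit deny list or an egress firewall rule is still needed where that matters.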