Phstorm Flat-file Feedback System

Asphyxia

Server Monkey
Administrator
Joined
Apr 25, 2015
Messages
1,294
Points
252
Age
26
Location
North America
enter.php
Code:
<?php
// Handle a submitted entry; all three fields are required.
$user = '';
if (isset($_POST['user'], $_POST['email'], $_POST['feedback'])) {
    $user = htmlentities($_POST['user'], ENT_QUOTES, 'UTF-8');
    $email = htmlentities($_POST['email'], ENT_QUOTES, 'UTF-8');
    $feedback = htmlentities($_POST['feedback'], ENT_QUOTES, 'UTF-8');

    // The username becomes the filename. Standard base64 output can contain '/',
    // which would be taken as a directory separator, so swap in the URL-safe
    // alphabet ('-' and '_') to guarantee one flat filename under ./entries/.
    $myFile = "./entries/" . strtr(base64_encode($user), '+/', '-_') . ".txt";
    $fh = fopen($myFile, 'w') or die("can't open file");
    fwrite($fh, $email . "\n");    // line 1: email
    fwrite($fh, $feedback . "\n"); // remaining lines: feedback
    fclose($fh);
}
?>
<style>
body {
background-image: url("dice.gif");
background-color: #cccccc;
}
</style>

<div style="background-color: white;padding:10px;text-align:center;">
Your entry has been received, thank you <b><?php echo($user);?></b>!
<p>
<a href="https://r4p3.net">Return to the forum.</a>
</p>
</div>

<?php
// Leftover debug check: forumUser is not a field that index.php posts here.
if(isset($_POST['forumUser']))
{
echo "test";
}
?>
index.php
Code:
<?php
//Phstorm Flat-file Form

// Both parameters are required. Check them before any output is sent,
// otherwise header() fails with "headers already sent".
if (!isset($_GET['forumUser'], $_GET['forumEmail'])) {
    header("Refresh:0; url=https://r4p3.net");//If missing email or username, redirect
    exit;
}
$forumEmail = htmlentities($_GET['forumEmail'], ENT_QUOTES, 'UTF-8');
$forumUser = htmlentities($_GET['forumUser'], ENT_QUOTES, 'UTF-8');
?>

<link rel="stylesheet" href="https://unpkg.com/[email protected]/build/pure-min.css" integrity="sha384-oAOxQR6DkCoMliIh8yFnu25d7Eq/PHS21PClpwjOTeU2jRSq11vu66rf90/cZr47" crossorigin="anonymous">

<div style="padding:15px;">
<form method="post" action="enter.php" class="pure-form pure-form-aligned">
    <fieldset>
        <legend>Please enter to win a virtual dedicated server.</legend>

<br><br>

<!-- Attribute values are always double-quoted; with ENT_QUOTES the escaped input cannot close them. -->
Email:<br><input name="email" type="email" placeholder="<?php echo $forumEmail; ?>" value="<?php echo $forumEmail; ?>"><br><br>
Username:<br><input name="user" type="text" placeholder="<?php echo $forumUser; ?>" value="<?php echo $forumUser; ?>">
<br><br>
What kind of competitions would you like to see in the future?<br>
<textarea name="feedback"></textarea>
<br><br>
        <button type="submit" class="pure-button pure-button-primary">Roll the dice</button>
    </fieldset>
</form>
</div>
Make sure to have a dir "/entries" and chmod -R 777 entries/

Then we must edit the Apache config to find "/var/www/" and change AllowOverride to All.

The dice.gif is simply an animated image of dice, you can find any one!

Inside of /entries/ make sure to create .htaccess (nano .htaccess) and write Deny from all.

Now when you want to find all the results, you can simply cat ./entries/* to see all of them.

The code could probably be cleaned up!
 

null3d

Member
Joined
Oct 9, 2015
Messages
41
Points
43
Age
29
You really need to take a look at the index.

example.com/index.php?forumEmail=ouch"><script>alert("XSS")</script><!--&forumUser=that hurts"><script>alert("XSS")</script>
 

Asphyxia

Server Monkey
Administrator
You really need to take a look at the index.
Good catch, I was tired and overlooked the input. Applied htmlentities to index.php also!

Patched and applied.

CVE-1337-null3d, have a free cupcake. :p

I am also encoding the filename w/ Base64.
 
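An added example, not code from the thread or from either poster, that shows why htmlentities() on its own does not finish the job reported above: if the escaped value is echoed into an attribute without surrounding quotes, the attribute ends at the first whitespace and whatever follows is parsed as further attribute names. The first renderer reproduces that unquoted pattern, the second quotes every attribute value and escapes with ENT_QUOTES; both are fed a plain value with a space and the payload null3d posted, and PHP's DOM parser reports what survives as the value attribute. The function names and the sample inputs are constructed for this example.

```php
<?php
// Added example (not from the thread): quoting attribute values matters even after escaping.

declare(strict_types=1);

// Mirrors the unquoted-attribute pattern: escaped, but no quotes around the value.
function renderInputUnquoted(string $name, string $value): string
{
    $v = htmlentities($value, ENT_QUOTES, 'UTF-8');
    return "<input name=\"$name\" type=\"text\" placeholder=$v value=$v>";
}

// Hardened form: every attribute value is double-quoted and escaped with ENT_QUOTES,
// so neither quotes nor whitespace in the input can end the attribute early.
function renderInputSafe(string $name, string $value): string
{
    $v = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input name=\"$name\" type=\"text\" placeholder=\"$v\" value=\"$v\">";
}

// Parse the rendered tag with PHP's DOM (libxml) and report the value attribute the
// parser sees and how many <script> elements were produced.
function inspectRendered(string $html): array
{
    libxml_use_internal_errors(true); // silence warnings about stray attributes
    $dom = new DOMDocument();
    $dom->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $dom->getElementsByTagName('input')->item(0);
    return [
        'value'   => $input ? $input->getAttribute('value') : null,
        'scripts' => $dom->getElementsByTagName('script')->length,
    ];
}

// Constructed inputs: a plain value containing a space, and the payload posted above.
$plain   = 'that hurts';
$payload = 'that hurts"><script>alert("XSS")</script>';

foreach (['unquoted' => 'renderInputUnquoted', 'quoted' => 'renderInputSafe'] as $label => $fn) {
    foreach ([$plain, $payload] as $in) {
        $r = inspectRendered($fn('user', $in));
        printf("%-8s value=%s scripts=%d\n", $label, var_export($r['value'], true), $r['scripts']);
    }
}
```

Run it with the PHP CLI. Neither renderer yields a script element, because '<' is escaped in both, but the unquoted renderer hands the parser only the first word of the input and turns the rest into attribute names, which is the gap that quoting closes.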

Jackbox

Active Member
Joined
Jan 2, 2016
Messages
169
Points
74
Age
25
Lastly, here are some tips on reading your entries from terminal! Keep in mind this is only after you have changed to the entries directory like
cd /var/www/html/entries

Write the feedback to termbin:
ls -rt | xargs -d '\n' grep -h -v @ | nc termbin.com 9999

Get a unique email list written to termbin:
ls -rt | xargs -d '\n' grep -h @ | sort | uniq | nc termbin.com 9999

Dissecting a command
Code:
ls -rt | xargs -d '\n' grep -h -v @
ls -rt /// is going to list "reverse", "time modified" order. We want exactly this to know the latest feedback files!

xargs -d '\n' grep -h -v @ /// is going to show all the lines without the "@" symbol. The -d '\n' part is critical because we want to strip out the "\n" characters, to then pass into grep for opening all the files in a horizontal list (not vertically separated by \n characters).

Want to know how many entries?
Code:
ls | wc -l
All of this should get you far enough to make this system useful despite being simplistic.
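As an added example that is not part of Jackbox's post or the Phstorm code, here is a small PHP CLI reader for the same entries directory. It reconstructs each entry from the on-disk format enter.php writes (filename is the base64-encoded username, body is the email on line 1 followed by the feedback), lists entries oldest first like ls -rt, and derives the unique email list like the sort | uniq step, all locally so nothing is piped off the server. The directory path, the function names and the three sample entries are constructed for this example; the real directory in the thread is /var/www/html/entries.

```php
<?php
// Added example (not from the thread): read and parse the flat-file entries locally.

declare(strict_types=1);

/** Decode a base64 or base64url filename (without ".txt") back to the submitted username. */
function usernameFromFilename(string $basename): string
{
    $decoded = base64_decode(strtr($basename, '-_', '+/'), true);
    return $decoded === false ? '' : $decoded;
}

/** Parse one entry file: first line is the email, everything after it is the feedback. */
function parseEntry(string $contents): array
{
    $lines = explode("\n", rtrim($contents, "\n"));
    $email = array_shift($lines) ?? '';
    return ['email' => $email, 'feedback' => implode("\n", $lines)];
}

/** Read every *.txt entry in $entriesDir, oldest first (the ls -rt order). */
function readEntries(string $entriesDir): array
{
    $files = glob($entriesDir . '/*.txt') ?: [];
    usort($files, fn($a, $b) => filemtime($a) <=> filemtime($b));
    $entries = [];
    foreach ($files as $path) {
        $entry = parseEntry((string) file_get_contents($path));
        $entry['user'] = usernameFromFilename(basename($path, '.txt'));
        $entries[] = $entry;
    }
    return $entries;
}

/** Unique email addresses across all entries, sorted (the sort | uniq step). */
function uniqueEmails(array $entries): array
{
    $emails = array_unique(array_column($entries, 'email'));
    sort($emails);
    return array_values($emails);
}

// Constructed sample data in a temporary directory so the script runs stand-alone.
$entriesDir = sys_get_temp_dir() . '/phstorm-entries-' . getmypid();
mkdir($entriesDir, 0700);
$samples = [
    ['user' => 'alice', 'email' => 'alice@example.com', 'feedback' => "More CTFs please\nand weekly quizzes"],
    ['user' => 'bob',   'email' => 'bob@example.com',   'feedback' => 'Server giveaways'],
    ['user' => 'bob2',  'email' => 'bob@example.com',   'feedback' => 'Same address, second entry'],
];
foreach ($samples as $s) {
    // Same shape enter.php produces: escaped username, base64 (URL-safe alphabet) filename.
    $name = strtr(base64_encode(htmlentities($s['user'], ENT_QUOTES, 'UTF-8')), '+/', '-_');
    file_put_contents("$entriesDir/$name.txt", $s['email'] . "\n" . $s['feedback'] . "\n");
}

$entries = readEntries($entriesDir);
printf("%d entries, %d unique emails\n", count($entries), count(uniqueEmails($entries)));
foreach ($entries as $e) {
    // Stored values were HTML-escaped by enter.php; decode them for terminal display.
    printf("%s <%s>: %s\n",
        html_entity_decode($e['user'], ENT_QUOTES, 'UTF-8'),
        $e['email'],
        str_replace("\n", ' / ', $e['feedback']));
}

// Remove the constructed sample directory again.
array_map('unlink', glob("$entriesDir/*.txt") ?: []);
rmdir($entriesDir);
```

Point $entriesDir at the real directory and drop the sample-data section to use it against live entries; because the reader decodes both the standard and the URL-safe base64 alphabets, it works whichever variant the writer used.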
 
