How to exploit the PHP unlink() function.

unlink() is the PHP function that deletes a file from the filesystem. You can read more in the PHP documentation here.

I love talking about this subject. We have had some articles about it.

One year ago I talked about WordPress plugins with thousands of downloads that had the same problem.

Months later, a security bug involving unlink was found in WordPress core.

So the problem with unlink is more common than we might imagine.

But what is the problem? How can unlink be exploited to do bad things?

For the bug to happen, the application needs user-controlled input data and a call to unlink, of course. =)

For this case study we will use the simplest input: unlink called with a $_GET or $_POST parameter, without any filtering.

Some people do use filters; sometimes those filters succeed and sometimes they do not, but for this example I will show the unfiltered case.

The basic use of unlink looks like this:

unlink('folder/image.jpg'); // this image will be removed.

But when an attacker has the power to put whatever they want in that argument, like this, it is a hacker's dream:

unlink( $_GET['image'] );

You then have the power to delete any file you want (provided the web server's user has write permission on the directory holding it), such as config files or index files, and break the system. In some cases deleting the config file makes the application run its installer again, as with wp-config.php in WordPress, or with Joomla or Drupal.

Look at this example. The URL is:

http://www.target.com/index.php?image=image20.jpg

... and it runs this internal code:

unlink( $_GET['image'] ); // Delete image20.jpg

OK, that deletes image20.jpg. But if you change image20.jpg to index.php, like this:

http://www.target.com/index.php?image=index.php

unlink( $_GET['image'] ); // Delete index.php

unlink( 'index.php' );

We delete the index file, the main entry point of the system, and anyone who tries to access the site after that will not find it. The same trick works with path traversal:

http://www.target.com/index.php?image=../../wp-config.php

unlink( $_GET['image'] ); // Delete ../../wp-config.php

unlink( '../../wp-config.php' );

This deletes the config file, and on some systems (WordPress, for example) that lets you restart the installation.
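The following is an added example, not code from the original post: a "delete uploaded image" handler in the vulnerable form described above, beside a hardened form that keeps only a file name, whitelists the extension, resolves the path with realpath() and refuses anything that does not land inside the uploads directory. The function names, the temporary directory layout and the allowed extensions are assumptions made for this example.

```php
<?php
// Added example, not code from the original post. Function names, the
// uploads directory and the allowed extensions are assumptions.

// Vulnerable: the request parameter goes straight to unlink(), so
// ?image=../wp-config.php removes the config file (unlink() only needs
// write permission on the directory that contains the target).
function deleteImageVulnerable(string $image): bool
{
    return unlink($image);
}

// Hardened: keep only a file name, require an image extension, resolve the
// path with realpath() and refuse anything that does not end up inside the
// uploads directory as a regular file.
function deleteImageSafe(string $image, string $uploadsDir): bool
{
    // Drop every directory component: "../wp-config.php" -> "wp-config.php".
    $name = basename($image);

    // Whitelist: simple names with an extension this handler actually manages.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(jpe?g|png|gif)\z/i', $name)) {
        return false;
    }

    $base   = realpath($uploadsDir);
    $target = realpath($uploadsDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false) {
        return false; // directory or file does not exist
    }

    // realpath() follows symlinks, so a symlink in uploads/ that points at
    // wp-config.php resolves outside $base and is rejected here.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($target)) {
        return false;
    }

    return unlink($target);
}

// Constructed demo layout in a temporary directory:
//   <root>/wp-config.php
//   <root>/uploads/image20.jpg
$root = sys_get_temp_dir() . '/unlink-demo-' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
$makeFiles = function () use ($root): void {
    file_put_contents("$root/wp-config.php", "<?php // config\n");
    file_put_contents("$root/uploads/image20.jpg", "fake image");
};
$makeFiles();
chdir("$root/uploads"); // the script runs from the uploads directory

// 1. The vulnerable handler with the traversal payload from the post.
deleteImageVulnerable('../wp-config.php');
echo "vulnerable: wp-config.php exists? ",
     var_export(file_exists("$root/wp-config.php"), true), "\n";

// 2. The hardened handler with the same payloads plus a legitimate one.
$makeFiles();
foreach (['../wp-config.php', 'index.php', '../../etc/passwd', 'image20.jpg'] as $payload) {
    $ok = deleteImageSafe($payload, "$root/uploads");
    printf("safe: %-18s => %s\n", $payload, $ok ? 'deleted' : 'rejected');
}
echo "safe: wp-config.php exists? ",
     var_export(file_exists("$root/wp-config.php"), true), "\n";

// Clean up the temporary files.
@unlink("$root/wp-config.php");
@unlink("$root/uploads/image20.jpg");
rmdir("$root/uploads");
rmdir($root);
```

Run it with the PHP CLI (php unlink_demo.php). The vulnerable handler lets the traversal payload remove wp-config.php; the hardened handler rejects every payload except image20.jpg, and the config file survives. The extension whitelist is what stops index.php, and the realpath() prefix check is what stops traversal and symlink tricks that basename() alone would not catch.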

You can see a real example in this video.

Buummmmm…. tango Down.
