0

I today found some files created and deleted and edited on my website. I don't know how it is done. But I know it can be done by some PHP Functions like :

mkdir('Folder'); file_put_contents();scandir();...

But these codes only execute if I write in my PHP code.

How anyone can run these commands from a $_GET Value

Example PHP Code that is showing the ?name query from the URL.

<?php
echo "$_GET[name] Welcome";
?>

Can code be injected in this and hack my website?

Like https://example.com?name=".mkdir("Hacked")."

If yes, then how can I prevent these kinds of bugs and hacks?

Improve this question
1
  • That looks like a JavaScript injection vulnerability (reflected XSS), not PHP injection. If people are modifying files on the backend you probably have a vulnerability somewhere else. Commented Aug 3, 2022 at 13:20

2 Answers 2

Reset to default
1

As others have pointed out, you've demonstrated an XSS vulnerability, not a command injection vulnerability.

However, if someone is creating files on your server, you have vulnerable code elsewhere. Do all of the following:

  1. Run a malware scan
  2. Change all site-related passwords
  3. Inform users of the incident
  4. Check your system logs for clues
  5. Update your site's software
  6. Check something like PayloadsAllTheThings for information on various web app vulnerabilities. Fix them if you can find any in your own code.
  7. Maybe purchase a professional security audit if you can afford it.

There's more, depending on what your specific problem. If someone is able to execute commands on your server and upload random files, they may be able to steal data from your server. Please carefully review your system logs and code to identify what happened.

Cheers.

Improve this answer
0

No, the given code cannot lead to command injection. It does lead to reflected XSS (allowing the attacker to run javascript in your browser - thus allowing them to do anything on your website that you can do - if you click on an attacker-supplied link).

The sort of injection you are thinking of would need to take place into a function that executes commands (eg system('/someprogram [userinput]');) or executes PHP code (eg eval('[...][userinput][...]')).

There may also be other ways an attacker can create/delete/edit files (weak passwords, vulnerable web server, insecure file upload, and so on).

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.