Phstorm Flat-file Feedback System

[Asphyxia]

enter.php

<?php
if(isset($_POST['user']))
{
$user = htmlentities($_POST['user']);
$email = htmlentities($_POST['email']);
$feedback = htmlentities($_POST['feedback']);

$myFile = "./entries/".base64_encode($user).".txt";
$fh = fopen($myFile, 'w') or die("can't open file");
$stringData = $email."\n";
fwrite($fh, $stringData);
$stringData = $feedback."\n";
fwrite($fh, $stringData);
fclose($fh);
}
?>
<style>
body {
background-image: url("dice.gif");
background-color: #cccccc;
}
</style>

<div style="background-color: white;padding:10px;text-align:center;">
Your entry has been received, thank you <b><?php echo($user);?></b>!
<p>
<a href="https://r4p3.net">Return to the forum.</a>
</p>
</div>

<?php

if(isset($_POST['forumUser']))
{
echo "test";
}

?>

index.php

<?php
//Phstorm Flat-file Form

?>

<link rel="stylesheet" href="https://unpkg.com/[email protected]/build/pure-min.css" integrity="sha384-oAOxQR6DkCoMliIh8yFnu25d7Eq/PHS21PClpwjOTeU2jRSq11vu66rf90/cZr47" crossorigin="anonymous">

<div style="padding:15px;">
<form method="post" action="enter.php" class="pure-form pure-form-aligned">
    <fieldset>
        <legend>Please enter to win a virtual dedicated server.</legend>

<br><br>

<?php
if(isset($_GET['forumUser'])&&isset($_GET['forumEmail']))
{
$forumEmail = htmlentities($_GET['forumEmail']);
$forumUser = htmlentities($_GET['forumUser']);
echo "Email:<br><input name=\"email\" type=\"email\" placeholder=".$forumEmail." value=".$forumEmail."><br><br>";
echo "Username:<br><input name=\"user\" type=\"text\" placeholder=".$forumUser." value=".$forumUser.">";
}else{
header("Refresh:0; url=https://r4p3.net");//If missing email or username, redirect
}
?>
<br><br>
What kind of competitions would you like to see in the future?<br>
<textarea name="feedback"></textarea>
<br><br>
        <button type="submit" class="pure-button pure-button-primary">Roll the dice</button>
    </fieldset>
</form>
</div>

Make sure to have a dir "/entries" and chmod -R 777 entries/

Then we must edit the Apache config to find "/var/www/" and change AllowOverride to All.

The dice.gif is simply an animated image of dice, you can find any one!

Inside of /entries/ make sure to create .htaccess (nano .htaccess) and write Deny from all.

Now when you want to find all the results, you can simply cat ./entries/* to see all of them.

The code could probably be cleaned up!

 

[null3d]

You really need to take a look at the index.

example.com/index.php?forumEmail=ouch"><script>alert("XSS")</script><!--&forumUser=that hurts"><script>alert("XSS")</script>

 

[Asphyxia]

You really need to take a look at the index.

Good catch, I was tired and overlooked the input. Applied htmlentities to index.php also!

Patched and applied.

CVE-1337-null3d, have a free cupcake.

I am also encoding the filename w/ Base64.

 

[Jackbox]

Lastly, here are some tips on reading your entries from terminal! Keep in mind this is only after you have changed to the entries directory like
cd /var/www/html/entries

Write the feedback to termbin:
ls -rt | xargs -d '\n' grep -h -v @ | nc termbin.com 9999

Get a unique email list written to termbin:
ls -rt | xargs -d '\n' grep -h @ | sort | uniq | nc termbin.com 9999

Dissecting a command

ls -rt | xargs -d '\n' grep -h -v @

ls -rt /// is going to list "reverse", "time modified" order. We want exactly this to know the latest feedback files!

xargs -d '\n' grep -h -v @ /// is going to show all the lines without "@" symbol. The -d '\n' part is critical because we are wanting to strip out the "\n" characters, to then pass into grep for opening all the files in a horizontal list (not vertically separated by \n characters).

Want to know how many entries?

ls | wc

All of this should get you far enough to make this system useful despite being simplistic.