Phstorm Flat-file Feedback System

Asphyxia

Owner
Administrator
Apr 25, 2015
enter.php
Code:
<?php
$user = '';
if (isset($_POST['user'])) {
    // Escape the submitted values for HTML output before storing/echoing them.
    // ENT_QUOTES also encodes single quotes; the charset is stated explicitly.
    $user     = htmlentities($_POST['user'], ENT_QUOTES, 'UTF-8');
    $email    = htmlentities($_POST['email'] ?? '', ENT_QUOTES, 'UTF-8');
    $feedback = htmlentities($_POST['feedback'] ?? '', ENT_QUOTES, 'UTF-8');

    // One file per username inside ./entries/. The URL-safe Base64 alphabet
    // ('-' and '_' instead of '+' and '/') is used because a '/' from the
    // standard alphabet would be read by fopen() as a directory separator.
    $myFile = "./entries/" . strtr(base64_encode($user), '+/', '-_') . ".txt";
    $fh = fopen($myFile, 'w') or die("can't open file");
    fwrite($fh, $email . "\n");    // line 1: email
    fwrite($fh, $feedback . "\n"); // remaining lines: feedback
    fclose($fh);
}
?>
<style>
body {
    background-image: url("dice.gif");
    background-color: #cccccc;
}
</style>

<div style="background-color: white;padding:10px;text-align:center;">
Your entry has been received, thank you <b><?php echo($user);?></b>!
<p>
<a href="https://r4p3.net">Return to the forum.</a>
</p>
</div>

<?php
// Debug check; index.php posts 'user', not 'forumUser', so this never fires.
if (isset($_POST['forumUser'])) {
    echo "test";
}
?>

index.php
Code:
<?php
//Phstorm Flat-file Form

// Check the query string before any output is sent: header() only works
// while nothing has been written to the response yet.
if (!isset($_GET['forumUser']) || !isset($_GET['forumEmail'])) {
    header("Refresh:0; url=https://r4p3.net"); // If missing email or username, redirect
    exit;
}
// Escape for HTML output; ENT_QUOTES also encodes single quotes.
$forumEmail = htmlentities($_GET['forumEmail'], ENT_QUOTES, 'UTF-8');
$forumUser  = htmlentities($_GET['forumUser'], ENT_QUOTES, 'UTF-8');
?>

<link rel="stylesheet" href="https://unpkg.com/[email protected]/build/pure-min.css" integrity="sha384-oAOxQR6DkCoMliIh8yFnu25d7Eq/PHS21PClpwjOTeU2jRSq11vu66rf90/cZr47" crossorigin="anonymous">

<div style="padding:15px;">
<form method="post" action="enter.php" class="pure-form pure-form-aligned">
    <fieldset>
        <legend>Please enter to win a virtual dedicated server.</legend>

<br><br>

<?php
// Attribute values are kept inside double quotes: an unquoted attribute value
// ends at the first space, so the quotes are part of the escaping, not style.
echo "Email:<br><input name=\"email\" type=\"email\" placeholder=\"" . $forumEmail . "\" value=\"" . $forumEmail . "\"><br><br>";
echo "Username:<br><input name=\"user\" type=\"text\" placeholder=\"" . $forumUser . "\" value=\"" . $forumUser . "\">";
?>
<br><br>
What kind of competitions would you like to see in the future?<br>
<textarea name="feedback"></textarea>
<br><br>
        <button type="submit" class="pure-button pure-button-primary">Roll the dice</button>
    </fieldset>
</form>
</div>

Make sure to have a dir "/entries" and chmod -R 777 entries/

Then we must edit the Apache config to find "/var/www/" and change AllowOverride to All.

The dice.gif is simply an animated image of dice, you can find any one!

Inside of /entries/ make sure to create .htaccess (nano .htaccess) and write Deny from all.

Now when you want to find all the results, you can simply cat ./entries/* to see all of them.

The code could probably be cleaned up!
 

null3d

Member
Oct 9, 2015
You really need to take a look at the index.

example.com/index.php?forumEmail=ouch"><script>alert("XSS")</script><!--&forumUser=that hurts"><script>alert("XSS")</script>
 

Asphyxia

Owner
Administrator
Apr 25, 2015
You really need to take a look at the index.

Good catch, I was tired and overlooked the input. Applied htmlentities to index.php also!

Patched and applied.

CVE-1337-null3d, have a free cupcake. :p

I am also encoding the filename w/ Base64.
 

Jackbox

Active Member
Jan 2, 2016
Lastly, here are some tips on reading your entries from the terminal! Keep in mind this is only after you have changed to the entries directory, like:
cd /var/www/html/entries

Write the feedback to termbin:
ls -rt | xargs -d '\n' grep -h -v @ | nc termbin.com 9999

Get a unique email list written to termbin:
ls -rt | xargs -d '\n' grep -h @ | sort | uniq | nc termbin.com 9999

Dissecting a command
Code:
ls -rt | xargs -d '\n' grep -h -v @

ls -rt /// is going to list in "reverse", "time modified" order. We want exactly this to know the latest feedback files!

xargs -d '\n' grep -h -v @ /// is going to show all the lines without the "@" symbol. The -d '\n' part is critical because we want to strip out the "\n" characters, to then pass into grep for opening all the files in a horizontal list (not vertically separated by \n characters).

Want to know how many entries?
Code:
ls | wc -l    # -l prints only the line count, i.e. the number of entry files

All of this should get you far enough to make this system useful despite being simplistic.
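A structure-based way to read the entries, added here as an example and not code from Jackbox's post or the Phstorm project: enter.php writes the email on line 1 and the feedback on the lines after it, so reading by line position keeps feedback that itself contains an "@" (which `grep -v @` would drop) and prints locally instead of piping to termbin. It assumes the `<base64(user)>.txt` layout from enter.php (standard or URL-safe alphabet) and builds its own constructed sample entries in a temporary directory.

```shell
#!/bin/sh
# Added example: read Phstorm entries by their line structure (line 1 = email,
# remaining lines = feedback). Filenames are assumed to be Base64 of the username.

# Decode a filename back to the username (accepts '-_' as well as '+/').
entry_user() {
    basename "$1" .txt | tr '_-' '/+' | base64 -d 2>/dev/null
}

# One line per entry: username<TAB>email<TAB>feedback (feedback lines joined by "/").
list_entries() {
    for f in "$1"/*.txt; do
        [ -f "$f" ] || continue
        printf '%s\t%s\t%s\n' "$(entry_user "$f")" "$(head -n 1 "$f")" \
            "$(tail -n +2 "$f" | paste -sd '/' -)"
    done
}

# Unique email list, taken from line 1 of each file only.
unique_emails() {
    for f in "$1"/*.txt; do
        [ -f "$f" ] && head -n 1 "$f"
    done | sort -u
}

# Number of entry files (dotfiles such as .htaccess are not matched by *.txt).
count_entries() {
    n=0
    for f in "$1"/*.txt; do [ -f "$f" ] && n=$((n + 1)); done
    echo "$n"
}

# Constructed sample data in a temp dir, laid out like ./entries/ from enter.php.
make_sample_entries() {
    d=$(mktemp -d)
    for u in alice bob 'carol x'; do
        name=$(printf '%s' "$u" | base64 | tr '/+' '_-')
        case $u in
            alice)     printf '%s\n' 'alice@example.com' 'More CTF-style contests please.' ;;
            bob)       printf '%s\n' 'bob@example.com' 'Mail me at bob@example.com for ideas.' ;;
            'carol x') printf '%s\n' 'alice@example.com' 'Second entry sharing an address.' ;;
        esac > "$d/$name.txt"
    done
    printf 'Deny from all\n' > "$d/.htaccess"
    printf '%s' "$d"
}
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_entries); list_entries "$d"; unique_emails "$d"; count_entries "$d"; rm -rf "$d"
fi
```

Run it with `--demo` to see the three sample entries listed, the two unique addresses, and the count; point the functions at your real entries directory otherwise.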
 