14

I have the following PHP script (file.php) which shows the current time and displays the user's input:

Current time:

<?php

$time=time();
$actual_time=date('H:i:s',$time);
echo $actual_time;

//show user input
$enter=@$_POST['enter'];
echo '<br>Input: '.$enter;

?>

<form action="" method="POST">
    <input type="text" name="enter">
    <input type="submit" value="Refresh">
</form>

By default the page shows this: default

If I enter e.g. <strong>test</strong>, I see this: enter_htmlcode1

And if I enter <iframe src="file.php"></iframe>, I can reload the page in a smaller window: enter_htmlcode2

So, now, how could I display the raw PHP script (file.php) by submitting some certain HTML code in the INPUT text field?

12
  • 3
    highlight_file() Commented Dec 8, 2015 at 14:21
  • 1
    iframe is not your answer. Commented Dec 8, 2015 at 14:23
  • 2
    You won't see anything...... unless you bother to echo it, and recognise that file.php should be a string containing the file name: <?php echo highlight_file('file.php'); ?>.... this is where actually reading the documentation helps you Commented Dec 8, 2015 at 14:27
  • 1
    What do you try to achieve? If you want to attack the site - no, you cannot achieve this (with these sources) - at most it will be XSS. If you try to show sources for a legitimate reason - you have to change the code and use for example <?php echo highlight_file('file.php'); ?> Commented Dec 11, 2015 at 7:49
  • 3
    @Andy It is a very simple definition of insecurity. Some sites have public source code - and are secure. Many sites use Open Source software - for example - Wordpress, Wikipedia, or Stackoverflow and are nevertheless secure. Your source code has XSS - one of the Top 10 vulnerabilities on the web. It does not allow revealing your source code, but some other stuff. More information at OWASP Cross-site Scripting Commented Dec 11, 2015 at 10:28

6 Answers

10
+50
<?php

// Disable a WebKit security feature
// which would prevent from showing the source code.
header('X-XSS-Protection: 0');

if (isset($_GET['source']) || isset($_POST['source'])) {
        $source = file_get_contents(__FILE__);

        // To prevent this control from showing up
        // in the output source code
        // enable the code below.
        /*
        $lines_to_remove = 26;
        $source = explode("\n", $source, $lines_to_remove);
        $source = $source[$lines_to_remove - 1];
        */

        $source = highlight_string($source, true);
        echo $source;

        return;
}

?>
Current time:

<?php


$time=time();
$actual_time=date('H:i:s',$time);
echo $actual_time;

//show user input
$enter=@$_POST['enter'];
echo '<br>Input: '.$enter;

?>

<form action="" method="POST">
    <input type="text" name="enter">
    <input type="submit" value="Refresh">
</form>


1 Comment

thx! for completeness: the input has to be <iframe src="file.php?source"></iframe>
3

First

htmlspecialchars — Convert special characters to HTML entities

$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new;

//This would be the output
&lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;

//browser will display
<a href='test'>Test</a>

Second

htmlentities - Convert all applicable characters to HTML entities

$str = "A 'quote' is <b>bold</b>";

echo htmlentities($str);

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;

echo htmlentities($str, ENT_QUOTES);
// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;

In the browser it would be displayed:

A 'quote' is <b>bold</b>

Comments
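
An added example, not part of any answer on this page: the question's "Input:" line escaped at output time, run from the CLI over the two inputs from the question and the quoted string from the answer above. The function names are hypothetical; the attribute case shows why the answer passes ENT_QUOTES, using ENT_COMPAT (the default before PHP 8.1) for comparison.

```php
<?php
// Added example (not from the original posts): escape at output time,
// per HTML context. Function names are hypothetical.

// Element-content context: what the question's "Input:" line should emit.
function render_input_line(?string $enter): string
{
    $safe = htmlspecialchars($enter ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<br>Input: ' . $safe;
}

// Attribute context: echo the value back into a single-quoted form field.
// $flags is a parameter only so the weak and strong settings can be compared.
function render_input_field(?string $enter, int $flags): string
{
    $safe = htmlspecialchars($enter ?? '', $flags, 'UTF-8');
    return "<input type='text' name='enter' value='" . $safe . "'>";
}

// Constructed sample inputs: the two from the question plus a value with quotes.
$samples = [
    '<strong>test</strong>',
    '<iframe src="file.php"></iframe>',
    "A 'quote' is <b>bold</b>",
];

foreach ($samples as $enter) {
    echo "input      : $enter\n";
    echo "unescaped  : <br>Input: $enter\n"; // what the question's script emits
    echo "escaped    : " . render_input_line($enter) . "\n";
    // ENT_COMPAT leaves ' untouched, so it ends the single-quoted attribute early.
    echo "ENT_COMPAT : " . render_input_field($enter, ENT_COMPAT) . "\n";
    echo "ENT_QUOTES : " . render_input_field($enter, ENT_QUOTES | ENT_SUBSTITUTE) . "\n\n";
}
```

With escaping in place, the `<iframe>` input from the question is printed as text instead of being loaded by the browser.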

2

Parsing the input as plain text should display the file:

<?php

// Send the header first: header() cannot change headers once output has started.
header("Content-Type: text/plain");

$time=time();
$actual_time=date('H:i:s',$time);
echo $actual_time;

//show user input
$enter=@$_POST['enter'];

echo '<br>Input: '.$enter;

?>

Of course you would then have to customize your script to detect when the user wants to display the file, and only then change the content type (or else the other html inputs will not work).

4 Comments

Well, it works.. but I was actually hoping to display the file without modifying it.
Modifying which file? You are talking about file.php? Because unless the script is file.php, you will not be modifying it.
yes, I mean the file file.php. What I am intending to do, is to give an input and then return the file on the screen.
@Andy wants to use an exploit to see the file, I suppose?
2

Submitting html or php code to then display:

<?php

$time=time();
$actual_time=date('H:i:s',$time);
echo $actual_time;

//show user input
$enter=@$_POST['enter'];
echo '<br>Input: <pre>'.htmlspecialchars($enter).'</pre>';

?>

<form action="test.php" method="POST">
    <input type="text" name="enter">
    <input type="submit" value="Refresh">
</form>

Opening a file and then display:

<?php
    $myfile = fopen("test.php", "r") or die("Unable to open file!");
    echo '<pre>'.htmlspecialchars(fread($myfile,filesize("test.php"))).'</pre>';
    fclose($myfile);
?>

Comments

1

File name : test1.php

Write below code in this file :

<?php
$time=time();
$actual_time=date('H:i:s',$time);
echo $actual_time;

$enter=@$_POST['enter'];
// Default value so the echo below is defined before the first submit
$result='';
if (isset($enter)) {
    $doc = new DOMDocument();
    @$doc->loadHTML($enter);
    $tags = $doc->getElementsByTagName('iframe');
    foreach ($tags as $tag) {
           $file_name = $tag->getAttribute('src');
    }
    if(isset($file_name)){
        $result ='<iframe src='.$file_name.'></iframe>';        
    }else{
        $result = $enter;   
    }
}
echo '<br>Input: '.$result;
?>
<form action="" method="POST">
    <input type="text" name="enter">
    <input type="submit" value="Refresh">
</form>

Create a new file : test6.php

Write code below in this file :

<?php
    $myfile = fopen("test1.php", "r") or die("Unable to open file!");
    echo '<pre>'.htmlspecialchars(fread($myfile,filesize("test1.php"))).'</pre>';
    fclose($myfile);
?>

Hit file : test1.php

write in input tag : <iframe src="test6.php"></iframe>

It will work !!

Comments
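
An added example, not the answerer's code: the same DOMDocument lookup, but the iframe is only re-emitted when its src exactly matches an allow-list, and every other input is shown as escaped text. ALLOWED_FRAMES and frame_for_input() are hypothetical names; test6.php is the viewer page from the answer above.

```php
<?php
// Added example, not the answerer's code. ALLOWED_FRAMES and frame_for_input()
// are hypothetical names; test6.php is the viewer page from the answer above.
const ALLOWED_FRAMES = ['test6.php'];

function frame_for_input(string $enter): string
{
    if ($enter === '') {
        return ''; // loadHTML() rejects an empty string
    }

    $doc = new DOMDocument();
    // Collect parser warnings for malformed fragments instead of silencing with @.
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML($enter);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    foreach ($doc->getElementsByTagName('iframe') as $tag) {
        $src = $tag->getAttribute('src');
        // Exact match against the allow-list: no paths, schemes or query strings.
        if (in_array($src, ALLOWED_FRAMES, true)) {
            return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '"></iframe>';
        }
    }

    // Anything else is shown as text, never as markup.
    return htmlspecialchars($enter, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: the answer's input and the two from the question.
$samples = [
    '<iframe src="test6.php"></iframe>',
    '<iframe src="file.php"></iframe>',
    '<strong>test</strong>',
];

foreach ($samples as $enter) {
    echo frame_for_input($enter), "\n";
}
```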

0

I don't completely understand what you are trying to achieve, however, I assume the highlight_file() function should help.

echo highlight_file('file.php',true);

Comments
