
You thought that “This should never happen” was bad? search – eval($_GET) - callaars
https://github.com/search?utf8=%E2%9C%93&q=eval%28%24_GET%29&type=Code&ref=searchresults
======
Bognar
Actually I thought "This should never happen" was good. This is pretty bad,
though.

~~~
gravypod
Yea, it's people throwing in checks for cases that should never happen, but
probably have saved a lot of money and time for people who were running those
products.

This is just horrible.

------
kbenson
Thankfully, most of these I've seen in the first four pages are for things
marked as a web shell, or a security scanner, etc, so it's purposeful and not
meant for serious webapp use.

Still, kind of scary to see. It's like a listening netcat piping to bash in a
loop. Sure there should be a firewall in front...

~~~
gravypod
If you're going to be doing any of these, there should at least be some form
of authentication within the project.

Leaving this open is just hoping someone runs "rm -rf /"

------
chc
It looks like the vast majority are from forks of PHP Vulnerability Hunter,
and a few more are from other vulnerability tests. So I guess this isn't
actually that common?

------
throwaway2016a
Also bad

[https://github.com/search?utf8=%E2%9C%93&q=include%28%24_GET...](https://github.com/search?utf8=%E2%9C%93&q=include%28%24_GET%29&type=Code&ref=searchresults)

There is a simple Google search that allows you to find thousands of websites
that do this. Which I won't put since it essentially gives you a list of
websites ripe for take over.

~~~
deepsun
Should be "include($_GET" (with quotes)

------
blakesterz
Aren't those almost all "php-vulnerability-hunter – ArbitraryPhpGet.php" ?
That seems like, well, not so bad.

------
goshx
Try looking for database connections too.

~~~
paralelogram
[https://github.com/search?p=2&q=mysql_connect+root+NOT+local...](https://github.com/search?p=2&q=mysql_connect+root+NOT+localhost+NOT+%22127.0.0.1%22+NOT+%22192.168%22&ref=searchresults&type=Code&utf8=%E2%9C%93)

------
ams6110
Years ago I worked on a web app that had a "hidden" page that would do
something like:

    SQL.exec($_GET['sql'])

Was used for support to be able to access customer data to be able to
reproduce bugs, etc.

------
asfakeaccount
I'm not familiar with PHP. Can someone explain this to a newbie?

~~~
cokernel
The function eval[1] evaluates a string as code. The special variable $_GET[2]
contains HTTP GET variables, which may be freely set by a remote user.

So if your PHP file executes eval($_GET['code']), then arbitrary folks can
submit whatever code they want as a parameter -- as in /index.php?code=blah --
and have your webserver run it for them.

[1] [http://php.net/manual/en/function.eval.php](http://php.net/manual/en/function.eval.php)
[2] [http://php.net/manual/en/reserved.variables.get.php](http://php.net/manual/en/reserved.variables.get.php)
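As an added example (not code from the thread or from any project mentioned in it), a small Python check for the pattern cokernel explains above: a dangerous PHP sink (eval, include, exec and friends) whose argument comes from a request superglobal, either directly or through a plain variable assignment. The sample PHP source is constructed for the demonstration and the helper names are my own.

```python
import re
# Sinks that turn request text into code, files or commands, and the superglobals that carry it.
SINKS = ("eval", "include", "include_once", "require", "require_once", "assert", "system",
         "exec", "shell_exec", "passthru", "popen", "proc_open", "unserialize")
SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
STRING_RE = re.compile(r"'(?:[^'\\]|\\.)*'" + r'|"((?:[^"\\]|\\.)*)"')
COMMENT_RE = re.compile(r"/\*.*?\*/|//.*|#.*")
ASSIGN_RE = re.compile(r"\$(\w+)\s*\.?=(?![=>])\s*(.+)")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\b\s*\(?\s*([^;]*)", re.IGNORECASE)

def strip_noise(line: str) -> str:
    # Single-quoted PHP strings never interpolate, so a literal 'include($_GET' (deepsun's
    # point above) is dropped; double-quoted strings keep only their $var interpolations.
    def keep_interpolations(m):
        if m.group(1) is None:
            return "''"
        return '"' + " ".join(re.findall(r"\$\w+", m.group(1))) + '"'
    return COMMENT_RE.sub("", STRING_RE.sub(keep_interpolations, line))

def is_tainted(expr: str, tainted: set) -> bool:
    if SOURCE_RE.search(expr):
        return True
    return any(re.search(r"\$" + re.escape(v) + r"\b", expr) for v in tainted)

def scan(php_source: str) -> list:
    # Returns (line_number, sink) for each sink whose arguments mention a request superglobal
    # or a variable assigned from one earlier. Flow is tracked per line and validation such as
    # in_array() is not understood, so every hit is a candidate for review, not a confirmed bug.
    tainted: set = set()
    findings = []
    for lineno, raw in enumerate(php_source.splitlines(), 1):
        line = strip_noise(raw)
        for name, rhs in ASSIGN_RE.findall(line):
            if is_tainted(rhs, tainted):
                tainted.add(name)
        for sink, args in SINK_RE.findall(line):
            if is_tainted(args, tainted):
                findings.append((lineno, sink.lower()))
    return findings
# Constructed sample, not from any real project: vulnerable and harmless lines side by side.
SAMPLE_PHP = """<?php
eval($_GET['code']);                                   // the pattern from the thread
include $_GET["page"] . ".php";                        // include without parentheses
$sql = $_REQUEST['sql'];
$db->exec($sql);                                       // the support page ams6110 describes
$page = in_array($_GET['p'], $allowed, true) ? $_GET['p'] : 'home';
include "pages/$page.php";                             // allowlisted, still reported for review
$note = 'include($_GET';                               // quoted text only, not reported
include 'pages/home.php';                              // constant path, not reported
"""
```

Running `scan(SAMPLE_PHP)` reports lines 2, 3, 5 and 7; the allowlisted include on line 7 shows why the output is a review queue rather than a verdict.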

