Shell Injection

Hi all,

Can someone please tell me what is wrong with this and how it could be fixed? I understand that someone can inject malicious code by inputting a command like ';' or |.

But where does the problem exist and how can it be fixed?


if(isset($_POST["test"])) {
    $exec = shell_exec("ping -c 3 -s 64 -t 64 ".$_POST["test"]); // user input is appended to the shell command unfiltered
    echo(cxa2r($exec));
}

echo('<form name="test" action="index.php" method="post">
address: <input type="text" name="ip" value="localhost">
<input type="submit" value="HIT">
</form>');

logicsolutions Asked:

Dan Craciun (IT Consultant) Commented:
Run this on your server:
ping -c 3 -s 64 -t 64 8.8.8.8

Then run this:
ping -c 3 -s 64 -t 64 8.8.8.8 | echo "you're pwned"

Then this:
ping -c 3 -s 64 -t 64 8.8.8.8 | cat /etc/passwd

All these options are available with your code.

On most hosts shell_exec is disabled, so your code simply won't work.

If this is your server and it's public facing, you're pretty much giving an attacker the ability to run arbitrary commands on your system.

HTH,
Dan
Dave Baldwin (Fixer of Problems) Commented:
$_POST["test"] comes from a form on a web page where somebody can type in whatever they want including the examples Dan gave.  The code you have posted is not doing anything to limit what is being passed which makes you vulnerable.  You need to put code in between lines 1 and 2 that filters or limits the acceptable content for $_POST["test"].
logicsolutions (Author) Commented:
Like

escapeshellarg

or

escapeshellcmd

Dan Craciun (IT Consultant) Commented:
Like
$test = escapeshellarg($_POST["test"]);
$exec = shell_exec("ping -c 3 -s 64 -t 64 ".$test);

Ray Paseur Commented:
A safe solution might be to create a list of acceptable commands.  Put these commands in an array, with numeric indexes.  Then use a number that corresponds to the commands in the request.  Translate the numeric value of $_POST['test'] into the array position that contains your acceptable command, and run that command.  By doing it this way you will be certain that your script is only using acceptable values in the command.

Also, there must be a 1:1 correspondence between the name= attribute in the HTML form input control and the array index in $_POST.  The code snippet posted with the question does not have a name= attribute that will give meaning to $_POST['test'].  You would probably want to have an HTML input control in the form.  Some good "getting started" resources are here:
http://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html
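
The filtering and escaping suggested in the answers above, combined into one check, as an added example that is not part of the original thread. `build_ping_command` is a hypothetical helper, and the handler sketch reads the `ip` field on the assumption that the form's input name is the one that should be used.

```php
<?php
declare(strict_types=1);

/**
 * Return the ping command line for $input, or null if $input is not a
 * plain IP address or hostname. (Hypothetical helper, not from the thread.)
 */
function build_ping_command(string $input): ?string
{
    $host = trim($input);

    // Allowlist by shape: accept only an IPv4/IPv6 literal or a hostname.
    // Hostname validation also rejects values beginning with '-', which
    // ping would otherwise read as an option rather than a destination.
    $isIp   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $isName = filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    if ($host === '' || (!$isIp && !$isName)) {
        return null;
    }

    // Defence in depth: quote the value so the shell sees a single argument.
    return 'ping -c 3 -s 64 -t 64 ' . escapeshellarg($host);
}

// Constructed sample inputs; the last two are the strings from Dan's answer.
$samples = [
    '8.8.8.8',
    'localhost',
    '8.8.8.8 | echo "you\'re pwned"',
    '8.8.8.8 | cat /etc/passwd',
];

foreach ($samples as $sample) {
    $cmd = build_ping_command($sample);
    printf("%-32s => %s\n", $sample, $cmd ?? 'REJECTED');
}

// In the request handler, read the field the form actually sends (name="ip"):
// $cmd = build_ping_command((string) ($_POST['ip'] ?? ''));
// if ($cmd !== null) { echo nl2br(htmlspecialchars((string) shell_exec($cmd))); }
```

Of the two functions named in the thread, `escapeshellarg` is the one meant for a single argument; `escapeshellcmd` escapes metacharacters across a whole command string but still lets the input supply additional arguments.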