Is this vulnerable?

    • #8770
      eyenit0
      Participant

      Can someone tell me if this code is vulnerable to command injection? At first I was sure it was but even though I’m able to enter whatever I want into the command string that gets passed to the System() call through a GET parameter, it doesn’t get executed. I thought maybe the quotes around the variables prevented it from being successful?

      $cmd = "/usr/bin/php /usr/share/www/execution.php '$user_input' '$option1'";

      system($cmd);

    • #54053
      KrisTeason
      Participant

      This looks vulnerable. How does the user’s input make it over to the $cmd variable? Via a $_POST parameter? Try manipulating the request with a proxy and see if you can change its value to get a command executed. If you can break out of the quote, you can append (with &&) additional commands that can get executed.

      This video will help:

    • #54054
      hayabusa
      Participant

      Scratch my previous reply. I’m blind…

      That said, can you run the EXACT command on the command-line, on the host, and have it executed?

    • #54055
      eyenit0
      Participant

      Sorry for the extremely late reply. Holidays and all that had me spinning in circles. I just got back to this at work today and found that if I edit the PHP and remove the single quotes around $user_input then I can inject a command successfully via that parameter. So I guess those single quotes are protecting the query. I’m not sure if there’s a way around that but that’s where it stands right now.

    • #54056
      hayabusa
      Participant

      Perhaps magic quotes was in play:

      http://php.net/manual/en/security.magicquotes.php

    • #54057
      eyenit0
      Participant

      Thanks for the suggestion, I hadn’t thought of that. I just checked though and it’s off. I wonder if there’s some sort of other protection somewhere that I can’t see. If I run the command from the CLI directly it works fine, but when I pass my input as a parameter it does not. I’ll try to dig deeper on it if I can get the time.

    • #54058
      jmicgas
      Participant

      I guess it is not. Unless the code is flagged as malware by your antivirus, you are on the safer side.
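
The quoting question raised in this thread, as an added example that is not part of any post: the `'$var'` pattern from the first post next to the same command line built with PHP's `escapeshellarg()`, each run through `sh -c` the way `system()` runs it. Assumptions: a Unix-like host with `/bin/sh`, the shell's `printf` standing in for `/usr/bin/php /usr/share/www/execution.php` so the received arguments are visible, and hypothetical function names and sample inputs.

```php
<?php
// Added example, not code from the thread.
// Assumption: printf stands in for "/usr/bin/php /usr/share/www/execution.php"
// so the script runs on any host with /bin/sh; it prints each argument it receives.

// The thread's pattern: values wrapped in literal single quotes.
function build_naive(string $userInput, string $option1): string
{
    return "printf '[%s]\\n' '$userInput' '$option1'";
}

// Hardened form: escapeshellarg() quotes the value and escapes embedded quotes.
function build_escaped(string $userInput, string $option1): string
{
    return "printf '[%s]\\n' " . escapeshellarg($userInput) . ' ' . escapeshellarg($option1);
}

// Run a command line the way system() does (sh -c), capturing stderr as well.
function run(string $cmd): array
{
    exec('/bin/sh -c ' . escapeshellarg($cmd) . ' 2>&1', $lines, $status);
    return [$status, $lines];
}

// Constructed sample inputs (not taken from the thread).
$samples = [
    'plain',
    'a; b && c $(d) `e`',   // metacharacters stay literal inside single quotes
    "O'Brien",              // an ordinary apostrophe ends the naive quoting early
];

foreach ($samples as $input) {
    foreach (['naive' => 'build_naive', 'escaped' => 'build_escaped'] as $label => $build) {
        $cmd = $build($input, 'opt');
        [$status, $lines] = run($cmd);
        // For the naive form with an apostrophe, the output is the shell's
        // parse error: the value no longer arrives as one argument.
        printf("%-8s %s\n  exit=%d  output: %s\n", $label, $cmd, $status, implode(' ', $lines));
    }
}
```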


Copyright ©2020 Caendra, Inc.
