Is this vulnerable?

This topic contains 6 replies, has 4 voices, and was last updated by jmicgas 4 years, 5 months ago.

  • Author
    Posts
  • #8770
     eyenit0 
    Participant

    Can someone tell me if this code is vulnerable to command injection? At first I was sure it was but even though I’m able to enter whatever I want into the command string that gets passed to the System() call through a GET parameter, it doesn’t get executed. I thought maybe the quotes around the variables prevented it from being successful?

    $cmd = "/usr/bin/php /usr/share/www/execution.php '$user_input' '$option1'";

    system($cmd);
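    The single quotes only hold as long as the input itself contains no single quote, so the fix is to let PHP quote each argument and to restrict the option to known values. The following is an added example, not the original poster's code; the allowed option values are assumed, since the thread does not list them.

```php
<?php
// Added example (not the poster's code): the same command, built safely.
// Assumptions: $user_input and $option1 come from the request as in the
// original snippet; the set of valid options is constructed for illustration.

// Only values that execution.php actually understands are accepted.
$allowed_options = ['summary', 'full'];

function build_command(string $user_input, string $option1, array $allowed_options): ?string
{
    if (!in_array($option1, $allowed_options, true)) {
        return null; // anything outside the allow-list is rejected
    }
    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded single quote, so a quote in $user_input cannot end the argument.
    return '/usr/bin/php /usr/share/www/execution.php '
        . escapeshellarg($user_input) . ' '
        . escapeshellarg($option1);
}

// Constructed sample input containing a single quote, the character the thread
// discusses as the way out of the quoted argument.
$sample = "it's";
$cmd = build_command($sample, 'summary', $allowed_options);
if ($cmd === null) {
    exit('rejected option' . PHP_EOL);
}
echo $cmd, PHP_EOL;
// system($cmd) would now receive the quote as data, not as a delimiter.
```

    Compare the echoed string with the interpolated version in the original snippet: the embedded quote is closed, escaped and reopened rather than terminating the argument.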

  • #54053
     KrisTeason 
    Participant

    This looks vulnerable. How does the user’s input make it over to the $cmd variable? Via a $_POST parameter? Try manipulating the request with a proxy and see if you can change its value to get a command executed. If you can break out of the quote, you can append (with &&) additional commands that can get executed.

    This video will help:

  • #54054
     hayabusa 
    Participant

    Scratch my previous reply. I’m blind…

    That said, can you run the EXACT command on the command-line, on the host, and have it executed?

  • #54055
     eyenit0 
    Participant

    Sorry for the extremely late reply. Holidays and all that had me spinning in circles. I just got back to this at work today and found that if I edit the PHP and remove the single quotes around $user_input then I can inject a command successfully via that parameter. So I guess those single quotes are protecting the query. I’m not sure if there’s a way around that but that’s where it stands right now.

  • #54056
     hayabusa 
    Participant

    Perhaps magic quotes was in play:

    http://php.net/manual/en/security.magicquotes.php

  • #54057
     eyenit0 
    Participant

    Thanks for the suggestion, I hadn’t thought of that. I just checked though and it’s off. I wonder if there’s some sort of other protection somewhere that I can’t see. If I run the command from the CLI directly it works fine, but when I pass my input as a parameter it does not. I’ll try to dig deeper on it if I can get the time.

  • #54058
     jmicgas 
    Participant

    I guess it is not. Unless the code is flagged as malware by your antivirus, you are on the safer side.

Copyright ©2019 Caendra, Inc.