Good day guys.
The issue I am having is specifically with handling this specific input case.
A part of my project I need to do is to take argument though command line into a PHP script. for eg ./do_op_2.php "`rm -rf ~/`;" .
I have tried using escapeshellarg($argv[1]), escapesellcmd($argv[1]); but to no avail it still executes the command. I have tried iterating through the string looking for ` and ; before anything happens, it is still executed.
If there are any more specific questions please do ask, I am willing to give more information.
Code for those who are curious.
#!/usr/bin/php
<?php
unset($argv[0]);
$argv[1] = escapeshellarg($argv[1]);
$argv[1] = escapeshellcmd($argv[1]);
function add($a, $b)
{
if (is_numeric($a) && is_numeric($b))
return ($a + $b);
else
return (0);
}
function minus($a, $b)
{
if (is_numeric($a) && is_numeric($b))
return ($a - $b);
else
return (0);
}
function mult($a, $b)
{
if (is_numeric($a) && is_numeric($b))
return ($a * $b);
else
return (0);
}
function divide($a, $b)
{
if (is_numeric($a) && is_numeric($b))
return ($a / $b);
else
return (0);
}
function mod($a, $b)
{
if (is_numeric($a) && is_numeric($b))
return ($a % $b);
else
return (0);
}
function ft_split($str)
{
$ret = array_filter(preg_split('/\s+/', $str));
return ($ret);
}
if ($argc == 2)
{
$split = ft_split(trim($argv[1], " \t"));
if (is_numeric($split[0]) && is_numeric($split[2]))
{
if ($split[1] == "+")
echo add(trim($split[0], " \t"), trim($split[2], " \t")) . "\n";
else if ($split[1] == "-")
echo minus(trim($split[0], " \t"), trim($split[2], " \t")) . "\n";
else if ($split[1] == "*")
echo mult(trim($argv[0], " \t"), trim($split[2], " \t")) . "\n";
else if ($split[1] == "/")
echo divide(trim($split[0], " \t"), trim($split[2], " \t")) . "\n";
else if ($split[1] == "%")
echo mod(trim($split[0], " \t"), trim($split[2], " \t")) . "\n";
else
echo "Syntax Error\n";
}
else
echo "Syntax Error\n";
}else
echo "Incorrect Parameters\n";
?>
The only thing I can think of is command substitution (see also parameter substitution) - something which happens in bash and other shells. If this is what's going on, then your reporting of the situation is a little misleading (read on).
It's very unlikely that PHP will be doing this, it'll be done by the shell, and there is no way to modify your code to prevent this... It's a feature of the shell.
For example a variable, using ${...}:
$ FOO="test"
$ echo ${FOO}
test
It's also possible to run a command and use the output (stdout) as the value with $(...):
$ echo $(date)
Tue 2 Oct 12:02:59 BST 2018
Another variant of this is using backticks:
$ echo `date`
Tue 2 Oct 12:04:03 BST 2018
You've listed the following in your question:
./do_op_2.php '`rm -rf ~/`;'
The use of single quotes (') should prevent the shell from substituting the backticks:
$ echo '${FOO}'
${FOO}
$ echo '`date`'
`date`
But using double quotes (") will not prevent this:
$ echo "${FOO}"
test
$ echo "`date`"
Tue 2 Oct 12:05:17 BST 2018
I can only presume that you've reported single quotes, but actually used double quotes when you observed this behaviour. Your comment supports this theory.
For eg. ./do_op_2.php "`rm -rf test.doc`;" will delete test.doc instead of ignoring the command.
Related
I am trying to do SQL-injection attack on a local website on my localhost. I am trying to get all the products from product table using the wildcard ';-- but there seems to be some problem with the query. It's giving me this error
'Warning: mysqli_fetch_assoc() expects parameter 1 to be
mysqli_result, boolean given in C:\wamp64\www\tplus\products.php on
line 151'
Here is my PHP code
<?php
//$search_value = mysqli_real_escape_string($conn,$_GET['search']);
$search_value = $_GET['search'];
$result = mysqli_query($conn,"SELECT * FROM products where p_name LIKE '%".$search_value."%'");
while ($row = mysqli_fetch_assoc($result))
{
echo "<tr>";
echo "<td>";
echo $row['p_name'];
echo "</td>";
echo "<td>";
echo $row['p_price'];
echo "</td>";
echo "<td>";
echo $row['p_brand'];
echo "</td>";
echo "<td>";
echo $row['p_info'];
echo "</td>";
echo "</tr>";
}
?>
Try this
if (!$result) {
die(echo 'MySQL Error: ' . mysqli_error())
}
You need to check if
"SELECT * FROM products where p_name LIKE '%".$search_value."%'"
is a valid SQL statement.
The indication is that it is not - hence the error.
Perhaps output that string and check where the SQL statement is incorrect.
Below is some code I have written for my ever growing bird-related chat bot.
If I use the mIRC consolse, I can execute the alias blocks (eg. //fchirp [user] ), but for some reason, the bot doesn't acknowledge somebody typing "!chirp" from the main chat window. It doesn't even execute the first //echo statement in the on-text-event.
The weirdest part is: this code worked before and I've been using it regularly. I haven't changed any part of what is shown here aside from the //echo statements which I use for debugging.
addWorms and giveWorms are both aliases I wrote and function correctly on their own. The main issue I'm running into is get the bot to do anything at all when someone types"!chirp". (It should be noted that other unrelated on-text-events earlier in the code work just fine with identical syntax.)
alias fchirp {
/writeini chirp.ini $1 First $adate
/writeini chirp.ini $1 Last $adate
/writeini chirp.ini $1 Count 1
msg $chan /w $1 Welcome to the Nest! Thanks for checking in! :D
addWorms $1
msg $chan /w $1 Type !worms to see how many you have!
//echo -a first chirp
}
alias chirp {
var %a $readini(chirp.ini, $1, Count)
var %count $calc( %a + 1 )
if ( $readini(worms.ini, $1, Breed) == $null ) {
addWorms $1
//echo -a addWorms done
}
if ( $readini(chirp.ini, $1, Last) === $adate ) { msg $chan /w $nick You've already checked in today! BabyRage | halt }
/writeini chirp.ini $1 Last $adate
/writeini chirp.ini $1 Count %count
//echo -a last/count updated
if ( $calc( $readini(chirp.ini, $1, Count) % 5 ) == 0 ) {
giveWorms $1 10
msg $chan /w $1 Welcome back! Lucky day!
}
else {
giveWorms $1 5
msg $chan /w $1 Welcome back! Here's your worms! Don't forget to !hunt ! ^_^
}
//echo -a giveWorms
}
on *:TEXT:!chirp:#: {
//echo -a acknowledged
if ( $readini(chirp.ini, $nick, First) != $null ) {
//echo -a true
chirp $nick
}
else {
//echo -a false
fchirp $nick
}
msg $chan /w $nick Don't forget to !hunt for worms! :D
}
The Event catching can be interfere by two main reasons.
Error
You have an error above your code on the same remote file. e.g. missing bracket or syntax error.
Other event already been captured
mIRC will not process event that already been matched by another pattern on the same file.
example.ini
ON *:TEXT:* dog *: echo -ag This will be called if we wrote the word dog in a sentence.
ON *:TEXT:*:#: echo -ag This will be called
ON *:TEXT:*test*: echo -ag This will never be called. Even if we wrote the word test in sentence.
You can merge your TEXT events to handle both actions, although if they aren't logic related, i would separated them for another remote file.
on *:TEXT:*:#: {
if ($1- == !chirp) {
; In here put your code.
}
; Another code over here..
; Count some stuff in here..
}
Remark: / is useless on alias/popup/remote code, and it is just for identifying text vs commands for console mIRC window.
I have a script that seeds my database, but I want to only redirect the stderr to the user.
I'm trying this:
echo "Seeding pokemon"
mongo mongodb_1:27017/pokemon pokemon.js > /dev/null 2>&1
But I'm not getting the error output.If I remove the redirection, the error outputs to my console.
Mongo Shell does not currently support separate output stream for errors.
Have can subscribe to SERVER-18643 to get notified once this is implemented.
Workaround suggested in the above ticket is to tag your output inside the Mongo Shell:
...
print("<STDOUT>")
print(multiline_json)
print("</STDOUT>")
print("<STDERR>")
print(multiline_json)
print("</STDERR>")
...
Then you can redirect to the correct output stream using the following script:
#!/bin/bash
COMMAND="mongo <args>"
OUTPUT=$(${COMMAND})
function STDERR {
cat - 1>&2
}
function STDFILE {
if [ -z "$1" ]; then
return
fi
cat - >> $1
}
WRITE_ERR=0;
for line in $OUTPUT; do
if [[ "$line" == "<STDERR>"* ]]; then
WRITE_ERR=1
continue
elif [[ "$line" == "</STDERR>"* ]]; then
WRITE_ERR=0
continue
fi
if [ "$WRITE_ERR" -eq "1" ]; then
printf "%s\n" "$line" | STDERR
else
printf "%s\n" "$line"
fi
done
I've following code to compare two dates in PHP,which one while be appropriate method
<?php
$var = date('d-m-Y',strtotime('29-05-2012'));
$var1 = date('d-m-Y',strtotime('27-06-2012'));
echo $var; //29-05-2012
echo $var1; //27-06-2012
if($var1 >= $var) //method 1
{
echo 'var1 is future date';
}
if(strtotime($var1) >= strtotime($var)) //method 2
{
echo 'var1 is future date(second if)';
}
?>
In above two methods,method-1 is not working,is it not a correct way to compare two dates in PHP ?
No, the first method is incorrect because $var1 and $var are strings, so you can't compare them like that.
However, strtotime() creates unix timestamps (integers), so you can and should compare them like that.
Just leave the date as string, and convert with strtotime in if ().
$a = '29-5-2012';
$b = '27-6-2012';
if (strtotime($a) >= strtotime($b)) {
echo "$a is future date.";
} else {
echo "$b is future date.";
}
// 27-6-2012 is future date.
Depending on you php version >= 5.3 you can try date_diff()
$time1 = strtotime('29-05-2012'); # <--- past
$time2 = strtotime('27-06-2012'); # <--- future
echo max($time1,$time2);
echo "<br />";
echo min($time1,$time2);
why not:
if (mktime(0,0,0,12,31,2012) > mktime(0,0,0,6,25,2011)) {
echo "12/31/2012 is after 6/25/2011";
}
$date1=date('d/m/y');
$tempArr=explode('_', '31_12_11');
$date2 = date("d/m/y", mktime(0, 0, 0, $tempArr[1], $tempArr[0], $tempArr[2]));
I pass two Date::Manip::Date objects, perfectly valid dates to my sub:
sub get_duration {
my $duration;
my #val;
my $from = $_[0]->new_date();
my $to = $_[1]->new_date();
# $from->parse("2012-03-06");
# $to->parse("2012-03-07");
print $from . " ".$to. "<-- <br />";
my #f = $from->value();
if ($f[0] == 2012) {
$from->config("ConfigFile",$HOLIDAYS_2012);
} elsif ($f[0] == 2013) {
$from->config("ConfigFile",$HOLIDAYS_2013);
} elsif ($f[0] == 2014) {
$from->config("ConfigFile",$HOLIDAYS_2014);
} elsif ($f[0] == 2015) {
$from->config("ConfigFile",$HOLIDAYS_2015);
}
my #t = $to->value();
if ($t[0] == 2012) {
$to->config("ConfigFile",$HOLIDAYS_2012);
} elsif ($t[0] == 2013) {
$to->config("ConfigFile",$HOLIDAYS_2013);
} elsif ($t[0] == 2014) {
$to->config("ConfigFile",$HOLIDAYS_2014);
} elsif ($t[0] == 2015) {
$to->config("ConfigFile",$HOLIDAYS_2015);
}
print "from " . #f ." to ". #t."<br>";
my $delta = $from->calc($to, "business");
print $from->calc($to, "business") . " <-";
#val = $delta->value();
if ($to->is_business_day()) {
$duration = $val[3]+1;
} else {
$duration = $val[3];
}
return $duration;
}
I get the output
Date::Manip::Date=HASH(0xacdf7a0) Date::Manip::Date=HASH(0xacdfb50)<--
from 0 to 0
<-
Software error:
Can't call method "value" on an undefined value at '#val = $delta->value();'
That is the two dates are passed all right, I got NO errors when it tries to set their config files, Regardless, the value arrays #t and #f are empty and it breaks down as soon as I try to get the delta.
However if I uncomment the two lines
$from->parse("2012-03-06");
$to->parse("2012-03-07");
(hence ignoring the parameters)
It works just fine as intended.
There's something I'm missing about passing objects in Perl I suspect?
Firstly
&get_overlap_duration($saved[$i][5], $saved[$i][6], $saved[$i][7], $saved[$i][8])
Is called
I've printed the #saved values and they're correct, they're strings:
2012-03-06, 2012-03-08, 2012-03-05, 2012-03-07
Then inside get_overlap_duration those strings are
my $from1 = new Date::Manip::Date;
my $to1 = new Date::Manip::Date;
my $from2 = new Date::Manip::Date;
my $to2 = new Date::Manip::Date;
$from1->parse($_[0]);
$to1->parse($_[1]);
$from2->parse($_[2]);
$to2->parse($_[3]);
Then there's there is a call for get_duration for instance $duration = get_duration($from2, $to1);
I've checked the server error log there were no complaints apart from the software error displayed in the browser.
The problem is that on the following line:
my $delta = $from->calc($to, "business");
It's not returning a valid object. Which likely means that something in the calc() function is failing. Since "business" is not a valid date. And if you read the Date::Manip::Calc man page, the mode parameter is only legal when you pass in two date objects before that and you've only passed one.