First, as a background I am trying to encrypt data we have on the server when a new entity is made. This is on a legacy system which originated as a Perl CGI system, and has a separate portion which is PHP. The Perl part creates the groups, the PHP was later implemented to encrypt it.
I am trying to execute the PHP encryption script from a Perl CGI file. I have tried using:
exec("/path/to/file arg1 arg2")
system("/path/to/file arg1 arg2")
backtick operator /path/to/file arg1 arg2
open ("/path/to/file arg1 arg2 |)
I have also tried pointing directly to /bin/php and passing the file as an argument with each case. The only things I have had happen so far are:
Printing the output of exec/system... produces the Perl file (not even the php file) as text, which I haven't seen any mention of this happening anywhere else, but all I've seen is Perl, not CGI and Perl together.
No data. If I output $! from Perl I get an illegal seek error when using system, but the others leave it blank. All of them return 0 as if the exec/system/... has run, but nothing server side has changed.
From what I have read online I think that CGI may be running in some form of a "protected" mode which disables the exec/system/open/backtick commands on certain files, but am not certain that is the issue. As far as I can tell though, there is no indication of permission being restricted. If anyone has any insights that is much appreciated. If you need anymore information, let me know.
A few notes:
Show us actual, mimimal and complete test programs along with their output so we can see what you are doing.
system shares its filehandles with the parent program, so if the external program sends something to STDOUT, that's where it's going. If that's before you send your CGI headers, then things will get messed up.
backticks will capture standard output, but not standard error. Stuff might still go to an error log.
exec turns your program into some other program. That is, your Perl program does some setup and then becomes the thing that you exec, then never comes back (unless things fail).
Some things to help with debugging:
Make a small CGI program that simply calls another program you know that should work, such as date or something similar. Verify that you can do that much.
#!/usr/bin/perl
print "Content-type: text/plain\n\n";
my $rc = system '/bin/date';
print "result was <$rc>";
Then, run php to show its version. Verify that you can run php.
#!/usr/bin/perl
print "Content-type: text/plain\n\n";
my $rc = system '/usr/bin/php', '-v';
print "result was <$rc>";
Slowly add to the complexity. Find out where things stop working.
If your arguments to PHP come from user input, consider using taint checking and careful cleansing (perlsec). Notice I use the list version of system so the shell doesn't get a chance to interpret metacharacters.
Related
Yes-or-no question: is the original unparsed command line as received by the php exectuable available to the PHP program as a single string in some way? I can fall back to imploding $argv, but I would very much prefer to have the Real Thing.
The PHP tag on stackoverflow is heavily used, but no previous answers provide what you need and no-one has come forward to say it's possible. I also can't find anything in the manual about it, or anywhere else. What you want is 99.99% likely to be impossible, not least because in 99.99% of cases it simply isn't useful.
I work on various programming languages and none of them can read their exact startup command, they just receive the arguments.
You would be better to amend or replace the script which launches your command so it's able to log the PHP command it runs, and/or it could restart the command whenever it fails.
When we run the "top" command from command line we can see the processes and under the COMMAND column we see a generic name.
For e,g if I run a php process in the background like
/usr/bin/php /path/to/myscript.php &
I see just php listed under the COMMAND column when I run top.
Is there a way to change the name of the background process when I run it?
*This question is PHP specific.
A process don't really have a name, it has a pid (of type pid_t which is some integer, the result of fork(2) or related system call). Read credentials(7).
And the displayed php name is the right one, it is the one given to execve(2) as the first argument of index 0 and it is the program name. The kernel don't run directly your PHP script, it is running the php interpreter which takes as input your script (so the actual program which is run is php). And your shell command is explicitly giving /usr/bin/php as the program name. You could use strace(1) to check that.
Your shell is displaying (via jobs -l) the background processes. So you could write your own shell to display them differently.
Perhaps you could write in C some wrapper ELF executable which does the appropriate execve(2).
I'm not sure it is worth the trouble. See also proc(5) to understand how applications (like your shell, or ps, or top) are querying the kernel about processes (using /proc/ file-system).
As commented by melopmane, look also into prctl(2) and PR_SET_NAME
(I never used that). I did however use pthread_setname_np(3) which concerns a thread.
(still, I don't think it is worth the trouble in your case; what is wrong with having a PHP process called php?)
See also setproctitle, or write some PHP extension in C to do that...
But you should not care! and I even think that changing that way the name of your process is confusing to the sysadmin. He wants to know that it is some PHP thing. So even if you could abuse your sysadmin, you should not want to.
BTW, you could check (using proc(5)...) with a command like cat /proc/1234/maps (replace 1234 with the actual pid of your process) that the PHP interpreter is an important part of your virtual address space (so there is no reason to "hide" php as you want to), and you could find your specific php process (if you have many of them) using also pgrep(1).
Is there a way in PHP to make exec() or one of its variants run a system command that needs user input in the execution session. Can be an FTP transfer for example or even just a print statement command with more flag. Say for e.g. in Windows command prompt I do a type bigfile.txt | more It gives me one screen of output and then I use the keyboard to have the next line come up.
Is there a way to capture this behavior using any of the PHP command line execution functions, when running from the browser? If not in standard PHP are there any PEAR/PECL resources which anyone has used before which does this?
You can probably do this with proc_open, which can be used in a non-blocking manner, and gives you input and output pipes.
However, as a rule of thumb, I'd only attempt this as a last resort. Using a non-interactive executable, or a native PHP library will usually be far more maintainable. For example, I'm struggling to come up with a reason you'd ever want to proc_open('mycommand | more') when you can just exec('mycommand')
I am trying to print generated forms / receipts through PHP (the printers will be installed on the server, I am not attempting to print to a user's local printer). I have decided to try the following methodology:
IN PHP:
Generate a PDF file and save it on the server.
Call a perl script to print said PDF file.
IN perl:
Use system() to "open" Reader and print the given PDF silently.
What works:
I can generate PDFs in PHP.
I can call a perl script.
If the script has errors, they report to the browser window. ie: If I purposely change file paths it fails, and reports the appropriate reason.
functions such as printf seem to work fine as the output displays in the browser.
The exact same perl script (with the "non-functioning" line mentioned below) works properly when executed from the command line or the IDE.
What doesn't work:
In perl: system('"C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe" /N /T "C:\\test.pdf" 0-XEROX');
What happens:
NOTHING! I get no errors. It just flat out refuses to open Adobe Reader. All code below this line seems to run fine. It's like the function is being ignored. I am at a loss as to why, but I did try a few things.
What I've tried:
Changed permissions of the AcroRd32.exe to Everyone - Full Control.
Output the $? after the system() call. It is 1, but I don't know what 1 means in this case.
Verified that there are no disable_functions listed in php (though I think this is unrelated as shell_exec seems to be working, since some of the perl code is ran).
Various other configurations that at least got me to the point where I can confirm that PHP is in fact calling the perl script, it just isn't running the system() call.
Other info:
Apache 2.2.1.7
PHP 5.35
Perl 5.12.3 built for MSWin32-x86-multi-thread
WampServer 2.1
I'm at a loss here, and while it seems like this is an Apache / permissions problem, I cannot be sure. My experience with Apache is limited, and most of what I find online is linux commands that don't work in my environment.
Try this:
my #args = ('C:/Program Files (x86)/Adobe/Reader 10.0/Reader/AcroRd32.exe');
if (system(#args) != 0) {
# Can't run acroread. Oh Noes!!!
die "Unable to launch acrobat reader!\n";
}
The thing about system() is that it does two different things
depending on the number and type(s) of argument it gets. If the
argument is an array or if there are multiple arguments, Perl assumes
the first is the program to run with the rest as its arguments and it
launches the program itself.
If, however it's just one string, Perl handles it differently. It
runs your command-line interpreter (typically CMD.EXE on Windows) on
the string and lets it do what it wants with it. This becomes
problematic pretty quickly.
Firstly, both Perl and the shell do various kinds of interpolation on
the string (e.g. replace '//' with '/', tokenize by space, etc.) and
it gets very easy to lose track of what does what. I'm not at all
surprised that your command doesn't work--there are just so many
things that can go wrong.
Secondly, it's hard to know for sure what shell actually gets run on
Windows or what changes Perl makes to it first. On Unix, it usually doesn't matter--every shell does more or
less the same with simple commands. But on Windows, you could be
running raw CMD.EXE, GNU Bash or some intermediate program that
provides Unix-shell-like behaviour. And since there are several
different ports of Perl to Windows, it could well change if you
switch.
But if you use the array form, it all stays in Perl and nothing else
happens under the hood.
By the way, the documentation for system() and $? can be found here and here. It's well worth reading.
Hello I have a couple questions about PHP exec() and passthru().
1)
I never used exec() in PHP but I have seen it is sometimes used with imagemagick. I am now curious, what is some other common uses where exec is good in a web application?
2)
About 6 years ago when I first started playing around with PHP I did not really know anything, just very basic stuff and I had a site that got compromised and someone setup there own PHP file that was using the passthru() function to pass a bunch of traffic throught my site to download free music or video and I got hit with a 4,000$ bandwidth charge from my host! 6 years later, I know soo much more about how to use PHP but I still don't know how this ever happened to me before. How can someone beable to add a file to my server through bad code?
1] Exec() is really useful when you:
A) Want to run a program/utility on the server that php doesn't have a command equivalent for. For example ffmpeg is common utility run via an exec call (for all sorts of media conversion).
B) Running another process - which you can block or NOT block on - that's very powerful. Sometimes you qant a pcnt_fork though, or similar, along with the correct CL args for non blocking.
C) Another example is when I have to process XSLT 2.0 - I have to exec() a small java service I have running to handle the transformations. Very handy. PHP doesn't support XSLT 2.0 transformations.
2] Damn that's a shame.
Well, lots of ways. Theres a family of vulnerability called, "remote file include vulns", that basically allow an attacker to include arbitrary source and thus execute it on your server.
Take a look at: http://lwn.net/Articles/203904/
Also, mentioned above, say your doing something like (Much simplified):
exec("someUnixUtility -f $_GET['arg1']");
Well, imagine the attacker does, url.come?arg1="blah;rm -rf /", your code will basically boil down to:
exec("someUnixUtility -f blah; rm -rf /");
Which in unix, you separate commands w/the ; So yeah - that could be a lot of damage.
Same with a file upload, imagine you strip the last four chars (.ext), to find the extension.
Well, what about something like this "exploit.php.gif", then you strip the extension, so you have exploit.php and you move it into your /users/imgs/ folder. Well, all the attacker has to do now is browse to users/imgs/exploit.php and they can run any code they want. You've been owned at that point.
Use exec or when you want to run a different program.
The documentation for passthru says:
Warning
When allowing user-supplied data to be passed to this function, use escapeshellarg() or escapeshellcmd() to ensure that users cannot trick the system into executing arbitrary commands.
Someone had probably found a security hole in your script which allowed them to run arbitrary commands. Use the given functions to sanitise your inputs next time. Remember, nothing sent from the client can ever be trusted.
exec() allows you to use compiled code that is on your server, which would run faster than php, which is interpreted.
So if you have a large amount of processing that needs to be done quickly, exec() could be useful.