How to concatenate 2 function in php - php

I have an application with the following code:
<?php
if(isset($_GET['function'])){
$_GET['function']();
}
?>
So if i entered this url: http://localhost/?function=phpinfo
I will see the phpinfo function output on the screen.
can i have a way to concatenate 2 function in the url like this example:
http://localhost/?function=shell_exec('ls') AND phpinfo
So i want to see the first function output..
If you may asking why i need this, is because i am pen testing an web application with this situation..
By the way any suggestion to hack this situation will help.
Thanks for the help..

You cannot concatenate functions as it's not code injection per se, ie: you cannot affect the way the parser reads the code. Further more in the example you provided you have no control over any parameters passed to the function, so what you are proposing is not feasible.
You would have to find a way to pass control to a function which performs unsafe operations directly on user supplied input ($_GET, $_POST, etc) in order to leverage this weakness remote code execution. Depending on the complexity of the application you may be able to identify a function which calls system, eval, unserialize, or another dangerous function on user supplied data.

Related

How safe is a PHP function from being called by exploitative means?

Background
I use .htaccess to redirect every URI to a single PHP file that displays the right page by calling different functions with different inputs based on the requested URI. I found myself checking user input twice. Once in the handling PHP file that checks first if everything is fine before calling the display function and than again within the display function, to make sure nobody exploits the function by calling it with wrong parameters (e.g. with the username of someone else). This means, that I need twice as many mysql querys etc. for checking valid inputs.
I can't just check within a function because based on those checks, the handling PHP file calls different functions. So I have to perform the checks at least there. But the more I think about it, the more I wonder, if it is necessary to check again within a function. I started this because I was worried that somebody might call one of my functions with improper input, but I guess if somebody can call one of my PHP functions and pass wrong parameters, I'm pretty much screwed already right? Because as far as I understand PHP, this would mean that this person already has access to my server at least via a shell or something like that.
I should further add, that I never ever call a function via a variable like discussed in this thread: Call PHP function from URL
Question
Is it a security risk, not to check the parameters passed to a function within that function, if you already checked it before the function call?
Good rule of thumb - Pretend EVERYONE is out to pwn your app! (Yes get out your tin foil hat!). Good practice would be to clean the data for example putting data in a database, you should still clean it coming back out of the database.
Unless you are in a position where one of your functions is providing the parameters and there is no way to access the (potentially insecure) function except through the preparation function then I would advise cleaning all data
HTHs - Thanks,
//P
Check out Private Public and Protected Functions

executing code from database

I have a PHP code stored in the database, I need to execute it when retrieved.
But my code is a mix of HTML and PHP, mainly used in echo "";
A sample that looks like my code:
echo "Some Text " . $var['something'] . " more text " . $anotherVar['something2'];
How can I execute a code like the either if I add the data to the DB with echo""; or without it.
Any ideas?
UPDATE:
I forgot to mention, I'm using this on a website that will be used on intranet and security will be enforced on the server to ensure data safety.
I have a PHP code stored in the database
STOP now.
Move the code out of the database.
And never mix your code with data again.
It's not only a bad idea but also invitation to several type of hacking attempts.
You can do with eval(). but never use it . The eval() is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.
See eval. It lets you pass a string containing PHP and run it as if you'd written it directly into your file.
It's not a common practice to store executable PHP in a database; is the code you store really that different that it makes more sense to maintain many copies of it rather than adapting it to do the same thing to static data in the database? The use of eval is often considered bad practice as it can lead to problems with maintenance, if there's a way of avoiding it, it's normally worth it.
You can execute code with eval():
$code_str = "echo 'Im executed'";
eval($code_str );
BUT PAY ATTENTION that this is not safe: if someone will get access on your database he will be able to execute any code on your server
use the eval() function.
heres some info
http://www.php.net/manual/en/function.eval.php
something along the lines of:
eval($yourcode);
If that is the last resort, you want it to be secure as it will evaluate anything and hackers love that. Look into Suhosin or other paths to secure this in production.
As everyone'd indicated using eval() is a bad approach for your need. But you can have almost the same result by using whitelist approach.
Make a php file , db_driven_functions.php for instance. get your data from db. and map them in an array as below
//$sql_fn_parameters[0] = function name
//$sql_fn_parameters[1,2,3.....] = function parameters
Then define functions those include your php code blocks.for instance
my_echo($sql_fn_parameters){
echo $sql_fn_parameters[1];//numbered or assoc..
}
then pull the data which contains function name
after controlling if that function is defined
function_exists("$sql_fn_parameters[0]")
call function
call_user_func_array() or call_user_func()
( any you may also filter parameters array $sql_sourced_parameters_array does not contain any risky syntaxes for more security.)
And have your code controlled from db without a risk.
seems a little bit long way but after implementing it's really a joy to use an admin panel driven php flow.
BUT building a structure like this with OOP is better in long term. (Autoloading of classes etc. )
Eval is not safe obviously.
The best route IMO
Save your data in a table
Run a stored procedure when you are ready to grab and process that data
You should not abuse the database this way. And in general, dynamic code execution is a bad idea. You could employ a more elegant solution to this problem using template engines like Smarty or XSLT.
There are a few way to achieve this:
1) By using evil
eval($data);
That's not a typo, eval is usually considered evil and for good reasons. If you think you have fully validated user data to safely use eval, you are likely wrong, and have given a hacker full access to your system. Even if you only use eval for your own data, hacking the database is now enough to gain full access to everything else. It's also a nightmare to debug code used in eval.
2) Save the data to a file, then include it
file_put_contents($path, $data); include $path;
There are still the same security concerns as eval but at least this time the code is easier to debug. You can even test the code before executing it, eg:
if (strpos(exec('php -l '.$path), 'No syntax errors detected') === false))
{
include $path;
}
The downside to this method, is the extra overhead involved in saving the code.
3) Execute the code straight from the database.
You'd need to use database software that allows this. As far as I am aware, this is only includes database software that stores the content as text files. Having database software with "php eval" built in would not be a good thing. You could try txt-db-api. Alternatively, you could write your own. It would like become very difficult to maintain if you do though but is something to consider if you know exactly how you want your data to be structured and are unlikely to change your mind later.
This could save a lot of overhead and have many speed benefits. It likely won't though. Many types of queries run way faster using a traditional database because they are specifically designed for that purpose. If there's a possibility of trying to write to a file more than once at the same time, then you have to create a locking method to handle that.
4) Store php code as text files outside of the database
If your database contains a lot of data that isn't php code, why even store the php code in the database? This could save a lot of overhead, and if you're database is hacked, then it may no longer be enough to gain full access to your system.
Some of the security considerations
Probably more than 99% of the time, you shouldn't even be attempting to do what you are doing. Maybe you have found an exception though, but just being an intranet, isn't enough, and certainly doesn't mean it's safe to ignore security practices. Unless everyone on the intranet needs full admin access, they shouldn't be able to get it. It's best for everyone to have the minimum privileges necessary. If one machine does get hacked, you don't want the hacker to have easy access to everything on the entire intranet. It's likely the hacker will hide what they are doing and will introduce exploits to later bypass your server security.
I certainly need to do this for the CMS I am developing. I'm designing it mainly to produce dynamic content, not static content. The data itself is mostly code. I started off with simple text files, however it slowly evolved into a complicated text file database. It's very fast and efficient, as the only queries I need are very simply and use indexing. I am now focusing on hiding the complexity from myself and making it easy to maintain with greater automation. Directly writing php code or performing admin tasks requires a separate environment with Superuser access for only myself. This is only out of necessity though, as I manage my server from within, and I have produced my own debugging tools and made an environment for code structured a specific way that hides complexity. Using a traditional code editor, then uploading via ssh would now be too complicated to be efficient. Clients will only be able to write php code indirectly though and I have to go to extreme lengths to make that possible, just to avoid the obvious security risks. There are not so obvious ones too. I've had to create an entire framework called Jhp and every piece of code, is then parsed into php. Every function has to pass a whitelist, is renamed or throws an error, and every variable is renamed, and more. Without writing my own parser and with just a simple blacklist, it would never be even a tiny bit secure. Nothing whatsoever client-side can be trusted, unless I can confirm on every request that it has come entirely from myself, and even then my code error checks before saving so I don't accidentally break my system, and just in case I still do, I have another identical environment to fix it with, and detailed error information in the console that even works for fatal errors, whilst always been hidden from the public.
Conclusion
Unless you go to the same lengths I have (at minimum), then you will probably just get hacked. If you are sure that it is worth going to those lengths, then maybe you have found an exception. If your aim is to produce code with code, then the data is always going to be code and it cannot be separated. Just remember, there are a lot more security considerations other than what I have put in this answer and unless the entire purpose of what you are doing makes this a necessity, then why bother at all mix data with code?

Own SuperGlobal Variable in PHP?

I was reading something about SuplerGlobals like $_SERVER or (see more detail PHP Manual Superglobals) the other day, now, I'm asking me:
Is it possible to implement own SuperGlobals?
Beside of Constants...
So for example user A writes something in the Variable which, if User B is calling it can see.
Something like a server wide Session Variable or something.
Please don't be to hard, if its a silly question :)
I know there are couple of ways outside, like SQL, Xml and Stuff, but maybe...
Your whole idea of PHP superglobals it wrong.
These variables are always available in terms of just one script runtime, no the whole site.
PHP doesn't have context which can be shared between users. You should some replacement like SQL server or file. You may also check some extensions like memcache which might help you achieve your goal.
I was reading something about SuplerGlobals like $_SERVER or (see more detail PHP Manual Superglobals) the other day, now, I'm asking me:
Is it possible to implement own SuperGlobals? Beside of Constants...
Yes it is possible if you've got the PHP runkit extension.
So for example user A writes something in the Variable which, if User B is calling it can see
That's not what superglobals do - they are variables which exist in global scope (i.e. for the duration of an instance of a script).
If you want to share data between different invocations then you need to send it to your storage tier or (in the case of data for a single client) out to the browser.
Since what you are describing here is effectively a shared session, then the sensible place to implement this would be in the session handler.
This is not possible, you can only see your own session data.
To achieve this you would need to store the data somewhere else. in text files or in a MySQL database would be the most common.
i suppose you can use (asterix)export yourvar="something"(asterix) and to receive it using getenv
sry, dont know how to embed asterix=`, but it is better to avoid it...
If you use apache following could be used:
http://php.net/manual/en/function.apache-setenv.php
same idea, enveroinment variable

Php page to execute a script

can i create a page with a simple text area form, which will be entered PHP CODE and then, when i click to submit, it executes it? just like a Script page?
and most of all it is secure to put it? even in a admin protected page?
thankyou!
You sure can:
eval($_POST['txtScript']); //post method, with textarea named txtScript
However, it is extremely dangerous to permit this. Someone could wipe the current working directory via array_map("unlink", glob('*.*')); among the many, many other malicious things that could be done.
If you are allowing someone to author PHP code on a form and then, on submission, taking that PHP code and executing it, you're opening yourself up to HUGE, HUGE security risks. Is it possible to do? Sure, but I would highly recommend against doing it.
If you're absolutely sure you need to do this, read about the eval function. PHP: eval
you want to use PHP:eval, and no it is not safe even behind a login wall. Better put some predefined function that can be logged.
And of course, by definition anything you put as accessible is quite unsafe anyway.

Executing PHP via command line

I want to be able to execute PHP via command line with a $_GET variable. I understand I can do this with exec, but I'd like to understand more of the security risk and what things I should look out for. The parameter I want to pass is a MySQL auto_incremented ID returned from MySQL, so I'm not concerned with user input. But by merely allowing this to happen what things should be considered in regards to security?
The script will accept an order ID and send the customer an email invoice. This allows me to perform this function from multiple sections of the site only maintaining the code in 1 location.
I don't think you really need to execute this from command line. Create a PHP function and include it in your multiple sections instead: it will be faster. Per example:
function sendInvoice($orderId) {
// do something
}
Then call it:
include_once('send_invoice.inc.php');
sendInvoice(42);
This still allows code reuse and a single place where to maintain the code.
Why can't you use argv/argc?
$id = isset($argv[1]) ? (int)$argv[1] : (int)$_REQUEST['id'];
For cmdline scripts $argv is the answer. But you can indeed inject $_GET variables as well. Just pre-define the QUERY_STRING environment variable accordingly:
putenv("QUERY_STRING=id=$id");
exec("php script.php");
Regarding security, cmdline php scripts could be more worriesome on shared hosting servers if they initiate administrative actions. But there is not much you can do about that. Keep strictly cmdline scripts out of the document_root, and apply file or directory permission if anyhow possible.

Categories