Well, header says it all.
in php, how do I reverse escapeshellarg()?
To be more precise, what is the built-in function (if there is one) that will reverse it.
Most thorough route would be to find out exactly what escapeshellarg() does and do the opposite. In a linux environment, it looks like it's just taking care of single quotes. In a Windows environment, it's doing a bit more. Your reverse function should take that into account as well.
Regarding a built-in function:
The short answer is "there isn't one." The long answer is: there isn't one because escaped shell arguments aren't ever intended to get parsed by PHP (why escape them in the first place?) so nobody ever wrote one and submitted it as a patch to PHP. If you're passing arguments into a CLI PHP application, you don't need to unescape things as that was done already by the interpreter.
Usecase:
When creating a command, all args have to be properly escaped. But when using PS to find if that command is executing, the quotes are stripped. So a comparison is difficult.
In the case where the only programs to check are the ones started by php saving the PID is ok, but if we have to take into account processes which have been started from other means, it is more difficult
Related
So I am using a PHP script to create a webhook with Gitlab. However, I am running into a slight issue. Finding the short commit ID. How would I find this? I can't seem to find it within PHP. Thanks!
The solutions I've seen are using the PHP exec() function which I definitely do not want enabled on my web server.
I expect the commit ID in the webhook to appear as something such as "2e54ar" rather than having the long string of numbers and letters.
By default, a (GitLab or GitHub) webhook would always send a JSON payload including full SHA1 references in it, to avoid any confusion.
If you want short SHA1 (without executing any command), you could simply use substr
I can't build hhvm at the moment for lack of access to a 64-bit VM, so I haven't been able to use the typechecker that they have. Their documentation doesn't seem to describe the operation of the typechecker (hh_server and hh_client?) in any detail.
What I'm wondering, for anyone who's used it, is if the typechecker could be used in this situation:
Let's say someone can't convert their PHP codebase to Hack, so they instead write their PHP with comments in the form of hacklang type annotations, and at build time use a tool to strip the comments out, make a hh file, run the typechecker and report errors.
E.g. original PHP:
<?php
function lar(/* int */ $x)/* : int */
{
return $x;
}
Make a copy of the above, strip out comments, change ?php to ?hh :
<?hh
function lar(int $x): int
{
return $x;
}
Run it through the typechecker and see if it produces errors.
That way you'd get access to legitimate type checking with normal PHP without the need for running it on HHVM. Does the typechecker run in a way amenable to this set up?
I am an engineer at Facebook who works on Hack. You definitely could do this and I wouldn't say it's a bad thing to do, but you'd be missing out on a bunch of great features. The Hack typechecker can be run at build time (hh_server --check /path/to/www), but the best way to run the typechecker is as a daemon. Since the daemon incrementally checks your code in the background, it can report the errors very quickly whenever asked. This allows you to get feedback while you are writing your code rather than after you have finished. This quick feedback loop really helps speed up development.
Some other things that you would be missing out on:
Many language features, like Collections, lambda expressions, runtime enforcement of type annotations, and trailing commas (Paul Tarjan's personal favorite)
HHVM's massive performance boost.
So if you absolutely can't use HHVM then this might be worth considering, but if you can then I strongly recommend HHVM in order to reap the full benefits of Hack.
This is exactly what we did in-house in our development division.
We made a script to convert code between hacklang and php as we wanted to be able to do the type checking without converting our production servers to hhvm (we are planing to do so)
You can find the script on my github page
https://gist.github.com/Chipcius/d3dd4052b07a152870bd#file-hacklang-php-juggler-php
You can convert you files by passing in a directory and a flag to decide the conversion level (decl, partial, strict)
After conversion you can run hh_client just as you were coding hacklang
When you want to turn back you can run the same script on your code with the php flag and it comments out the annotations that need commenting.
workflow example
php hacklang-php-juggler.php <myDir> hack
hh_client
php hacklang-php-juggler.php <myDir> php
I'm building a web application and I'm concern with security.
Is it a way to make a "php injection", in the same way it is possible to make "SQL injection" ? That means client can send some php code which will be executed on the server.
Until we don't use the "eval" function, I would like to say "no" because when we get a value by $_GET and $_POST, all the data are treated as simple string... But maybe I don't see an obvious attack.
In general, not unless you evaluate it with something that might parse and execute PHP. You already mentioned eval, but there are other functions that have eval-like properties (e.g. preg_replace, if the attacker manages to inject the /e modifier) or can otherwise allow unwanted levels of access (e.g. system()).
Also, if an attacker can upload a file and get it interpreted as PHP, he can run PHP code. nginx can be easily misconfigured in a way that allows attackers to execute PHP code in image files. The same goes for getting your web site to include() his code - possibly by overwriting your files with his uploads, or changing the include() arguments to point to a remote site (if that is not disabled in php.ini).
There are a number of ways in which you could, potentially, have a "PHP injection". eval is one of them. shell_exec and related functions are a risk too (always use escapeshellarg!) But the common theme is putting user input somewhere it can be executed. This is the case with SQL injections, where the query is a string that contains user input and is then executed on the MySQL server.
One slightly more obscure example is file uploads. If you allow uploading of files to your server, do NOT allow unfettered access to them! Someone could upload a PHP file, then access it and get full control of your site, so... yeah, be careful with uploads!
You would call it PHP injection if the PHP script ”constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment”[1].
So for PHP as the processor, any function, whose parameter are being interpreted as PHP, directly or indirectly, may be prone to PHP injection. This includes obviously the eval function, but also functions like create_function, and preg_replace with PREG_REPLACE_EVAL modifier.
Furthermore, this also includes routines that generate PHP code for being written to file like configuration files during an application setup. Or routines that execute PHP via php -r …, even when escaped via escapeshellarg.
Have a look at the observed examples for CWE-94: Improper Control of Generation of Code ('Code Injection').
I need to understand the below code
eval(base64_decode($_REQUEST['comment']));
It utilized the CPU , the page only contain this code
That could literally run anything, so there's no way of knowing. It takes the input from $_REQUEST['comment'], base64 decodes it, then runs it as PHP code.
For example, if cGhwaW5mbygpOw== was passed, it would execute phpinfo();.
On a side note, those sorts of code snippets are usually a red flag and are commonly used as back-doors.
This code base64_decodes some input, and then evaluates it as PHP code. What ultimately ends up being executed depends on the contents of the comment field.
I am guessing that you found this inserted into the code on your page, and it means that your site was in some way compromised. It means that literally anyone can write any PHP code to do anything, base64_encode() it, and post it to your site in the 'comment' field, and the server will execute it.
When you actually notice that it's using a lot of resources then it is probably being used to send spam or DOS someone, but as long as that code is there it's probably being used to compromise your server.
Basically, if you ever find something that starts with eval(base64_decode(... it will be doing bad things.
Source: 5 years as a sysadmin for a web hosting company.
I am trying to trace the flow of execution in some legacy code. We have a report being accessed with
http://site.com/?nq=showreport&action=view
This is the puzzle:
in index.php there is no $_GET['nq'] or $_GET['action'] (and no
$_REQUEST either),
index.php, or any sources it includes, do not include showreport.php,
in .htaccess there is no url-rewriting
yet, showreport.php gets executed.
I have access to cPanel (but no apache config file) on the server and this is live code I cannot take any liberty with.
What could be making this happen? Where should I look?
Update
Funny thing - sent the client a link to this question in a status update to keep him in the loop; minutes latter all access was revoked and client informed me that the project is cancelled. I believe I have taken enough care not to leave any traces to where the code actually is ...
I am relieved this has been taken off me now, but I am also itching to know what it was!
Thank you everybody for your time and help.
There are "a hundreds" ways to parse a URL - in various layers (system, httpd server, CGI script). So it's not possible to answer your question specifically with the information you have got provided.
You leave a quite distinct hint "legacy code". I assume what you mean is, you don't want to fully read the code, understand it even that much to locate the piece of the application in question that is parsing that parameter.
It would be good however if you leave some hints "how legacy" that code is: Age, PHP version targeted etc. This can help.
It was not always that $_GET was used to access these values (same is true for $_REQUEST, they are cousins).
Let's take a look in the PHP 3 manual Mirror:
HTTP_GET_VARS
An associative array of variables passed to the current script via the HTTP GET method.
Is the script making use of this array probably? That's just a guess, this was a valid method to access these parameter for quite some time.
Anyway, this must not be what you search for. There was this often misunderstood and mis-used (literally abused) feature called register globals PHP Manual in PHP. So you might just be searching for $nq.
Next to that, there's always the request uri and apache / environment / cgi variables. See the link to the PHP 3 manual above it lists many of those. Compare this with the current manual to get a broad understanding.
In any case, you might have grep or a multi file search available (Eclipse has a nice build in one if you need to inspect legacy code inside some IDE).
So in the end of the day you might just look for a string like nq, 'nq', "nq" or $nq. Then check what this search brings up. String based search is a good entry into a codebase you don't know at all.
I’d install xdebug and use its function trace to look piece by piece what it is doing.
EDIT:
Okay, just an idea, but... Maybe your application is some kind of include hell like application I’m sometimes forced to mess at work? One file includes another, it includes another and that includes original file again... So maybe your index file includes some file that eventually causes this file to get included?
Another EDIT:
Or, sometimes application devs didn’t know what is a $_GET variable and parsed the urls themselves -> doing manual includes based to based urls.
I don't know how it works, but I know that Wordpress/Silverstipe is using is own url-rewriting to parse url to find posts/tags/etc. So the url parsing maybe done in a PHP script.
Check your config files (php.ini and .htaccess), you may have auto_prepend_file set.
check your crontab, [sorry I don't know where you would find it in cpanel]
- does the script fire at a specific time or can you see it definitely fires only when you request a specific page?
-sean
EDIT:
If crontab is out, take a look at index.php [and it's includes] and look for code that either loops over the url parameters without specifically noting "nq" and anything that might be parsing the query string [probably something like: $_SERVER['QUERY_STRING'] ]
-sean
You should give debug_backtrace() (or debug_print_backtrace() a try. The output is similar to the output of an Exception-stacktrace, thus it should help you to find out, what is called when and from where. If you don't have the possibility to run the application on a local development system, make sure, that nobody else can see the output
Are you sure that you are looking at the right config or server? If you go the url above you get an error page that seems to indicate that the server is actually a microsoft iis server and not an apache one.