Does anyone know anything about running commands? [SOLVED?]

PanK
Forum Commoner
Posts: 36
Joined: Mon Nov 22, 2004 1:24 pm
Location: Richmond Hill, ON, Canada

Post by PanK »

Hi all. I have a PHP form. The code is given, and I can NOT change it:

Code:

<html> <head>  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">  <title>Echo test</title> </head> 
<body>  
<p> Entered value dispayed here:
<? 
if (isset($testecho))
{ 
   echo $testecho;
}
?> 
</p><br>  
<form action="testecho.php" method="get">   
<input type="text" name="testecho" value="<?= $testecho ?>">   
<input type="submit" value="enter" name="enter">  
</form> 
</body></html>

If I have - echo `$testecho`; and enter a UNIX command in the form, it runs.
How should I enter the command into the form to make it run when I have "echo $testecho;"?

If I have - echo $testecho; and enter whoami I get -
Entered value dispayed here: whoami
BUT if I have - echo `$testecho`; and enter whoami I get -
Entered value dispayed here: username



Thanks a lot!
Last edited by PanK on Wed Nov 24, 2004 3:59 pm, edited 3 times in total.
rehfeld
Forum Regular
Posts: 741
Joined: Mon Oct 18, 2004 8:14 pm

Post by rehfeld »

have a read up on register globals

http://us2.php.net/manual/en/security.globals.php



Code:

<html> <head>  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">  <title>Echo test</title> </head> 
<body>  
<p> Entered value dispayed here:
<?php 
// read the value from $_GET explicitly instead of relying on register_globals
if (isset($_GET['testecho'])) {
    echo $_GET['testecho'];
}
?>
</p><br>  
<form action="testecho.php" method="get">   
<input type="text" name="testecho" value="<?php if (isset($_GET['testecho'])) echo $_GET['testecho']; ?>">   
<input type="submit" value="enter" name="enter"> 
</form> 
</body></html>

Post by PanK »

My question was: How should I enter the command into the form to make it run when I have "echo $testecho;"?
I do not need any changes in my code.

Post by rehfeld »

sorry i don't understand.

are you running this from the command line?

or do you want to submit a value via the html form, and have php execute it?
i don't get what "run" means

Post by PanK »

submit a value via the html form, and have php execute it

Post by rehfeld »

look at

eval()

exec()

shell_exec()

Post by PanK »

I want to know what to enter in the text field, and NOT how to change the code.

With echo `$testecho`; it runs scripts. And I have echo $testecho;.

Post by rehfeld »

you can't do that


imagine all the websites that could be easily hacked if what you're trying to do was allowed.

Post by PanK »

I heard that there is some way to do it.

If I have - echo $testecho; and enter whoami I get -
Entered value dispayed here: whoami
BUT if I have - echo `$testecho`; and enter whoami I get -
Entered value dispayed here: username

So having echo `$testecho`; you are able to execute commands.

Post by rehfeld »

yes but you said it yourself many times, you cannot change the code

so you can't do that


again, if php allowed such a thing, think of the security problems. nearly every website in existence would be wide open to hackers.
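
What the thread turns on, shown as an added example that is not part of any post: backticks are an operator in the PHP source (identical to shell_exec()), so the script's own code, not a submitted value, decides whether a string reaches the shell. The code below uses PHP's tokenizer to list backtick, eval and shell-function call sites in a file for review; `find_exec_sinks`, `SHELL_FUNCS` and the sample source are names and data made up for this example.

```php
<?php
// Added example, not code from the thread. SHELL_FUNCS is illustrative, not exhaustive.
const SHELL_FUNCS = ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'];

function find_exec_sinks(string $source): array
{
    $tokens = token_get_all($source);
    $findings = [];
    $line = 1;            // line reached so far; one-character tokens carry none
    $inBackticks = false;
    foreach ($tokens as $i => $token) {
        if (is_string($token)) {
            // The backtick operator is a source-level token; report the opening one.
            if ($token === '`') {
                $inBackticks = !$inBackticks;
                if ($inBackticks) {
                    $findings[] = ['line' => $line, 'sink' => 'backtick operator'];
                }
            }
            continue;
        }
        [$id, $text, $startLine] = $token;
        if ($id === T_EVAL) {
            $findings[] = ['line' => $startLine, 'sink' => 'eval'];
        } elseif ($id === T_STRING && in_array(strtolower($text), SHELL_FUNCS, true)) {
            // Count it only when called: the next non-whitespace token is "(".
            $j = $i + 1;
            while (is_array($tokens[$j] ?? null) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if (($tokens[$j] ?? null) === '(') {
                $findings[] = ['line' => $startLine, 'sink' => strtolower($text) . '()'];
            }
        }
        $line = $startLine + substr_count($text, "\n");
    }
    return $findings;
}

// Constructed sample. It uses "<?php" because the tokenizer only recognises
// the thread's "<?" short tag when short_open_tag is enabled.
$sample = <<<'SRC'
<p>Entered value dispayed here:
<?php
echo $testecho;
echo `$testecho`;
?></p>
SRC;
echo json_encode(find_exec_sinks($sample), JSON_PRETTY_PRINT), "\n";
```

Only the backtick line of the sample is reported; the plain `echo $testecho;` line contains no execution token, whatever the variable holds at run time.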