
Thread: PHP Code Executer

  1. #1
    Join Date
    Nov 2006
    Location
    Northeast USA
    Posts
    408
    Thanks
    8
    Thanked 30 Times in 28 Posts

    Question PHP Code Executer

    Hi,
    I am making a "Test-It" PHP tester, where code is provided in a textarea and the user can edit the code as they like and then a new, simple PHP page opens, like this:
    PHP Code:
    <?php
    //this is the page that executes whatever the user writes
    $code=$_POST['code'];
    some_function_to_execute_code($code);
    ?>
    <br>This is just a test document
    I will also have to use the "eregi" function to see if they are trying to change my site from the inside, e.g. make chmod 777 and add stupid text to the index file or even delete something, or find out my database info by typing "echo $dbhost;" or something. Is there a way?
    -Ben -- THE DYNAMIC DRIVERS
    My Links: My DD Profile||My Youtube Video Tutorials||DD Helping Coders||DD Coders In Training
    I told my client to press F5, the client pressed F, then 5, *facepalm*

  2. #2
    Join Date
    Jun 2005
    Location
    United Kingdom
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2

    No. It's a Turing-complete language, there are too many possibilities. For example, you may be able to detect echo $dbhost;, but it's unlikely that you'd be able to detect:
    Code:
    $c1 = 'echo';
    $c2 = 'd';
    $c3 = 'h';
    $c4 = 's';
    $c5 = 'o';
    $c6 = 't';
    $c7 = 'b';
    eval(implode(' ', array($c1, '$' . implode('', array($c2, $c7, $c3, $c5, $c4, $c6)))) . ';');
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
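The point made in post #2, as an added example that is not part of the original post: a keyword denylist is run over the two snippets already shown in the thread. The function name and the pattern list are hypothetical, and `preg_match` stands in for `eregi`, which was removed in PHP 7.

```php
<?php
// Added example: a keyword denylist of the kind proposed in post #1.
// Nothing here is eval()'d; the snippets are only inspected as text.

/** Return the names of the denylist patterns that match $code. */
function denylist_hits(string $code): array
{
    $patterns = [                      // constructed sample denylist
        'dbhost'     => '/\$dbhost\b/i',
        'chmod'      => '/\bchmod\s*\(/i',
        'unlink'     => '/\bunlink\s*\(/i',
        'shell_exec' => '/\bshell_exec\s*\(/i',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $code) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// The direct form from post #1.
$direct = 'echo $dbhost;';

// The split form from post #2, held as inert text in a nowdoc.
$split = <<<'SNIPPET'
$c1 = 'echo';
$c2 = 'd';
$c3 = 'h';
$c4 = 's';
$c5 = 'o';
$c6 = 't';
$c7 = 'b';
eval(implode(' ', array($c1, '$' . implode('', array($c2, $c7, $c3, $c5, $c4, $c6)))) . ';');
SNIPPET;

// The same implode() calls, evaluated here only to build the string
// that the split form would hand to eval().
$assembled = implode(' ', ['echo', '$' . implode('', ['d', 'b', 'h', 'o', 's', 't'])]) . ';';

var_dump(denylist_hits($direct));   // filter result for the direct form
var_dump(denylist_hits($split));    // filter result for the split form
var_dump($assembled === $direct);   // is the assembled string the same statement?
```

The filter flags the direct form and reports nothing for the split form, although both end up running the same statement: the text the filter inspects is not the text the interpreter finally executes.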

  3. #3

    Thanks, but I figured out a way around this, over every page with information there will be the following:
    PHP Code:
    <?php
    // Marker constant set at the top of each page
    define('IN_WEBSITE', true);
    $ipaddr = $_SERVER['REMOTE_ADDR'];
    if (!defined('IN_WEBSITE'))
    {
        // Warn the visitor and notify the webmaster
        echo "ERROR: You are trying to access this page's variables from an outside source, Your ip,<b>$ipaddr</b>, is sent to the webmaster, your ip may be banned";
        mail("me@myemail", "Website Intruder", "The Intruder's ip: $ipaddr\r\nPage:{$_SERVER['PHP_SELF']}\r\nThanks, Your Website");
    }
    else
    {
        //website
    }
    ?>
    BTW: What I meant by "Is there a way?" is: is there a way to execute code from a string?
    P.S. I could always disable implode.
    Last edited by fileserverdirect; 09-04-2007 at 04:03 PM. Reason: php typo

  4. #4

    Quote: Thanks, but I figured out a way around this, over every page with information there will be the following:
    All the attacker has to do is write define(IN_WEBSITE, true); and they're done. They can discover this information by reading the source of any page: print file_get_contents('index.php');
    Last edited by Twey; 09-04-2007 at 05:23 PM.

  5. #5

    Doesn't print file_get_contents('index.php'); only show the HTML of the document? If so then anyone could find out Google's or eBay's secrets (if they were good enough). Besides, there's always encryption (which is probably not ideal for a constantly-updated site).
    EDIT: I got the idea for the try-it from W3Schools' HTML Try-it thingy. That page is run by .asp so anyone could simply type in ASP code and boom. (I can't give an example because I don't know any ASP.)

  6. #6

    Quote: Doesn't print file_get_contents('index.php'); only show the HTML of the document?
    No, because it's accessing the file directly, not processing it as PHP.
    Quote: If so then anyone could find out Google's or eBay's secrets (if they were good enough).
    Simple: they don't let people execute code on their servers.
    Quote: Besides, there's always encryption (which is probably not ideal for a constantly-updated site).
    Also not possible: if the code runs with the permissions of the process that's used to decrypt the code, the malicious user can access the key and decrypt the pages too.
    Quote: EDIT: I got the idea for the try-it from W3Schools' HTML Try-it thingy. That page is run by .asp so anyone could simply type in ASP code and boom.
    It doesn't process ASP. The ASP examples are not editable.

  7. #7

    Well, you got me, I guess I won't have a try-it where the user can FULLY edit the code. Here is another what-if (you're probably tired of me by now): what if you could, for example, have a user type in (a single line) what they want to say (this would be a basic HELLO WORLD script), and the PHP script outputted the code to say hello world or whatever they inserted? It would not display a test document, so people couldn't echo "" . $dbhost . "";, but just a block of code THEY can test. This is a foolproof alternative.
    Last edited by fileserverdirect; 09-07-2007 at 12:03 AM. Reason: typo

  8. #8

    A single block of code like:
    Code:
    shell_exec('rm -rf /var/www');
    perhaps?

  9. #9

    Well then I will just eregi for it, and the echo will be enclosed in single quotes so no code can be executed, and if they try to type a " ' . shell_exec('rm -rf /var/www') . ' " I will check for a single quote and place a "\" before it, and if they try to double slash, a slash will be taken off. If there are any more suggestions, please post.

  10. #10

    So you're now just echoing the input data directly rather than parsing it?
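One way to build the single-line "Hello World" try-it discussed in posts #7 to #10 so that the submitted text is only ever data, as an added example that is not code from the thread. The function names, the 200-byte cap and the sample inputs are assumptions; in a real page the text would come from a form field.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

/** Normalise the submitted text: one line, capped length (limits are assumptions). */
function clean_line(string $text): string
{
    return substr(str_replace(["\r", "\n"], ' ', $text), 0, 200);
}

/** PHP source to display. var_export() emits a correctly quoted string literal,
 *  so no hand-written quote or backslash escaping is involved. */
function build_snippet(string $text): string
{
    return '<?php echo ' . var_export(clean_line($text), true) . '; ?>';
}

/** HTML for the try-it page. The "result" of echoing a literal is the literal
 *  itself, so it is printed as escaped data; eval() is never called. */
function render_try_it(string $text): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return "<pre>" . htmlspecialchars(build_snippet($text), $flags, 'UTF-8') . "</pre>\n"
         . "<p>Output: " . htmlspecialchars(clean_line($text), $flags, 'UTF-8') . "</p>\n";
}

// Constructed inputs; the second is the string quoted in post #9.
$samples = [
    'Hello World',
    "' . shell_exec('rm -rf /var/www') . '",
    'back\\slash and <b>markup</b>',
];
foreach ($samples as $s) {
    echo render_try_it($s), "\n";
}
```

Because the generated source is shown and never parsed, the quote and backslash handling only has to be correct for display, and the HTML escaping keeps submitted markup from being rendered in the visitor's browser.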
