forked from ewilded/shelling
-
Notifications
You must be signed in to change notification settings - Fork 0
/
arginj_wget_singlequote.php
62 lines (50 loc) · 1.65 KB
/
arginj_wget_singlequote.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
<?php
# filename: arginj_wget_singlequote.php
# vulnerable to argument injection
#
error_reporting(E_ALL);
//ini_set('display_errors',true);
function cmd_exec($cmd, &$stdout, &$stderr)
{
$outfile = tempnam(".", "cmd");
$errfile = tempnam(".", "cmd");
$descriptorspec = array(
0 => array("pipe", "r"),
1 => array("file", $outfile, "w"),
2 => array("file", $errfile, "w")
);
$proc = proc_open($cmd, $descriptorspec, $pipes);
if (!is_resource($proc)) return 255;
fclose($pipes[0]); //Don't really want to give any input
$exit = proc_close($proc);
$stdout = file($outfile);
$stderr = file($errfile);
unlink($outfile);
unlink($errfile);
return $exit;
}
# wget has nice, injection-friendly syntax (many might not be aware of while writing code that calls it):
# Option Syntax
# Since Wget uses GNU getopt to process command-line arguments, every option has a long form along with the short one. Long
# options are more convenient to remember, but take time to type. You may freely mix different option styles, or specify
# options after the command-line arguments. Thus you may write:
# wget -r --tries=10 http://fly.srk.fer.hr/ -o log
$command = 'wget';
$escaped_arg = escapeshellarg($_GET['url']); // while escapeshellarg should be used instead
$all=$command." '".$escaped_arg."'";
echo "Command after concatenation: $all\n";
$output='';
$error='';
cmd_exec($all,$output,$error);
echo "Output:\n";
foreach($output as $out)
{
echo "$out<br />";
}
echo "Error:\n";
foreach($error as $err)
{
echo "$err<br />";
}
?>
<a href="?url=">clickme</a>