While chatting with some guys at the OWASP AppSecEU 08 I noticed that backticks are oftenly overlooked in PHP. I came across backticks myself just some time ago while researching vulnerable functions on php.net for my PHP Scanner and found this entry. So you can use something like
$foo = `command here`;
to execute OS commands just like using system, shell_exec and what have you. This was absolutely new to me, although I’ve been working with PHP for quite a while and can be easily overlooked when reviewing code or filtering on mentioned functions (which is an bad idea anyway )
While talking about backticks I remembered a quite interesting security hole given on the UCSB CTF 07 (in the service “copyright” for those of you who participated or want to have a shot at the image). The service allowed to upload files and the relevant PHP code looked like the following:
$target_path = "../../uploads/". basename( $_FILES['file']['name']); $command = "cp ".escapeshellarg($_FILES['file']['tmp_name'])." ".$target_path; exec($command, $out, $ret);
If you take a closer look at the code you will see that you can execute code by naming the file you are going to upload to something like
since “;” are allowed in filenames and will add a new command after the cp command gets executed. The problem was that we needed slashes in our filename to execute “foo;nc -l -p 2222 -e /bin/bash” or copy some interesting files to the webdir with “../../../../var/www/Site”. Obviously you cant rename your file containing a slash or craft such a request because its still handled as a file by PHP and slashes would be dealed as directorys. Now my mate Freddy had the idea to use backticks again, because they work at the command line just like in PHP to execute commands and return their output:
foo;nc -l -p 2222 -e `nc -l -p 3333`
This code will wait for something passed on port 3333 and then execute the rest of it. So we connect to port 3333, enter
/bin/bash and will finally get a remote shell.
As we figured out afterwards this was a fairly stupid workaround for just using
nc -l -p 2222 -e `which bash`, but was plain fun anyway during the contest.
Interesting to note is also that backticks on commandline work in double quotes, but not in single quotes.