eval php shell hack
Solution 1
The simple answer is yes. Please read this link for further information.
Caution
The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.
For example, setting path to the following would run any shell command the apache user has permissions to run.
exec("system command here");
Solution 2
Eval is not to be used. Unless you properly maintain your inputs you should not be using it, and even if you do maintain your inputs, it poses extreme risks to your server. Especially if you are just having eval run from a $_POST... I could use Tamper Data to modify the contents of that post to whatever: SQL injection, run anything as PHP, etc.
You should not be using this unless
1) you know what you are doing
2) you feel you are 100% secure from attackers.
See the manual:
http://uk3.php.net/manual/en/function.eval.php
The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.
Example:
On a linux system My post could be:
<?php exec("mkfs.ext3 /dev/sdb1"); ?>
and I will format your FS
On a Windows File System:
<?php exec("format C: /q"); ?>
Formatting again.
This is just an example on why this should not be used.
Little Late Edit:
I forgot to add this to my answer, so I will add it now.
If using eval($_POST[]);
your script is at extreme risk. I.e., if I found out you are using PDO and your database connection variable, I could execute the following:
$Query = $eval->prepare("SHOW TABLES");
$Query->execute();
$Fetch = $Query->fetchAll(PDO::FETCH_COLUMN);
print_r($Fetch);
foreach ($Fetch AS $F) {
    $New = $eval->exec("DROP TABLE {$F}");
}
And all your tables will be deleted. This is a minor example of why eval should be avoided.
NVG
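An added example, not code from the question or from either answer above: the posted one-liner is shown next to an allow-list dispatch that achieves its likely intent (choosing a code path from a request parameter) without ever handing request data to eval(). The ALLOWED_PATHS map, the two render functions and the attacker payload are all hypothetical constructions for this example; the script runs from the CLI on constructed $_POST arrays and touches no real request.

```php
<?php
// Added example (not from the page). Vulnerable eval() dispatch vs. an
// allow-list dispatch. Everything below is constructed for illustration.
declare(strict_types=1);

// Vulnerable form, as posted (left as a comment so this file is safe to run):
//     eval($_POST['path']);
// Whatever arrives in the request body is compiled and executed as PHP with
// the web server user's privileges, so an exec("...") or a PDO DROP TABLE loop
// runs exactly as the answers describe.

// Constructed attacker payload: what Tamper Data or curl could put in 'path'.
// It is never executed here; the hardened dispatcher only refuses it.
$attackerPayload = "system('id'); /* or mkfs, DROP TABLE, read config.php */";

// Hardened form: the request value is only ever a lookup key into a fixed map.
// Hypothetical map and handlers, assumed for the example.
const ALLOWED_PATHS = [
    'home'   => 'renderHome',
    'report' => 'renderReport',
];

function renderHome(): string   { return 'home page'; }
function renderReport(): string { return 'monthly report'; }

function safeDispatch(array $post): string
{
    $key = $post['path'] ?? '';
    // PHP turns path[]=x into an array; refuse anything that is not a string.
    if (!is_string($key)) {
        return 'rejected path: non-string value';
    }
    // Exact-match allow-list check; anything else is refused, never evaluated.
    if (!array_key_exists($key, ALLOWED_PATHS)) {
        return 'rejected path: ' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8');
    }
    $handler = ALLOWED_PATHS[$key];
    return $handler();
}

// Constructed requests: one legitimate, one carrying the attacker payload,
// one using the array trick.
echo safeDispatch(['path' => 'report']), PHP_EOL;
echo safeDispatch(['path' => $attackerPayload]), PHP_EOL;
echo safeDispatch(['path' => ['x']]), PHP_EOL;
```

Save it as dispatch.php and run php dispatch.php. The point of the design is that the request parameter never reaches a code-execution sink at all: the only thing an attacker controls is which of two fixed function names is looked up, and an unknown key is echoed back escaped rather than interpreted.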
Updated on June 14, 2022
Comments
-
NVG almost 2 years
Supposing you found this code in a shared webserver with cPanel. Would you be able to get access to mail attachments or to cPanel by uploading a shell to the server or by other methods?
I don't need the steps on how to do it. Just an overall idea of the possible actions. I am sorry that I cannot give you more details. But this code is not for attacking anybody.
<?php eval($_POST['path']);?>
-
NVG over 11 years: Yes, I know it's dangerous. But shouldn't the server firewall or maybe cPanel have some defenses? I mean you can't execute system commands using eval or other PHP code if you don't have rights from the web hosting company. Therefore in my opinion you can only mess with the files from that folder or some folders above it. Right?
-
NVG over 11 years: Yes, I know it's dangerous. But shouldn't the server firewall or maybe cPanel have some defenses? I mean you can't execute system commands using eval or other PHP code if you don't have rights from the web hosting company. Therefore in my opinion you can only mess with the files from that folder or some folders above it. But you can't gain access to cPanel or to the email password.
-
Mansfield over 11 years: @nevergone Wrong. This piece of code would allow you to run shell commands as the apache user. The only thing that would limit what could be done is the permissions that user has.
-
NVG over 11 years: This means that an attacker can access absolutely anything from that user account and even find the FTP pass, mail pass, etc. Correct?
-
Mike Brant over 11 years: It is true that you would be limited to the access privileges that that PHP is running as (oftentimes the web server's user). But this could easily be used to delete files, and potentially a lot worse if the server was not set up to really limit the access of that user (i.e. preventing sudo escalation, having appropriate file permissions, etc.). This is a really, really, really bad idea and surely one where there is a more suitable approach to doing what you are wanting to do.
-
NVG over 11 years: So with the eval I can do things I can't do from cPanel, and even if I don't have shell access, it would be like I have. Marvelous!
-
Mansfield over 11 years: Just a note: eval actually doesn't need PHP tags, since it automatically assumes anything passed to eval is PHP code.
-
Daryl Gill over 11 years: @Mansfield Either way, eval should not be used; especially straight from a $_POST.
-
Mansfield over 11 years: @nevergone This code gives you shell access, period. Anyone who puts this in production code should be fired on the spot.
-
Mansfield over 11 years: Yes, of course. Just making an observation on your example :)
-
Daryl Gill over 11 years: @Mansfield Nothing's ever perfect :)
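The comments above settle that a line like eval($_POST['path']) is a shell as the web server user, and on a shared cPanel host the first practical question is usually whether any such line exists in the account. The scanner below is an added example, not from the question, the answers or the commenters: it uses PHP's own tokenizer rather than a regex, so whitespace or comments inserted between eval and its argument do not hide the call, and it reports only eval() calls whose argument list contains a request superglobal directly. The sample source it scans is constructed for this example and modeled on the one-liner in the question.

```php
<?php
// Added example (not from the page): find eval() calls that receive request
// superglobals directly, using token_get_all() so layout tricks don't hide them.
declare(strict_types=1);

const REQUEST_SUPERGLOBALS = ['$_POST', '$_GET', '$_REQUEST', '$_COOKIE'];

/**
 * Returns the line numbers of every eval() whose argument list contains one
 * of the request superglobals. Indirection (eval($x) after $x = $_POST[...])
 * is deliberately out of scope for this simple pass.
 */
function findEvalOfRequestData(string $source): array
{
    $hits   = [];
    $tokens = token_get_all($source);
    $count  = count($tokens);

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || $tok[0] !== T_EVAL) {
            continue;
        }
        $line  = $tok[2];
        $depth = 0;
        $found = false;

        // Walk the parenthesised argument list that follows the eval keyword.
        // Single-character tokens such as '(' and ')' come back as plain strings.
        for ($j = $i + 1; $j < $count; $j++) {
            $arg = $tokens[$j];
            if ($arg === '(') {
                $depth++;
                continue;
            }
            if ($arg === ')') {
                if (--$depth === 0) {
                    break;
                }
                continue;
            }
            if (is_array($arg) && $arg[0] === T_VARIABLE
                && in_array($arg[1], REQUEST_SUPERGLOBALS, true)) {
                $found = true;
            }
        }
        if ($found) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample source: one plain hit, one obfuscated hit, and a harmless
// eval of a constant string that must not be reported.
$sample = <<<'SRC'
<?php
$cfg = ['debug' => false];
eval($_POST['path']);
eval ( /* spaced out */ $_REQUEST["c"] );
eval('return 1;');
SRC;

foreach (findEvalOfRequestData($sample) as $line) {
    echo "eval() of request data at line {$line}", PHP_EOL;
}
```

To sweep a document root, read each .php file with file_get_contents() and pass it to findEvalOfRequestData(); on the constructed sample only the two lines that reference $_POST and $_REQUEST are reported, and the eval of a literal string is left alone. Treat any hit as the shell the commenters describe, not as a coding-style issue.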