LinuxQuestions.org
Old 06-25-2014, 02:47 PM   #1
pizzipie
Member
 
Registered: Jun 2005
Location: Hayden, ID
Distribution: Ubuntu 20.04
Posts: 441

Rep: Reputation: 12
PHP - in-data from AJAX call will not work in SYSTEM() - using bash same data works


This is driving me crazy!! Below are two scripts; both use system() to, one, unzip a data file and, two, restore a MySql data file. I have given all data files 777 privileges so no permission problems. Here are the two scripts. In the case of the called script all "echo's" are commented out except for the last one (it being the return to AJAX success).

(I can't find anywhere what return values of system() are. )

Run from command line: Return values 0 and 0.
This works fine.

Code:
<?php
// Test program to exercise system() function

set_include_path( '../include' );
error_reporting (E_ALL ^ E_NOTICE);

//$myBakup=trim($_POST['bakup']); // bakup file to restore - WILL NOT WORK IF INPUT FROM AJAX CALL IN SCRIPT
//$myDbase=trim($_POST['dbase']); // Mysql dbase - WILL NOT WORK IF INPUT FROM AJAX CALL IN SCRIPT

$myDbase="pizzidb"; // MySql database to restore

$hostname=gethostname();
$usr=substr($hostname, 0,strpos($hostname,"-") ); // whose computer is it?

$myDir="/home/".$usr."/DB-Web/".$myDbase."/"; // create absolute dir address 

chdir($myDir);   // go there to access bakup files

$myBakup="PIZZIDB_DUMP_06.20.14_17.15.00.sql.gz"; // the actual file to be restored input as string here for test purposes.

// if gzip file unzip it

if(preg_match('/\.gz$/', $myBakup, $newList)) { // escape the dot so only a literal ".gz" suffix matches
    $command ="/bin/gunzip ".$myBakup;

echo $command."\n\n";

    $bak_result = system($command, $retval);  // bash command

echo "bakresult\n".$retval."\n\n";  // if 0 OK

    $myBakup=substr($myBakup, 0, -3); // strip ".gz" from end of string($myBakup) since we just unzipped it
    }

// Now open MySql with input being our $myBakup file to restore the database

$command ="/usr/bin/mysql --host='localhost' --user='rick' --password='rick' < ".$myBakup; // regardless of computer mysql user is 'rick'

echo "\n".$command;

$bak_result = system($command, $retval); // bash command

echo "\nbakresult2\n\n".$retval."\n\n"; // if 0 OK

echo $myBakup; // return text to calling script (AJAX call)
                                           
?>
=========================================================

Called from AJAX script inside .html program: Return values 1, 2
This does NOT work.

Code:
<?php

set_include_path( '../include' );
error_reporting (E_ALL ^ E_NOTICE);

// Called from DataBaseRestore.html via AJAX

$hostname=gethostname();
$usr=substr($hostname, 0,strpos($hostname,"-") ); // whose computer are we on

$myBakup=trim($_POST['bakup']);                   // bakup file to restore
$myDbase=trim($_POST['dbase']);                   // mysql database

$myDir="/home/".$usr."/DB-Web/".$myDbase."/"; 
chdir($myDir);                                    // change to dir the file is in

// if gzip file unzip it

if(preg_match('/\.gz$/', $myBakup, $newList)) {   // escape the dot so only a literal ".gz" suffix matches
    $command ="/bin/gunzip ".$myBakup;

echo "command  ".$command."\n\n";

    $bak_result = system($command, $retval);
echo "returnval ".$retval."\n\n";
    $myBakup=substr($myBakup, 0, -3); // take ".gz" from end of $myBakup since we just unzipped it
    }

// Now open mysql with input being our $myBakup file thus restoring the database

$command ="/usr/bin/mysql --host='localhost' --user='rick' --password='rick' < ".$myBakup; // regardless of computer mysql user is 'rick'

echo "command  ".$command."\n\n";

$bak_result = system($command, $retval);
echo "returnval ".$retval."\n\n"; 
echo $myBakup;
                                           
?>
 
Old 06-25-2014, 04:50 PM   #2
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,240

Rep: Reputation: 5322
Please consider the fact that your approach is very insecure.

Code:
curl -d "bakup='whatever; rm -rf $HOME'" /path/to/your/endpoint

Last edited by dugan; 06-25-2014 at 04:55 PM.
 
Old 06-25-2014, 06:24 PM   #3
pizzipie
Member
 
Registered: Jun 2005
Location: Hayden, ID
Distribution: Ubuntu 20.04
Posts: 441

Original Poster
Rep: Reputation: 12
Thanks for the reply,

However, please explain.

What does that code mean and/or what is it supposed to do?
 
Old 06-25-2014, 06:42 PM   #4
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,240

Rep: Reputation: 5322
It hacks you and erases every file in the home directory of whatever user Apache is running as.

You have:

Code:
$myBakup=trim($_POST['bakup']);
$command ="/usr/bin/mysql --host='localhost' --user='rick' --password='rick' < ".$myBakup;
I use curl to POST the following:

Code:
bakup='whatever; rm -rf $HOME'
Your code will pick that up and set $command as follows:

Code:
$command ="/usr/bin/mysql --host='localhost' --user='rick' --password='rick' < whatever; rm -rf $HOME"
Your script then executes that, deleting every file in the home directory of whatever user the web server is running as. That probably means your entire web root.

Your code is no doubt vulnerable to other attacks, but that was the one that came to mind immediately.

Try adding a level of security with escapeShellCmd, as in the following example:

http://www.linuxquestions.org/questi...9/#post5125013

Last edited by dugan; 06-25-2014 at 06:59 PM.
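
An added example, not part of any post in this thread: one way to close the injection described in post #4 is to reject any `bakup` or `dbase` value that does not match an allow-list, then quote the file name as a single shell argument. It uses PHP's `escapeshellarg()` (intended for one argument) rather than the `escapeShellCmd` named above, and `ALLOWED_DBS`, `valid_backup_name()` and `build_restore_command()` are hypothetical names chosen for illustration.

```php
<?php
// Added example, not code from the thread. The allow-list, file-name pattern
// and function names below are assumptions made for illustration.

const ALLOWED_DBS = ['pizzidb'];   // assumed: databases this endpoint may restore

// Accept only names shaped like the dumps in the thread, e.g.
// PIZZIDB_DUMP_06.20.14_17.15.00.sql.gz: no slashes, spaces, leading dashes
// or shell metacharacters.
function valid_backup_name(string $name): bool {
    return preg_match('/\A[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)*\.sql(\.gz)?\z/', $name) === 1;
}

// Build the restore command, or return null if either input is rejected.
function build_restore_command(string $dbase, string $bakup): ?string {
    if (!in_array($dbase, ALLOWED_DBS, true) || !valid_backup_name($bakup)) {
        return null;
    }
    // escapeshellarg() wraps the value in single quotes so the shell sees one
    // literal argument, even if the validation above were ever loosened.
    return "/usr/bin/mysql --host='localhost' --user='rick' --password='rick' < "
         . escapeshellarg($bakup);
}

// Constructed inputs: one legitimate name and the payload from post #4.
$samples = [
    'PIZZIDB_DUMP_06.20.14_17.15.00.sql',
    'whatever; rm -rf $HOME',
];
foreach ($samples as $bakup) {
    $cmd = build_restore_command('pizzidb', $bakup);
    echo ($cmd ?? "REJECTED: " . $bakup), "\n";   // commands are printed, never executed
    // What quoting alone does to the value: the shell would see one file name.
    echo "  quoted: ", escapeshellarg($bakup), "\n";
}
```

The same check applies to the `gunzip` command and to `$myDbase` before it is used in `chdir()`, since both are built from the same POST values.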
 
Old 06-25-2014, 07:08 PM   #5
pizzipie
Member
 
Registered: Jun 2005
Location: Hayden, ID
Distribution: Ubuntu 20.04
Posts: 441

Original Poster
Rep: Reputation: 12
Thanks Dugan,

Although I only use this in my home, not on the internet, I will look into this and add that security.

Having read another internet hint I have revised my PHP error detecting code.

I now check error.log and I am seeing no permission errors. Since all my data forms have 777 for permissions I am stumped. I am wondering if I should add my user name to the www-data group. Am I going off the path again?

Thanks R

R

Last edited by pizzipie; 06-25-2014 at 09:37 PM.
 
Old 06-26-2014, 12:31 AM   #6
NevemTeve
Senior Member
 
Registered: Oct 2011
Location: Budapest
Distribution: Debian/GNU/Linux, AIX
Posts: 4,869
Blog Entries: 1

Rep: Reputation: 1870
The access rights of the script don't really matter; what matters is that it runs as 'www-data' user, so it most likely is not allowed to manipulate your 'normal' user's files.
 
Old 06-28-2014, 12:30 AM   #7
pizzipie
Member
 
Registered: Jun 2005
Location: Hayden, ID
Distribution: Ubuntu 20.04
Posts: 441

Original Poster
Rep: Reputation: 12

[SOLVED]

Thanks for the help,

It was a permissions problem after all.

R
 
  

