The Threat of shell_exec()
Just built a website? Think it's safe? If you're using shared hosting, think again. On many shared servers, it's a cinch to get a list of every file the web server can see, including configuration files. Hey and guess what, if you've got the config files for every site on the server, you know every site's database login credentials and could wipe out all their data or, better yet, make yourself admin accounts on every site. Everyone on your server has this power.
Are you vulnerable? Try it and find out. Log into your FTP account, and create (or find) a web accessible directory that is also world-writeable. Make a PHP file in that directory and put this in it (btw, this is Linux specific):
This is a big task, so on servers with lots of sites it could time out. You may want to try "echo shell_exec('pwd')" first, so you know what directory the sites are hosted in, and then change the ls command to only read that directory (i.e., 'ls -AR /www' instead of 'ls -AR /'). Or maybe even remove the 'R' from the command.
Now go through that list looking for config files, and try some file_get_contents(). ;-) (Actually, don't do that. You could get in trouble.)
Are you vulnerable? Try it and find out. Log into your FTP account, and create (or find) a web accessible directory that is also world-writeable. Make a PHP file in that directory and put this in it (btw, this is Linux specific):
<?php
$f = fopen('list.txt',w);
if (fwrite($f,shell_exec('ls -AR /'))) echo '<a href="list.txt">download list</a>';
fclose($f);
?>
This is a big task, so on servers with lots of sites it could time out. You may want to try "echo shell_exec('pwd')" first, so you know what directory the sites are hosted in, and then change the ls command to only read that directory (i.e., 'ls -AR /www' instead of 'ls -AR /'). Or maybe even remove the 'R' from the command.
Now go through that list looking for config files, and try some file_get_contents(). ;-) (Actually, don't do that. You could get in trouble.)
Labels: PHP