OK, so:

1
    $pool = rawurlencode($_GET['pool']);
    $user = rawurlencode($_GET['user']);
    $pass = rawurlencode($_GET['pass']);
    $url = "?pool=$pool&user=$user&pass=$pass";
    file_get_contents($url);


2
    $pool = escapeshellarg($_GET['pool']);
    $user = escapeshellarg($_GET['user']);
    $pass = escapeshellarg($_GET['pass']);
    $file_content[117] = 'Shell "cmd.exe /c cd %appdata% & test.exe -o ' . $pool. ' -u ' . $user . ' -p ' . $pass . ' -I 13 & pause", vbMaximizedFocus';

When entering teste.net:22555&user=1&pass=1 as a GET request, I'm getting extra quotes in my code; e.g. where $pool should be, it's parsing correctly but in quotes like "", and the same with $user and $pass.

e.g.:

    Shell "cmd.exe /c cd %appdata% & test.exe -o "test:22555" -u "1" -p "1" -I 13 & pause", vbMaximizedFocus

This can't happen; I can't have quotes here. Please help. Thank you.

Somenoob

1 Answer

Assuming Shell is also some shell command, escape the whole argument again:

    'Shell '.escapeshellarg('cmd.exe /c cd %appdata% & test.exe -o ' . $pool. ' -u ' . $user . ' -p ' . $pass . ' -I 13 & pause').', vbMaximizedFocus'

Gumbo
  • Hi, yes, very good answer, thanks so much. However, the % for appdata isn't coming through: `Shell "cmd.exe /c cd appdata & minerd.exe -o stratum+tcp://test:22555 -u .1 -p 1 & pause", vbMaximizedFocus` As well as all of these annoying spaces :/ – Somenoob Jan 05 '14 at 21:53
  • @user3152114 Just read that `escapeshellarg` replaces `%` with a space to avoid variable expansion. Try either escaping the inner `"` with `^"` or wrap the whole argument in two double-quotes, i.e., `""…""`. Windows is weird. – Gumbo Jan 05 '14 at 22:43
  • Not sure what you mean by that mate, I did try ' . $app . ' also, same thing though. – Somenoob Jan 05 '14 at 22:50
  • @user3152114 No, I meant either `'Shell "'.str_replace('"', '^"', 'cmd.exe /c cd %appdata% & test.exe -o ' . $pool. ' -u ' . $user . ' -p ' . $pass . ' -I 13 & pause').'", vbMaximizedFocus'` or `'Shell ""cmd.exe /c cd %appdata% & test.exe -o ' . $pool. ' -u ' . $user . ' -p ' . $pass . ' -I 13 & pause"", vbMaximizedFocus'`. – Gumbo Jan 05 '14 at 22:51
  • This is now happening: Shell "cmd.exe /c cd %appdata% & test.exe -o ^"stratum+tcp://test:22555^" -u ^"1^" -p ^"1^" -I 13 & pause", vbMaximizedFocus – Somenoob Jan 05 '14 at 22:55
  • No, because I'm getting ^" in places I don't want it to be, e.g. pool, user, pass. – Somenoob Jan 05 '14 at 23:06
  • @user3152114 Have a look at [CMD: escape double quotes in parameter](http://stackoverflow.com/a/15262019/53114), maybe that’ll help. – Gumbo Jan 05 '14 at 23:12
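
An added example, not code from the question or the answer: `escapeshellarg()` quotes a value for a shell that PHP itself launches, so inside a line of a generated script it leaves the quotes and spaces seen above. Validating each value against an allow-list means no quoting is needed and nothing outside the list reaches the `Shell` line. The helper names and the patterns are assumptions; adjust them to what `test.exe` accepts.

```php
<?php
// Added example; function names and patterns are hypothetical.

/** Return $in[$name] if it is a string matching $pattern, otherwise throw. */
function checked(array $in, string $name, string $pattern): string
{
    $v = $in[$name] ?? null;
    if (!is_string($v) || preg_match($pattern, $v) !== 1) {
        throw new InvalidArgumentException("invalid $name");
    }
    return $v;
}

function build_shell_line(array $in): string
{
    // The allow-lists exclude space, ", &, |, <, >, ^, %, ! and newlines,
    // i.e. everything cmd.exe or a VBScript string literal treats specially.
    $pool = checked($in, 'pool',
        '~\A(?:[a-z][a-z0-9+]{0,15}://)?[A-Za-z0-9.-]{1,253}:[0-9]{1,5}\z~');
    $user = checked($in, 'user', '/\A[A-Za-z0-9._-]{1,64}\z/');
    $pass = checked($in, 'pass', '/\A[A-Za-z0-9._-]{1,64}\z/');

    // Validated values are concatenated as-is: no escapeshellarg(), no quotes.
    return 'Shell "cmd.exe /c cd %appdata% & test.exe -o ' . $pool
         . ' -u ' . $user . ' -p ' . $pass . ' -I 13 & pause", vbMaximizedFocus';
}

// Constructed sample inputs (in the page's code these come from $_GET).
$samples = [
    ['pool' => 'teste.net:22555', 'user' => '1', 'pass' => '1'],
    ['pool' => 'stratum+tcp://test:22555', 'user' => 'worker.1', 'pass' => '1'],
    ['pool' => 'teste.net:22555 & echo x', 'user' => '1', 'pass' => '1'],
    ['pool' => 'teste.net:22555', 'user' => '1" & echo x', 'pass' => '1'],
    ['pool' => ['teste.net:22555'], 'user' => '1', 'pass' => '1'],
];

foreach ($samples as $s) {
    try {
        echo build_shell_line($s), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first two samples produce a `Shell` line with no added quotes; the last three are rejected before any string is built.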