
I read a related post and got the impression that the system() function in PHP does not use a shell. But then I saw the following example posted on OWASP (example 6 on the page):

The following PHP code snippet is vulnerable to a command injection attack:

<?php
print("Please specify the name of the file to delete");
print("<p>");
$file=$_GET['filename'];
system("rm $file"); // vulnerable: $file is interpolated into the command string unescaped and handed to the shell
?>

The following request and response is an example of a successful attack:

Request

http://127.0.0.1/delete.php?filename=bob.txt;id

Response

Please specify the name of the file to delete

uid=33(www-data) gid=33(www-data) groups=33(www-data) 

Without a shell, why would system() fall for the semicolon? Or does the system() implementation in PHP identify the semicolon in that way?

Jake
2 Answers


It does use the shell. I didn't see any answer in the question you linked to that said it doesn't.

The documentation says:

system() is just like the C version of the function in that it executes the given command and outputs the result.

Since the C function uses the shell, so does the PHP function.

The documentation is slightly misleading, because the C function doesn't return any of the output of the command, while the PHP function returns the last line of the output.

Barmar
  • I was confused because PHP has a function called `shell_exec()` (http://php.net/manual/en/function.shell-exec.php) .. I thought why would they need two of them? – Jake Sep 08 '15 at 15:08
  • I don't know why PHP has all those different functions for executing commands. But as far as I can tell, they all use the shell. – Barmar Sep 08 '15 at 15:11
  • They differ slightly in how they return the output. `shell_exec` returns all the output as a string, `system` returns just the last line, `exec` returns the last line and appends all the output lines to an array passed by value. – Barmar Sep 08 '15 at 15:12
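Because system() goes through /bin/sh, the fix is to keep attacker-controlled text out of the shell's parsing entirely. A hardened version of the OWASP delete handler, added here as an example (it is not code from the question, the answers or OWASP); it assumes an upload directory path `$uploadDir` and the hypothetical helper names below:

```php
<?php
// Added example. $uploadDir is an assumed deployment path.
$uploadDir = '/var/www/uploads';

function deleteUploadedFile(string $uploadDir, string $filename): bool
{
    // 1. Accept only a plain file name: no path separators and none of the
    //    shell metacharacters (';', '|', '$', whitespace) the attack relies on.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $filename) || $filename[0] === '.') {
        return false;
    }
    // 2. Resolve the real path and confirm it is still inside $uploadDir, so
    //    "../" sequences and symlinks cannot point the delete elsewhere.
    $base = realpath($uploadDir);
    $path = realpath($uploadDir . '/' . $filename);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return false;
    }
    // 3. Prefer the PHP API: unlink() never involves a shell at all.
    return unlink($path);
}

// If a shell command really is unavoidable, quote every argument with
// escapeshellarg(). "bob.txt;id" then reaches rm as one literal argument
// instead of being split by /bin/sh into "rm bob.txt" followed by "id".
function deleteViaShell(string $uploadDir, string $filename): bool
{
    $base = realpath($uploadDir);
    $path = realpath($uploadDir . '/' . $filename);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return false;
    }
    system('rm ' . escapeshellarg($path), $exitCode);
    return $exitCode === 0;
}

header('Content-Type: text/plain');
$file = $_GET['filename'] ?? '';
echo deleteUploadedFile($uploadDir, $file) ? "deleted\n" : "refused\n";
```

With the request from the question, `filename=bob.txt;id` fails the allowlist check and realpath() returns false for the non-existent name, so nothing is executed and the response is "refused".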

Yes, and this example will show you:

// "$0" is not a valid PHP variable name, so the shell receives it literally and prints its own name (e.g. "sh")
echo system("echo $0");
Halayem Anis