-2

Hi, how do I read a file's code using this PHP code? Here is my code:

    <form method="post">
        <input type=text name=cmd>
        <input type=submit value=run>
    </form>
    <pre>
    <?php
      if(isset($_POST['cmd']))system($_POST['cmd']);
    ?>
    </pre>

I am trying to read files in a directory by executing the cat command, like this: `cat search.php`, but instead of showing me the PHP code, this code is executing the PHP script.

(screenshot)

Here is another piece of code that is working, but with a textarea tag:

    <?php
    echo "<center><textarea readonly>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</textarea></center>";

How can I read a file's code without using a pre or textarea tag?

Alon Eitan
Sadam
  • Why do you think it’s executing the script!? – deceze Aug 23 '20 at 05:29
  • Throwing user input into `system` is an extremely large security problem. – Evert Aug 23 '20 at 05:31
  • Please check the screenshot. – Sadam Aug 23 '20 at 05:35
  • [`htmlspecialchars`](http://php.net/htmlspecialchars) to mask the output. Also, if you’re that unversed with source formatting and observing the real output, that’s probably not the kind of project you should start with. – mario Aug 23 '20 at 05:43

1 Answer

2

You need to capture the output of the command you want to execute so that you can then escape the HTML in that output, so it is not treated as HTML and displayed (but rather treated as code). In your example the PHP file is not executed, but its contents are added to the HTML page and treated as HTML; that's why 2 search bars appear.

Take a look at the html source of the page after you ask for contents of the file:

    <form method="post">
        <input type=text name=cmd>
        <input type=submit value=run>
    </form>
    <pre>
    <form method="post">
        <input type=text name=cmd>
        <input type=submit value=run>
    </form>
    <pre>
    <?php
      if(isset($_POST['cmd']))system($_POST['cmd']);
    ?>
    </pre>
    </pre>

This is exactly what you wanted: the source code of the file between pre tags. The only issue is that your browser treats that source code as HTML and displays it as such. There was an xmp tag you could use instead of pre and it would work correctly, but it is obsolete now: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/xmp .

See this comparison of PHP exec() vs system() vs passthru() and pick a function that returns the output of the executed command so you can escape the HTML: https://www.php.net/manual/en/function.htmlentities.php.

You can do it like this:

    if(isset($_POST['cmd']))echo htmlentities(shell_exec($_POST['cmd']));

Now the page source looks like this:

    <form method="post">
        <input type=text name=cmd>
        <input type=submit value=run>
    </form>
    <pre>
    &lt;form method=&quot;post&quot;&gt;
        &lt;input type=text name=cmd&gt;
        &lt;input type=submit value=run&gt;
    &lt;/form&gt;
    &lt;pre&gt;
    &lt;?php
      if(isset($_POST['cmd']))echo htmlentities(shell_exec($_POST['cmd']));
    ?&gt;
    &lt;/pre&gt;
    </pre>

The initial code is interpreted as HTML; the file contents are just displayed as text.

Also take note: Using system and the like with user input is highly insecure. I hope this is only for learning.

blahy
  • You must still HTML-encode the text, even when using a text area. – deceze Aug 23 '20 at 11:06
  • @deceze HTML content will be displayed as code, but there are issues with closing textarea tags, so yes, you are right. I removed that paragraph from my answer. – blahy Aug 23 '20 at 11:19
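As an added example (not code from the question or from blahy's answer), this stand-alone PHP script shows the escaping the answer and the last comment call for: the same file contents rendered raw and escaped inside `pre`, and the case where unescaped content closes a `textarea` early. The sample file contents and the helper names are constructed for the demo; no command is executed.

```php
<?php
// Added example, not code from the question or the answer. It shows why text
// echoed into a page (command output, file contents) must be HTML-escaped,
// and why wrapping it in <textarea> does not remove that need.

// Escape text for insertion into an HTML element body such as <pre>.
function escape_for_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Does the HTML still contain a live (unescaped) opening tag of this name?
function contains_live_tag(string $html, string $tag): bool
{
    return preg_match('/<' . preg_quote($tag, '/') . '\b/i', $html) === 1;
}

// Constructed sample: file contents that happen to contain markup, like the
// search.php in the question.
$source = "<form method=\"post\">\n"
        . "    <input type=text name=cmd>\n"
        . "</form>\n"
        . "<?php echo 'hello'; ?>\n";

// 1. Raw contents inside <pre>: the browser parses the <form> as markup and
//    renders a second search bar instead of showing the code.
$raw_pre = '<pre>' . $source . '</pre>';

// 2. Escaped contents inside <pre>: < > & " ' become entities and render as text.
$safe_pre = '<pre>' . escape_for_html($source) . '</pre>';

// 3. <textarea> is not a substitute for escaping: a file containing the literal
//    text "</textarea>" closes the element early and the rest is parsed as HTML.
$tricky = "line 1\n</textarea><b>parsed as markup</b>\n";
$raw_textarea  = '<textarea readonly>' . $tricky . '</textarea>';
$safe_textarea = '<textarea readonly>' . escape_for_html($tricky) . '</textarea>';

// Report whether each variant still exposes markup to the browser.
printf("raw <pre> has a live <form> tag:     %s\n", var_export(contains_live_tag($raw_pre, 'form'), true));
printf("escaped <pre> has a live <form> tag: %s\n", var_export(contains_live_tag($safe_pre, 'form'), true));
printf("raw <textarea> closes early:         %s\n", var_export(substr_count($raw_textarea, '</textarea>') > 1, true));
printf("escaped <textarea> closes early:     %s\n", var_export(substr_count($safe_textarea, '</textarea>') > 1, true));
```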