
Trying to make a simple Perl script that looks at a GET parameter to determine which php version to use, and then pass on the request. Here is the whole script:

#!/usr/bin/perl
use FCGI;

$cnt = 0;
local ($buffer, @pairs, $pair, $name, $value);

while(FCGI::accept >= 0){
  $php = "php";

  $ENV{PHP_FCGI_CHILDREN}=3;
  $ENV{PHP_FCGI_MAX_REQUESTS}=5000;
  $buffer = $ENV{'QUERY_STRING'};
  @pairs = split(/&/, $buffer);
  foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    if($name == "php") {
      $php = "php".$value;
    }
  }
  print "Content-Type: text/html\r\n\r\n";
  print `$php $ENV{PATH_TRANSLATED}`;
}

The idea is that the PHP version can be switched with a GET parameter... that part seems to be working fine when I test with phpversion().

So this thing seems to be "working" but a test file with a simple <?php phpinfo(); ?> outputs a pure string, NOT the formatted HTML. It gives the exact output as if phpinfo() were run from the command line, because that's exactly what's going on.

So the two parts to my question are

  1. Is this actually a problem?
  2. How would I "pass the request" to PHP, instead of invoking the command line?

1 Answer


Nice command injection vulnerability you built there.

QUERY_STRING='0=5;echo "fail_at_Web_security_forever";rm -rf /'

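String comparison is eq, not ==. You must validate user input: whitelist the acceptable inputs and reject everything else. The lack of a standard CGI parameter parsing library is typical for bad code like this: use CGI.pm or similar.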

To forward/proxy the request, call PHP over HTTP: use LWP::UserAgent or similar.

Answered 2013-08-29T07:10:21.853
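
The validation the answer asks for, as an added example that is not code from the question or the answer: the `php` parameter is parsed with CGI.pm, looked up as an exact string key in an allowlist, and the chosen interpreter is started without a shell. The version keys, interpreter paths and the names `select_php` and `run_php` are assumptions made for this example, and CGI.pm is assumed to be installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI ();    # assumes CGI.pm is installed (on CPAN; not in core since Perl 5.22)

# Allowlist of accepted "php" values mapped to fixed interpreter paths.
# The keys and paths are hypothetical, chosen for this example.
my %PHP_BIN = (
    '5.3' => '/opt/php-5.3/bin/php-cgi',
    '5.4' => '/opt/php-5.4/bin/php-cgi',
);
my $DEFAULT_VERSION = '5.4';

# Map a raw query string to an interpreter path; undef means "reject".
sub select_php {
    my ($query_string) = @_;
    my $q = CGI->new($query_string // '');    # library parsing and URL-decoding
    my $version = $q->param('php');           # scalar context: first value only
    $version = $DEFAULT_VERSION unless defined $version;
    return $PHP_BIN{$version};                # exact string key, never concatenated
}

# Run the interpreter without a shell: with list-form open, $script is passed
# as a single argv entry, so metacharacters in it are not interpreted.
sub run_php {
    my ($bin, $script) = @_;
    open(my $out, '-|', $bin, $script) or return;
    local $/;                                 # slurp all output
    my $body = <$out>;
    close $out;
    return $body;
}

# Constructed sample inputs; the third is the query string from the answer.
my @samples = (
    'php=5.3',
    'page=2',
    '0=5;echo "fail_at_Web_security_forever";rm -rf /',
    'php=5.4%3Becho+x',
    'php=7.0',
);
for my $qs (@samples) {
    my $bin = select_php($qs);
    printf "%-52s => %s\n", $qs, defined $bin ? $bin : '400 Bad Request';
}
```

In the FastCGI loop, a request for which `select_php` returns undef would get an error response instead of reaching `run_php`, and `run_php` would receive `$ENV{PATH_TRANSLATED}` as the script argument.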