I am trying to test the interaction of PHP with the bash shell (version 4.2). My bash shell is not patched for Shellshock (yes, I know how to fix it, I test in a VM, I am more focused on PHP's interaction with the shell).
I have a simple PHP program that takes an argument from a query string, adds it to the environment via putenv(), and then runs a command using system(). The script looks like this:
<?php
function getParam() {
    $arg = NULL;
    if (isset($_GET["arg"]) && !empty($_GET["arg"])) {
        $arg = $_GET["arg"];
    }
    return $arg;
}

$arg = getParam();
putenv("ARG=$arg");
system("set");
?>
system(), as you can see, uses the set command to print shell variables. At first I tried to use the following:
curl http:
In the output, I see the following line:
ARG=123
In the spirit of shellshock, I then changed my argument as follows:
curl http://localhost/myphp.php?arg="()%20%7B%20echo%20hello;%20%7D;"
The argument is essentially given as:
arg=() { echo hello; };
When I run the script, I do not see ARG in my output from set.
But then I changed the curl request as follows:
curl http://localhost/myphp.php?arg="()%20%7B%20echo%20hello;%20%7D;%20echo%20PID:%20;%20echo%20%24%24%20;%20echo%20Set:%20;%20set%20"
This time the argument is set as:
arg=() { echo hello; }; echo PID:; echo $$; echo Set:; set
This time, I still do not see ARG in the output from system(), but I see additional output caused by the argument, like:
PID:0 Set: // Omitted some output ARG () { echo hello }
So my question is: why don't I see the ARG argument in set through system(), but do see it in the set output via a parameter?
Edit
To rephrase the question to make it more understandable: in the PHP code, I call system(set) (last line), versus passing set as part of the query string. The set run using system() does not show the presence of ARG among the shell variables, whereas the set executed from the query string does show it (although the PID is output as 0, so this must be taken into account to explain this).
Here is the full output: http://pastebin.com/raw.php?i=WcBXgYAj
If I change system(set) to system(env), I see the result: http://pastebin.com/raw.php?i=q1r6Z3Zi
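Added example, not part of the original post: a Python check that decodes the query strings of the requests shown above and separates a plain value, a bare function-definition value, and a function definition followed by extra shell text, which is the distinction between the two curl requests in the question. The names classify_value, scan_url and SAMPLES are hypothetical, the first sample URL is constructed from the ARG=123 output, and the prefix regex is deliberately looser than an exact match.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# A value that starts with "() {" is what an unpatched bash treats as an
# exported function definition when it finds it in the environment.
# Assumption: optional whitespace is allowed here to keep the check broad.
FUNC_PREFIX = re.compile(r"^\(\)\s*\{")

def classify_value(value):
    """Return (label, trailing_text) for one decoded parameter value."""
    if not FUNC_PREFIX.match(value):
        return ("plain", "")
    depth = 0
    # Heuristic brace matching; braces inside quotes are not special-cased.
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                # Anything left after the closing brace is extra shell text.
                trailing = value[i + 1:].strip(" ;\t\r\n")
                label = "function+trailing" if trailing else "function-only"
                return (label, trailing)
    return ("function-unterminated", "")

def scan_url(url):
    """Classify every query-string parameter of a request URL."""
    findings = {}
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        findings[unquote_plus(name)] = classify_value(unquote_plus(raw))
    return findings

# Request URLs as curl sends them (shell quotes removed).
SAMPLES = [
    # Constructed from the ARG=123 output in the post.
    "http://localhost/myphp.php?arg=123",
    # The two Shellshock-style requests from the post.
    "http://localhost/myphp.php?arg=()%20%7B%20echo%20hello;%20%7D;",
    "http://localhost/myphp.php?arg=()%20%7B%20echo%20hello;%20%7D;%20echo%20PID:%20;%20echo%20%24%24%20;%20echo%20Set:%20;%20set%20",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(scan_url(url))
```

The same classify_value check can be applied to decoded header values or to any string before it is passed to putenv().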