Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread dan mclaughlin
On Mon, 1 Jun 2015 06:05:28 -0400 Josh Grosse j...@jggimi.homeip.net wrote:
 On Mon, Jun 01, 2015 at 04:45:01AM -0400, dan mclaughlin wrote:
  On Sun, 31 May 2015 22:20:17 -0500 Okupandolared kan...@darkmail.mx wrote:
   does not exist,
   
   so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami?
   
   that try ls and /bin/ls and /var/www/bin/ls
   
   and it does not work,
   /bin/ls exist
   /var/www/bin/ls exist
   
   thanks
   
   On 05/31/15 19:43, Zé Loff wrote:
On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
   
I like received variables POST and send to KSH script.
   
But it seems that in OpenBSD 5.6 and php-fpm.
   
exec() and exec_shell() not working.
   
Could anyone help me?
   
This link explain in detail what I've tried.
   
http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec
   
thanks

If the server is chrooted at /var/www then /usr/bin/whoami (from the
server's point of view) actually means /var/www/usr/bin/whoami (from
your point of view). Does that file exist?
   
  
  have you tried to copy /bin/sh to /var/www/bin/sh?
  
 Also, in a chrooted filesystem, every dynamically linked executable needs 
 access
  to ld.so and its shared libraries.  Which means /var/www/usr/lib and 
 /var/www/usr/libexec will need files populated -- every binary file should be
 checked with ldd(1) to ensure required libraries are made available.
 shared libraries.  Each program should 

that reminds me, i did a write up on chrooting programs here:
https://marc.info/?l=openbsd-misc&m=142676615612510&w=2

although it got into more, the basics of setting up a chroot jail are there.

i also have a script that adds a binary and its dependencies automatically.
i'll have to post it later, since i've actually been meaning to recently.
just have to make a few adjustments for portability.



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread dan mclaughlin
On Sun, 31 May 2015 22:20:17 -0500 Okupandolared kan...@darkmail.mx wrote:
 does not exist,
 
 so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami?
 
 that try ls and /bin/ls and /var/www/bin/ls
 
 and it does not work,
 /bin/ls exist
 /var/www/bin/ls exist
 
 thanks
 
 On 05/31/15 19:43, Zé Loff wrote:
  On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA256
 
  I like received variables POST and send to KSH script.
 
  But it seems that in OpenBSD 5.6 and php-fpm.
 
  exec() and exec_shell() not working.
 
  Could anyone help me?
 
  This link explain in detail what I've tried.
 
  http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec
 
  thanks
  
  If the server is chrooted at /var/www then /usr/bin/whoami (from the
  server's point of view) actually means /var/www/usr/bin/whoami (from
  your point of view). Does that file exist?
 

have you tried to copy /bin/sh to /var/www/bin/sh?



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Josh Grosse
On Mon, Jun 01, 2015 at 04:45:01AM -0400, dan mclaughlin wrote:
 On Sun, 31 May 2015 22:20:17 -0500 Okupandolared kan...@darkmail.mx wrote:
  does not exist,
  
  so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami?
  
  that try ls and /bin/ls and /var/www/bin/ls
  
  and it does not work,
  /bin/ls exist
  /var/www/bin/ls exist
  
  thanks
  
  On 05/31/15 19:43, Zé Loff wrote:
   On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote:
   -BEGIN PGP SIGNED MESSAGE-
   Hash: SHA256
  
   I like received variables POST and send to KSH script.
  
   But it seems that in OpenBSD 5.6 and php-fpm.
  
   exec() and exec_shell() not working.
  
   Could anyone help me?
  
   This link explain in detail what I've tried.
  
   http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec
  
   thanks
   
   If the server is chrooted at /var/www then /usr/bin/whoami (from the
   server's point of view) actually means /var/www/usr/bin/whoami (from
   your point of view). Does that file exist?
  
 
 have you tried to copy /bin/sh to /var/www/bin/sh?
 
Also, in a chrooted filesystem, every dynamically linked executable needs access
 to ld.so and its shared libraries.  Which means /var/www/usr/lib and 
/var/www/usr/libexec will need files populated -- every binary file should be
checked with ldd(1) to ensure required libraries are made available.
shared libraries.  Each program should 
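Josh's point about ld.so and ldd(1), and the dependency-copying script dan mclaughlin mentions further up, as an added example: this is my own POSIX sh script, not dan's (which was never posted in this thread) and not anything from the OpenBSD project. It parses ldd(1) output and copies a binary together with the shared objects it lists into a chroot root such as /var/www. The binary /usr/local/bin/example and the ldd listing are constructed, and the function names libs_from_ldd, install_into and add_to_chroot are mine.

```shell
#!/bin/sh
# Added example, not the script dan mclaughlin mentions (which was never posted
# in this thread): copy a program and the shared objects ldd(1) reports for it
# into a chroot such as /var/www, so a dynamically linked binary can run there.
# The sample ldd output below is constructed (addresses are made up).

# Print the shared-object paths found in ldd(1) output read on stdin.
# Handles OpenBSD's table format (Type column rlib/dlib/ld.so, Name in column 7)
# and, as a generalisation, the "name => /path" lines printed by glibc's ldd,
# so the same parser works on either system. Sorted in the C locale so the
# order is stable regardless of the caller's LC_COLLATE.
libs_from_ldd() {
    awk '
        $3 ~ /^(rlib|dlib|ld\.so)$/ && $7 ~ /^\//  { print $7; next }  # OpenBSD table
        $2 == "=>" && $3 ~ /^\//                   { print $3; next }  # glibc "=>" line
        NF == 2 && $1 ~ /^\//                      { print $1 }        # glibc ld.so line
    ' | LC_ALL=C sort -u
}

# Copy one file into ROOT at the same absolute path, preserving its mode.
install_into() {  # install_into ROOT /abs/path
    mkdir -p "$1$(dirname "$2")" && cp -p "$2" "$1$2"
}

# Copy BIN plus every library ldd(1) lists for it under ROOT. A statically
# linked program (most of /bin and /sbin on OpenBSD) lists no libraries, so
# only the binary itself is copied.
add_to_chroot() {  # add_to_chroot ROOT BIN
    install_into "$1" "$2" || return 1
    ldd "$2" 2>/dev/null | libs_from_ldd | while IFS= read -r lib; do
        install_into "$1" "$lib" || exit 1   # exit leaves the subshell, failing the pipeline
    done
}

# Constructed ldd(1) output in OpenBSD's format for a hypothetical binary;
# running libs_from_ldd on it shows which files the chroot would need.
SAMPLE_LDD='/usr/local/bin/example:
        Start            End              Type  Open Ref GrpRef Name
        00000d3b6f900000 00000d3b6fb04000 exe   1    0   0      /usr/local/bin/example
        00000d3e1e3cd000 00000d3e1e6c0000 rlib  0    1   0      /usr/lib/libutil.so.13.1
        00000d3dd4e8c000 00000d3dd5187000 rlib  0    1   0      /usr/lib/libc.so.89.3
        00000d3e0e900000 00000d3e0e900000 ld.so 0    1   0      /usr/libexec/ld.so'

sample_libs() { printf '%s\n' "$SAMPLE_LDD" | libs_from_ldd; }

if [ $# -eq 2 ]; then
    add_to_chroot "$1" "$2"      # e.g. add_to_chroot /var/www /usr/local/bin/example
else
    sample_libs                  # with no arguments, just show the parsed sample
fi
```

Run as `sh populate.sh /var/www /path/to/binary` and then check the result with `ldd` from inside the chroot, or simply try the program under `chroot /var/www`. Note that on OpenBSD the programs in /bin and /sbin, /bin/sh included, are statically linked, so for those ldd(1) lists nothing and copying the binary alone is enough; the libraries only matter for dynamically linked programs under /usr.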



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Josh Grosse
Corrected for typos.  What I'd just Emailed was without any coffee...

On Mon, Jun 01, 2015 at 06:05:28AM -0400, Josh Grosse wrote:

 Also, in a chrooted filesystem, every dynamically linked executable needs 
 access
  to ld.so and its shared libraries.  Which means /var/www/usr/lib and 
 /var/www/usr/libexec will need files populated -- every binary file should be
 checked with ldd(1) to ensure required libraries are made available.



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Jiri B
On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:
 Hi,
 
 I have an web form.
 
 I need send of webform to script bash
 
 webform.html -- PHP proces -- create.sh
 
 create.sh
 #!/bin/ksh
 # Create user
 
 echo "hi!! your pass $1"
 crypted=$(echo -n $1 | smtpctl encrypt )
 maildir=$3/$2/
 echo -e "$2@$3" >> recipients
 echo -e "$2@$3\t$crypted" >> credentials
 echo ejabberdctl register $2 $3 $1
 echo "INSERT INTO mails (userid, domain, password, maildir) VALUES
 ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail;

Hoho, it won't run in the chroot: smtpd doesn't have a socket
in the chroot, same for ejabberdctl.

You need to have some lightweight communication
protocol between chroot and an app outside which would
sanitize input and do the work.

j.



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Florian Obser
On 01/06/15 18:49, Okupandolared wrote:
 Hi,
 
 I have an web form.
 
 I need send of webform to script bash
 
 webform.html -- PHP proces -- create.sh
 
 create.sh
 #!/bin/ksh
 # Create user
 
 echo "hi!! your pass $1"
 crypted=$(echo -n $1 | smtpctl encrypt )
 maildir=$3/$2/
 echo -e "$2@$3" >> recipients
 echo -e "$2@$3\t$crypted" >> credentials
 echo ejabberdctl register $2 $3 $1
 echo "INSERT INTO mails (userid, domain, password, maildir) VALUES
 ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail;
 
 example php
 <?php
 function antiyec($data) {
   $data = trim($data);
   $data = stripslashes($data);
   $data = htmlspecialchars($data);
   return $data;
 }
 $user = antiyec($_POST['user']);
 $frase1 = antiyec($_POST['pass']);
 $domain = antiyec($_POST['dom']);
 
 $out = shell_exec('ksh create.sh $frase1 $user $domain');
 echo "<pre>$out</pre>";
 ?>
 

Can't tell if trolling or just stupid.

 
 On 06/01/15 08:50, Gareth Nelson wrote:
 Everyone is missing the bigger picture here:

 Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea
 and things should be redesigned so that it's not needed.



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Gareth Nelson
my domain is:
',); DROP mails;--

Sanitise your inputs

---
“Lanie, I’m going to print more printers. Lots more printers. One for
everyone. That’s worth going to jail for. That’s worth anything.” -
Printcrime by Cory Doctrow

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

On Mon, Jun 1, 2015 at 6:16 PM, Okupandolared kan...@darkmail.mx wrote:

 Really you could use php to insert into mysql,

 but as I need to run ejabberdctl and smtpdctl.

 I thought it would do everything from bash

 I have no idea how it could call smtpctl from php, maybe you go look at
 python.

 On 06/01/15 10:09, Gareth Nelson wrote:
  Why on earth are you using the shell to insert into MySQL?
 
  I would redesign this whole setup under the guidance of someone more
  experienced to be honest, there's MANY mistakes you're making here, and
  thus likely other mistakes
 
  ---
  “Lanie, I’m going to print more printers. Lots more printers.
One for
  everyone. That’s worth going to jail for. That’s worth
anything.” -
  Printcrime by Cory Doctrow
 
  Please avoid sending me Word or PowerPoint attachments.
  See http://www.gnu.org/philosophy/no-word-attachments.html
 
  On Mon, Jun 1, 2015 at 4:05 PM, Jiri B ji...@devio.us wrote:
 
  On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:
  Hi,
 
  I have an web form.
 
  I need send of webform to script bash
 
  webform.html -- PHP proces -- create.sh
 
  create.sh
  #!/bin/ksh
  # Create user
 
  echo hi!! your pass $1
  crypted=$(echo -n $1 | smtpctl encrypt )
  maildir=$3/$2/
  echo -e $2@$3  recipients
  echo -e $2@$3\t$crypted  credentials
  echo ejabberdctl register $2 $3 $1
  echo INSERT INTO mails (userid, domain, password, maildir) VALUES
  ('$2', '$3','$crypted', '$maildir'); | mysql -umyuser -mypass mail;
 
  Hoho, it won't run in chroot, smtpd doesn't have socket
  in chroot, same for ejabberctl.
 
  You need to have some lightweight communication
  protocol between chroot and an app outside which would
  sanitize input and do the work.
 
  j.



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Okupandolared
Thank you all for the support.

I'll think of another way, and also sanitize my form.

Maybe Python goes outside the chroot.

Thanks again

On 06/01/15 10:21, Sebastien Marie wrote:
 Hi,
 
 Just to report how it is a bad idea... at least two sql injection and
 one shell injection in your files.
 
 On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:
 Hi,

 I have an web form.

 I need send of webform to script bash

 webform.html -- PHP proces -- create.sh

 create.sh
 #!/bin/ksh
 # Create user

 echo hi!! your pass $1
 crypted=$(echo -n $1 | smtpctl encrypt )
 maildir=$3/$2/
 echo -e $2@$3  recipients
 echo -e $2@$3\t$crypted  credentials
 echo ejabberdctl register $2 $3 $1
 echo INSERT INTO mails (userid, domain, password, maildir) VALUES
 ('$2', '$3','$crypted', '$maildir'); | mysql -umyuser -mypass mail;
 
 sql injection on $2 and $3 as ' isn't escaped by antiyec function
 
 example php
 ?php
 function antiyec($data) {
   $data = trim($data);
   $data = stripslashes($data);
   $data = htmlspecialchars($data);
   return $data;
 }
 $user = antiyec($_POST['user']);
 $frase1 = antiyec($_POST['pass']);
 $domain = antiyec($_POST['dom']);

 $out = shell_exec('ksh create.sh $frase1 $user $domain');
 
 shell injection on user, pass and dom variables, as ; isn't escaped by
 antiyec function
 
 echo pre$out/pre;
 ?


 On 06/01/15 08:50, Gareth Nelson wrote:
 Everyone is missing the bigger picture here:

 Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea
 and things should be redesigned so that it's not needed.

 
 yes it is a bad idea.



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Gareth Nelson
If you made these mistakes you'll have made others - get guidance from
someone who knows what they're doing and have them audit your whole system.

---
“Lanie, I’m going to print more printers. Lots more printers. One for
everyone. That’s worth going to jail for. That’s worth anything.” -
Printcrime by Cory Doctrow

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

On Mon, Jun 1, 2015 at 6:31 PM, Okupandolared kan...@darkmail.mx wrote:

 thank you all for the support,

 I think in another way, as well sanitize my form.

 maybe python goes outside the chroot.

 Thanks again

 On 06/01/15 10:21, Sebastien Marie wrote:
  Hi,
 
  Just to report how it is a bad idea... at least two sql injection and
  one shell injection in your files.
 
  On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:
  Hi,
 
  I have an web form.
 
  I need send of webform to script bash
 
  webform.html -- PHP proces -- create.sh
 
  create.sh
  #!/bin/ksh
  # Create user
 
  echo hi!! your pass $1
  crypted=$(echo -n $1 | smtpctl encrypt )
  maildir=$3/$2/
  echo -e $2@$3  recipients
  echo -e $2@$3\t$crypted  credentials
  echo ejabberdctl register $2 $3 $1
  echo INSERT INTO mails (userid, domain, password, maildir) VALUES
  ('$2', '$3','$crypted', '$maildir'); | mysql -umyuser -mypass mail;
 
  sql injection on $2 and $3 as ' isn't escaped by antiyec function
 
  example php
  ?php
  function antiyec($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
  }
  $user = antiyec($_POST['user']);
  $frase1 = antiyec($_POST['pass']);
  $domain = antiyec($_POST['dom']);
 
  $out = shell_exec('ksh create.sh $frase1 $user $domain');
 
  shell injection on user, pass and dom variables, as ; isn't escaped by
  antiyec function
 
  echo pre$out/pre;
  ?
 
 
  On 06/01/15 08:50, Gareth Nelson wrote:
  Everyone is missing the bigger picture here:
 
  Why is a PHP script calling the shell? 9 times out of 10, that's a bad
 idea
  and things should be redesigned so that it's not needed.
 
 
  yes it is a bad idea.



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Gareth Nelson
Why on earth are you using the shell to insert into MySQL?

I would redesign this whole setup under the guidance of someone more
experienced to be honest, there's MANY mistakes you're making here, and
thus likely other mistakes

---
“Lanie, I’m going to print more printers. Lots more printers. One for
everyone. That’s worth going to jail for. That’s worth anything.” -
Printcrime by Cory Doctrow

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

On Mon, Jun 1, 2015 at 4:05 PM, Jiri B ji...@devio.us wrote:

 On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:
  Hi,
 
  I have an web form.
 
  I need send of webform to script bash
 
  webform.html -- PHP proces -- create.sh
 
  create.sh
  #!/bin/ksh
  # Create user
 
  echo hi!! your pass $1
  crypted=$(echo -n $1 | smtpctl encrypt )
  maildir=$3/$2/
  echo -e $2@$3  recipients
  echo -e $2@$3\t$crypted  credentials
  echo ejabberdctl register $2 $3 $1
  echo INSERT INTO mails (userid, domain, password, maildir) VALUES
  ('$2', '$3','$crypted', '$maildir'); | mysql -umyuser -mypass mail;

 Hoho, it won't run in chroot, smtpd doesn't have socket
 in chroot, same for ejabberctl.

 You need to have some lightweight communication
 protocol between chroot and an app outside which would
 sanitize input and do the work.

 j.



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Okupandolared
Really you could use PHP to insert into MySQL,

but as I need to run ejabberdctl and smtpdctl,

I thought I would do everything from bash.

I have no idea how it could call smtpctl from PHP; maybe go look at
Python.

On 06/01/15 10:09, Gareth Nelson wrote:
 Why on earth are you using the shell to insert into MySQL?
 
 I would redesign this whole setup under the guidance of someone more
 experienced to be honest, there's MANY mistakes you're making here, and
 thus likely other mistakes
 
 ---
 “Lanie, I’m going to print more printers. Lots more printers. One for
 everyone. That’s worth going to jail for. That’s worth anything.” -
 Printcrime by Cory Doctrow
 
 Please avoid sending me Word or PowerPoint attachments.
 See http://www.gnu.org/philosophy/no-word-attachments.html
 
 On Mon, Jun 1, 2015 at 4:05 PM, Jiri B ji...@devio.us wrote:
 
 On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:
 Hi,

 I have an web form.

 I need send of webform to script bash

 webform.html -- PHP proces -- create.sh

 create.sh
 #!/bin/ksh
 # Create user

 echo hi!! your pass $1
 crypted=$(echo -n $1 | smtpctl encrypt )
 maildir=$3/$2/
 echo -e $2@$3  recipients
 echo -e $2@$3\t$crypted  credentials
 echo ejabberdctl register $2 $3 $1
 echo INSERT INTO mails (userid, domain, password, maildir) VALUES
 ('$2', '$3','$crypted', '$maildir'); | mysql -umyuser -mypass mail;

 Hoho, it won't run in chroot, smtpd doesn't have socket
 in chroot, same for ejabberctl.

 You need to have some lightweight communication
 protocol between chroot and an app outside which would
 sanitize input and do the work.

 j.



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Sebastien Marie
Hi,

Just to report how it is a bad idea... at least two sql injection and
one shell injection in your files.

On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:
 Hi,
 
 I have an web form.
 
 I need send of webform to script bash
 
 webform.html -- PHP proces -- create.sh
 
 create.sh
 #!/bin/ksh
 # Create user
 
 echo "hi!! your pass $1"
 crypted=$(echo -n $1 | smtpctl encrypt )
 maildir=$3/$2/
 echo -e "$2@$3" >> recipients
 echo -e "$2@$3\t$crypted" >> credentials
 echo ejabberdctl register $2 $3 $1
 echo "INSERT INTO mails (userid, domain, password, maildir) VALUES
 ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail;

sql injection on $2 and $3 as ' isn't escaped by antiyec function

 example php
 <?php
 function antiyec($data) {
   $data = trim($data);
   $data = stripslashes($data);
   $data = htmlspecialchars($data);
   return $data;
 }
 $user = antiyec($_POST['user']);
 $frase1 = antiyec($_POST['pass']);
 $domain = antiyec($_POST['dom']);
 
 $out = shell_exec('ksh create.sh $frase1 $user $domain');

shell injection on user, pass and dom variables, as ; isn't escaped by
antiyec function

 echo "<pre>$out</pre>";
 ?>
 
 
 On 06/01/15 08:50, Gareth Nelson wrote:
  Everyone is missing the bigger picture here:
  
  Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea
  and things should be redesigned so that it's not needed.
  

yes it is a bad idea.
-- 
Sébastien Marie
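The two injections Sebastien lists (a ' into the SQL, a ; into the shell) have one cause: form input is passed through unchanged. As an added example, not the thread's create.sh and not code from any poster, here is a POSIX sh version of the same account-creation steps that rejects anything outside a strict allowlist and quotes every expansion. The function names (valid_user, valid_domain, valid_pass, check_inputs, create_user) and the sample inputs are mine; the script assumes it runs outside the chroot, as Jiri B suggests, where smtpctl and ejabberdctl are reachable.

```shell
#!/bin/sh
# Added example, not the create.sh from the thread. It takes the same three
# inputs (password, user, domain) but validates each against a strict allowlist
# before use and quotes every expansion, so the ' and ; that Sebastien Marie
# points out are rejected outright instead of being passed on. It assumes it
# runs outside the chroot, as Jiri B suggests, where smtpctl and ejabberdctl are
# reachable; the constructed inputs at the bottom exercise only the validators.

# Local part of the address: letters, digits, dot, underscore, hyphen; 1-64 chars.
valid_user() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ ${#1} -le 64 ]
}

# Domain: letters, digits, hyphen and dots; no empty label; 1-253 chars.
valid_domain() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
    [ ${#1} -le 253 ]
}

# Password: at least 8 printable characters, no control characters or newlines
# (a newline would start a second record in the credentials file).
valid_pass() {
    [ ${#1} -ge 8 ] || return 1
    case $1 in
        *[![:print:]]*) return 1 ;;
    esac
}

# Validate all three inputs; says which one failed on stderr.
check_inputs() {  # check_inputs PASS USER DOMAIN
    valid_pass "$1"   || { echo "rejected password" >&2; return 1; }
    valid_user "$2"   || { echo "rejected user"     >&2; return 1; }
    valid_domain "$3" || { echo "rejected domain"   >&2; return 1; }
}

# The account-creation steps from the thread, with quoted arguments. The
# password reaches smtpctl on stdin, never on a command line where ps(1)
# would show it. The INSERT is deliberately absent: SQL assembled from shell
# strings stays fragile however it is quoted, so it belongs on the PHP side
# as a prepared statement.
create_user() {  # create_user PASS USER DOMAIN
    check_inputs "$1" "$2" "$3" || return 1
    crypted=$(printf '%s' "$1" | smtpctl encrypt) || return 1
    printf '%s@%s\n' "$2" "$3" >> recipients
    printf '%s@%s\t%s\n' "$2" "$3" "$crypted" >> credentials
    ejabberdctl register "$2" "$3" "$1"
}

# Constructed inputs: one well-formed set, then the payload Gareth Nelson posted
# as the domain, which check_inputs refuses before anything else runs.
check_inputs 'correct-horse-battery' 'alice' 'example.org' && echo "accepted"
check_inputs 'correct-horse-battery' 'alice' "',); DROP mails;--" || echo "payload rejected"
```

The PHP side has to cooperate: each argument wrapped in escapeshellarg() if a shell is used at all (better, no shell: exec the script with an argument list), and the INSERT issued from PHP through a prepared statement rather than built as a string for the mysql client. Allowlisting in the script is the second line; it means a mistake on the PHP side still cannot reach smtpctl, ejabberdctl or the files with arbitrary bytes.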



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Zé Loff
On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:
 Hi,
 
 I have an web form.
 
 I need send of webform to script bash
 
 webform.html -- PHP proces -- create.sh
 
 create.sh
 #!/bin/ksh
 # Create user
 
 echo "hi!! your pass $1"
 crypted=$(echo -n $1 | smtpctl encrypt )
 maildir=$3/$2/
 echo -e "$2@$3" >> recipients
 echo -e "$2@$3\t$crypted" >> credentials
 echo ejabberdctl register $2 $3 $1
 echo "INSERT INTO mails (userid, domain, password, maildir) VALUES
 ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail;
 
 example php
 <?php
 function antiyec($data) {
   $data = trim($data);
   $data = stripslashes($data);
   $data = htmlspecialchars($data);
   return $data;
 }
 $user = antiyec($_POST['user']);
 $frase1 = antiyec($_POST['pass']);
 $domain = antiyec($_POST['dom']);
 
 $out = shell_exec('ksh create.sh $frase1 $user $domain');
 echo "<pre>$out</pre>";
 ?>

If you have MySQL as backend for your email accounts, you can just do
the same with ejabberd. And after that, there is no reason why you can't
do the whole thing on PHP alone.

But as everyone pointed out, you need to do some serious reading and/or
get someone who knows how to set this up properly.


 On 06/01/15 08:50, Gareth Nelson wrote:
  Everyone is missing the bigger picture here:
  
  Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea
  and things should be redesigned so that it's not needed.
  
  ---
  “Lanie, I’m going to print more printers. Lots more printers. One for
  everyone. That’s worth going to jail for. That’s worth anything.” -
  Printcrime by Cory Doctrow
  
  Please avoid sending me Word or PowerPoint attachments.
  See http://www.gnu.org/philosophy/no-word-attachments.html
  
  On Mon, Jun 1, 2015 at 1:47 PM, dan mclaughlin thev...@openmailbox.org
  wrote:
  
  On Mon, 1 Jun 2015 06:05:28 -0400 Josh Grosse j...@jggimi.homeip.net
  wrote:
  On Mon, Jun 01, 2015 at 04:45:01AM -0400, dan mclaughlin wrote:
  On Sun, 31 May 2015 22:20:17 -0500 Okupandolared kan...@darkmail.mx
  wrote:
  does not exist,
 
  so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami?
 
  that try ls and /bin/ls and /var/www/bin/ls
 
  and it does not work,
  /bin/ls exist
  /var/www/bin/ls exist
 
  thanks
 
  On 05/31/15 19:43, Zé Loff wrote:
  On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA256
 
  I like received variables POST and send to KSH script.
 
  But it seems that in OpenBSD 5.6 and php-fpm.
 
  exec() and exec_shell() not working.
 
  Could anyone help me?
 
  This link explain in detail what I've tried.
 
 
 
  http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec
 
  thanks
 
  If the server is chrooted at /var/www then /usr/bin/whoami
  (from the
  server's point of view) actually means /var/www/usr/bin/whoami
  (from
  your point of view). Does that file exist?
 
 
  have you tried to copy /bin/sh to /var/www/bin/sh?
 
  Also, in a chrooted filesystem, every dynamically linked executable
  needs access
   to ld.so and its shared libraries.  Which means /var/www/usr/lib and
  /var/www/usr/libexec will need files populated -- every binary file
  should be
  checked with ldd(1) to ensure required libraries are made available.
  shared libraries.  Each program should
 
  that reminds me, i did a write up on chrooting programs here:
  https://marc.info/?l=openbsd-misc&m=142676615612510&w=2
 
  although it got into more, the basics of setting up a chroot jail are
  there.
 
  i also have a script that adds a binary and its dependencies automatically.
  i'll have to post it later, since i've actually been meaning to recently.
  just have to make a few adjustments for portability.
 

-- 



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Okupandolared
This was an example I wrote for this email; it really is not implemented anywhere.

But thanks for the observation.

If I decide to put it online, think of this security issue?

On 06/01/15 10:20, Gareth Nelson wrote:
 my domain is:
 ',); DROP mails;--
 
 Sanitise your inputs
 
 ---
 “Lanie, I’m going to print more printers. Lots more printers. One for
 everyone. That’s worth going to jail for. That’s worth anything.” -
 Printcrime by Cory Doctrow
 
 Please avoid sending me Word or PowerPoint attachments.
 See http://www.gnu.org/philosophy/no-word-attachments.html
 
 On Mon, Jun 1, 2015 at 6:16 PM, Okupandolared kan...@darkmail.mx wrote:
 
 Really you could use php to insert into mysql,

 but as I need to run ejabberdctl and smtpdctl.

 I thought it would do everything from bash

 I have no idea how it could call smtpctl from php, maybe you go look at
 python.

 On 06/01/15 10:09, Gareth Nelson wrote:
 Why on earth are you using the shell to insert into MySQL?

 I would redesign this whole setup under the guidance of someone more
 experienced to be honest, there's MANY mistakes you're making here, and
 thus likely other mistakes

 ---
 “Lanie, I’m going to print more printers. Lots more printers. One for
 everyone. That’s worth going to jail for. That’s worth anything.” -
 Printcrime by Cory Doctrow

 Please avoid sending me Word or PowerPoint attachments.
 See http://www.gnu.org/philosophy/no-word-attachments.html

 On Mon, Jun 1, 2015 at 4:05 PM, Jiri B ji...@devio.us wrote:

 On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:
 Hi,

 I have an web form.

 I need send of webform to script bash

 webform.html -- PHP proces -- create.sh

 create.sh
 #!/bin/ksh
 # Create user

 echo hi!! your pass $1
 crypted=$(echo -n $1 | smtpctl encrypt )
 maildir=$3/$2/
 echo -e $2@$3  recipients
 echo -e $2@$3\t$crypted  credentials
 echo ejabberdctl register $2 $3 $1
 echo INSERT INTO mails (userid, domain, password, maildir) VALUES
 ('$2', '$3','$crypted', '$maildir'); | mysql -umyuser -mypass mail;

 Hoho, it won't run in chroot, smtpd doesn't have socket
 in chroot, same for ejabberctl.

 You need to have some lightweight communication
 protocol between chroot and an app outside which would
 sanitize input and do the work.

 j.



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Okupandolared
Hi,

I have a web form.

I need to send the web form to a bash script.

webform.html --> PHP process --> create.sh

create.sh
#!/bin/ksh
# Create user

echo "hi!! your pass $1"
crypted=$(echo -n $1 | smtpctl encrypt )
maildir=$3/$2/
echo -e "$2@$3" >> recipients
echo -e "$2@$3\t$crypted" >> credentials
echo ejabberdctl register $2 $3 $1
echo "INSERT INTO mails (userid, domain, password, maildir) VALUES
('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail;

example php
<?php
function antiyec($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}
$user = antiyec($_POST['user']);
$frase1 = antiyec($_POST['pass']);
$domain = antiyec($_POST['dom']);

$out = shell_exec('ksh create.sh $frase1 $user $domain');
echo "<pre>$out</pre>";
?>


On 06/01/15 08:50, Gareth Nelson wrote:
 Everyone is missing the bigger picture here:
 
 Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea
 and things should be redesigned so that it's not needed.
 
 ---
 “Lanie, I’m going to print more printers. Lots more printers. One for
 everyone. That’s worth going to jail for. That’s worth anything.” -
 Printcrime by Cory Doctrow
 
 Please avoid sending me Word or PowerPoint attachments.
 See http://www.gnu.org/philosophy/no-word-attachments.html
 
 On Mon, Jun 1, 2015 at 1:47 PM, dan mclaughlin thev...@openmailbox.org
 wrote:
 
 On Mon, 1 Jun 2015 06:05:28 -0400 Josh Grosse j...@jggimi.homeip.net
 wrote:
 On Mon, Jun 01, 2015 at 04:45:01AM -0400, dan mclaughlin wrote:
 On Sun, 31 May 2015 22:20:17 -0500 Okupandolared kan...@darkmail.mx
 wrote:
 does not exist,

 so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami?

 that try ls and /bin/ls and /var/www/bin/ls

 and it does not work,
 /bin/ls exist
 /var/www/bin/ls exist

 thanks

 On 05/31/15 19:43, Zé Loff wrote:
 On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 I like received variables POST and send to KSH script.

 But it seems that in OpenBSD 5.6 and php-fpm.

 exec() and exec_shell() not working.

 Could anyone help me?

 This link explain in detail what I've tried.



 http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec

 thanks

 If the server is chrooted at /var/www then /usr/bin/whoami
 (from the
 server's point of view) actually means /var/www/usr/bin/whoami
 (from
 your point of view). Does that file exist?


 have you tried to copy /bin/sh to /var/www/bin/sh?

 Also, in a chrooted filesystem, every dynamically linked executable
 needs access
  to ld.so and its shared libraries.  Which means /var/www/usr/lib and
 /var/www/usr/libexec will need files populated -- every binary file
 should be
 checked with ldd(1) to ensure required libraries are made available.
 shared libraries.  Each program should

 that reminds me, i did a write up on chrooting programs here:
 https://marc.info/?l=openbsd-misc&m=142676615612510&w=2

 although it got into more, the basics of setting up a chroot jail are
 there.

 i also have a script that adds a binary and its dependencies automatically.
 i'll have to post it later, since i've actually been meaning to recently.
 just have to make a few adjustments for portability.



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Gareth Nelson
Everyone is missing the bigger picture here:

Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea
and things should be redesigned so that it's not needed.

---
“Lanie, I’m going to print more printers. Lots more printers. One for
everyone. That’s worth going to jail for. That’s worth anything.” -
Printcrime by Cory Doctrow

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

On Mon, Jun 1, 2015 at 1:47 PM, dan mclaughlin thev...@openmailbox.org
wrote:

 On Mon, 1 Jun 2015 06:05:28 -0400 Josh Grosse j...@jggimi.homeip.net
 wrote:
  On Mon, Jun 01, 2015 at 04:45:01AM -0400, dan mclaughlin wrote:
   On Sun, 31 May 2015 22:20:17 -0500 Okupandolared kan...@darkmail.mx
 wrote:
does not exist,
   
so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami?
   
that try ls and /bin/ls and /var/www/bin/ls
   
and it does not work,
/bin/ls exist
/var/www/bin/ls exist
   
thanks
   
On 05/31/15 19:43, Zé Loff wrote:
 On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 I like received variables POST and send to KSH script.

 But it seems that in OpenBSD 5.6 and php-fpm.

 exec() and exec_shell() not working.

 Could anyone help me?

 This link explain in detail what I've tried.



http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec

 thanks

 If the server is chrooted at /var/www then /usr/bin/whoami
 (from the
 server's point of view) actually means /var/www/usr/bin/whoami
 (from
 your point of view). Does that file exist?
   
  
   have you tried to copy /bin/sh to /var/www/bin/sh?
 
  Also, in a chrooted filesystem, every dynamically linked executable
 needs access
   to ld.so and its shared libraries.  Which means /var/www/usr/lib and
  /var/www/usr/libexec will need files populated -- every binary file
 should be
  checked with ldd(1) to ensure required libraries are made available.
  shared libraries.  Each program should

 that reminds me, i did a write up on chrooting programs here:
 https://marc.info/?l=openbsd-misc&m=142676615612510&w=2

 although it got into more, the basics of setting up a chroot jail are
 there.

 i also have a script that adds a binary and its dependencies automatically.
 i'll have to post it later, since i've actually been meaning to recently.
 just have to make a few adjustments for portability.



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-05-31 Thread Zé Loff
On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256
 
 I like received variables POST and send to KSH script.
 
 But it seems that in OpenBSD 5.6 and php-fpm.
 
 exec() and exec_shell() not working.
 
 Could anyone help me?
 
 This link explain in detail what I've tried.
 
 http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec
 
 thanks

If the server is chrooted at /var/www then /usr/bin/whoami (from the
server's point of view) actually means /var/www/usr/bin/whoami (from
your point of view). Does that file exist?

-- 



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-05-31 Thread Okupandolared
It does not exist,

so can I copy /usr/bin/whoami to /var/www/usr/bin/whoami?

I tried ls and /bin/ls and /var/www/bin/ls

and it does not work,
/bin/ls exists
/var/www/bin/ls exists

thanks

On 05/31/15 19:43, Zé Loff wrote:
 On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 I like received variables POST and send to KSH script.

 But it seems that in OpenBSD 5.6 and php-fpm.

 exec() and exec_shell() not working.

 Could anyone help me?

 This link explain in detail what I've tried.

 http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec

 thanks
 
 If the server is chrooted at /var/www then /usr/bin/whoami (from the
 server's point of view) actually means /var/www/usr/bin/whoami (from
 your point of view). Does that file exist?