I have written a script for doing a traceroute to a host/IP, and for some reason it is coming out as tracing from my server, not from the local user that is using it. If I pull up a traceroute in my terminal the output is completely different.

It can be tried here: http://beta.tracert.us. I have tried to mess with the code and can't seem to get it. I'm just trying to get this up as a utility for work and for the people who would use it, as other utilities are a bit laggy here at work.
Any and all help is appreciated greatly.

```php
<!DOCTYPE html>
<html lang="en">
<head>

<meta charset="utf-8" />

<title>TraceRoutes For ALL</title>
<link href='http://fonts.googleapis.com/css?family=Geo' rel='stylesheet' type='text/css'>
<link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Josefin+Sans">
<style type="text/css">

input.fname {
    border-radius: 10px;
    border: true;
    font-size: 80px;
    font-family: Josefin Sans;
    border-color: #111111 #111111 #111111 #111111;
}
body {
    border-radius: 10px;
    border: true;
    font-size: 60px;
    font-family: Josefin Sans;
    border-color: #111111 #111111 #111111 #111111;
}
div.traced {
    font-size: 20px;
    font-family: Josefin Sans;
}
</style>
</head>

<?php
// Get variables from the form, with register_globals on or off
//-------------------------
$unix      =  1; // set this to 1 if you are on a *unix system
$windows   =  0; // set this to 1 if you are on a windows system
// -------------------------
// nothing more to be done.
// -------------------------
// globals on or off?
$register_globals = (bool) ini_get('register_globals');
$system = ini_get('system');
$unix = (bool) $unix;
$win  = (bool) $windows;
//
if ($register_globals)
{
   $ip = getenv('REMOTE_ADDR');
   $self = $PHP_SELF;
}
else
{
   // isset() avoids undefined-index notices on the first page load
   $submit = isset($_GET['submit']) ? $_GET['submit'] : '';
   $host   = isset($_GET['host']) ? $_GET['host'] : '';
   $ip     = $_SERVER['REMOTE_ADDR'];
   $self   = $_SERVER['PHP_SELF'];
}
// form submitted?
if ($submit == "Traceroute!")
{
      // replace bad chars
      $host= preg_replace ("/[^A-Za-z0-9.]/","",$host);
      echo '<center>';
      echo '<body bgcolor="#FFFFFF" text="#000000"></body>';
      echo("Trace Output:<br>");
      echo '<pre>';
      echo '<form name="test" action="ses.php" method="post">';
      echo '<textarea rows="30" cols="120" readonly name="form">';
      // check target IP or domain
      if ($unix)
      {
         system ("traceroute $host");
         system("killall -q traceroute");// kill all traceroute processes in case there are some stalled ones or use echo 'traceroute' to execute without shell
      }
      else
      {
         system("tracert $host");
      }

      echo '</textarea>';
      echo '</pre>';
      echo '</form>';
      echo '<div class="traced">';
      echo '<a href="http://beta.tracert.us">Need to trace again?</a></br>';
      echo '</br>Email this or send it</br>';
      echo '<a href="http://gmail.com" target="_blank">Gmail</a> | <a href="http://yahoomail.com" target="_blank">Yahoo</a> | <a href="http://hotmail.com" target="_blank">Hotmail</a></br>';
      echo 'Traceroute complete</br><hr>';
      echo '<a href="http://coinchat.org/r:mrmuffins">Chat for Bitcoins</a>';
      echo '</div>';
}
else
{
    echo '<body bgcolor="#FFFFFF" text="#000000"></body>';
    echo '<center>';
    echo '<p><font size="30">Your IP is: </font><font size="25" color="red">'.$ip.'</font></p>';
    echo '<div id="form1">';
    // method must be "get": the handler above reads $_GET.
    // PHP_SELF can carry request-supplied path data, so escape it before output.
    echo '<form method="get" action="'.htmlspecialchars($self, ENT_QUOTES).'">';
    echo '   Enter IP or Host </br><input type="text" class="fname" name="host" placeholder="Enter domain/IP"></input>';
    echo '  </br> <input type="submit" name="submit" value="Traceroute!"></input>';
    echo '</form>';
    echo '</div>';
    echo '<br><b>'.$system.'</b>';
    echo 'This may take up to 30 seconds to output.  Please be patient.';
    echo '</center>';
    echo '</body></html>';
}
?>
```
Wayne Whitty
cmtzco
  • You cannot run a command on a user's machine. Otherwise it would be a **HUGE** security hole. – zerkms Sep 07 '13 at 10:45

1 Answer

A traceroute can only be executed from the machine that is running the code.

Is the client running the code? Probably not, your server is. So you cannot get what you want.

Something more important: You have a very bad code execution vulnerability! You have to validate that the string containing the IP address contains nothing else.

Please do not use that script online. You will get hacked.

Sven
  • So wait when you say that I am using bad code execution where exactly are my vulnerabilities, forgive me for not knowing:(. I'm just starting out. "You have to validate that the string containing the IP address contains nothing else." What do you mean by nothing else? @sven – cmtzco Sep 07 '13 at 10:54
  • Ok, very hidden in your code you have this: `$host= preg_replace ("/[^A-Za-z0-9.]/","",$host);` - I'm thinking "Why the hell do you accept text characters as an IP", but effectively this acts as a safeguard, yes. The question is: Do you know ALL characters that are evil when put into a shell command? Probably not. Use `escapeshellarg()` http://de3.php.net/escapeshellarg to BE SURE. That way, I wouldn't complain about insecurity, and your regular expression only acts as a validation for IP addresses and a smaller part of domain names. If you fix the domain part, you cannot "unfix" security. – Sven Sep 07 '13 at 11:02
  • Yes so the characters are allowed due to it using domains as well, http://ideone.com/1732Kc I have forked it, I added line 54 and modified line 62. Would that be the correct way to implement it? @sven – cmtzco Sep 07 '13 at 11:16
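
The split the answer and its comments describe, with validation deciding what counts as a host and `escapeshellarg()` handling shell safety, could look like the sketch below. It is an added example, not code from the question, the answer or the ideone fork; the function names `validate_trace_target()` and `build_trace_command()` and the `-m 20 -w 2` limits are assumptions made for illustration.

```php
<?php
// Added example; helper names are hypothetical, sample inputs are constructed.

/**
 * Return the target if it is an IP literal or a syntactically valid
 * hostname, otherwise null. This is an allowlist check: bad input is
 * rejected outright instead of being stripped and passed on.
 */
function validate_trace_target($input)
{
    $host = trim((string) $input);

    // IPv4 or IPv6 literal.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }

    // Hostname: dot-separated labels of 1-63 letters, digits or hyphens,
    // each starting and ending with a letter or digit. Since no label may
    // start with "-", the value can never be parsed by traceroute as an
    // option, which escapeshellarg() on its own would not prevent.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $pattern = '/\A' . $label . '(?:\.' . $label . ')*\z/';
    if (strlen($host) <= 253 && preg_match($pattern, $host) === 1) {
        return $host;
    }
    return null;
}

/** Build the shell command; the host is always passed as one quoted argument. */
function build_trace_command($host)
{
    // -m and -w bound the hop count and per-probe wait so a request cannot hang.
    return 'traceroute -m 20 -w 2 ' . escapeshellarg($host);
}

// Constructed sample inputs: two accepted, three rejected.
$samples = array('my-site.example.com', '192.0.2.10', 'example.com;', '-example.com', 'exa mple.com');
foreach ($samples as $raw) {
    $host = validate_trace_target($raw);
    if ($host === null) {
        echo 'rejected: ' . htmlspecialchars($raw, ENT_QUOTES) . "\n";
        continue;
    }
    // In the page handler this string would go to exec(), and every output
    // line through htmlspecialchars() before being echoed.
    echo build_trace_command($host) . "\n";
}
```

The demo loop only prints the commands it would run, so it can be tried without network access. The trace still originates from the server, as the answer explains.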