PHP backticks in GET/POST request

Question

Using PHP 5.6, I stumbled upon the command execution via backticks and I was wondering how that could prove to be a vulnerability in PHP powered websites.

I can understand that the following code:

<?php
$output = `ls -al`;
echo "<pre>$output</pre>";
?>

allows the $output variable contents to be executed in shell.

My question now is, are the backticks needed to be hardcoded around the variable value or can they be also part of the value?

For example, in the previous code block the backticks are hardcoded around the value but what if the $output variable was set via a GET/POST REQUEST like so:

http://example.com/index.php?arg=`exec code`

or

http://example.com/index.php?arg=%60exec%20code%60

and in php:

<?php
$output = $_REQUEST['arg']
echo "<pre>$output</pre>";
?>

Is that vulnerable code?

Thank you in advance

"Using PHP 5.6" — That's been dead and unsupported for years. Upgrade to PHP 8.1. — Quentin, Feb 17 '22 at 12:29
@LawrenceCherone yes definitely due to not escaping user input but do you mean that it is vulnerable also to code execution? — user1639153, Feb 17 '22 at 20:26

score 0 · Answer 1 · answered Feb 17 '22 at 12:28

Special characters in user input are not evaluated unless you do something to evaluate them.

That means injecting the string into context where it will be evaluated (e.g. the eval function for evaluate as PHP, mysqli::query() where it will be evaluated as SQL by the database server, or <script> where it will be evaluated as JS by the browser.

PHP backticks in GET/POST request

1 Answers1