Vulnerability Development mailing list archives

PHP : eval() ?


From: frog frog <leseulfrog () hotmail com>
Date: 18 Jul 2002 20:32:27 -0000



Hi :)

I've tried to use the eval() function to inject bad PHP code.
Then I made this file (script.php):
<?
$evalue = "echo \" test $nickname \";";
eval($evalue);
?>

I wrote in my web browser:
http://[website]/script.php?nickname=test";system(\$cmd);%20echo%20"hop&cmd=ls
The server replaces " with \", so I thought that the value of $evalue 
would be:
echo \" test test\";system(\$cmd);echo \"hop \";
and that the eval() function would execute the 3 lines.
But no!
The script executes this:
echo "test test \";system(\ls);echo \"hop ";

Is it possible to inject bad PHP code with this PHP file? How can I do it?
If it is not possible, can I have an example of a bad use of the eval() 
function?

Thank you
Sorry for my poor English

frog
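
Added example, not part of the original post: the same script.php output produced without eval(), so the request value is never turned into PHP source. The helper names `clean_nickname` and `render_greeting` and the nickname allowlist are assumptions made for illustration.

```php
<?php
// Added example (not from the original post): script.php without eval().
// Assumption: a nickname is a short display name; the allowlist is illustrative.

function clean_nickname($raw): ?string
{
    // Reject arrays (?nickname[]=x) and anything outside the allowlist,
    // so quotes, backslashes, semicolons and '$' never get past this point.
    if (!is_string($raw) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $raw)) {
        return null;
    }
    return $raw;
}

function render_greeting($raw): string
{
    $nickname = clean_nickname($raw);
    if ($nickname === null) {
        return ' test (invalid nickname) ';
    }
    // The value stays data: it is concatenated into output, never into
    // a string that is later parsed as PHP code.
    return ' test ' . htmlspecialchars($nickname, ENT_QUOTES, 'UTF-8') . ' ';
}

// Read the parameter explicitly instead of relying on a global $nickname
// that the server fills in from the query string.
echo render_greeting($_GET['nickname'] ?? null);
```

Automatic quote escaping by the server is not what makes this safe; the safety comes from keeping request data out of any string passed to eval().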

