0

I'm attempting to launch a sh file through PHP with arguments, however I cannot get this working at all:

<?php
$ip = $_GET['ip'];
$port = $_GET['port'];

echo shell_exec('sh var/www/html/Grant73565/Grant.sh $ip $port')or die("bash didn't work");
echo('Sent!');
?>

Running the file through ssh manually works fine like:

./Grant.sh 127.0.0.1 80

However in php it just echo's "Bash didn't work".

It's not to-do with the arguments as far as I know as it's not even launching the file without them.

Improve this question
1
  • 4
    do NOT do this. you're opening your server to a complete remote compromise. consider example.com?ip=;rm -rf /. Enjoy having your server completely destroyed Commented Dec 6, 2012 at 20:18

1 Answer 1

Reset to default
1

You need to use double-quotes if you want to include a variable.

echo shell_exec("sh var/www/html/Grant73565/Grant.sh $ip $port") or die("bash didn't work");

With your current code, anybody can alter the http query and execute anything on your server. This is a major security hole.

The solution is to verify the input. The port will always be numeric so that's simple. You can use a regular expression to verify the IP address.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

I understand the security risk, everything is IP locked anyway. Ill be working on it later. I still get "bash didn't work" with that code.
Are you sure the path is correct? Have you tried to print out the command and running it through a shell?
Yes, doing find / -name Grant.sh returns: /var/www/html/Grant73565/Grant.sh
So.. include the forward slash in the beginning of the php command? Otherwise you're trying to execute a command relative to the script path.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.