Jump to content

problem with dollar sign php in password form


amresmat
Go to solution Solved by Psycho,

Recommended Posts

Hello

I have a PHP script which take the username and password, send it to python script to hash it
i didn't write the php script i found it on the internet, i'm novice in php

 

the php script is a simple form so users can insert their username and passsword, php took these inputs from the form and send it to the pythin script.

my problem is with when the password contain $$ or in general $ it get translated to random number when sent to the script for example PA$$W0RD will be PA2356W0RD, if in the password field i surrounded password with single quotes the password got passed to python script as it is, so how to make php script take the dollar sign as it is without converting to number, or how to make the php script surrounds the password with single quotes when passing it to the python script.

 

PHP Code

<?php
///////////////////////////////////////////////////////////////
// PHP script to change Linux password
// SEE following URL mor more info:
// http://www.cyberciti.biz/tips/change-linux-or-unix-system-password-using-php-script.html
// Written by nixCraft <http://www.cyberciti.biz/>
// Distributed under GNU/GPL v2.0+
///////////////////////////////////////////////////////////////


// change .. me! - shell script name
$shellscript = "python /home/rconfig/www/test1.py";

// Make sure form is submitted by user
if(!(isset($_POST['pwdchange']))) {
 // if not display them form
 writeHead("Hash password");
 writeForm();
 writeFoot();
}
else {
 // try to change the password
 $callshell=true;
 // get username and password
 $_POST['username'] = stripslashes(trim($_POST['username']));
 $_POST['passwd'] = stripslashes(trim($_POST['passwd']));

// if user skip our javascript ...
// make sure we can only change password if we have both username and password
 if(empty($_POST['username'])) {
   $callshell=false;
 }
 if(empty($_POST['passwd'])) {
   $callshell=false;
 }
 if ( $callshell == true ) {
  // command to change password
  $cmd="$shellscript " . $_POST['username'] . " " . $_POST['passwd'];
  // call command
  // $cmd - command, $output - output of $cmd, $status - useful to find if command failed or not
   exec($cmd,$output,$status);
   if ( $status == 0 ) { // Success - password Hash
   writeHead("Password Hashed");
   echo '<h3>Password Hashed</h3>Setup a <a href='. $_SERVER['PHP_SELF'] . '>new password</a>';
   writeFoot();
   }
   else { // Password failed
      writeHead("Password hashing failed");
      echo '<h3>Password hashing failed</h3>';
      echo '<p>System returned following information:</p><pre>';
      print_r($output);
      echo '</pre>';
      echo '<p><em> Please try again, if the the propblem still exist contact the concerned team for more info <a href='.$_SERVER['PHP_SELF'].'again</a></em></p>';
      writeFoot();
   }
 }
 else {
   writeHead("Something was wrong -- Please try again");
   echo 'Error - Please enter username and password';
   writeForm();
   writeFoot();
 }
}

// display html head
function writeHead($title) {
echo '
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title> ' .$title. '</title>
<style type="text/css" media="screen">
.passwdform {
   position: static;
   overflow: hidden;
}

.passwdleft {
   width: 25%;
   text-align: right;
   clear: both;
   float: left;
   display: inline;
   padding: 4px;
   margin: 5px 0;
}

.passwdright {
   width: 70%;
   text-align: left;
   float: right;
   display: inline;
   padding: 4px;
   margin: 5px 0;
}

.passwderror {
   border: 1px solid #ff0000;
}

.passwdsubmit {
}
</style>

</head>

<body>';

}
// display html form
function writeForm() {
echo '
<h3>Use following form to change password:</h3>

<script>
function checkForm() {
if (document.forms.changepassword.elements[\'username\'].value.length == 0) {
    alert(\'Please enter a value for the "User name" field\');
    return false;
}
if (document.forms.changepassword.elements[\'passwd\'].value.length == 0) {
    alert(\'Please enter a value for the "Password" field\');
    return false;
}
  return true;
}
</script>

<div class="contactform">
<form action="' . $_SERVER[PHP_SELF]. '" method="post" onSubmit="return checkForm()" name="changepassword">
<div class="passwdleft"><label for="lblusername">User Name: </label></div>
<div class="passwdright"><input type="text" name="username" id="lblusername" size="30" maxlength="50" value="" /> (required)</div>
<div class="passwdleft"><label for="lblpasswd">Password: </label></div>
<div class="passwdright"><input type="password" name="passwd" id="lblpasswd" size="30" maxlength="50" value="" /> (required)</div>
<div class="passwdright"><input type="submit" name="Submit" value="Change password" id="passwdsubmit" />
<input type="hidden" name="pwdchange" value="process" /></div>
</form>
</div>
';

}
// display footer
function writeFoot(){
echo '</body>
</html>
';
}
?>

i can post the python script if needed.

 

Thanks

 

Link to comment
Share on other sites

How are you verifying "where" the dollar signs are getting modified? I can think of no reason why PHP would modify the value in that manner, so my guess is that the problem is with how the dollar sign is interpreted in Python. I don't know Python at all, but a quick Google search found several pages regarding special string interpretations for dollar signs within strings for Python.

 

 

If having single quotes around the value works and does not change the value that Python interprets, you could add quotes around the value before you pass it. If not, then you really need to be looking for a Python solution. But, why are you using Python to hash the password when you can do it within PHP anyway. Seems like an over-complication.

Edited by Psycho
Link to comment
Share on other sites

How are you verifying "where" the dollar signs are getting modified? I can think of no reason why PHP would modify the value in that manner, so my guess is that the problem is with how the dollar sign is interpreted in Python. I don't know Python at all, but a quick Google search found several pages regarding special string interpretations for dollar signs within strings for Python.

 

 

If having single quotes around the value works and does not change the value that Python interprets, you could add quotes around the value before you pass it. If not, then you really need to be looking for a Python solution. But, why are you using Python to hash the password when you can do it within PHP anyway. Seems like an over-complication.

 

thanks for your reply, yes if the password is surrounded by single quotes it will be taken as it is, if a user entered the password between single quotes it will work fine with no mistakes but it would be wierd to ask users to write their passwords surrounded by single quotes, i think yes it is python problem with dollar sign not php that why i want php to enclose the password in single quotes then pass it to the python script

 

I know i can hash and do all stuff with php, but i know python, i don't know php that's why i did this with python.

Link to comment
Share on other sites

$cmd="$shellscript " . $_POST['username'] . " " . $_POST['passwd'];

...

exec($cmd,$output,$status);

Seriously, WTF? Do you understand that this piece of code gives any website visitor direct access to a system shell?

 

This script is malware. It's a backdoor. You need to delete it right now.

 

You can't just download some PHP code you found on some fishy website. Do you not understand how dangerous this is? I mean, you wouldn't download an executable file from an untrusted source, would you?

 

If you don't know PHP, then either learn it or don't use it. But downloading random PHP code from the Internet is definitely not an option.

Link to comment
Share on other sites

$cmd="$shellscript " . $_POST['username'] . " " . $_POST['passwd'];

...

exec($cmd,$output,$status);

Seriously, WTF? Do you understand that this piece of code gives any website visitor direct access to a system shell?

 

This script is malware. It's a backdoor. You need to delete it right now.

 

You can't just download some PHP code you found on some fishy website. Do you not understand how dangerous this is? I mean, you wouldn't download an executable file from an untrusted source, would you?

 

If you don't know PHP, then either learn it or don't use it. But downloading random PHP code from the Internet is definitely not an option.

 

 

i know anybody can try to execute something since the php code is used to execute shell script, like for example adding semicolon then add a script or command

but dun't worry this won't be used for public accessibilty at all, it is just private for other purposes, no risk at all i'm not that stupid :)

Link to comment
Share on other sites

Passing uncontrolled input to a shell isn't a good idea on any planet. I wouldn't be surprised if the issue with the dollar signs is a symptom of this severe bug.

 

If you think you should keep the script, I can't stop you from doing that. Unfortunately, there are no laws against terrible code. But if you care just a tiny, tiny bit about things like quality or correctness, flush this sh*t down the toilet.

Link to comment
Share on other sites

  • Solution

. . .  it would be wierd to ask users to write their passwords surrounded by single quotes, i think yes it is python problem with dollar sign not php that why i want php to enclose the password in single quotes then pass it to the python script

 

And, why would you ask the user to put the quotes? You should do it programatically.

$_POST['passwd'] = "'" . stripslashes(trim($_POST['passwd'])) . "'";

Although I'm not real confident that will really work. You are trying to fix the problem in the wrong place and it would probably be best achieved within the Python script. Plus, to Jacques1 point, you state this is for 'private' purpose, but yet you state you have users that you don't want to have to dictate format. Rather than ignore the comments given you really need to take them into serious consideration. If you need help - then ask.

 

But, I will ask the same question as before. Why are you using a Python script to hash the password when you can do that easier in PHP?

 

EDIT: Never mind, I see you are changing a Linux password. I thought this was a password for the user in the DB. Although, I would look for a way to do it in PHP if possible. I really don't have knowledge of something like that.

Edited by Psycho
Link to comment
Share on other sites

Here is a rewrite of your script that resolves many of the problems in the logic and security. It *may* also resolve the issue with the dollar signs. The function escapeshellarg() is a PHP function to escape a value for use as a sell argument. If not, you can try adding the quotes to the value before you send it to the Python script

 

I didn't test this, so there may be a few syntax errors to resolve

 

<?php
///////////////////////////////////////////////////////////////
// PHP script to change Linux password
// SEE following URL mor more info:
// http://www.cyberciti.biz/tips/change-linux-or-unix-system-password-using-php-script.html
// Written by nixCraft <http://www.cyberciti.biz/>
// Distributed under GNU/GPL v2.0+
///////////////////////////////////////////////////////////////
 
$title = '';
$resultMessage = '';
$displayForm = false;
 
// Make sure form is submitted by user
if(!(isset($_POST['pwdchange'])))
{
    // if not display them form
    $title = "Hash password";
    $displayForm = true;
}
else
{
    // try to change the password
    // get username and password
    $username = escapeshellarg(stripslashes(trim($_POST['username'])));
    $password = escapeshellarg(stripslashes(trim($_POST['passwd'])));
 
    // if user skip our javascript ...
    // make sure we can only change password if we have both username and password
    if (!empty($username) && !empty($password))
    {
        // Define shell script
        $shellscript = "python /home/rconfig/www/test1.py";
        // command to change password
        $cmd = "$shellscript {$username} {$password}";
        // call command
        // $cmd - command, $output - output of $cmd, $status - useful to find if command failed or not
        exec($cmd, $output, $status);
        if ( $status == 0 )
        {
            // Success - password Hash
            $title = "Password Hashed");
            $resultMessage .= "<h3>Password Hashed</h3>Setup a <a href='{$_SERVER['PHP_SELF']}'>new password</a>\n";
        }
        else
        {
            // Password failed
            $title = "Password hashing failed";
            $resultMessage .= "<h3>Password hashing failed</h3>\n"
            $resultMessage .= "<p>System returned following information:</p>\n";
            $resultMessage .= "<pre>" . print_r($output, 1) . "</pre>\n";
            $resultMessage .= "<p><em> Please try again, if the the propblem still exist contact the concerned team for more info";
            $resultMessage .= "<a href='{$_SERVER['PHP_SELF']}'>again</a></em></p>\n";
        }
    }
    else
    {
       $title = "Something was wrong -- Please try again";
       $resultMessage .= "Error - Please enter username and password\n";
       $displayForm = true;
    }
}
 
// display html form
function writeForm($display)
{
    if(!$display) { return; }
    echo "<h3>Use following form to change password:</h3>\n";
    echo "<script>\n";
    echo "function checkForm() {\n";
    echo "    if (document.forms.changepassword.elements[\'username\'].value.length == 0) {\n";
    echo "        alert(\'Please enter a value for the \"User name\" field\');\n";
    echo "        return false;\n";
    echo "    }\n";
    echo "    if (document.forms.changepassword.elements[\'passwd\'].value.length == 0) {\n";
    echo "        alert(\'Please enter a value for the \"Password\" field\');\n";
    echo "        return false;\n";
    echo "    }\n";
    echo "    return true;\n";
    echo "}\n";
    echo "</script>\n";
    echo " <div class=\"contactform\">\n";
    echo "<form action='{$_SERVER[PHP_SELF]}' method='pos' onSubmit='return checkForm()' name='changepassword'>\n";
    echo "<div class='passwdleft'><label for='lblusername'>User Name: </label></div>\n";
    echo "<div class='passwdright'><input type='text' name='username' id='lblusername' size='30' maxlength='50' value=' /> (required)</div>\n";
    echo "<div class='passwdleft'><label for='lblpasswd'>Password: </label></div>\n";
    echo "<div class='passwdright'><input type='password' name='passwd' id='lblpasswd' size='30' maxlength='50' value='' /> (required)</div>\n";
    echo "<div class='passwdright'><input type='submit' name='Submit' value='Change password' id='passwdsubmit' />\n";
    echo "<input type='hidden' name='pwdchange' value='process' /></div>\n";
    echo "</form>\n";
    echo " </div>\n";
 
}
 
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title><?php echo $title; ?></title>
    <style type="text/css" media="screen">
    .passwdform {
       position: static;
       overflow: hidden;
    }
 
    .passwdleft {
       width: 25%;
       text-align: right;
       clear: both;
       float: left;
       display: inline;
       padding: 4px;
       margin: 5px 0;
    }
 
    .passwdright {
       width: 70%;
       text-align: left;
       float: right;
       display: inline;
       padding: 4px;
       margin: 5px 0;
    }
 
    .passwderror {
       border: 1px solid #ff0000;
    }
 
    .passwdsubmit {
    }
    </style>
</head>
 
<body>
    <?php echo $resultMessage; ?>
    <?php writeForm($displayForm); ?>
</body>
</html>
Edited by Psycho
Link to comment
Share on other sites

And, why would you ask the user to put the quotes? You should do it programatically.

$_POST['passwd'] = "'" . stripslashes(trim($_POST['passwd'])) . "'";

Although I'm not real confident that will really work. You are trying to fix the problem in the wrong place and it would probably be best achieved within the Python script. Plus, to Jacques1 point, you state this is for 'private' purpose, but yet you state you have users that you don't want to have to dictate format. Rather than ignore the comments given you really need to take them into serious consideration. c

 

But, I will ask the same question as before. Why are you using a Python script to hash the password when you can do that easier in PHP?

 

EDIT: Never mind, I see you are changing a Linux password. I thought this was a password for the user in the DB. Although, I would look for a way to do it in PHP if possible. I really don't have knowledge of something like that.

thanks that worked and solved the problem, as i said i don't know php i know python that is why i used python script, if you can tell me how to use this php to hash password with sha512 plus salt linux style and save the username and hash in a file that would be great :)

 

all i want from this scrips and the users is just the hash and it won't be used for changing linux password , no user will change password or something serious also the server containing this script does not contain anything important, also nobody will have access to this hashing script form before my acknowledge.

 

i did get that code from the link that expalin how to use it to change linux password, but all i want is the php part, i put my own script for my purpose i don't need it to change linux password

 

"If you need help - then ask" i did ask for help and i really appreciate your helo :)

 

hope these answered your questions, i'm going to read your last reply thanks again

Edited by amresmat
Link to comment
Share on other sites

 the problem with it is that username and password appear on the url after pressing submit button.

 

Just a typo. Change this

 

echo "<form action='{$_SERVER[PHP_SELF]}' method='pos' onSubmit='return checkForm()' name='changepassword'>\n";

 

to This:

 

echo "<form action='{$_SERVER[PHP_SELF]}' method='post' onSubmit='return checkForm()' name='changepassword'>\n";

 

Note: the method value should be 'post' not 'pos'

Link to comment
Share on other sites

 

   echo "<h3>Use following form to change password:</h3>\n";
    echo "<script>\n";
    echo "function checkForm(formObj)\n";
    echo "{\n";
    echo "    if(!formObj.elements['username'].value.length || !formObj.elements['passwd'].value.length)\n";
    echo "    {\n";
    echo "        alert('Please enter values for the \"User name\" and \"Password\" fields');\n";
    echo "        return false;\n";
    echo "    }\n";
    echo "    return true;\n";
    echo "}\n";
    echo "</script>\n";
    echo " <div class='contactform'>\n";
    echo "<form action='{$_SERVER[PHP_SELF]}' method='pos' onSubmit='return checkForm(this)' name='changepassword'>\n";
    echo "<div class='passwdleft'><label for='lblusername'>User Name: </label></div>\n";
    echo "<div class='passwdright'><input type='text' name='username' id='lblusername' size='30' maxlength='50' value='' /> (required)</div>\n";
    echo "<div class='passwdleft'><label for='lblpasswd'>Password: </label></div>\n";
    echo "<div class='passwdright'><input type='password' name='passwd' id='lblpasswd' size='30' maxlength='50' value='' /> (required)</div>\n";
    echo "<div class='passwdright'><input type='submit' name='Submit' value='Change password' id='passwdsubmit' />\n";
    echo "<input type='hidden' name='pwdchange' value='process' /></div>\n";
    echo "</form>\n";
    echo " </div>\n";
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.