I have a simple cmd.php page to run commands I enter using shell_exec () and show the output.
- PHP is running as CGI
- Entering "php -v" and most commands just show "Content-type: text/html" and then the current page's HTML source.
However, calling PHP with an invalid parameter (/usr/bin/php -z) shows PHPs usage:
Usage: php [-q] [-h] [-s] [-v] [-i] [-f ] php [args...]
etc...
I attached a couple of images to show what I mean.
PHP -v doesn't produce expected output
PHP -z shows PHP's usage
Any ideas?
Edit
cmd.php
<?php
if ( isset ( $_POST['submit'] ) ) :
$response = shell_exec ( escapeshellcmd ( stripslashes ( $_POST['cmd'] ) ) );
endif;
?><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<style type="text/css">
pre#response { border: 1px solid #e0e0e0; padding: .5em; }
</style>
<title>Command</title>
</head>
<body>
<form action="cmd.php" method="post">
<p><input type="text" name="cmd" id="cmd" value="<?php echo @htmlspecialchars ( stripslashes ( $_POST['cmd'] ) ); ?>" size="50" />
<button type="submit" name="submit" id="submit" value="Submit">Submit</button>
</p>
</form>
<?php
if ( isset ( $response ) ) :
?>
<pre id="response"><?php
if ( empty ( $response ) ) :
echo 'No response.';
else :
echo htmlspecialchars ( $response );
endif;
?></pre>
<?php
endif;
?>
</body>
</html>