0

I tried to create a PHP script which will be invoked when someone clicks on a button and is taken to vt.php. Now I want to download the sample based on the VT hash which is received from the previous PHP page. I tried using this logic, but it is not working.

<?php


$fileHash = $_POST['hash'];

echo $fileHash;
#$command = escapeshellcmd("python vt_download.py $fileHash");
$command = escapeshellcmd("curl -v --location https://www.virustotal.com/vtapi/v2/file/download?apikey=APIKEY\&hash=$fileHash -o $fileHash");
$output = shell_exec($command);
echo $output;

?>

Output c75b5e2ca63adb462f4bb941e0c9f509

Expected output c75b5e2ca63adb462f4bb941e0c9f509 File Downloading Process ------- curl output

When this page is called, it is only printing the hash and not downloading the file. Any suggestions to solve this?

P.S.: Error in downloading file from VirusTotal only on server? -- Previously asked this question here; either this or that using Python will help.

5
  • 6
    No need to use shell_exec, it's an open door for security leaks, especially in your case where you're providing user-inputted data. cURL exists as a PHP library too: php.net/manual/en/book.curl.php Commented Feb 27, 2017 at 16:12
  • You're using escapeshellcmd but you also seem to have done some manual escaping. It should be one or the other. Commented Feb 27, 2017 at 16:14
  • @SirMcPotato <?php #$fileHash = $_POST['hash']; $fileHash = 'c75b5e2ca63adb462f4bb941e0c9f509'; #echo $5e2ca63adb462f4bb941e0c9f509i9 curl_setopt($ch , CURLOPT_URL , "https://www.virustotal.com/vtapi/v2/file/download?apikey=APIKEY\&hash=$fileHash -o $fileHash"); curl_exec($ch); curl_close($ch); ?> Is it correct? Commented Feb 27, 2017 at 18:33
  • @apokryfos any alternative ways of using it?? Commented Feb 27, 2017 at 18:33
  • @BackdoorCipher It's the idea. Making an answer. Commented Feb 28, 2017 at 8:04

1 Answer 1

1

You can directly use the PHP cURL library instead of the shell_exec function, which can quickly lead to security issues when using user-inputted data.

<?php
    $fileHash = $_POST['hash'];

    // Initializing cURL, we can put the URL in the curl_init function.
    // urlencode() keeps the user-supplied hash from adding extra query parameters.
    $ch = curl_init("https://www.virustotal.com/vtapi/v2/file/download?apikey=APIKEY&hash=" . urlencode($fileHash));

    // We need to retrieve the response, so curl_exec() must return it instead of printing it:
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

    // Executing the request
    $result = curl_exec($ch);

    // Error verification: curl_exec() returns false on failure (an empty body is not an error)
    if ($result === false) {
        echo('Error: "' . curl_error($ch) . '" - Code: ' . curl_errno($ch));
    }
    curl_close($ch);
?>
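
The approach from the answer carried through to a file saved on disk, as an added example that is not part of the original answer or of VirusTotal's own code. It validates the posted hash before use and writes the download to a fixed directory; `validate_hash()`, `vt_download()`, the `VT_API_KEY` environment variable and the `/var/lib/vt-samples` directory are assumptions made for illustration.

```php
<?php
// Added example. validate_hash(), vt_download(), VT_API_KEY and /var/lib/vt-samples are assumptions.
// Accept only an MD5, SHA-1 or SHA-256 hex digest (arrays and other types are rejected too).
function validate_hash($input): ?string
{
    $hash = is_string($input) ? strtolower(trim($input)) : '';
    return preg_match('/\A(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\z/', $hash) === 1 ? $hash : null;
}

// Stream the sample to disk through the cURL extension: no shell, no user-chosen path.
function vt_download(string $hash, string $apiKey, string $destDir): string
{
    $query = http_build_query(['apikey' => $apiKey, 'hash' => $hash]);
    $path = rtrim($destDir, '/') . '/' . $hash . '.bin'; // file name is validated hex only
    $fp = fopen($path, 'wb');
    if ($fp === false) {
        throw new RuntimeException('cannot open destination file');
    }
    $ch = curl_init('https://www.virustotal.com/vtapi/v2/file/download?' . $query);
    curl_setopt_array($ch, [
        CURLOPT_FILE            => $fp,             // write the body straight to $fp
        CURLOPT_FOLLOWLOCATION  => true,            // same as curl --location
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // HTTPS only...
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // ...on redirects as well
        CURLOPT_FAILONERROR     => true,            // HTTP status >= 400 makes curl_exec() fail
    ]);
    $ok  = curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    fclose($fp);
    if ($ok === false) {
        unlink($path); // do not keep a partial or empty file
        throw new RuntimeException("download failed: $err");
    }
    return $path;
}

$hash = validate_hash($_POST['hash'] ?? null);
if ($hash === null) {
    http_response_code(400);
    exit('Invalid hash');
}
try {
    $path = vt_download($hash, (string) getenv('VT_API_KEY'), '/var/lib/vt-samples');
    echo 'Saved ', basename($path), ' (', filesize($path), ' bytes)';
} catch (RuntimeException $e) {
    http_response_code(502);
    error_log($e->getMessage()); // details go to the server log, not to the client
    echo 'Download failed';
}
```

The destination directory should sit outside the web root and be writable by the PHP process, so that downloaded samples are never served or executed by the web server.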