PHP - Command injection
Find a vulnerability in this service and exploit it. The flag is on the index.php file.
Let's enter 127.0.0.1, as the input field suggests.
We can see that our input is used to execute a ping command.
We know the flag is in the index.php file. To cat the flag we need to use the ; separator, which ends the ping command so that the shell runs a second command after it.
Looks like our input was processed properly. Let's check the source code.
The source code reveals an interesting piece of code.
The line shell_exec("timeout -k 5 5 bash -c 'ping -c 3 ".$_POST["ip"]."'") executes a shell command based on user input ($_POST["ip"]). The input is concatenated into the command string without validation or escaping, so any shell metacharacters it contains are interpreted by bash.
The line "".file_get_contents(".passwd")."" reads the content of a file named .passwd and appends it to the $flag variable.
Let's modify our input to cat the .passwd file.
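For comparison, a hardened version of the ping handler analysed above, as an added example that is not part of the challenge source. The function names build_ping_argv() and run_ping() are hypothetical, the sample inputs are constructed, and the array form of proc_open() assumes PHP 7.4 or later.

```php
<?php
// Added example: validate the input as an IP literal, then run ping
// without a shell. Names below are hypothetical, not from the challenge.

function build_ping_argv(string $input): ?array
{
    // Accept only a literal IPv4 address. Anything carrying a separator
    // such as ";" fails validation and never reaches a command line.
    $ip = filter_var(trim($input), FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    if ($ip === false) {
        return null;
    }
    // Argument vector instead of a command string: each element is passed
    // to the program as-is, so nothing is parsed for shell metacharacters.
    return ['timeout', '-k', '5', '5', 'ping', '-c', '3', $ip];
}

function run_ping(string $input): string
{
    $argv = build_ping_argv($input);
    if ($argv === null) {
        return 'Invalid IP address';
    }
    // With an array command, proc_open() executes the binary directly
    // and does not go through /bin/sh or bash -c.
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return 'Unable to run ping';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    // Encode before echoing the result back into the HTML page.
    return htmlspecialchars($out, ENT_QUOTES);
}

// Constructed sample inputs: only the first one passes validation.
$samples = ['127.0.0.1', '127.0.0.1;cat index.php', 'localhost', ''];
foreach ($samples as $sample) {
    $ok = build_ping_argv($sample) !== null;
    printf("%-26s %s\n", var_export($sample, true), $ok ? 'accepted' : 'rejected');
}
```

If a shell command string cannot be avoided, escapeshellarg() on the validated value is the fallback, but validation plus an argument vector removes the shell from the path entirely.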