Skip to main content

PHP - Command injection

Find a vulnerability in this service and exploit it. The flag is on the index.php file.

1

Let's input 127.0.0.1 as the input field is suggesting.

2

We can see that our input is used to execute a ping command.

We know the flag is on the index.php file. In order to cat the flag we need to use the ; separator.

User Input

127.0.0.1 ; cat index.php

3

Looks like our input was processed properly. Let's check the source code.

4

The source code reveals an interesting piece of code.

PHP code

<?php 
$flag = "".file_get_contents(".passwd")."";
if(isset($_POST["ip"]) && !empty($_POST["ip"])){
$response = shell_exec("timeout -k 5 5 bash -c 'ping -c 3 ".$_POST["ip"]."'");
echo $response;
}
?>

The line shell_exec("timeout -k 5 5 bash -c 'ping -c 3 ".$_POST["ip"]."'") executes a shell command based on user input ($_POST["ip"]).

The line "".file_get_contents(".passwd")."" reads the content of a file named .passwd and appends it to the $flag variable.

Let's modify our input to cat the .passwd file.

User Input

127.0.0.1 ; cat .passwd

5

Flag

S3rv1ceP1n9Sup3rS3cure