A code review penetration test of an old PHP application revealed a simple RCE.
Start with a search for sensitive functions being called, in this case “shell_exec”.
This is the function PHP uses to execute shell commands.
So wherever it appears in code, it should be a focus point.
<?php
header("Content-Type: application/json");
if( isset($_GET["query"]) ){
    $query = $_GET["query"];
    if( isset($_GET["customer"]) ) {
        $customer = $_GET["customer"];
    } else {
        $customer = "default"…
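As an added illustration, not the reviewed application's code, here is how the same endpoint looks once the user-controlled parameters are validated and quoted before anything reaches shell_exec. The command `/opt/app/bin/lookup` is a hypothetical stand-in, since the original command is not shown above.

```php
<?php
// Added example, not the reviewed application's code. It assumes a
// hypothetical script /opt/app/bin/lookup that takes the customer name
// and the query as two positional arguments.
header("Content-Type: application/json");

// Strict allowlist: customer identifiers are short alphanumeric tokens.
// Shell metacharacters, spaces and path separators are rejected before
// the value can ever appear on a command line.
function validCustomer(string $c): bool {
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,32}$/', $c);
}

// Queries are free text, so they get a length bound and quoting rather
// than an allowlist.
function validQuery(string $q): bool {
    return $q !== "" && strlen($q) <= 200;
}

$customer = $_GET["customer"] ?? "default";
$query    = $_GET["query"] ?? "";

if (!validCustomer($customer) || !validQuery($query)) {
    http_response_code(400);
    echo json_encode(["error" => "invalid parameters"]);
    exit;
}

// Defence in depth: even validated values go through escapeshellarg(),
// so each becomes one single-quoted argument instead of shell syntax.
$cmd = '/opt/app/bin/lookup '
     . escapeshellarg($customer) . ' '
     . escapeshellarg($query);
$out = shell_exec($cmd);

echo json_encode(["customer" => $customer, "result" => $out]);
```

Where the called program can be run without a shell at all, proc_open() with an argument array (PHP 7.4+) removes the shell from the path entirely and is the stronger fix.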