Escape Function to perform Remote Code Execution in PHP compiler
Summary
The submitted code and narrative demonstrate a clever technique for evading basic input validation in a PHP compiler in order to execute code remotely.
The attacker first tried to run the command exec('ls') directly; because the server blocked it, they instead assembled the function name from concatenated string fragments, $ex = "e"."x"."e"."c", and called it through that variable, so the blocked exec command runs all the same.
Because this particular PHP compiler does not use virtualization, the attacker could traverse the filesystem to determine the true location of the compiled code, which gave them the ability to upload and execute files on the server, as demonstrated by the proof-of-concept code.
To mitigate this kind of attack in the future, the contributor provides several recommendations, such as running the compiler on a virtual server and disabling any dangerous functions.
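The recommendation to disable dangerous functions is worth making concrete, because it explains why the concatenation trick above works against a source-text filter but not against the engine. The following PHP audit script is an added example, not code from the original writeup or its contributor: it reads the effective disable_functions setting and reports which command-execution functions are still callable. The list of function names it checks is an assumption and should be extended for the deployment in question.

```php
<?php
// Added example (not from the original writeup): audit for the
// "disable any dangerous functions" recommendation.
//
// disable_functions is a PHP_INI_SYSTEM setting, so it can only be set in
// php.ini or the server configuration, for example:
//   disable_functions = exec,passthru,shell_exec,system,proc_open,popen
// The engine enforces it when the function is called, so it blocks the call
// however the name was built ("e"."x"."e"."c", variable functions,
// call_user_func, ...). A blocklist that scans the submitted source for the
// literal text "exec" cannot do that, which is exactly the gap the writeup exploits.

// Functions that pass a string to a shell or spawn a process (assumed list; extend as needed).
const DANGEROUS_FUNCTIONS = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'];

/** Parse the comma-separated disable_functions value into a lower-cased set. */
function disabledFunctions(): array
{
    $raw = (string) ini_get('disable_functions');
    $names = array_filter(array_map('trim', explode(',', $raw)));
    return array_fill_keys(array_map('strtolower', $names), true);
}

/** Return the dangerous functions that are NOT disabled in the current SAPI. */
function stillEnabled(array $candidates = DANGEROUS_FUNCTIONS): array
{
    $disabled = disabledFunctions();
    $enabled = [];
    foreach ($candidates as $fn) {
        // On PHP 8+, function_exists() already returns false for disabled
        // functions; the ini check also covers older releases.
        if (!isset($disabled[strtolower($fn)]) && function_exists($fn)) {
            $enabled[] = $fn;
        }
    }
    return $enabled;
}

$enabled = stillEnabled();
if ($enabled === []) {
    echo "OK: all listed command-execution functions are disabled\n";
    exit(0);
}
echo "WARNING: still callable: " . implode(', ', $enabled) . "\n";
echo "Add them to disable_functions in php.ini (it cannot be set with ini_set at runtime).\n";
exit(1);
```

Run it with the same SAPI and php.ini the sandbox uses (for example `php -c /path/to/php.ini audit.php` for the CLI, or through the web server for FPM), since each SAPI can load a different configuration; a non-zero exit status means the hardening is incomplete.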