showmetheexploit
Do you accept the challenge?
Comment in the YouTube comments or on reddit at: https:www.reddit.com/r/PHPhelp/comments/ct0m88/i_need_a_benign_exploit_serious/ There will be a ton of caveats at the bottom of this post, but I will get right to the TLDR; I'm not saying this is GOOD php, but I'd like to know if it is DANGEROUS php. Not just "looks dangerous", but I'd like someone to show me what could possibly be sent to $_GET that would actually cause a problem (without uploading a previous exploit).
Ideally I would like to see someone
- trigger notepad.exe to run as a benign exploit.
- delete index.php or sound.php
- modify index.php or sound.php I chose notepad because it's already in the windows path, so no folder traversal necessary.
What could I send to sound.php?sound= to cause a problem?
$mp3 = htmlentities($_GET['sound']); obviously not right, but dangerous? $player = 'cmdmp3.exe';
if(file_exists("sounds/$mp3.mp3")){ shell_exec($player.' sounds/'.$mp3.'.mp3'); die(); }else{ die(); }
Here are the caveats.
-
Obviously I didn't properly sanitize the shell code. That's fixed now in a later rev.
-
That said with the if file_exists statement and the mp3 pinned to the end, what in the world could you get to trigger "true" on the if statement that would also be dangerous in the shell_exec.
-
To be clear. I'm not saying "not possible" I'm saying "I don't know what I don't know."
-
This code section of the code was posted for running on local networks and I use it in air-gapped networks. There was never a suggestion to stick it on your godaddy account and it wouldn't even work on a cloud server because it needs speakers connected to the server. I use this for escape rooms and arduino/pi based interactive games.
-
It's super easy to say "that looks exploitable" than to actually have an idea of how to exploit it.
-
I don't consider uploading another malicious file and using this to run it an exploit. If you can upload random, executable code to an apache server, it's game over for security anyway. You would just upload exploit.php and run it. You don't need to daisy chain it with this.
I can't say enough how much I appreciate people taking the time to read this far. I genuinely want to learn.