Remote Code Execution (RCE)

https://gitlab.com/jobertabma/vulnerable-code/-/tree/master/rce?ref_type=heads

Step 1: Understand the Vulnerability

• The provided code in index.php contains a Remote Code Execution (RCE) vulnerability due to the use of the eval() function. The eval() function executes a string of PHP code, which can be manipulated by an attacker if not properly sanitized.

  index.php Breakdown

Step 2: Create and Run the Bash Script

1.Create the Bash Script: Create a file named rce.sh and add the provided Bash script to it.

#!/bin/bash

echo $1 > _tmp/strip

php -S 127.0.0.1:8080 -t rce &

open 'http://127.0.0.1:8080/?variable=empty; phpinfo()'

wait

- Explanation of the Script:

• echo $1 > _tmp/strip: This line writes the first argument passed to the script into a file named strip in the _tmp directory.

• php -S 127.0.0.1:8080 -t rce & starts a PHP built-in server at 127.0.0.1:8080, serving the rce directory in the background.

• open 'http://127.0.0.1:8080/?variable=empty; phpinfo()' opens the URL http://127.0.0.1:8080/?variable=empty; phpinfo().

• This URL exploits the vulnerability by setting $_GET['variable'] to empty; phpinfo().

• The eval statement in index.php will then execute echo $empty; phpinfo();, resulting in the execution of phpinfo()

• wait: This line waits for the background process (the PHP server) to finish

2.Make the Script Executable: Change the script's permissions to make it executable.

chmod +x path-traversal.sh

3. Run the script:

Expected Outcomes:

• When you run the provided automation script, the expected outcome is that the PHP phpinfo() function will be executed, and its output will be displayed in the web browser. Here is the step-by-step expected outcome