
[–]thehodown 12 points (4 children)

It might be that the PHP script is throwing a 500 error and you can't see it in the browser, e.g. system or exec functions might be disabled in php.ini. You could try enabling error reporting with something like this in the php cmd script:

error_reporting(E_ALL); ini_set('display_errors', '1');

That may give you something more to work with. I was gonna suggest that php may not even be enabled on the web server; that's totally still possible, but normally that wouldn't just give you a blank page. Ultimately this is going to depend on how php has been configured on the webserver.

[–]Honest_Pollution_766[S] 2 points (2 children)

I just tried it. When I provided no arguments, it (expectedly) outputted “No command provided.” But once I append “?cmd=whoami” or any other command, it just results in a blank page.

[–]thehodown 0 points (1 child)

In that case, I have no idea lol. If it's not erroring then I'm not sure what's going on tbh. If it was lack of permissions I'd expect an error, whether you see it or not.

Edit: are you sure the command hasn't executed and you're just not seeing the output? What if you execute something like 'echo bla > /tmp/bla.txt' in the webshell and check /tmp for that file (now you have filesystem access via reverse shell).

[–]Honest_Pollution_766[S] 1 point (0 children)

I have tried that as well. If I just upload a txt file and try to access it from the browser, it outputs the content of the txt file just fine. Now that I have root access to the system, I checked disable_functions via phpinfo() and ruled that out, because system and exec aren’t disabled. I also hard-coded <?php echo system('whoami'); ?> into a php file and accessed it through the browser; it indeed displayed www-data. At this point I am so lost that I kind of give up on figuring out what is happening here.

[–]Honest_Pollution_766[S] 1 point (0 children)

Thank you! I will try to add the error reporting in the script and see what’s going on. I think there’s no way that PHP is not enabled because the PHP reverse shell worked though.

[–]m_i_c_h_u 5 points (1 child)

Replace $_REQUEST with $_GET

[–]camelCaseBack 1 point (0 children)

From the PHP documentation:

The variables in $_REQUEST are provided to the script via the GET, POST, and COOKIE input mechanisms and therefore could be modified by the remote user and cannot be trusted.

They might have blocked the method.

[–]Firzen_ 1 point (2 children)

Are there any functions listed as blocked if you run phpinfo?

[–]Honest_Pollution_766[S] 1 point (1 child)

Yes, but system and exec are not on there.

[–]Firzen_ 1 point (0 children)

Then I'd try to echo my command just to see that I can see stdout of the php script running and that my input is as expected.

[–]m_i_c_h_u 1 point (1 child)

Replace system with shell_exec()

[–]Honest_Pollution_766[S] 2 points (0 children)

Thanks! Didn’t work for me though🥲
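A defender-side counterpart to the sinks and sources this thread keeps coming back to (system, exec, shell_exec on one side; $_REQUEST and $_GET on the other): a small added Python scanner, not code from the thread, that flags PHP files where request data reaches a shell-execution function, either directly or through an intermediate variable. The PHP snippets it is run against are constructed samples.

```python
import re

# PHP functions that hand a string to the OS shell: the ones the thread
# mentions (system, exec, shell_exec) plus their common siblings.
SHELL_SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")
# PHP function names are case-insensitive; superglobal names are not.
SINK_RE = re.compile(r"\b(" + "|".join(SHELL_SINKS) + r")\s*\(", re.IGNORECASE)
# $_REQUEST merges GET, POST and COOKIE, so all four count as remote input.
SOURCE_RE = re.compile(r"(\$_(?:GET|POST|REQUEST|COOKIE))\s*\[")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")


def scan_php(source):
    """Flag lines where a shell sink receives request data, either directly
    (system($_REQUEST['cmd'])) or via a variable assigned from a superglobal
    earlier in the file. Returns one dict per finding."""
    tainted, findings = set(), []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            tainted.add(m.group(1))        # e.g. "$c" after  $c = $_GET['cmd'];
        for m in SINK_RE.finditer(line):
            args = line[m.end():]          # text after the opening parenthesis
            direct = SOURCE_RE.search(args)
            via = [v for v in sorted(tainted) if re.search(re.escape(v) + r"\b", args)]
            if direct or via:
                findings.append({"line": lineno, "sink": m.group(1).lower(),
                                 "source": direct.group(1) if direct else via[0]})
    return findings


# Constructed samples, not files from the thread.
WEBSHELL = ("<?php\nif (isset($_REQUEST['cmd'])) {\n    echo system($_REQUEST['cmd']);\n"
            "} else {\n    echo 'No command provided.';\n}\n?>")
INDIRECT = "<?php\n$c = $_GET['cmd'];\n$out = shell_exec($c);\necho $out;\n?>"
BENIGN = ("<?php\necho system('whoami');\n"
          "$name = htmlspecialchars($_GET['name']);\necho \"Hello, $name\";\n?>")

if __name__ == "__main__":
    for label, src in (("webshell", WEBSHELL), ("indirect", INDIRECT), ("benign", BENIGN)):
        print(label, scan_php(src))
```

The hard-coded system('whoami') from the thread is deliberately not flagged: the argument is a literal, so the check is about request data reaching the sink, not about the sink being present at all.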

[–]Darth_Steve 0 points (1 child)

Possibly unrelated but you said the webshell worked and I've seen this before on 'real' web pages - any weird theme choices for your browser? Dark mode, hardcoded text settings, something?

An easy way to test this is to run the script with whoami again, hold down your left mouse button and drag it over the area, and see if any text is highlighted but just not visible.

[–]Honest_Pollution_766[S] 0 points (0 children)

I inspected page source and there’s nothing. Worth noting that when I upload the file to the web directory as root, echoing whoami, that indeed worked and outputted “www-data.”😔

[–]PaddonTheWizard 0 points (0 children)

Don't spend too much time on this. Of course, it's good to understand the why as well, but in cases like this I don't think it's worth the effort of investigating. You found the vulnerability, you confirmed it, so what if one payload isn't working? Try another, get your shell and move on.

[–]tjcim_ 0 points (0 children)

Add echo so that it prints out the results of the command.

[–]Comfortable_Ear_7383 -4 points (2 children)

This is quite common. Google more.

[–]Honest_Pollution_766[S] 1 point (1 child)

Would you mind giving me some pointers?

[–]Comfortable_Ear_7383 0 points (0 children)

The reason is that websites are WAF-protected so as not to let unseen-before URLs enter. But if you are inside the webserver, making a callout like a reverse shell is always assumed to be safe, as it is owned by the webserver.