I have the following snippet of code. For the URL QueryString, I am passing in `php://input`. In the body of the request I am passing in `<?php echo "ABC";?>`
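```php
<?php
// The URL comes straight from the query string, so any stream wrapper is accepted
$image_url = $_GET['URL'];
$data = file_get_contents($image_url);
$new = 'images/TEST.jpg';
// The bytes that were read are written to a fixed path
$upload = file_put_contents($new, $data);
```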
When I curl the image I get `<?php echo "ABC";?>`. Why is it just printing the string I passed to it rather than `ABC`?
This is for a security lab I'm running locally, so I'm using it as a PoC for this exploit, e.g. https://blog.sucuri.net/2016/10/backdoor-abusing-of-php-tricks.html and https://www.exploit-db.com/papers/45870
I'm aware it won't get executed when viewing the file but shouldn't the PHP I sent in the body get interpreted and that be placed in a file so I should be seeing `ABC` rather than `<?php echo "ABC";?>`?
Another (better) example: https://www.aptive.co.uk/blog/local-file-inclusion-lfi-testing/
Thanks
A standard configuration of a web server is to execute PHP directives only in files with a `.php` file extension.
You could configure your web server to execute PHP in files with a `.jpg` file extension (the specifics depend on which web server you are using) but this would be highly unusual — doubly so because a JPEG image is a binary file and not a text file to start with.
Also note that allowing arbitrary PHP to be accepted as user input and then executed on your server is highly dangerous.
> I'm aware it won't get executed when viewing the file but shouldn't the PHP I sent in the body get interpreted?
No. Reading a file into a variable only reads a file into a variable. `file_get_contents` does not execute PHP directives in user input.
That would also be highly dangerous and PHP isn't that bad.
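The behaviour described in the answer, together with a hardened form of the snippet, as an added example (not code from the question or the answer). The helper names `is_allowed_url`, `image_extension` and `store_image` are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; the sample inputs further down are constructed.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Accept only http(s) URLs, so wrappers such as php://, file:// or data: are refused.
// A real deployment would also restrict which hosts may be fetched.
function is_allowed_url(string $url): bool
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true);
}

// Return the extension for the bytes if they parse as an allowed image, else null.
function image_extension(string $data): ?string
{
    $info = @getimagesizefromstring($data);
    return $info === false ? null : (ALLOWED_TYPES[$info['mime']] ?? null);
}

// Store bytes under a server-chosen name; the extension comes from the content.
function store_image(string $data, string $dir): ?string
{
    $ext = image_extension($data);
    if ($ext === null) {
        return null;
    }
    $path = $dir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    return file_put_contents($path, $data) === false ? null : $path;
}

// Constructed inputs: the request body from the question, and a 1x1 GIF.
$payload = '<?php echo "ABC";?>';
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');

// 1. Reading copies bytes; nothing is interpreted on the way through.
$tmp = tempnam(sys_get_temp_dir(), 'poc');
file_put_contents($tmp, $payload);
var_dump(file_get_contents($tmp) === $payload);

// 2. The scheme check refuses the wrapper used in the question.
var_dump(is_allowed_url('php://input'), is_allowed_url('https://example.com/a.jpg'));

// 3. The content check refuses the PHP text and accepts the image.
$stored = store_image($gif, sys_get_temp_dir());
var_dump(store_image($payload, sys_get_temp_dir()), $stored !== null);
unlink($tmp);
unlink($stored);
```

The content check only confirms that the bytes parse as an image; it does not remove PHP text embedded elsewhere in a valid image file. What keeps such a file inert is that the web server does not run `.jpg` files through PHP and that the application never passes the stored path to `include` or `require`.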