Dissecting and exploiting PHP code that makes a system call.
The function on this webpage allows a file to be uploaded for analysis by the clamscan AV. It appears to cover the bases for preventing a web shell from being uploaded: the extensions 'php', 'php7', 'php6' and 'phar' are not allowed.
However, a file with any other extension, such as test.txt, is accepted, and the code then completes the call to the system function that runs /usr/bin/clamscan with our filename appended to the command. If this request is captured, the $name variable could be changed to a native system command to check whether OS command injection is possible.
The command 'id' was entered as the value of 'filename=', and its successful execution proves that native commands can be run because of this oversight.
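As an added example (not code from the page), the unsafe pattern described above alongside a hardened version; the function names, the upload directory argument, and PHP 8 are assumptions:

```php
<?php
// Added example, not the page's own code. Function names and the
// upload directory are assumptions; requires PHP 8 (str_starts_with).

// Unsafe: an extension blacklist does nothing about shell metacharacters
// in the filename, which is concatenated straight into the command line.
function scan_unsafe(string $name): string {
    $blocked = ['php', 'php7', 'php6', 'phar'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (in_array($ext, $blocked, true)) {
        return 'rejected';
    }
    // The client controls $name, so anything the shell understands runs here.
    return (string) system('/usr/bin/clamscan ' . $name);
}

// Hardened: user input never reaches a shell as code.
function scan_safe(string $name, string $uploadDir): string {
    // 1. Allow-list the characters a filename may contain; reject, don't clean.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $name) || str_starts_with($name, '.')) {
        throw new InvalidArgumentException('invalid filename');
    }
    // 2. Scan the server-side stored path, confined to the upload directory,
    //    rather than a client-supplied string.
    $base = realpath($uploadDir);
    $path = realpath($uploadDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('path outside upload directory');
    }
    // 3. Bypass the shell entirely: proc_open with an argv array (PHP >= 7.4)
    //    passes each element as one argument, so metacharacters are inert.
    $proc = proc_open(
        ['/usr/bin/clamscan', $path],
        [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start scanner');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}
```

The allow-list regex alone would still accept a name like `..`, which is why the realpath confinement check is kept as a second, independent control.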