This PHP code snippet demonstrates two vulnerabilities, Remote Code Execution (RCE) and Local File Inclusion (LFI), that arise when user input is not properly handled.
The provided PHP code contains two sections, each representing one of these common vulnerabilities:
- Local File Inclusion (LFI): This vulnerability arises from the `$file` parameter being passed directly to the `file_get_contents()` function without proper validation. If an attacker can manipulate the `$file` parameter, they could potentially include sensitive files from the server.
- Remote Code Execution (RCE): The `$command` parameter, if not properly sanitized, can lead to remote code execution. The code uses the `system()` function to execute shell commands built from the `$command` parameter. If an attacker can inject malicious commands, they could execute arbitrary code on the server.
To demonstrate these vulnerabilities, follow the instructions below:
- LFI: Enter the name or path of the file in the input. The request sent looks like `http://example.com/vulnerable.php?file=/etc/passwd`. Ensure that the file you're trying to include exists and is accessible.
- RCE: Enter the command you want to execute on the server in the input. The request sent looks like `http://example.com/vulnerable.php?command=ls -la`, which executes the `ls -la` command on the server.
To mitigate these vulnerabilities, follow these best practices:
- LFI: Validate and sanitize user input before using it to include files. Whitelist acceptable file paths and ensure that the user-supplied file actually exists and is allowed to be included.
- RCE: Sanitize user input thoroughly. Avoid using functions like `system()` to execute commands directly. If command execution is necessary, use functions like `escapeshellcmd()` to escape potentially dangerous characters.
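The following is an added example of what those two mitigations look like in practice; it is not the vulnerable snippet from this page and not code from the original author. It assumes a fixed base directory (`ALLOWED_DIR`) for the files the endpoint is permitted to serve and a fixed allowlist of commands (`ALLOWED_COMMANDS`); both names and their contents are placeholders chosen here. One caveat worth knowing: `escapeshellcmd()` only neutralises metacharacters in the command string itself, so the example never executes a user-supplied command string at all. It maps a keyword to a fixed program and wraps any user-controlled argument in `escapeshellarg()`, which guarantees the value reaches the program as a single argument.

```php
<?php
// Added example, not the original page's snippet. Hardened versions of the two
// handlers described above. ALLOWED_DIR and ALLOWED_COMMANDS are assumptions.
declare(strict_types=1);

const ALLOWED_DIR = __DIR__ . '/public_files';   // assumed base directory

// LFI mitigation: never pass the raw $file parameter to file_get_contents().
// Strip directory components, resolve the real path, and confirm the result
// still lies inside ALLOWED_DIR (realpath() resolves ../ and symlinks).
function readAllowedFile(string $requested): ?string
{
    $name = basename($requested);                    // drop any path components
    if ($name === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;                                 // reject unexpected characters
    }
    $base = realpath(ALLOWED_DIR);
    $path = realpath(ALLOWED_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;                                 // directory or file does not exist
    }
    // Compare with a trailing separator so a sibling directory whose name
    // merely starts with the base path cannot pass the prefix check.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    return file_get_contents($path);
}

// RCE mitigation: do not execute a user-supplied string. Map an allowlisted
// keyword to a fixed program and options; user-controlled values are only ever
// passed through escapeshellarg(), so metacharacters become one quoted word.
const ALLOWED_COMMANDS = [
    'disk'   => ['/bin/df', ['-h']],          // placeholder entries
    'uptime' => ['/usr/bin/uptime', []],
];

function runAllowedCommand(string $keyword, ?string $arg = null): ?string
{
    if (!array_key_exists($keyword, ALLOWED_COMMANDS)) {
        return null;                                 // unknown keyword: refuse
    }
    [$program, $options] = ALLOWED_COMMANDS[$keyword];
    $cmd = escapeshellcmd($program);
    foreach ($options as $opt) {
        $cmd .= ' ' . escapeshellarg($opt);
    }
    if ($arg !== null) {
        $cmd .= ' ' . escapeshellarg($arg);          // always a single argument
    }
    $output = [];
    $status = 0;
    exec($cmd, $output, $status);
    return $status === 0 ? implode("\n", $output) : null;
}

// Request handling: any validation failure answers 400 and runs nothing.
header('Content-Type: text/plain');
if (isset($_GET['file'])) {
    $content = readAllowedFile((string) $_GET['file']);
    if ($content === null) {
        http_response_code(400);
        exit("rejected file parameter\n");
    }
    echo $content;
} elseif (isset($_GET['command'])) {
    $arg = isset($_GET['arg']) ? (string) $_GET['arg'] : null;
    $result = runAllowedCommand((string) $_GET['command'], $arg);
    if ($result === null) {
        http_response_code(400);
        exit("rejected command parameter\n");
    }
    echo $result;
}
```

With this in place, a request such as `vulnerable.php?file=../../etc/passwd` is reduced by `basename()` to `passwd`, which is then rejected unless a file of that name exists inside the allowed directory, and `vulnerable.php?command=ls -la` is rejected outright because `ls -la` is not an allowlisted keyword.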
Always keep your software up-to-date and follow secure coding practices to minimize the risk of such vulnerabilities.
Note: This code is for educational purposes only. Never deploy such vulnerable code in a production environment.

