PHP Snippet #07

This challenge covers the review of a snippet of code written in PHP

< 1 Hr.
The Code Review Snippet challenge gives you a snippet of PHP code that contains a security vulnerability. The task is to find the issue yourself before watching the video. The provided code checks that the `$_GET["count"]` parameter is set and falls within a specified range before interpolating it into a system command that pings a host. However, this code is vulnerable to command injection because it never verifies that `$_GET["count"]` is actually an integer: the range check relies on PHP's loose comparison, which accepts strings that merely start with a digit.

In the video, the vulnerability is explained in detail. The code checks if `$_GET["count"]` is greater than zero and less than or equal to four, but it does not ensure that it is an integer. As a result, a malicious user can inject additional commands by including a semicolon in the `count` parameter. For example, a value of `1;touch /tmp/command_execution` would be cast to `1` for the comparisons but would execute the additional `touch` command when concatenated to the ping command, resulting in unintended command execution.
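To make the difference concrete, here is an added example (not the challenge's own snippet, which this page does not reproduce) that reconstructs the loose range check the write-up describes and places it next to a strict version. The helper names, the `ping -c` command shape and the `127.0.0.1` host are assumptions made for the example; the command string is only built, never executed, so the script can be run as-is to compare the two checks.

```php
<?php
// Added example: loose range check (as described in the write-up) versus a
// strict integer validation. Function names and the ping target are assumed.

declare(strict_types=1);

// Loose check: relies on PHP's loose comparison, so "1;touch /tmp/x" passes
// both conditions (the leading-numeric string compares as 1 on PHP 7; on PHP 8
// the int is turned into a string and "1;..." still sorts between "0" and "4").
function looseCountIsValid(mixed $count): bool
{
    return isset($count) && $count > 0 && $count <= 4;
}

// Strict check: FILTER_VALIDATE_INT rejects anything that is not a whole
// integer ("1;...", "1.0", "abc"), and min_range/max_range enforce the bounds
// in the same call. Returns the validated int, or null if the input is rejected.
function strictCount(mixed $count): ?int
{
    if (!is_string($count) && !is_int($count)) {
        return null;
    }
    $value = filter_var($count, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 4],
    ]);
    return $value === false ? null : $value;
}

// Builds the command string without running it. Even with a validated int,
// escapeshellarg() is applied as defence in depth (hypothetical ping -c form).
function buildPingCommand(int $count, string $host): string
{
    return 'ping -c ' . escapeshellarg((string) $count) . ' ' . escapeshellarg($host);
}

// Sample inputs, constructed for this example.
$samples = ['2', '0', '5', '1;touch /tmp/command_execution', '1.0', 'abc'];
foreach ($samples as $input) {
    $loose  = looseCountIsValid($input) ? 'accepted' : 'rejected';
    $strict = strictCount($input);
    printf("%-36s loose: %-8s strict: %s\n",
        var_export($input, true),
        $loose,
        $strict === null ? 'rejected' : 'ok -> ' . buildPingCommand($strict, '127.0.0.1'));
}
```

Running it shows `'1;touch /tmp/command_execution'` and `'1.0'` accepted by the loose check but rejected by `strictCount()`, while `'2'` passes both and yields a command in which the count and host are each a single quoted argument. The fix that matters is the type validation (`FILTER_VALIDATE_INT` with range options, or an explicit `ctype_digit` / `(int)` cast before the comparison); `escapeshellarg()` is an extra layer, not a substitute for it.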
