2026-05-12 02:20:55 -04:00
|
|
|
<?php
|
|
|
|
|
// Command injection — negative fixture.
|
2026-05-22 18:03:08 -05:00
|
|
|
// Safe: uses escapeshellarg() and discards the captured output.
|
2026-05-12 02:20:55 -04:00
|
|
|
// Entry: runPing($host) Cap: CODE_EXEC
|
|
|
|
|
// Expected verdict: NotConfirmed
|
2026-05-22 18:03:08 -05:00
|
|
|
//
|
|
|
|
|
// Pairs with cmdi_positive.php for differential confirmation. The
|
|
|
|
|
// captured output is intentionally discarded so a literal payload such
|
|
|
|
|
// as "; echo NYX_PWN_CMDI" (which escapeshellarg already neutralises
|
|
|
|
|
// against the shell parser) cannot leak through stdout and trip the
|
|
|
|
|
// OutputContains oracle.
|
2026-05-12 02:20:55 -04:00
|
|
|
|
|
|
|
|
function runPing($host) {
|
2026-05-22 18:03:08 -05:00
|
|
|
// Sink-reachability probe: we did reach the shell_exec call site.
|
|
|
|
|
echo "__NYX_SINK_HIT__\n";
|
2026-05-12 02:20:55 -04:00
|
|
|
// escapeshellarg wraps in single quotes and escapes internal quotes.
|
|
|
|
|
$safe = escapeshellarg($host);
|
2026-05-22 18:03:08 -05:00
|
|
|
// Capture but discard: command runs under the sanitiser, output is
|
|
|
|
|
// not surfaced to the oracle.
|
2026-05-12 02:20:55 -04:00
|
|
|
$output = shell_exec('echo hello ' . $safe);
|
2026-05-22 18:03:08 -05:00
|
|
|
unset($output);
|
2026-05-12 02:20:55 -04:00
|
|
|
}
|
