HackTheBox 'Void Whispers' PHP App Vulnerable to Shell Command Injection via IFS Bypass
A HackTheBox challenge called 'Void Whispers' featured a PHP mail-settings panel that passed a user-supplied sendmail path directly into a shell_exec() call without proper sanitization. The only input validation was a regex blocking literal whitespace characters, which was trivially bypassed using Bash's built-in ${IFS} variable, which expands to whitespace at shell execution time. By injecting commands after a semicolon in the sendMailPath field, arbitrary OS commands could be executed on the server. Execution was first confirmed through timing-based blind injection using sleep commands, then verified via an out-of-band webhook callback showing the server making outbound requests. The vulnerability was ultimately exploited to read and exfiltrate the contents of the /flag.txt file from the server.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in