I'm trying to learn more about PHP eval() exploitation and I came across this scenario:
<?php
$test = array();
$test[0] = "command0 ";
$test[1] = $_GET["cmd1"];
$test[2] = "command2 ";
$test[3] = "command3 ";
$params = "";
for ($i = 0; $i < count($test); $i++) {
    $params .= "\$test[$i]";
}
echo $params;
echo "<br>";
$cmd = "echo \"" . $params . "\";";
echo $cmd;
echo "<br>";
eval($cmd);
?>
I've tried to inject several combinations of double-quotes and backslashes into the $_GET parameter but have had no luck breaking out of the $cmd string.
Beyond the XSS bug, is this code snippet vulnerable? Can this be abused for PHP code injection?
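
The snippet in the question, restated as an added example that is not part of the original post: it shows what string actually reaches eval() for different request values, next to a form that drops eval() and encodes output. The function names `build_eval_source` and `render_safe` and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). Function names and the sample
// inputs below are constructed for illustration.

// The post's pattern: the eval() source is built from the array *indexes*,
// so it contains variable references, never the request value itself.
function build_eval_source(array $test): string
{
    $params = "";
    for ($i = 0; $i < count($test); $i++) {
        $params .= "\$test[$i]";
    }
    return "echo \"" . $params . "\";";
}

// Hardened form: no eval() at all, and HTML-encode before output, which
// also closes the XSS issue the post mentions.
function render_safe(array $test): string
{
    return htmlspecialchars(implode("", $test), ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
}

// Constructed stand-ins for $_GET["cmd1"]: quotes, backslashes, markup.
$samples = ['plain', '"; \\" \\\\', '<b>bold</b>'];

$sources = [];
foreach ($samples as $input) {
    $test = ["command0 ", $input, "command2 ", "command3 "];
    $sources[] = build_eval_source($test);
    echo render_safe($test), PHP_EOL;
}

// The source handed to eval() is identical for every input, because the
// input is interpolated as data when the echo runs, not parsed as PHP.
var_dump(count(array_unique($sources)) === 1);
echo $sources[0], PHP_EOL;
```

This holds only while the eval() source is built purely from indexes; if the request value itself were concatenated into that string, it would be parsed as PHP. Removing eval() avoids depending on that distinction.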