Executing HTML encoded PHP code


Hello stackoverflow community,

I am trying to send a request from Burp Suite:

{"html":"<?php
$to = "[email protected]";
$subject = "Subject";
$txt = "PHP is installed"; 
$result = mail($to,$subject,$txt);
?>","author":"","location":""}

I need to modify the "html" tag to contain some PHP, but the PHP is not read (neither are any of the other tags) because of the double quotes in the code (I think), so I tried HTML encoding it, but then it wouldn't execute; it just showed up as plain text of the code.

I have been trying all day to figure this out and couldn't find anything.

So, in conclusion: is there any alternative to quotes I can use (I tried HEREDOC), or is there a way to execute HTML encoded PHP without quotes?


Solution

  • You could make this work, but I wouldn't recommend doing it that way.

    If you remove the PHP tags and pass through the code you want to run as a string, you're going to end up having to run it through eval(), which is dangerous because it means anyone with access to the first script can potentially execute whatever code they like on your server. Any PHP script with an 'eval()' in it needs to be pretty locked down.

    Reference:

    http://php.net/manual/en/function.eval.php

    You're better off just passing the URL of the script you want it to execute, or something along those lines :)
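
An added example, not part of the original answer or the asker's application: a server-side handler that treats the request's "html", "author" and "location" fields as data and selects behaviour from an allowlist instead of calling eval(). The "action" field, the function names and the sample bodies are assumptions made for illustration.

```php
<?php
// Added example. ACTIONS, handle_request() and the "action" field are hypothetical names.

// Allowlist: a request may only name a handler that is defined on the server.
const ACTIONS = ['preview' => 'action_preview'];

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function action_preview(array $post): string
{
    // Request fields are data: escaped on output, never evaluated.
    return sprintf("<p>%s</p>\n<small>%s, %s</small>",
        esc($post['html']), esc($post['author']), esc($post['location']));
}

function handle_request(string $rawBody): array
{
    $req = json_decode($rawBody, true);
    if (!is_array($req)) {
        return [400, 'body must be a JSON object'];
    }
    $action = $req['action'] ?? '';
    if (!is_string($action) || !array_key_exists($action, ACTIONS)) {
        return [400, 'unknown action'];
    }
    $post = [];
    foreach (['html', 'author', 'location'] as $field) {
        $value = $req[$field] ?? '';
        if (!is_string($value)) {
            return [400, "field '$field' must be a string"];
        }
        $post[$field] = $value;
    }
    return [200, call_user_func(ACTIONS[$action], $post)];
}

// Constructed sample bodies (not taken from the page).
$code = '<?php echo "PHP is installed"; ?>';
$samples = [
    json_encode(['action' => 'preview', 'html' => $code, 'author' => 'a', 'location' => 'b']),
    json_encode(['action' => 'eval', 'html' => $code]),
];
foreach ($samples as $body) {
    [$status, $out] = handle_request($body);
    echo $status, ' ', $out, "\n";
}
```

With this design, PHP submitted in "html" comes back as escaped text, and an action that is not on the allowlist is rejected before any handler runs.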