# PHP Command Injection

Injecting commands to execute code on the server side via PHP.

* [Hacktricks](https://book.hackstricks.xyz/pentesting-web/file-upload)

* Blind injection
* Verbose injection

## Blind Injection
* Check via ping: run `tcpdump` filtered on ICMP to listen for the packets
* Redirect the output to a logfile and read it
* Use `sleep` or `timeout` to check whether command injection is possible in general

### Detect Blind Command Injection
Try to save the output to a URI resource like `output.php`

## Functions
* Watch out for:
    * `eval()`
    * `exec()`
    * `passthru()`
    * `system()`
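
When one of the functions listed above receives request data, the fix is to validate the value and keep it away from the shell. The following is an added example, not code from the original page: the `ping_*` helpers are hypothetical, and it assumes a Linux host with `ping` installed and PHP 7.4 or later.

```php
<?php
// Added example. ping_* are hypothetical helpers, not code from the page.

// VULNERABLE: input is concatenated into a command string that exec() hands
// to /bin/sh, so shell metacharacters in $host are interpreted.
function ping_vulnerable(string $host): array
{
    exec('ping -c 1 ' . $host, $output);
    return $output;
}

// PARTIAL FIX: escapeshellarg() stops metacharacter interpretation, but a
// value starting with "-" would still be parsed by ping as an option.
function ping_quoted(string $host): array
{
    exec('ping -c 1 ' . escapeshellarg($host), $output);
    return $output;
}

// HARDENED: allow-list validation, then run the binary without any shell.
function ping_hardened(string $host): array
{
    // Only a literal IPv4/IPv6 address is accepted.
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('host must be an IP address');
    }
    // The array form of proc_open() (PHP >= 7.4) executes ping directly.
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open(['ping', '-c', '1', $host], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return explode("\n", trim((string) $out));
}

// Constructed sample inputs: one valid address, one carrying a shell separator.
foreach (['127.0.0.1', '127.0.0.1; sleep 5'] as $input) {
    try {
        $lines = ping_hardened($input);
        echo "accepted: {$input} (" . count($lines) . " output lines)\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$input}\n";
    }
}
```

`eval()` has no equivalent quoting helper; the only safe pattern is to never pass request data to it.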