First off, newer hacker here. I have a decent amount of experience at this point, but there are just so many topics to cover that there are definitely a lot of holes. I recently stumbled on this problem, and I'm having trouble understanding why it doesn't work.
So I was on a page that read back user input; it was easy to see there was XSS with <script>alert(0)</script>, but obviously not super helpful. I noticed the page was a .php page, however, so I thought that if I instead used the PHP tags and injected some PHP code, I could maybe get it to execute the code for me. I figured I'd try just a simple payload first, with
<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>
I'll admit to not fully understanding the payload, but I've used it before to execute shell commands. The PHP code went into the page without being filtered or anything (I could see it when I hit view source), but when I tried to append ?cmd=whoami, it didn't execute anything. Maybe it executes locally instead of server-side, like how I understand JavaScript XSS works? I'm sure there's some obvious reason why this doesn't work, but I would appreciate pointers!
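The behaviour described in the post comes down to where in the request lifecycle the input appears: PHP compiles the script file before it looks at any request data, and whatever arrives in $_GET is written into the response body as a string; that response is sent to the browser and is never fed back through the PHP parser. The following is an added example, not code from the original post or from the site it describes, showing a minimal reflective page in both its vulnerable and hardened forms; the function names reflect_unsafe and reflect_safe and the query parameter q are assumptions made for the illustration.

```php
<?php
// Added example (not from the original post): a minimal reflective page
// showing why PHP tags carried in user input are never executed.
//
// PHP compiles THIS file once, before any request data is examined.
// Whatever arrives in $_GET is a string that is written into the response
// body at run time; the response is never handed back to the PHP parser.
// The browser therefore receives the literal characters "<?php ...", and
// an HTML parser treats "<?" as the start of a bogus comment, which is why
// the text shows up in "view source" yet renders as nothing.

declare(strict_types=1);

// Vulnerable reflection: raw input is interpolated into HTML, so markup
// such as <script> is interpreted by the browser (reflected XSS).
function reflect_unsafe(string $input): string
{
    return "<p>You searched for: " . $input . "</p>";
}

// Hardened reflection: HTML-encode the significant characters so the
// browser renders the input as text no matter what it contains.
function reflect_safe(string $input): string
{
    $encoded = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>You searched for: " . $encoded . "</p>";
}

// Quick self-check from the command line:  php reflect.php
if (PHP_SAPI === 'cli') {
    // Constructed sample inputs; the second carries PHP tags, as in the post.
    $samples = [
        '<script>alert(0)</script>',
        '<?php echo "never runs"; ?>',
    ];
    foreach ($samples as $s) {
        echo "unsafe: " . reflect_unsafe($s) . "\n";
        echo "safe:   " . reflect_safe($s) . "\n\n";
    }
    // In both outputs the PHP tags are plain text: "never runs" is never
    // printed on its own, because the output stream is data, not source.
    return;
}

// Web request path (assumed parameter name "q"): only the hardened form is served.
header('Content-Type: text/html; charset=UTF-8');
$q = isset($_GET['q']) && is_string($_GET['q']) ? $_GET['q'] : '';
echo reflect_safe($q);
```

Running the CLI branch prints the unsafe and safe renderings side by side; in both, the `<?php ... ?>` sample survives only as characters in the HTML (escaped to `&lt;?php` in the safe version), which is the same thing the poster saw in view source. The fix for the site owner is the htmlspecialchars call: reflected XSS is closed by output encoding, and the absence of server-side execution is not a defence but simply how the interpreter works.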