I found an HTML form with only one input field, where the text entered is used as an argument (or rather as the last part) of a ping on the server.
When submitting the form, the following command is executed:
/bin/ping -c 3 INPUT_TEXT
It feels horribly dangerous [read: interesting] so I started playing with it to see if I could inject code.
There are however some restrictions (controlled by PHP). The server will not accept any entry containing characters other than those expected for a ping:
No blanks, no 'no', no special characters.
Handling the publication request itself does not solve the problem.
Is there a way to incorporate something of interest into a shell command using only these available characters?
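
As an added example (not part of the original post and not the site's own code), here is one way the server side could handle this field in PHP: validate the value as an IP address or hostname, then run ping with the value as a single argument and no shell in between. The function names `validate_ping_target` and `run_ping` are hypothetical, and passing an array to `proc_open()` assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added illustration; the function names are hypothetical.

/**
 * Return the target if it is an IP literal or an RFC 1123 hostname, else null.
 */
function validate_ping_target(string $input): ?string
{
    if ($input === '' || strlen($input) > 253) {
        return null;
    }
    if (filter_var($input, FILTER_VALIDATE_IP) !== false) {
        return $input;
    }
    // Each label: 1-63 chars, alphanumeric at both ends, hyphens only inside.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $input) === 1) {
        return $input;
    }
    return null;
}

/**
 * Run ping with the target as one argv element, so no shell parses the input.
 * Returns ping's standard output, or null if the process could not be started.
 */
function run_ping(string $target): ?string
{
    $argv = ['/bin/ping', '-c', '3', '--', $target];
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === false ? null : $out;
}

// Constructed sample inputs: only the validation step is exercised here.
foreach (['192.0.2.10', 'host.example.org', 'host name', 'host_name!'] as $sample) {
    $ok = validate_ping_target($sample) !== null;
    printf("%-20s %s\n", $sample, $ok ? 'accepted' : 'rejected');
}
```

The validation decides what counts as a ping target, while the argv array keeps whatever passes it from being interpreted as shell syntax.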