@leihyunzhang said:
I don’t think this is a correct explanation. When we put something in address bar and press go, a GET request is sent. The server then handles it and returns the answer. It’s not a command execution per se.
I agree with this clarification.
It may, e.g., be a REST address without any corresponding files for it. What I expect is that what is under uploads folder is just downloaded without considering what type it is.
“Downloaded” is a simplification. It is pre-processed, where the server takes the PHP bits and evaluates them, adding the output to the data returned as part of the HTTP response packets.
But it seems that the server runs it if it is a php file. I assume that it is a mis-configuration of the server.
Yeah I agree with @LMAY75 here. It would be unusual for a server to not process a PHP file before returning data, if it has been configured to process PHP.
PHP, JSP, SSI (normally SHTML), ASP and a few other extensions are processed (or pre-processed) on the server before any data is returned to the client (browser, curl, wget, powershell, whatever).
Files which use client-side execution (JavaScript, etc.) act slightly differently.
If you request a PHP page and view source on the response, you are almost never going to see the actual PHP code. If you request a page with embedded JS, you can see the embeds and view the JS itself.
Where it gets a bit muddy is if the server-side code contains a misconfiguration. Then you can have situations where the remote server code is triggering executable code on the filesystem. This is getting a bit away from the original question.
At a basic level, curl is just a way of interacting with a server - there are many you can pick from.
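Added example, not part of the original thread: a defender-side audit that walks an uploads directory and flags files whose names carry one of the server-processed extensions listed above. The `inner` category goes beyond the thread and assumes that some handler mappings match any extension component of a name; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Extensions the post lists as processed server-side before a response is sent.
# Which ones a given server actually interprets depends on its configuration.
SERVER_SIDE = {"php", "jsp", "shtml", "asp"}


def classify(filename):
    """Return 'final', 'inner' or None for one upload file name.

    'final': the last extension is server-interpreted (avatar.php).
    'inner': an earlier component is (avatar.php.jpg); flagged for review on
             the assumption that a handler may match any extension component.
    """
    parts = filename.lower().split(".")[1:]  # components after the base name
    if parts and parts[-1] in SERVER_SIDE:
        return "final"
    if any(p in SERVER_SIDE for p in parts[:-1]):
        return "inner"
    return None


def audit_uploads(root):
    """Walk root and return sorted (relative_path, kind) for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), kind))
    return sorted(findings)


def demo():
    """Build a constructed uploads tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "2024"))
        for rel in ("cat.jpg", "notes.txt", "README",
                    "2024/report.php", "2024/pic.php.jpg"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed sample\n")
        return audit_uploads(root)


if __name__ == "__main__":
    for path, kind in demo():
        print(f"{kind:5}  {path}")
```

A finding here only means the file would be evaluated if the server is configured to process that extension in the uploads location; it says nothing about the file's contents.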