Article PHP Vulnerabilities. №2
by OstapBender - Friday December 15, 2023 at 03:10 PM
Continued Article PHP Vulnerabilities.
[Image: 1700658170679-png.72345]
If we look in the terminal now, we can see that we have a back connection open.
[Image: 1700658223392-png.72346]
Through the php:// wrapper for the input stream
Intercept the request in Burp Suite and send it to Repeater. We insert php://input into the vulnerable parameter and put the reverse shell from the previous example into the request body, without any encoding:
[Image: 1700658284278-png.72347]
We send a request and get a connection back.
[Image: 1700658327505-png.72348]
Through the logs.
Since we can read the system files, we can also read the logs of the web server running the site. First, we need to determine which web server is running on the target server. Let's use Nmap.
[Image: 1700658440404-png.72349]
We have nginx. One of its logs is located at the path /var/log/nginx/access.log. Open it, and there...
[Image: 1700658965671-png.72350]
Yes, this is a real mess. How do we make sense of it without breaking our brains? Let's try. First, we intercept the request and send it to Repeater. In User-Agent, instead of what is written there, we insert the one-line web shell <?php system($_GET[cmd]);?> and send the request.
[Image: 1700659037634-png.72351]
In the next step, we include the access.log file and add the &cmd= parameter with a command, for example ls -la /
[Image: 1700659133375-png.72352]
And again we were able to run system commands.
Through a chain of PHP filters.
Well, the last option that we will consider today is the use of filter chains. In the vastness of GoogleNet I found a tool called php_filter_chain_generator, written in Python. It works like this: in the terminal we run the command python3 php_filter_chain_generator.py --chain "<?php system('ls -la /');?>", which generates a chain of PHP filters.
[Image: 1700659256468-png.72353]
We just need to copy the entire output and paste it into the vulnerable parameter, and we get the execution of the command that we passed as the argument of the system function.
[Image: 1700659295440-png.72354]
This option is certainly clunky, but it has its place if the previous ones do not work. We'll probably stop there. I hope that some of what has been discussed will help you in solving practical problems.
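All three techniques above leave a recognisable trace in the web server's own access log: a PHP tag in the User-Agent, a php://input or php://filter/convert.* value in the included parameter, or a request that includes a /var/log/ path. The following detector is an added example, not part of the original article; it parses nginx "combined" log lines, URL-decodes the request and User-Agent fields (payloads are often encoded once or twice), and reports which indicator fired. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# One indicator per technique discussed in the article (names are ours).
INDICATORS = [
    ("php_tag", re.compile(r"<\?(php|=)", re.I)),                      # log poisoning
    ("php_input", re.compile(r"php://input", re.I)),                   # input-stream wrapper
    ("php_filter_chain", re.compile(r"php://filter/.*convert\.", re.I)),  # filter chain
    ("log_include", re.compile(r"/var/log/", re.I)),                   # include of a log file
]


def classify(line):
    """Return the indicator names that fire on a single access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # malformed line; a real pipeline would count these separately
    # Decode twice: a single pass leaves double-encoded payloads untouched.
    haystack = unquote(unquote(m.group("request") + " " + m.group("ua")))
    return [name for name, rx in INDICATORS if rx.search(haystack)]


def scan_access_log(lines):
    """Return [(line_number, [indicators])] for every suspicious line."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample log: one benign request followed by the four attack steps.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Dec/2023:15:10:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Dec/2023:15:10:07 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "<?php system($_GET[cmd]);?>"',
    '10.0.0.9 - - [15/Dec/2023:15:10:09 +0000] "GET /index.php?page=/var/log/nginx/access.log&cmd=id HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Dec/2023:15:11:02 +0000] "POST /index.php?page=php%3A%2F%2Finput HTTP/1.1" 200 77 "-" "curl/8.0"',
    '10.0.0.9 - - [15/Dec/2023:15:12:44 +0000] "GET /index.php?page=php://filter/convert.base64-decode/resource=php://temp HTTP/1.1" 200 77 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for n, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

The same indicators can be fed to a WAF or SIEM rule; the durable fix on the application side is to resolve the include parameter against an allowlist of page names rather than passing user input to include().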
Thank you all for your attention. See you again!