4. PHP wrappers

Key Takeaways:

  • From LFI to RCE:

    • The section transitions from reading local files to executing commands.

    • Enumerating credentials and SSH keys is mentioned, but the focus is on direct RCE.

  • PHP Wrappers for RCE:

    • data://, input://, and expect:// wrappers are covered.

    • The allow_url_include setting is crucial for data:// and input://.

  • Checking PHP Configurations:

    • Reading php.ini to check allow_url_include and expect status.

    • Using base64 encoding and decoding for php.ini content.

    • Using grep to find the needed configuration values.

  • data:// Wrapper:

    • Allows including external data, including PHP code.

    • Requires allow_url_include to be enabled.

    • Base64 encoding is used to pass PHP code.

    • Example: data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==

  • input:// Wrapper:

    • Includes external input from POST requests.

    • Requires allow_url_include to be enabled.

    • PHP code is passed as POST data.

    • Commands are passed as GET parameters.

    • Demonstrates how to use curl to send POST data.

  • expect:// Wrapper:

    • Allows direct command execution.

    • Requires the expect extension to be installed and enabled.

    • Example: expect://id

    • Very simple syntax.

  • Further Exploitation:

    • Mention of phar:// and zip:// wrappers for file upload scenarios.

    • Reinforces that this is not the only way to gain RCE.

Additional Considerations:

  • allow_url_include Importance:

    • This setting is a major security risk when enabled.

    • It should be disabled in production environments.

  • expect Extension Security:

    • The expect extension can also be a security risk.

    • It should be used with caution.

  • Real-World Scenarios:

    • Attackers often combine these techniques with other vulnerabilities.

    • WAFs and other security measures can hinder these attacks.

  • Defense in Depth:

    • Proper input validation and sanitization are crucial.

    • Principle of least privilege should be followed.

    • Keep PHP updated.

  • Error Messages:

    • As with all web attacks, error messages can give an attacker valuable information. Proper error handling is very important.

  • Curl usage:

    • The examples provided show very good usage of the curl command-line tool. This is a very useful tool for web penetration testing.
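A defender-side counterpart to the php.ini check above and to the allow_url_include/expect points in the considerations, written as an added example rather than taken from the course notes: it decodes a base64 php.ini dump (the form the base64 filter read returns), parses it the way PHP reads ini directives (comments, sections, last-value-wins, extension= lines) and reports the settings that make the data:, php://input (the wrapper the notes call input://) and expect:// wrappers usable. The sample ini content is constructed.

```python
import base64

# Constructed sample, base64-encoded as a php://filter base64 read returns it.
SAMPLE_PHP_INI_B64 = base64.b64encode(b"""[PHP]
;allow_url_include = Off   ; the default, left commented out
allow_url_include = On
extension=expect
""").decode()

def decode_php_ini(b64_text: str) -> str:
    """Decode php.ini content retrieved as base64 (whitespace-tolerant)."""
    return base64.b64decode("".join(b64_text.split())).decode("utf-8", "replace")

def strip_comment(line: str) -> str:
    """Drop a ';' comment unless the ';' sits inside a double-quoted value."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line

def parse_ini(ini_text: str) -> dict:
    """Minimal php.ini parser: skips [sections], keeps the last value of a repeated
    key (as PHP does) and lists each extension= (name only, no .so/path) under 'extension'."""
    settings = {"extension": []}
    for raw in ini_text.splitlines():
        line = strip_comment(raw).strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip("\"'")
        if key.lower() == "extension":
            settings["extension"].append(value.rsplit("/", 1)[-1].split(".")[0].lower())
        else:
            settings[key.lower()] = value
    return settings

def audit_wrapper_settings(ini_text: str) -> list:
    """Findings for the settings that turn the wrappers above into RCE. Extensions can
    also load from conf.d or be compiled in, so confirm an absent expect with `php -m`."""
    s, findings = parse_ini(ini_text), []
    def on(key: str) -> bool:  # PHP treats these words as true
        return s.get(key, "").lower() in {"1", "on", "true", "yes"}
    if on("allow_url_include"):
        findings.append("allow_url_include=On: data: and php://input includes work; set Off")
    if "expect" in s["extension"]:
        findings.append("expect extension loaded: expect:// is available; remove unless required")
    return findings
```

Run it against the real php.ini of a server you administer; an empty findings list means neither wrapper-enabling setting is present in that file, which is the state the considerations above recommend.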
