PHP Shell Lab - Hsanokklis/2023-2024-Tech-journal GitHub Wiki

Preparation

Disable mod_security

  • /etc/httpd/conf.d
  • comment out the following in the mod_security.conf file:

image

  • systemctl restart httpd

Check to make sure it's disabled

  • Type this into the URL and make sure it's no longer Forbidden
    • http://10.0.17.102/??<script>XSS Attack</script>

image

Install PHP (if you haven't already)

  • yum install php php-common php-cli php-curl
  • Test PHP
    • php -v
  • create an index.php file

image

  • test to see that it's working

image

PHP Shell

  • You should already know how to receive GET parameters with PHP from the input filtering lab.
  • In PHP, the system() function runs the system command given inside the parentheses, e.g.

image

image

  • Try executing cat /etc/passwd
    • Once you send the request, the %20 will disappear from the URL (the browser shows the decoded space)

image

image

In a URL, %20 means a space.

https://www.w3schools.com/tags/ref_urlencode.ASP#:~:text=URL%20encoding%20replaces%20unsafe%20ASCII,(%2B)%20sign%20or%20with%20%20.

Trying with hostname

image

Trying with ls

image

PHP Shell by Sending the Function as Parameter

Scanning tools may look for PHP files that contain common functions like system() and exec(). However, it is possible to send the PHP function name itself, as well as the system command, through GET or POST parameters.

Create a web shell that only has the letters GET in the script.

image

The output in the browser will be the same as before, except that the function name is now read from a variable instead of being hard-coded, so we have to specify in the URL that this variable will in fact be system.

image

Hints:

  • Collect both the PHP function (e.g. system) and the system command (e.g. /etc/passwd) as two different GET parameters. In other words, the function name 'system' will be passed as a parameter.
  • Use "&" to join multiple GET parameters (http://www.test.com/test.php?firstname=cyber&lastname=duck)
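A defender-side check for the technique this page describes, added here as an example and not part of the original lab: it parses Apache-style access log lines (constructed sample data, not real traffic), URL-decodes each query parameter, and flags requests whose parameter values are PHP command-execution function names or contain shell fragments such as cat /etc/passwd. The function list and shell markers are assumptions to tune for your own environment.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit, parse_qs, unquote

# PHP functions that execute OS commands or evaluate code. A request that
# carries one of these names as a parameter VALUE matches the lab's trick of
# letting the client supply the function name (assumed list, extend as needed).
DANGEROUS_FUNCS = {"system", "exec", "shell_exec", "passthru",
                   "popen", "proc_open", "eval", "assert"}

# Shell fragments typical of command-injection probing (assumed list).
SHELL_MARKERS = ("/etc/passwd", "/bin/sh", "whoami", "hostname", "uname -a")

# Apache combined log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) ')


def analyze_request(target: str) -> List[str]:
    """Return reasons a request target looks like web-shell use (empty if clean)."""
    reasons = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for v in values:
            v_dec = unquote(v)          # parse_qs decoded once; catch double-encoding too
            if v_dec.strip().lower() in DANGEROUS_FUNCS:
                reasons.append(f"param {name!r} carries PHP function name {v_dec.strip().lower()!r}")
            if any(marker in v_dec for marker in SHELL_MARKERS):
                reasons.append(f"param {name!r} contains shell fragment: {v_dec!r}")
    return reasons


def scan_log(lines) -> List[Tuple[str, str, List[str]]]:
    """Return (client ip, request target, reasons) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reasons := analyze_request(m["target"])):
            hits.append((m["ip"], m["target"], reasons))
    return hits


# Constructed sample log lines mirroring the lab's requests (not real traffic).
SAMPLE_LOG = [
    '10.0.17.50 - - [12/Feb/2024:10:01:02 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.17.50 - - [12/Feb/2024:10:01:09 -0500] "GET /shell.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 1834 "-" "curl/8.0"',
    '10.0.17.50 - - [12/Feb/2024:10:01:15 -0500] "GET /test.php?f=system&c=hostname HTTP/1.1" 200 40 "-" "curl/8.0"',
    '10.0.17.51 - - [12/Feb/2024:10:02:00 -0500] "GET /test.php?firstname=cyber&lastname=duck HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

Note that the second sample request contains no PHP function name at all, so a rule that only looks for "system" in source files or URLs would miss it; matching on decoded parameter values catches both variants.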