Hello everyone.
Today, I come back to the Root-Me Web server challenges. This time, the challenge is at medium level. Let's get started! The challenge gives us a mechanism to upload an image file (JPG only) from the PC. I decided to test this function.
So, after we upload an image, two params appear.
Because it's about an LFI vuln, I try fuzzing the page param:
DingDoong, the filter is activated. Forget it, let's focus on PHP wrappers.
A wrapper is additional code which tells the stream how to handle specific protocols/encodings. For example, the http wrapper knows how to translate a URL into an HTTP/1.0 request for a file on a remote server.
Okay, in my opinion, this stuff will help us access a file (local or on a remote server) in some way (read, write, etc.). There are many wrappers, each serving a different purpose.
PHP Expect Wrapper
PHP expect:// allows execution of system commands; unfortunately, the expect PHP module is not enabled by default.
Example:
php?page=expect://ls
PHP php://filter
php://filter allows a pen tester to include local files and base64-encode the output. Therefore, any base64 output will need to be decoded to reveal the contents.
php?page=php://filter/convert.base64-encode/resource=/etc/passwd
LFI via /proc/self/environ
If it's possible to include /proc/self/environ via a local file inclusion vulnerability, then introducing source code via the User-Agent header is a possible vector. Once code has been injected into the User-Agent header, a local file inclusion vulnerability can be leveraged to include /proc/self/environ and reload the environment variables, executing the injected PHP code.
Email a Reverse Shell
If the target machine relays mail, either directly or via another machine on the network, and stores mail for the user www-data (or the apache user) on the system, then it's possible to email a reverse shell to the target. If no MX records exist for the domain but SMTP is exposed, it's possible to connect to the target mail server and send mail to the www-data / apache user. Mail is sent to the user running apache, such as www-data, to ensure file system permissions will allow read access to the file /var/spool/mail/www-data containing the injected PHP reverse shell code.
And after spending my time googling, I found a way to combine everything in this chall:
File upload + LFI vulnerability + PHP Wrapper => Use zip:// wrapper !
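Every wrapper above only works because the raw page parameter reaches include(). As an added example (my own code, not part of the challenge or the original write-up), here is the vulnerable include next to a hardened version; the pages directory, the allowlist and the page names are assumed.

```php
<?php
// Added example, not the challenge's code. Assumed layout: includable page
// templates live in PAGES_DIR and are selected by a bare name only.
const PAGES_DIR = __DIR__ . '/pages';                 // assumed location of pages
const ALLOWED_PAGES = ['home', 'upload', 'gallery'];  // assumed allowlist

// Vulnerable form: the user string becomes the include path, so PHP resolves
// any stream wrapper it contains (php://filter, zip://, expect://, data://).
function include_page_vulnerable(string $page): void
{
    include $page;
}

// Hardened form: map the parameter to a fixed name; the user string itself
// never becomes a path. Returns the resolved file path, or null on rejection.
function resolve_page(string $page): ?string
{
    // 1. Exact-match allowlist: a wrapper prefix, a path separator or a
    //    traversal sequence can never equal a bare page name.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // 2. Build the path ourselves and confirm it still lies inside PAGES_DIR,
    //    so a stray symlink or renamed template cannot escape the directory.
    $path = realpath(PAGES_DIR . '/' . $page . '.php');
    $base = realpath(PAGES_DIR);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function include_page_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);   // reject instead of trying to sanitise
        echo 'Unknown page';
        return;
    }
    include $path;
}

// With this in place, an uploaded JPG (valid or not) is just a file in the
// upload directory: nothing turns it into an include target any more.
include_page_hardened($_GET['page'] ?? 'home');
```

Blocklisting substrings like "php://" is not enough, since the allowlist is what removes the whole class; keep allow_url_include off as well so remote wrappers never apply.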