Arrexel / phpbash

A semi-interactive PHP shell compressed into a single file.
Apache License 2.0

Bug when dealing with path names #19

Closed 20esaua closed 6 years ago

20esaua commented 6 years ago

https://github.com/Arrexel/phpbash/blob/master/phpbash.php#L12

Shouldn't this be:

function endsWith($haystack, $needle) {
    return strlen($needle) === 0 || (substr($haystack, -strlen($needle)) === $needle);
}

if(!endsWith($path, '/')) {
    $path .= '/';
}

?

Right now the code is:

if($path != '/') {
    $path .= '/';
}

If the path is /etc, it does not equal /, so it won't append the /. But if someone uploads a file, say screenshot.png, the final path it generates will be /etcscreenshot.png because /etc (the original path) did not end in /. However, if you simply check if the path ends in / (and if not, add a / after the path), it will always generate /etc/screenshot.png (which is what you want).
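Added example, not part of the thread or of phpbash's own code: the two checks quoted in the comment above, run side by side over constructed directory values so the joined upload path each one produces can be compared. The function names `appendUnlessRoot`, `appendUnlessTrailingSlash` and `joinPath` are hypothetical, and the `rtrim`-based variant is a third option assumed here for comparison, not something proposed in the issue.

```php
<?php
// Added illustration; function names are hypothetical, not phpbash's own.

// The check the issue quotes as the current code.
function appendUnlessRoot(string $path): string {
    if ($path != '/') {
        $path .= '/';
    }
    return $path;
}

// The helper and check the issue proposes.
function endsWith(string $haystack, string $needle): bool {
    return strlen($needle) === 0
        || substr($haystack, -strlen($needle)) === $needle;
}

function appendUnlessTrailingSlash(string $path): string {
    if (!endsWith($path, '/')) {
        $path .= '/';
    }
    return $path;
}

// Third option (an assumption, not from the thread): strip every trailing
// slash first, so exactly one separator is emitted whatever the input was.
function joinPath(string $dir, string $file): string {
    return rtrim($dir, '/') . '/' . $file;
}

// Constructed sample inputs: root, no trailing slash, one trailing slash,
// and repeated trailing slashes.
$samples = ['/', '/etc', '/etc/', '/var/www//'];
$file = 'screenshot.png';

foreach ($samples as $dir) {
    printf(
        "%-12s unless-root: %-28s ends-with: %-28s rtrim: %s\n",
        $dir,
        appendUnlessRoot($dir) . $file,
        appendUnlessTrailingSlash($dir) . $file,
        joinPath($dir, $file)
    );
}
```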

TerminalFi commented 6 years ago

No, that is not correct.

$path is set only to the current working directory, which is received when sending a command via the pwd command. It is then properly set with

currentDir = parsedResponse[2].replace(new RegExp("/", "g"), "/");

Look further down at the getShellInfo() command.

tommyyama2020 commented 6 years ago

Sorry for an amateur question. Will this work in Kali Linux?

Arrexel commented 6 years ago

@tommyyama2020 This is meant to be placed on any PHP-enabled web server; it does not run on your system. In a pentest, it is used mainly after gaining some kind of file upload or RCE on the target, as you need to be able to place the file on the server in some way. It is then accessed via web browser.