Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: PHP

Rewriting Tumblr RSS feeds

After the demise of Google Reader's sharing function (thanks for that, Google), a lot of people in (and out of) the InfoSec community searched about for a suitable replacement, without much joy. As a stop-gap solution I moved over to Tumblr (feed.c22.cc) and started using it to share interesting things through an RSS feed and have them reposted to Twitter (see my [SuggestedReading] tweets). This seemed to work as well as any solution, but there was one nagging issue that kept bugging me. When you clicked on a [SuggestedReading] link posted to Twitter you were redirected to Tumblr, and given the real link to click to see the story. A small issue, but something that bugged me, and bugged people using those links as well…

Feed from Tumblr (example entry):

<item>
<title>
Oatmeal: I tried to watch Game of Thrones and this is what happened
</title>
<description>
<a href="http://theoatmeal.com/comics/game_of_thrones">Oatmeal: I tried to watch Game of Thrones and this is what happened</a>: <p>… and THIS is why people pirate shit!</p>
</description>
<link>http://feed.c22.cc/post/18002558690</link>
<guid>http://feed.c22.cc/post/18002558690</guid>
<pubDate>Tue, 21 Feb 2012 03:19:37 -0500</pubDate>
</item>

As you can see, the link tags point to posts on feed.c22.cc (the Tumblr blog)… and not directly to the end URL.

So, in a moment of frustration I sat down and wrote some PHP code to rewrite the RSS feed. It’s not well written, and it’s not perfect (in fact I struggled a bit with some UTF-8 encoding issues, which I HOPE are now fixed). In the spirit of sharing, I’ve uploaded the source in case anybody with the same issue wants to host their own script to perform the rewriting.

Rewritten feed (example entry):

<item>
<title>
Oatmeal: I tried to watch Game of Thrones and this is what happened
</title>
<description>
<a href="http://theoatmeal.com/comics/game_of_thrones">Oatmeal: I tried to watch Game of Thrones and this is what happened</a>: <p>… and THIS is why people pirate shit!</p>
</description>
<link>http://theoatmeal.com/comics/game_of_thrones</link>
<guid>http://theoatmeal.com/comics/game_of_thrones</guid>
<pubDate>Tue, 21 Feb 2012 03:19:37 -0500</pubDate>
</item>

The rewriting process is called each time the PHP file is requested, but this can easily be scheduled and output to a file if you need.

Process:

  • Feedburner calls rssRwrite.php (self hosted)
  • rssRwrite reads in the Tumblr RSS
  • Entries are extracted from this RSS
  • A new RSS is created (with required changes to the link)
  • This new (rewritten) RSS is returned to Feedburner
  • Feedburner does its thing!

Personally I set up Feedburner to access the rewrite PHP link and republish (and share out) the content as required. This step is up to you, but to reduce load on the rewrite script this seemed like the best trade-off, and I use Feedburner for sharing things anyway. It’s a bit of a tangled web, but one that seems to work for now!
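The rewrite step described above (read the Tumblr RSS, pull the real target out of each entry's body, point link and guid at it, emit a new feed), as an added example in Python rather than the post's own PHP script. The feed below is a constructed sample modelled on the entry quoted earlier, with a second link-less item added to show that such entries keep their Tumblr permalink; the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed modelled on the Tumblr entry quoted above; the
# second item has no outbound link and must keep its Tumblr permalink.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>feed.c22.cc</title>
<item>
<title>Oatmeal: I tried to watch Game of Thrones and this is what happened</title>
<description><![CDATA[<a href="http://theoatmeal.com/comics/game_of_thrones">Oatmeal: I tried to watch Game of Thrones and this is what happened</a>: <p>… and THIS is why people pirate shit!</p>]]></description>
<link>http://feed.c22.cc/post/18002558690</link>
<guid>http://feed.c22.cc/post/18002558690</guid>
<pubDate>Tue, 21 Feb 2012 03:19:37 -0500</pubDate>
</item>
<item>
<title>Plain note with no link</title>
<description><![CDATA[<p>Nothing to rewrite here.</p>]]></description>
<link>http://feed.c22.cc/post/18002558691</link>
<guid>http://feed.c22.cc/post/18002558691</guid>
</item>
</channel></rss>"""

# Tumblr link posts put the real target in the first <a href> of the body.
HREF_RE = re.compile(r'<a\s+[^>]*href="(https?://[^"]+)"', re.IGNORECASE)

def first_link(description_html):
    """Return the first absolute http(s) href in the description, or None."""
    m = HREF_RE.search(description_html or "")
    return m.group(1) if m else None

def rewrite_feed(rss):
    """Point each item's <link> and <guid> at the outbound URL.
    Works on bytes so the UTF-8 declaration and non-ASCII text survive;
    returns (rewritten feed as UTF-8 bytes, number of items rewritten).
    """
    if isinstance(rss, str):
        rss = rss.encode("utf-8")
    root = ET.fromstring(rss)
    rewritten = 0
    for item in root.iter("item"):
        target = first_link(item.findtext("description"))
        if target is None:
            continue  # no outbound link: keep the Tumblr permalink
        for tag in ("link", "guid"):
            el = item.find(tag)
            if el is None:  # tolerate feeds that omit one of them
                el = ET.SubElement(item, tag)
            el.text = target
        rewritten += 1
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), rewritten
```

Serialising the tree drops the CDATA wrapper and escapes the HTML instead, which is equally valid RSS; the ellipsis and other non-ASCII characters come through as UTF-8 bytes.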

Hope you enjoy… and please, no laughing at my bad PHP code 😉 Comments are, as always, welcome!

Update:

@mubix pointed me to Yahoo Pipes as an easier alternative to achieve the same kind of rewrite… You can check out the solution he suggested HERE. I hadn’t really looked much at Yahoo Pipes, and TBH, thought it had been discontinued as the Yahoo empire began sinking into the sand from whence it came. Good to see it’s not only still available, but actually one of the few Yahoo resources that is actually useful 😉

Links:

  • rssRwrite PHP source –> HERE

[BSidesLV] Beyond r57

Beyond r57 – Eygyp7

There are a thousand PHP shells on the web, either by design or simple stupidity.

  • PHP Background
  • PHP Payloads
  • Meterpreter Background
  • Difficulties

PHP Background

PHP is retarded. Objects are an afterthought (15 years later!)

Sometimes they return 1, sometimes they return true –> WTF!

PHP Payloads

r57 (PHP Shell)… is a clusterfuck of forms. Ugly as hell.

It’s intended to be used on a webserver only for access to the local site. There’s not much in r57 or other shells to go beyond the local and move on to connected systems.

A whole bunch of r57 shells on the web currently are backdoored –> base64 encoded section at the end sends a shell back to an IP in Russia.

c99 (PHP Shell)… pretty much the same as r57.

No methods to go beyond the local server.

Uploading a shell to a remote server leaves logs and files. If you’re not getting detected, then they’re not even trying!

Some of them even call home to the authors.

The essence of payloads is to create some form of communication.

Simple PHP shells in Metasploit:

  • PHP/Exec
  • PHP/DownloadExec

These do simple execution and nothing more.

Something more useful would be a remote shell and in/out to and from the box.

  • PHP/reverse_tcp
  • PHP/bind_tcp

Most commands (except cd) don’t hold state between commands. It’s easier to deal with commands one at a time!

So it gets better:

  • PHP/meterpreter/reverse_tcp
  • PHP/meterpreter/bind_tcp

More flexible, extensible and capable.

This doesn’t have to be on disk, bypassing the issues traditional PHP shells have with uploading files and executing them.

Uses the same protocol as the traditional meterpreter. This means the same client-side connector can be used.

Does as much as possible through PHP without calling a shell. Not everything is possible however (ps for example). Works in a chroot and doesn’t need /bin/sh

Anywhere PHP runs, PHP/meterpreter runs…. Windows, Linux, ….

In restrictive environments you can still use the meterpreter PHP shell… not limited to installed commands.

Programmatically automatable –> Scriptable and extensions to make things easier on the fly –> Use of existing scripts

Flexible extension system… loading external PHP (through eval)

Designed for modular extension.

Modular scripting capabilities include tcp, udp, process and file channels.

e.g. client.sys.config.sysinfo (not 100% the same format as std. Meterpreter)

Challenges of writing this in PHP

  1. Magic Quotes
  2. Size restrictions
  3. Safe mode
  4. disable_functions setting in php.ini
  5. PHP is stupid

Magic Quotes

  • Base64 encode and decode! No need for quotes
  • Increases size by 1/3

Size restrictions

  • Limits (Apache 4000 bytes). Solution was to use a stager
  • Stub to load further data
  • Entire PHP meterpreter is around 8k

Safe Mode

  • Restricts opening of files unless your UID owns that file
  • No restrictions on sockets!
  • Not a big issue

disable_functions

  • Can disable functions that we need
  • Can try a bunch of possible workaround functions
    • There are 14 functions that can run a command!
    • shell_exec, passthru, system, popen, …
  • Esser’s memory corruption
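The notes above mention backdoored r57 copies with a base64 stub appended and the fourteen command-execution functions a payload can fall back on when disable_functions blocks some of them; from the defender's side, those are the things worth scanning uploaded PHP for. As an added example (not from the talk or this blog), a small Python scanner that counts those indicators and rates a file. Only four of the fourteen functions are named on the page; the other two in the list below come from the PHP manual, and both sample files are constructed test vectors, not real shells.

```python
import re

# Command-execution functions: the four named in the notes plus two more
# (exec, proc_open) taken from the PHP manual; this list is an assumption,
# not the talk's full list of fourteen.
EXEC_FUNCS = ("shell_exec", "passthru", "system", "popen", "exec", "proc_open")

INDICATORS = {
    # call to a command-execution function
    "exec_func": re.compile(r"\b(?:" + "|".join(EXEC_FUNCS) + r")\s*\(", re.I),
    # request data read into the script (the "cmd" parameter of a shell)
    "user_input": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[", re.I),
    # eval of a base64 blob, optionally wrapped (eval(gzinflate(base64_decode(...))))
    "eval_b64": re.compile(r"\beval\s*\((?:\s*\w+\s*\()*\s*base64_decode\s*\(", re.I),
    # long run of base64 alphabet: the appended stub the talk mentions
    "b64_blob": re.compile(r"[A-Za-z0-9+/=]{200,}"),
}

def scan_php(source):
    """Count each indicator in one PHP source string."""
    return {name: len(rx.findall(source)) for name, rx in INDICATORS.items()}

def risk(hits):
    """Rate the counts: exec fed by request data, or an eval'd blob, is high."""
    score = 0
    if hits["eval_b64"]:
        score += 3
    if hits["b64_blob"]:
        score += 2
    if hits["exec_func"]:
        score += 3 if hits["user_input"] else 1
    return "high" if score >= 3 else "medium" if score else "low"

# Constructed samples, not real shells: a minimal shell with an appended
# eval/base64 stub, and a benign page that merely reads a query parameter.
SAMPLE_SHELL = '<?php\n$c = $_REQUEST["c"];\npassthru($c);\n' \
               '/* appended */ eval(base64_decode("' + "QUFB" * 80 + '"));\n'
SAMPLE_CLEAN = '<?php\n$page = (int)$_GET["page"];\necho "Page " . $page;\n'

if __name__ == "__main__":
    for name, src in (("shell", SAMPLE_SHELL), ("clean", SAMPLE_CLEAN)):
        print(name, risk(scan_php(src)), scan_php(src))
```

Run over a web root this flags the obvious cases; a shell that stays in memory (as the PHP meterpreter notes describe) leaves no file to scan, so pair it with the request logs the talk says uploads always leave.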

PHP is stupid

  • Stream and socket resources
    • They don’t play well together….
  • Difference in output for system commands
    • Each of the 14 ways to exec code return different output!
  • Operator precedence
  • Can’t assume anything newer than 4.3

What’s good in PHP

Don’t need /bin/sh –> chroot env still works

Running system commands through extensions –> perl for example

Win32std gives you direct access to Windows system calls

PHP Meterpreter – What Works

  • Upload/Download
  • Editing files
  • Read files
  • Process interaction (execute -i)
  • Pivoting, tcp/udp, portfwd

PHP Meterpreter – Not working

  • Screenshots
  • UI Fiddling
  • Incognito / token manipulation

PHP Meterpreter – Might work later

  • Registry editing
  • Log modification (Windows)

The Future

Java Meterpreter and JSPterpreter

  • Already have working code… should be integrated soon

ASPterpreter

  • An unknown… need an ASP guru to take up the challenge

MACterpreter/POSIX Meterpreter

  • Most code present, not yet usable
  • Compiles!

Implement Esser memory corruption exploits for use with a getsystem command in PHP meterpreter

New features going into the regular meterpreter will also be implemented in the PHP version if they make sense (not everything does)

What should it be called?

  • PHP Meterpreter / PHP-terpreter
  • Meterphpter
  • phpterpreter
  • phpsucksmyballsterpreter

Links: