In a pentest recently I was faced with an interesting problem, and I figured it may make for an interesting read. The company had only one public-facing website, written in PHP and hosted on a hardened Debian box. All scans and automated tools reported back nothing obviously exploitable. However, there was a simple directory traversal bug in the website's PHP code. Using this bug I managed to gain shell access on the machine, and eventually root. The method by which I gained shell access was by far the most interesting approach I have had to come up with in a while.

Recall that any PHP code in a file that is included by PHP will be executed. With this in mind I set out to find a place where I could dump PHP code onto the system, and eventually browse to it using the directory traversal bug. All comments and other supplied inputs went directly into the database, so I could not write to a file that way. However, what I noticed was that the language value was being stored in my PHP session. Furthermore, this session variable was not being properly filtered. So using WebScarab I modified my language to a simple set of PHP instructions that would download and run netcat for me. I then used the directory traversal bug to view “/var/lib/php/sessions/” and execute the stored PHP code. From there I had a reverse shell on the machine and the rest was easy.
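As an added example (not code from the original post or the site described in it), this is how the two weaknesses chained above are closed on the PHP side: the language value is mapped through an allowlist before it ever reaches the session file, and the path handed to `require` is confined to a template directory. The `lang` and `page` parameters, the `templates` directory and the language list are assumptions for illustration.

```php
<?php
// Added example: hardening the session-poisoning + directory-traversal chain.
// Parameter names, the templates directory and the language list are assumed.
declare(strict_types=1);

// 1. Never store raw user input in the session. PHP serialises $_SESSION to
//    /var/lib/php/sessions/sess_<id> verbatim, so whatever the user sends for
//    the language would land on disk as-is. Map the input to a fixed allowlist
//    and store only the allowlisted value.
const ALLOWED_LANGS = ['en' => 'en', 'de' => 'de', 'fr' => 'fr'];

function selectLanguage(string $requested): string
{
    // Unknown values fall back to the default instead of being persisted.
    return ALLOWED_LANGS[$requested] ?? 'en';
}

// 2. Never pass a user-controlled path to include/require. Restrict the name
//    to a plain identifier, resolve it with realpath() and require the result
//    to stay under the template root.
function resolveTemplate(string $page, string $templateRoot): ?string
{
    $root = realpath($templateRoot);
    if ($root === false) {
        return null;
    }
    // Plain file names only: no slashes, dots or NUL bytes reach the filesystem.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $page . '.php');
    // realpath() collapses "../" and symlinks; the prefix check catches escapes.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

session_start();
$_SESSION['lang'] = selectLanguage((string)($_GET['lang'] ?? 'en'));

$template = resolveTemplate((string)($_GET['page'] ?? 'home'), __DIR__ . '/templates');
if ($template === null) {
    http_response_code(404);
    exit;
}
require $template;
```

As a second layer independent of the application code, `open_basedir` in php.ini limits the directories PHP may read from at all, so a traversal bug in one script cannot reach the session directory even if the path check is missed.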