LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
Even if you have found a Local File Inclusion but have no session and session.auto_start is Off, you can still obtain one: if session.upload_progress.enabled is On and you supply PHP_SESSION_UPLOAD_PROGRESS in multipart POST data, PHP will enable the session for you.
Note that with PHP_SESSION_UPLOAD_PROGRESS you can control data inside the session, so if you include your session file you can include a part you control (a PHP shellcode, for example).
However, most tutorials on the internet recommend setting session.upload_progress.cleanup to Off for debugging purposes. The default value of session.upload_progress.cleanup in PHP is still On, which means your upload progress is cleaned from the session as soon as possible. So this is a Race Condition.
In the original CTF where this technique was discussed, exploiting the Race Condition was not enough: the loaded content also needed to start with the string @<?php.
Due to the default setting of session.upload_progress.prefix, our SESSION file will start with an annoying prefix, upload_progress_, such as: upload_progress_controlledcontentbyattacker
The trick to remove the initial prefix was to base64-encode the payload 3 times and then decode it via convert.base64-decode filters. This works because, when base64-decoding, PHP discards characters that are not in the base64 alphabet, so after 3 rounds only the payload sent by the attacker remains (and the attacker then controls the initial part of the file).
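From the defender's side, the technique leaves a recognisable request shape: a multipart POST carrying the PHP_SESSION_UPLOAD_PROGRESS field together with a request target that runs a convert.base64-decode filter chain over the session file named by the client's own PHPSESSID. The following Python check, added here and not part of the original page or writeup, flags that combination in a raw request; the sample request, the /tmp session path, the boundary and the hostname are constructed for illustration.

```python
import re

# Request-target fragments that, next to an upload-progress field, point at an
# attempt to include the planted session file rather than at a genuine upload.
INCLUDE_MARKERS = ("php://filter", "convert.base64-decode", "sess_")

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request-target, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ")[1], headers, body

def multipart_field_names(headers: dict, body: bytes) -> list:
    """Return the form field names in a multipart/form-data body ([] if not multipart)."""
    ctype = headers.get("content-type", "")
    m = re.search(r'boundary="?([^";]+)"?', ctype)
    if not ctype.startswith("multipart/form-data") or not m:
        return []
    names = []
    for part in body.split(b"--" + m.group(1).encode("latin-1")):
        # \bname keeps the filename="..." parameter of file parts from matching
        d = re.search(rb'Content-Disposition:[^\r\n]*\bname="([^"]*)"', part, re.I)
        if d:
            names.append(d.group(1).decode("latin-1"))
    return names

def assess(raw: bytes) -> list:
    """Return findings for one request; [] means no sign of session-file planting."""
    target, headers, body = parse_request(raw)
    if "PHP_SESSION_UPLOAD_PROGRESS" not in multipart_field_names(headers, body):
        return []  # upload progress without an include attempt is ordinary traffic
    findings = []
    hits = [mk for mk in INCLUDE_MARKERS if mk in target]
    if hits:
        findings.append("target references a session file or filter chain: " + ", ".join(hits))
    sid = re.search(r"PHPSESSID=([^;\s]+)", headers.get("cookie", ""))
    if sid and "sess_" + sid.group(1) in target:
        findings.append("target includes the session file named by the client's own PHPSESSID")
    return findings

# Constructed sample (not from the page): progress field plus a self-referential include.
SUSPICIOUS = (
    b"POST /index.php?page=php://filter/convert.base64-decode/resource=/tmp/sess_abc123 HTTP/1.1\r\n"
    b"Host: app.example\r\nCookie: PHPSESSID=abc123\r\nContent-Type: multipart/form-data; boundary=----b0undary\r\n\r\n"
    b'------b0undary\r\nContent-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"\r\n\r\n'
    b'<constructed-payload>\r\n------b0undary\r\nContent-Disposition: form-data; name="file"; filename="x.txt"\r\n\r\nx\r\n------b0undary--\r\n'
)
```

Run over the same request with an ordinary upload target (for example /upload.php) the check returns an empty list, so the progress field alone never raises an alert.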
More information in the original writeup: https://blog.orange.tw/2018/10/
Final exploit: https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp_for_php.py
Another writeup: https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/