LFI2RCE Via temp file uploads

​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
PHP File uploads
PHP engine, upon receiving a POST packet with RFC 1867 coded file(s), creates one or more temporary files which are used to store the uploaded files data. A PHP script handling file uploads is required to use the move_uploaded_file function to move the uploaded temporary file to a place of it's desire (if the script requires the file to exists after it terminates that is). When the script ends PHP engine removes all temporary files for files that were uploaded (if any are left after the script ends that is).
As the attacker will usually know where this temporary files are located, in case he found a Local File Inclusion, he might find to load the file being uploaded and get RCE.
The main problem to access the file basically to guess its name (which will be "random").
Windows Exploitation
To generate the random name on Windows, PHP uses the GetTempFileName function. Looking into documentation we can find the following explanation: The GetTempFileName function creates a temporary file name of the following form:
<path>\<pre><uuuu>.TMP
The path is upload_tmp_dir which normally it's C:\Windows\Temp
The pre is usually: "php"
The <uuuu> is a unique hex value. However:
Only the lower 16 bits of the uUnique parameter are used. This limits GetTempFileName to a maximum of 65,535 unique file names if the lpPathName and lpPrefixStringparameters remain the same. It's possible to brute-force it.
As we saw, it's fairly easy to find the temporary file in Windows systems. And it's going to get easier because brute force is not needed here, thanks to a certain FindFirstFile quirk which allows using masks (<< as * and > as ?) in LFI paths on Windows. Thanks to this, one can form an include path like this:
http://site/vuln.php?inc=c:\windows\temp\php<<
(In some cases more specific mask might be necessary such as php1<< or phpA<<). You can Brute-Force more specific masks until you find your uploaded temporary file.
GNU/Linux Exploitation
The random value of the file name is good enough to not be neither predictable nor brute-forceable. For more info, check the references.
References
​https://gynvael.coldwind.pl/?id=376​
​https://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf​
​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
LFI2RCE via phpinfo()
LFI2RCE via Eternal waiting
Last modified 5mo ago