LFI2RCE Via temp file uploads

PHP File uploads

PHP engine, upon receiving a POST packet with RFC 1867 coded file(s), creates one or more temporary files which are used to store the uploaded files data. A PHP script handling file uploads is required to use the move_uploaded_file function to move the uploaded temporary file to a place of it's desire (if the script requires the file to exists after it terminates that is). When the script ends PHP engine removes all temporary files for files that were uploaded (if any are left after the script ends that is).
As the attacker will usually know where this temporary files are located, in case he found a Local File Inclusion, he might find to load the file being uploaded and get RCE.
The main problem to access the file basically to guess its name (which will be "random").

Windows Exploitation

To generate the random name on Windows, PHP uses the GetTempFileName function. Looking into documentation we can find the following explanation: The GetTempFileName function creates a temporary file name of the following form:
  • The path is upload_tmp_dir which normally it's C:\Windows\Temp
  • The pre is usually: "php"
  • The <uuuu> is a unique hex value. However:
    • Only the lower 16 bits of the uUnique parameter are used. This limits GetTempFileName to a maximum of 65,535 unique file names if the lpPathName and lpPrefixStringparameters remain the same. It's possible to brute-force it.
As we saw, it's fairly easy to find the temporary file in Windows systems. And it's going to get easier because brute force is not needed here, thanks to a certain FindFirstFile quirk which allows using masks (<< as * and > as ?) in LFI paths on Windows. Thanks to this, one can form an include path like this:
(In some cases more specific mask might be necessary such as php1<< or phpA<<). You can Brute-Force more specific masks until you find your uploaded temporary file.

GNU/Linux Exploitation

The random value of the file name is good enough to not be neither predictable nor brute-forceable. For more info, check the references.