LFI2RCE Via temp file uploads
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Check the full details of this technique in https://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf
When the PHP engine receives a POST request carrying file parts formatted according to RFC 1867 (multipart/form-data), it writes each uploaded file to a temporary file before the script runs, whether or not the script ever reads $_FILES. A script that wants to keep an upload must call move_uploaded_file() to relocate the temporary file; when the request finishes, PHP deletes every temporary upload file that was not moved.
Security Alert: An attacker who knows where these temporary files live can abuse a Local File Inclusion vulnerability to include (and therefore execute) the uploaded file while it still exists, i.e. during the same request that uploaded it.
The obstacle is guessing the temporary file's name, which is deliberately randomized.
Exploitation on Windows Systems
On Windows, PHP names the temporary files with the Win32 GetTempFileName function, which yields <path>\<pre><uuuu>.TMP. Notably:
The default path is typically C:\Windows\Temp.
The prefix is "php".
<uuuu> is a hexadecimal number. GetTempFileName only uses the lower 16 bits of the unique value, so with a fixed path and prefix there are at most 65,535 possible names (php0001.tmp to phpFFFF.tmp), which is within brute-force range.
In practice brute force is not even needed. PHP's path resolution on Windows goes through FindFirstFile, which accepts the legacy DOS wildcard characters (< behaves roughly like * and > like ?), so wildcards also work in an LFI path. The attacker sends the upload to the vulnerable script and, in that same request, includes the temporary file by mask rather than by exact name:
C:\Windows\Temp\php<<
In certain situations a more specific mask (like php1<< or phpA<<) is required, for example when the broad mask is ambiguous because other php*.tmp files exist. Iterating over the sixteen possible first hex digits of <uuuu> finds the uploaded temporary file.
Exploitation on GNU/Linux Systems
On GNU/Linux, PHP creates the temporary file with mkstemp-style naming, /tmp/phpXXXXXX, where the six X characters are random alphanumerics (62^6 possibilities), and include paths are not wildcard-expanded. The name is therefore neither predictable nor brute-forceable the way it is on Windows. Further details can be found in the referenced paper.