Taarifa Msingi

Ikiwa umepata Unganisho wa Faili za Kienyeji (LFI) hata kama huna kikao na session.auto_start iko Off. Ikiwa session.upload_progress.enabled iko On na unatoa PHP_SESSION_UPLOAD_PROGRESS katika data ya POST ya sehemu nyingi, PHP ita kuwezesha kikao kwako.

$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -d 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -F 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah'  -F 'file=@/etc/passwd'
$ ls -a /var/lib/php/sessions/
. .. sess_iamorange

In the last example the session will contain the string blahblahblah

Tafadhali kumbuka kwamba na PHP_SESSION_UPLOAD_PROGRESS unaweza kudhibiti data ndani ya kikao, hivyo ikiwa unajumuisha faili yako ya kikao unaweza kujumuisha sehemu unayoidhibiti (kama vile php shellcode).

CTF

Katika CTF ya asili ambapo mbinu hii ina maoni, haikutosha kuchexploitisha Hali ya Mashindano lakini yaliyomo yaliyopakiwa yalihitaji kuanza pia na mfuatano @<?php.

Kutokana na mipangilio ya msingi ya session.upload_progress.prefix, faili yetu ya KIKAO itaanza na kiambishi cha kuchosha upload_progress_ Kama vile: upload_progress_controlledcontentbyattacker

Ujanja wa kuondoa kiambishi cha awali ilikuwa kubadilisha msingi wa payload mara 3 na kisha kuidondoa kupitia vichujio vya convert.base64-decode, hii ni kwa sababu wakati wa kuidondoa msingi wa base64 PHP itaondoa wahusika wa ajabu, hivyo baada ya mara 3 pekee payload iliyotumwa na mshambuliaji ita baki (na kisha mshambuliaji anaweza kudhibiti sehemu ya awali).

Maelezo zaidi katika andiko la asili https://blog.orange.tw/2018/10/ na kudukua mwisho https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp_for_php.py Andiko lingine katika https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/