From 28425b37a321f0bfda3d46b263c6d9dd794deffa Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 19 Jun 2022 22:48:46 +0200
Subject: [PATCH] LFI to RCE via upload (FindFirstFile)

---
 File Inclusion/README.md | 13 ++++++++++++-
 SQL Injection/OracleSQL Injection.md | 3 ++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/File Inclusion/README.md b/File Inclusion/README.md
index 0e6c0b5..a3c70f8 100644
--- a/File Inclusion/README.md
+++ b/File Inclusion/README.md
@@ -25,6 +25,7 @@
 * [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
 * [LFI to RCE via upload](#lfi-to-rce-via-upload)
 * [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race)
+* [LFI to RCE via upload (FindFirstFile)](#lfi-to-rce-via-upload-findfirstfile)
 * [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
 * [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
 * [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
@@ -272,6 +273,15 @@ for fname in itertools.combinations(string.ascii_letters + string.digits, 6):
     print('[x] Something went wrong, please try again')
 ```
 
+## LFI to RCE via upload (FindFirstFile)
+
+:warning: Only works on Windows
+
+`FindFirstFile` allows using masks (`<<` as `*` and `>` as `?`) in LFI paths on Windows.
+
+* Upload a file, it should be stored in the temp folder `C:\Windows\Temp\`.
+* Include it using `http://site/vuln.php?inc=c:\windows\temp\php<<`
+
 ## LFI to RCE via phpinfo()
 
@@ -433,4 +443,5 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
 * [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
 * [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
 * [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
-* [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
\ No newline at end of file
+* [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
+* [PHP LFI to arbitratry code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)
diff --git a/SQL Injection/OracleSQL Injection.md b/SQL Injection/OracleSQL Injection.md
index 39535ed..c0e3844 100644
--- a/SQL Injection/OracleSQL Injection.md
+++ b/SQL Injection/OracleSQL Injection.md
@@ -110,4 +110,5 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
 
 ## References
 
-* [Heavily taken inspired by - NetSpi SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
+* [NetSpi - SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
+* [ASDC12 - New and Improved Hacking Oracle From Web](https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf)
\ No newline at end of file