hacktricks/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md

<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
**Check the full details of this technique in [https://gynvael.coldwind.pl/download.php?f=PHP\_LFI\_rfc1867\_temporary\_files.pdf](https://gynvael.coldwind.pl/download.php?f=PHP\_LFI\_rfc1867\_temporary\_files.pdf)**
## **PHP File uploads**
When a **PHP** engine receives a **POST request** containing files formatted according to RFC 1867, it writes each uploaded file to a temporary file before the script starts. Those temporary files exist only for the duration of the request: a script that wants to keep an upload must relocate it with `move_uploaded_file`, and any temporary file still present when the script finishes is deleted automatically by PHP.
{% hint style="info" %}
**Security Alert: An attacker who knows where the temporary files are created can combine this with a Local File Inclusion vulnerability to include, and therefore execute, the uploaded file while the request that uploaded it is still being processed.**
{% endhint %}
The obstacle for an attacker is predicting the temporary file's name, which PHP deliberately randomizes.
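As an added example (not code from the HackTricks page or from the referenced paper), the two patterns the section above describes, written out in PHP: an upload handler that keeps a temporary file only by moving it with `move_uploaded_file`, and the unsafe include that makes a temporary file reachable beside an allowlisted version that does not. The endpoint names, directory paths and the `PAGES` map are assumptions made for the illustration.

```php
<?php
// Added example (not from the HackTricks page or gynvael's paper).
// Hypothetical endpoints: an upload handler that stores an RFC 1867 upload,
// and the include pattern the page warns about beside an allowlisted version.
// Directory names and the PAGES map are assumptions.

declare(strict_types=1);

// --- Upload handling -------------------------------------------------------
// By the time this runs, PHP has already written the body part to a temporary
// file ($_FILES[...]['tmp_name']). That file lives only for this request and is
// removed when the script ends, so the only way to keep it is to move it.
function storeUpload(array $file, string $destDir, array $allowedExt): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Refuse paths that were not produced by this request's RFC 1867 parsing.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // Never reuse the client-supplied name; pick a random one in a directory
    // outside the web root (assumed to be $destDir).
    $target = rtrim($destDir, '/\\') . DIRECTORY_SEPARATOR
            . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    return $target;
}

// --- The include pattern ---------------------------------------------------
// Vulnerable: the include path comes straight from the request, so a still-present
// upload temp file (or, on Windows, a wildcard mask matching one) can be included
// and executed.
function includeVulnerable(): void
{
    include $_GET['inc'];   // e.g. ?inc=c:\windows\temp\php<<
}

// Hardened: the request selects a key, never a path. Anything not in the map is
// rejected, so temp files, wildcard masks and traversal sequences are unreachable.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function includeHardened(string $key): void
{
    if (!array_key_exists($key, PAGES)) {
        http_response_code(404);
        return;
    }
    include PAGES[$key];
}

// Usage inside a request (field and parameter names are assumptions):
// $stored = storeUpload($_FILES['doc'] ?? [], '/var/app/uploads', ['pdf', 'png']);
// includeHardened($_GET['page'] ?? 'home');
```

The allowlist is the part that matters for this technique: once the include target is chosen by key rather than by path, it makes no difference whether the attacker can guess or wildcard the temporary file name, because no request-controlled string ever reaches `include`.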
#### Exploitation on Windows Systems
On Windows, PHP generates temporary file names using the `GetTempFileName` function, resulting in a pattern like `<path>\<pre><uuuu>.TMP`. Notably:
- The default path is typically `C:\Windows\Temp`.
- The prefix is usually "php".
- The `<uuuu>` represents a unique hexadecimal value. Crucially, due to the function's limitation, only the lower 16 bits are used, allowing for a maximum of 65,535 unique names with constant path and prefix, making brute force feasible.
Moreover, the exploitation process is simplified on Windows systems. A peculiarity in the `FindFirstFile` function permits the use of wildcards in Local File Inclusion (LFI) paths. This enables crafting an include path like the following to locate the temporary file:
```
http://site/vuln.php?inc=c:\windows\temp\php<<
```
In certain situations, a more specific mask (like `php1<<` or `phpA<<`) might be required. One can systematically try these masks to discover the uploaded temporary file.
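From the defender's side, the wildcard masks described above are easy to spot in web-server logs: a legitimate include parameter never contains a `<` or `>` after a path under the temp directory, and a mask enumeration (`php1<<`, `phpA<<`, ...) produces a burst of such requests from one client. The following detector is an added example, not part of the HackTricks page; the access-log lines are constructed for the demo, and the Apache combined log layout, the temp-directory pattern and the per-IP summary are assumptions.

```php
<?php
// Added example, not part of the HackTricks page: scan access-log lines for the
// Windows wildcard-include pattern described above (a path under the PHP temp
// directory whose "php" prefix is followed by FindFirstFile '<' or '>' wildcards).
// Sample lines are constructed; the combined-log layout is an assumption.

declare(strict_types=1);

// A temp-directory path ending in the "php" prefix, up to four mask characters,
// then a '<' or '>' wildcard, raw or URL-encoded.
const WILDCARD_INCLUDE =
    '~(?:windows|winnt)[\\\\/]temp[\\\\/]php[0-9a-z]{0,4}(?:<|>|%3[cC]|%3[eE])~i';

function parseAccessLine(string $line): ?array
{
    // Combined log format: ip - - [time] "METHOD /path?query HTTP/x" status size "ref" "ua"
    if (!preg_match('~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})~', $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[5],
    ];
}

// Returns the suspicious requests plus a per-IP count, so that a mask enumeration
// stands out even when each individual hit looks harmless.
function findWildcardIncludes(array $lines): array
{
    $hits  = [];
    $perIp = [];
    foreach ($lines as $line) {
        $req = parseAccessLine($line);
        if ($req === null) {
            continue;
        }
        // Check both the raw target and a decoded copy so %3C%3C and << are treated alike.
        $decoded = rawurldecode($req['target']);
        if (preg_match(WILDCARD_INCLUDE, $req['target']) || preg_match(WILDCARD_INCLUDE, $decoded)) {
            $hits[] = $req;
            $perIp[$req['ip']] = ($perIp[$req['ip']] ?? 0) + 1;
        }
    }
    return ['hits' => $hits, 'per_ip' => $perIp];
}

// Constructed sample lines for this example (RFC 5737 documentation addresses).
$sample = [
    '203.0.113.7 - - [10/Feb/2024:10:00:01 +0000] "GET /vuln.php?inc=c:\\windows\\temp\\php<< HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Feb/2024:10:00:02 +0000] "GET /vuln.php?inc=c%3A%5Cwindows%5Ctemp%5CphpA%3C%3C HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Feb/2024:10:00:03 +0000] "GET /vuln.php?inc=pages/home.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

$result = findWildcardIncludes($sample);
printf("%d suspicious request(s)\n", count($result['hits']));
foreach ($result['per_ip'] as $ip => $n) {
    printf("  %s: %d wildcard include attempt(s)\n", $ip, $n);
}
```

On the constructed sample the first two lines are flagged (both from the same client) and the third is not. The pattern is deliberately narrow; a broader rule that flags any include parameter containing `<` or `>` at all will catch the same activity with more noise.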
#### Exploitation on GNU/Linux Systems
For GNU/Linux systems, the randomness in temporary file naming is robust, rendering the names neither predictable nor susceptible to brute force attacks. Further details can be found in the referenced documentation.