hacktricks/pentesting-web/file-inclusion/via-php_session_upload_progress.md

# LFI2RCE via PHP\_SESSION\_UPLOAD\_PROGRESS

{% hint style="success" %}
Leer & oefen AWS-hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP-hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Ondersteun HackTricks</summary>

* Controleer die [**inskrywingsplanne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.

</details>
{% endhint %}

## Basiese Inligting

As jy 'n **Plaaslike Lêer Insluiting** gevind het selfs as jy **nie 'n sessie het** en `session.auto_start` is `Off`. As **`session.upload_progress.enabled`** is **`On`** en jy die **`PHP_SESSION_UPLOAD_PROGRESS`** in **multipart POST** data voorsien, sal PHP die sessie vir jou **aktiveer**.
```bash
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -d 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -F 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah'  -F 'file=@/etc/passwd'
$ ls -a /var/lib/php/sessions/
. .. sess_iamorange

In the last example the session will contain the string blahblahblah
```
Merk op dat met **`PHP_SESSION_UPLOAD_PROGRESS`** jy **data binne die sessie kan beheer**, so as jy jou sessie lêer insluit, kan jy 'n deel insluit wat jy beheer (byvoorbeeld 'n php shellcode).

{% hint style="info" %}
Alhoewel die meeste tutoriale op die internet aanbeveel om `session.upload_progress.cleanup` op `Off` te stel vir die doel van foutopsporing. Die verstekwaarde vir `session.upload_progress.cleanup` in PHP is steeds `On`. Dit beteken dat jou oplaai-vordering in die sessie so gou as moontlik skoongemaak sal word. Dit sal dus **Race Condition** wees.
{% endhint %}

### Die CTF

In die [**oorspronklike CTF**](https://blog.orange.tw/2018/10/) waar hierdie tegniek gekommentaar is, was dit nie genoeg om die Race Condition te benut nie, maar die inhoud wat gelaai moes word, moes ook begin met die string `@<?php`.

As gevolg van die verstekinstelling van `session.upload_progress.prefix`, sal ons **SESSIE-lêer begin met 'n irriterende voorvoegsel** `upload_progress_` Soos: `upload_progress_controlledcontentbyattacker`

Die truuk om **die aanvanklike voorvoegsel te verwyder** was om **die lading 3 keer te base64-enkode** en dit dan te dekodeer via `convert.base64-decode` filters, dit is omdat wanneer **base64 dekodeer PHP die vreemde karakters sal verwyder**, so na 3 keer sal slegs die **lading** **gestuur** deur die aanvaller **oorbly** (en dan kan die aanvaller die aanvanklike deel beheer).

Meer inligting in die oorspronklike skryfstuk [https://blog.orange.tw/2018/10/](https://blog.orange.tw/2018/10/) en finale uitbuiting [https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp\_for\_php.py](https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp\_for\_php.py)\
'n Ander skryfstuk in [https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/](https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/)

{% hint style="success" %}
Leer & oefen AWS Hack:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hack: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Ondersteun HackTricks</summary>

* Kontroleer die [**inskrywingsplanne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.

</details>
{% endhint %}
GitBook: [#3679] No subject 2022-12-14 00:23:57 +00:00			`# LFI2RCE via PHP\_SESSION\_UPLOAD\_PROGRESS`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			`{% hint style="success" %}`
			`Leer & oefen AWS-hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Opleiding AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Leer & oefen GCP-hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Opleiding GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			`<summary>Ondersteun HackTricks</summary>`
a 2024-02-03 16:02:14 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			`* Controleer die [inskrywingsplanne](https://github.com/sponsors/carlospolop)!`
			`* Sluit aan by die 💬 [Discord-groep](https://discord.gg/hRep4RUj7f) of die [telegram-groep](https://t.me/peass) of volg ons op Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Deel hacking-truuks deur PR's in te dien by die [HackTricks](https://github.com/carlospolop/hacktricks) en [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github-opslag.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			`{% endhint %}`
a 2024-02-05 20:00:40 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`## Basiese Inligting`
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			As jy 'n Plaaslike Lêer Insluiting gevind het selfs as jy nie 'n sessie het en `session.auto_start` is `Off`. As `session.upload_progress.enabled` is `On` en jy die `PHP_SESSION_UPLOAD_PROGRESS` in multipart POST data voorsien, sal PHP die sessie vir jou aktiveer.
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00			```bash
			`$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange'`
			`$ ls -a /var/lib/php/sessions/`
			`. ..`
			`$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -d 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah'`
			`$ ls -a /var/lib/php/sessions/`
			`. ..`
			`$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -F 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah' -F 'file=@/etc/passwd'`
			`$ ls -a /var/lib/php/sessions/`
			`. .. sess_iamorange`

			`In the last example the session will contain the string blahblahblah`
			```
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			Merk op dat met `PHP_SESSION_UPLOAD_PROGRESS` jy data binne die sessie kan beheer, so as jy jou sessie lêer insluit, kan jy 'n deel insluit wat jy beheer (byvoorbeeld 'n php shellcode).
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00
			`{% hint style="info" %}`
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			Alhoewel die meeste tutoriale op die internet aanbeveel om `session.upload_progress.cleanup` op `Off` te stel vir die doel van foutopsporing. Die verstekwaarde vir `session.upload_progress.cleanup` in PHP is steeds `On`. Dit beteken dat jou oplaai-vordering in die sessie so gou as moontlik skoongemaak sal word. Dit sal dus Race Condition wees.
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00			`{% endhint %}`

Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`### Die CTF`
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			In die [oorspronklike CTF](https://blog.orange.tw/2018/10/) waar hierdie tegniek gekommentaar is, was dit nie genoeg om die Race Condition te benut nie, maar die inhoud wat gelaai moes word, moes ook begin met die string `@<?php`.
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			As gevolg van die verstekinstelling van `session.upload_progress.prefix`, sal ons SESSIE-lêer begin met 'n irriterende voorvoegsel `upload_progress_` Soos: `upload_progress_controlledcontentbyattacker`
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			Die truuk om die aanvanklike voorvoegsel te verwyder was om die lading 3 keer te base64-enkode en dit dan te dekodeer via `convert.base64-decode` filters, dit is omdat wanneer base64 dekodeer PHP die vreemde karakters sal verwyder, so na 3 keer sal slegs die lading gestuur deur die aanvaller oorbly (en dan kan die aanvaller die aanvanklike deel beheer).
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			`Meer inligting in die oorspronklike skryfstuk [https://blog.orange.tw/2018/10/](https://blog.orange.tw/2018/10/) en finale uitbuiting [https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp\_for\_php.py](https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp\_for\_php.py)\`
			`'n Ander skryfstuk in [https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/](https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			`{% hint style="success" %}`
			`Leer & oefen AWS Hack:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Opleiding AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Leer & oefen GCP Hack: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Opleiding GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			`<summary>Ondersteun HackTricks</summary>`
a 2024-02-03 16:02:14 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			`* Kontroleer die [inskrywingsplanne](https://github.com/sponsors/carlospolop)!`
			`* Sluit aan by die 💬 [Discord-groep](https://discord.gg/hRep4RUj7f) of die [telegram-groep](https://t.me/peass) of volg ons op Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Deel hacktruuks deur PR's in te dien by die [HackTricks](https://github.com/carlospolop/hacktricks) en [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github-opslag.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`</details>`
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:31:10 +00:00			`{% endhint %}`