hacktricks/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md

# LFI2RCE Via temp file uploads

### **PHP File uploads**

**PHP** engine, upon **receiving a POST packet** with RFC 1867 **coded file(s)**, **creates** one or more **temporary files** which are used to **store the uploaded files data**. A PHP script handling file uploads is required to use the move\_uploaded\_file function to move the uploaded temporary file to a place of it's desire (if the script requires the file to exists after it terminates that is). **When the script ends PHP engine removes all temporary files** for files that were uploaded (if any are left after the script ends that is).

{% hint style="info" %}
**As the attacker will usually know where this temporary files are located, in case he found a Local File Inclusion, he might find to load the file being uploaded and get RCE.**
{% endhint %}

The main problem to access the file basically to **guess its name (which will be "random")**.

### Windows Exploitation

To generate the r**andom name on Windows,** PHP uses the **`GetTempFileName`** function. Looking into documentation we can find the following explanation: The GetTempFileName function creates a temporary file name of the following form:

`<path>\<pre><uuuu>.TMP`

* The path is `upload_tmp_dir` which normally it's `C:\Windows\Temp`
* The pre is usually: "php"
* The \<uuuu> is a unique hex value. However:
  * Only the lower 16 bits of the uUnique parameter are used. This limits GetTempFileName to a maximum of 65,535 unique file names if the lpPathName and lpPrefixStringparameters remain the same. **It's possible to brute-force it.**

As we saw, it's fairly **easy** to **find** the **temporary file in Windows systems**. And it's going to get easier because brute force is not needed here, thanks to a certain FindFirstFile quirk which allows **using masks** (<< as \* and > as ?) in LFI paths on Windows. Thanks to this, one can form an **include path like this**:

```
http://site/vuln.php?inc=c:\windows\temp\php<<
```

(In some cases more specific mask might be necessary such as `php1<<` or `phpA<<`). You can Brute-Force more specific masks until you find your uploaded temporary file.

### GNU/Linux Exploitation

The random value of the file name is good enough to not be neither predictable nor brute-forceable. For more info, check the references.

### References

* [https://gynvael.coldwind.pl/?id=376](https://gynvael.coldwind.pl/?id=376)
* [https://gynvael.coldwind.pl/download.php?f=PHP\_LFI\_rfc1867\_temporary\_files.pdf](https://gynvael.coldwind.pl/download.php?f=PHP\_LFI\_rfc1867\_temporary\_files.pdf)
GitBook: [#3115] No subject 2022-04-21 00:07:27 +00:00			`# LFI2RCE Via temp file uploads`

			`### PHP File uploads`

			PHP engine, upon receiving a POST packet with RFC 1867 coded file(s), creates one or more temporary files which are used to store the uploaded files data. A PHP script handling file uploads is required to use the move\_uploaded\_file function to move the uploaded temporary file to a place of it's desire (if the script requires the file to exists after it terminates that is). When the script ends PHP engine removes all temporary files for files that were uploaded (if any are left after the script ends that is).

			`{% hint style="info" %}`
			`As the attacker will usually know where this temporary files are located, in case he found a Local File Inclusion, he might find to load the file being uploaded and get RCE.`
			`{% endhint %}`

			`The main problem to access the file basically to guess its name (which will be "random").`

			`### Windows Exploitation`

			To generate the random name on Windows, PHP uses the `GetTempFileName` function. Looking into documentation we can find the following explanation: The GetTempFileName function creates a temporary file name of the following form:

			`<path>\<pre><uuuu>.TMP`

			* The path is `upload_tmp_dir` which normally it's `C:\Windows\Temp`
			`* The pre is usually: "php"`
			`* The \<uuuu> is a unique hex value. However:`
			`* Only the lower 16 bits of the uUnique parameter are used. This limits GetTempFileName to a maximum of 65,535 unique file names if the lpPathName and lpPrefixStringparameters remain the same. It's possible to brute-force it.`

			`As we saw, it's fairly easy to find the temporary file in Windows systems. And it's going to get easier because brute force is not needed here, thanks to a certain FindFirstFile quirk which allows using masks (<< as \* and > as ?) in LFI paths on Windows. Thanks to this, one can form an include path like this:`

			```
			`http://site/vuln.php?inc=c:\windows\temp\php<<`
			```

			(In some cases more specific mask might be necessary such as `php1<<` or `phpA<<`). You can Brute-Force more specific masks until you find your uploaded temporary file.

			`### GNU/Linux Exploitation`

			`The random value of the file name is good enough to not be neither predictable nor brute-forceable. For more info, check the references.`

			`### References`

			`* [https://gynvael.coldwind.pl/?id=376](https://gynvael.coldwind.pl/?id=376)`
			`* [https://gynvael.coldwind.pl/download.php?f=PHP\_LFI\_rfc1867\_temporary\_files.pdf](https://gynvael.coldwind.pl/download.php?f=PHP\_LFI\_rfc1867\_temporary\_files.pdf)`