This reverts commit 71795de168
.
4.8 KiB
Support HackTricks and get benefits!
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks submitting PRs to the hacktricks github repo.
LFI2RCE Via temp file uploads
PHP File uploads
PHP engine, upon receiving a POST packet with RFC 1867 coded file(s), creates one or more temporary files which are used to store the uploaded files data. A PHP script handling file uploads is required to use the move_uploaded_file function to move the uploaded temporary file to a place of it's desire (if the script requires the file to exists after it terminates that is). When the script ends PHP engine removes all temporary files for files that were uploaded (if any are left after the script ends that is).
{% hint style="info" %} As the attacker will usually know where this temporary files are located, in case he found a Local File Inclusion, he might find to load the file being uploaded and get RCE. {% endhint %}
The main problem to access the file basically to guess its name (which will be "random").
Windows Exploitation
To generate the random name on Windows, PHP uses the GetTempFileName
function. Looking into documentation we can find the following explanation: The GetTempFileName function creates a temporary file name of the following form:
<path>\<pre><uuuu>.TMP
- The path is
upload_tmp_dir
which normally it'sC:\Windows\Temp
- The pre is usually: "php"
- The <uuuu> is a unique hex value. However:
- Only the lower 16 bits of the uUnique parameter are used. This limits GetTempFileName to a maximum of 65,535 unique file names if the lpPathName and lpPrefixStringparameters remain the same. It's possible to brute-force it.
As we saw, it's fairly easy to find the temporary file in Windows systems. And it's going to get easier because brute force is not needed here, thanks to a certain FindFirstFile quirk which allows using masks (<< as * and > as ?) in LFI paths on Windows. Thanks to this, one can form an include path like this:
http://site/vuln.php?inc=c:\windows\temp\php<<
(In some cases more specific mask might be necessary such as php1<<
or phpA<<
). You can Brute-Force more specific masks until you find your uploaded temporary file.
GNU/Linux Exploitation
The random value of the file name is good enough to not be neither predictable nor brute-forceable. For more info, check the references.
References
- https://gynvael.coldwind.pl/?id=376
- https://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf
Support HackTricks and get benefits!
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks submitting PRs to the hacktricks github repo.