Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-23 13:13:41 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/file-inclusion/via-php_session_upload_progress.md
Translator workflow 54a7bb5de7 Translated to Swahili
2024-02-11 02:13:58 +00:00

62 lines
5.1 KiB
Markdown
Raw Blame History

# LFI2RCE kupitia PHP_SESSION_UPLOAD_PROGRESS
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Taarifa Msingi
Ikiwa umepata **Uingizaji wa Faili wa eneo la ndani (LFI)** hata ikiwa **huna kikao** na `session.auto_start` ni `Off`. Ikiwa **`session.upload_progress.enabled`** ni **`On`** na unatoa **`PHP_SESSION_UPLOAD_PROGRESS`** katika data ya **POST ya sehemu nyingi**, PHP ita **kuwezesha kikao kwako**.
```bash
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -d 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -F 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah' -F 'file=@/etc/passwd'
$ ls -a /var/lib/php/sessions/
. .. sess_iamorange
In the last example the session will contain the string blahblahblah
```
Tafadhali kumbuka kuwa na **`PHP_SESSION_UPLOAD_PROGRESS`** unaweza **kudhibiti data ndani ya kikao**, kwa hivyo ikiwa unajumuisha faili yako ya kikao unaweza kujumuisha sehemu unayodhibiti (kama vile shellcode ya php).
{% hint style="info" %}
Ingawa mafunzo mengi kwenye mtandao yanapendekeza kuweka `session.upload_progress.cleanup` kuwa `Off` kwa madhumuni ya kurekebisha makosa. Mazingira ya chaguo-msingi ya `session.upload_progress.cleanup` katika PHP bado ni `On`. Hii inamaanisha kuwa maendeleo yako ya kupakia kwenye kikao yatafutwa haraka iwezekanavyo. Kwa hivyo hii itakuwa **Hali ya Mashindano**.
{% endhint %}
### CTF
Katika [**CTF asili**](https://blog.orange.tw/2018/10/) ambapo mbinu hii inazungumziwa, haikuwa ya kutosha kuchexploit Hali ya Mashindano lakini yaliyomo yaliyopakiwa pia yalihitaji kuanza na herufi `@<?php`.
Kutokana na mipangilio ya chaguo-msingi ya `session.upload_progress.prefix`, **faili yetu ya KIKAO itaanza na kipengee cha kuanza cha kuchosha** `upload_progress_` Kama vile: `upload_progress_controlledcontentbyattacker`
Hila ya **kuondoa kipengee cha kuanza** ilikuwa **kubadilisha msimbo wa malipo kuwa msimbo wa msingi wa 64 mara 3** na kisha kudekodea kupitia filters za `convert.base64-decode`, hii ni kwa sababu wakati wa **kudekodea msimbo wa msingi wa 64 PHP itaondoa herufi zisizo za kawaida**, kwa hivyo baada ya mara 3 **tu** malipo **yaliyotumwa** na mshambuliaji yatakuwa **yamebaki** (na kisha mshambuliaji anaweza kudhibiti sehemu ya kuanza).
Maelezo zaidi katika andiko asili [https://blog.orange.tw/2018/10/](https://blog.orange.tw/2018/10/) na shambulio la mwisho [https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp\_for\_php.py](https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp\_for\_php.py)\
Andiko lingine katika [https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/](https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au **kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
Reference in a new issue View git blame Copy permalink