coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
e20b774315
hacktricks/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md
carlospolop 4c796b9bb3 Revert "Ad hacktricks sponsoring" 
This reverts commit c2c270feef.
2022-04-28 16:41:46 +01:00

40 lines
2.5 KiB
Markdown
Raw Blame History

# LFI2RCE Via temp file uploads
### **PHP File uploads**
**PHP** engine, upon **receiving a POST packet** with RFC 1867 **coded file(s)**, **creates** one or more **temporary files** which are used to **store the uploaded files data**. A PHP script handling file uploads is required to use the move\_uploaded\_file function to move the uploaded temporary file to a place of it's desire (if the script requires the file to exists after it terminates that is). **When the script ends PHP engine removes all temporary files** for files that were uploaded (if any are left after the script ends that is).
{% hint style="info" %}
**As the attacker will usually know where this temporary files are located, in case he found a Local File Inclusion, he might find to load the file being uploaded and get RCE.**
{% endhint %}
The main problem to access the file basically to **guess its name (which will be "random")**.
### Windows Exploitation
To generate the r**andom name on Windows,** PHP uses the **`GetTempFileName`** function. Looking into documentation we can find the following explanation: The GetTempFileName function creates a temporary file name of the following form:
`<path>\<pre><uuuu>.TMP`
* The path is `upload_tmp_dir` which normally it's `C:\Windows\Temp`
* The pre is usually: "php"
* The \<uuuu> is a unique hex value. However:
* Only the lower 16 bits of the uUnique parameter are used. This limits GetTempFileName to a maximum of 65,535 unique file names if the lpPathName and lpPrefixStringparameters remain the same. **It's possible to brute-force it.**
As we saw, it's fairly **easy** to **find** the **temporary file in Windows systems**. And it's going to get easier because brute force is not needed here, thanks to a certain FindFirstFile quirk which allows **using masks** (<< as \* and > as ?) in LFI paths on Windows. Thanks to this, one can form an **include path like this**:
```
http://site/vuln.php?inc=c:\windows\temp\php<<
```
(In some cases more specific mask might be necessary such as `php1<<` or `phpA<<`). You can Brute-Force more specific masks until you find your uploaded temporary file.
### GNU/Linux Exploitation
The random value of the file name is good enough to not be neither predictable nor brute-forceable. For more info, check the references.
### References
* [https://gynvael.coldwind.pl/?id=376](https://gynvael.coldwind.pl/?id=376)
* [https://gynvael.coldwind.pl/download.php?f=PHP\_LFI\_rfc1867\_temporary\_files.pdf](https://gynvael.coldwind.pl/download.php?f=PHP\_LFI\_rfc1867\_temporary\_files.pdf)
Reference in New Issue View Git Blame Copy Permalink