In march I've published some research related to Just another PHP LFI exploitation method that used the fact that the PHP engine stores (on disk) uploaded files (rfc1867) for a short period of time, even if scripts don't really expect them. The bottom line was that it's easy to exploit it on Windows, but on *nix it wasn't really possible unless some php script leaks certain information (temporary file name). Well, Brett Moore in his paper "LFI with phpinfo() assistance" pointed out that phpinfo() is the thing you want to look for on *nix.
Link to paper: LFI with phpinfo() assistance by Brett Moore
In short: If you find phpinfo() somewhere, upload a file to it since it dumps the received variables (and that would include temporary file name that's stored in $_FILES). Now, all you need is a piece of code that will exploit a race condition between upload+fetching the name in phpinfo() script and LFI present in another script (and Brett presents an exemplary exploit in his paper, with some additional ideas how to win the race).
From my pentesting experience: phpinfo() tends to be lying around on PHP-based websites, commonly in files like test.php, info.php, php.php or phpinfo.php, etc. So, if you can find a phpinfo() script, this method is usable and the upload method becomes exploitable on *nix (if you can win the race that is).
Good work Brett :)
Sections
- lang: |
- RSS: |
- About me
- Tools
- → YT YouTube (EN)
- → D Discord
- → M Mastodon
- → T Twitter
- → GH GitHub
Links / Blogs
- → dragonsector.pl
- → vexillium.org
- Security/Hacking:
- Reverse Eng./Low-Level:
- Programming/Code:
Posts
- Debug Log: Internet doesn't work (it was the PSU),
- FAQ: The tragedy of low-level exploitation,
- Solving Hx8 Teaser 2 highlight videos!,
- Gynvael on SECURITYbreak podcast,
- Paged Out! #4 is out,
- I won't be able to attend CONFidence'24 after all :(,
- xz/liblzma: Bash-stage Obfuscation Explained,
- Two of my bookmarklets: image extraction and simple TTS,
- Paged Out! #3 is out,
- My howto script,
- → see all posts on main page
// copyright © Gynvael Coldwind
// design & art by Xa
// logo font (birdman regular) by utopiafonts / Dale Harris
/* the author and owner of this blog hereby allows anyone to test the security of this blog (on HTTP level only, the server is not mine, so let's leave it alone ;>), and try to break in (including successful breaks) without any consequences of any kind (DoS attacks are an exception here) ... I'll add that I planted in some places funny photos of some kittens, there are 7 of them right now, so have fun looking for them ;> let me know if You find them all, I'll add some congratz message or sth ;> */
Vulns found in blog:
* XSS (pers, user-inter) by ged_
* XSS (non-pers) by Anno & Tracerout
* XSS (pers) by Anno & Tracerout
* Blind SQLI by Sławomir Błażek
* XSS (pers) by Sławomir Błażek
// design & art by Xa
// logo font (birdman regular) by utopiafonts / Dale Harris
/* the author and owner of this blog hereby allows anyone to test the security of this blog (on HTTP level only, the server is not mine, so let's leave it alone ;>), and try to break in (including successful breaks) without any consequences of any kind (DoS attacks are an exception here) ... I'll add that I planted in some places funny photos of some kittens, there are 7 of them right now, so have fun looking for them ;> let me know if You find them all, I'll add some congratz message or sth ;> */
Vulns found in blog:
* XSS (pers, user-inter) by ged_
* XSS (non-pers) by Anno & Tracerout
* XSS (pers) by Anno & Tracerout
* Blind SQLI by Sławomir Błażek
* XSS (pers) by Sławomir Błażek
Add a comment: