5 Ways to chain LFI to RCE with default configurations in PHP
Al Salamu Alikum all,
Today I will explain how to chain LFI to RCE with the default PHP configuration using these methods:
- PHP filter chains
- PHP image upload
- PHP sessions
- phpinfo race condition
- PHP lolbins
Summary about LFI:
LFI stands for Local File Inclusion. It is a bug that happens when the developer passes input the user can control into the `include()` PHP function.
What is the `include()` PHP function used for?
It is used to include PHP code that is stored in another file so that it executes in our page.
So this function takes a filename and executes the PHP code inside that file in our page!
Some developers think that the file extension must be `.php`, or at least that the file must start with `<?php`, to be executed. The truth is that we can put any garbage data at the beginning and at the end of the file: the server searches for `<?php #code_here ?>` and executes the code between the PHP start and end tags, whatever the rest of the file content is!
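To make the root cause concrete, here is an added example (not code from the original post) that puts the vulnerable include pattern beside a hardened one. The page keys `home`/`about`, the `pages/` directory and the `page` query parameter are assumptions for this example; the point is that the user's string is only ever used as a lookup key, never as the include target.

```php
<?php
// Added example, not from the original post. Page names, the pages/
// directory and the "page" parameter are assumptions for illustration.

// Vulnerable: the user controls the whole include target, so any readable
// file on the system (or a php:// wrapper) ends up inside include().
function vulnerable_include(string $userInput): void
{
    include($userInput);
}

// Hardened: map the request onto a fixed allowlist. Unknown keys are
// refused outright instead of being "cleaned".
const ALLOWED_PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function safe_page_path(string $page): ?string
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . ALLOWED_PAGES[$page]);
    // Belt and braces: the resolved file must still live under pages/.
    // realpath() also returns false for wrappers such as php://filter or
    // php://temp, so they can never pass this check.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function hardened_include(string $userInput): void
{
    $path = safe_page_path($userInput);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include($path);
}

hardened_include($_GET['page'] ?? 'home');
```

Every method in this post needs the raw string to reach `include()`; with the allowlist in place none of them has a starting point, regardless of which wrapper, session file, temp file or bundled PHP file the attacker would otherwise name.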
First Method: PHP filter chains
PHP filters help us deal with files and encode/decode or translate their content.
Around the world, there are nearly 7000 spoken languages.
In order to allow most people on Earth to benefit from the internet
and to communicate with each other, many printable characters
have to be enabled. We all know our basic ASCII encoding table, but
it is far too small to speak in Japanese, or even in Greek which contains
characters such as 'λ', 'ν', 'π'. Thus, to be able to print characters
from other languages, or even emojis, ☺, many encoding tables were
created to convert or even translit characters from one
language to another when possible.
//embedded from https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html
How can we use this to chain LFI to RCE?
Since we can apply more than one filter to a file, the idea relies on creating a temp file using php://temp
and then using the iconv filter to construct our payload.
We can automate this process using this exploit:
POC:
Second Method: PHP image upload
As I mentioned before, we can include any file: the code between the PHP start and end tags will be executed and the server will ignore the rest of the file content.
But what if the developer checks that it is a non-corrupted image?
Then we can simply inject our code into the image metadata like this:
exiftool -Comment="<?php system('id');die();?>" exp.jpg
// I used die() to drop the garbage data from the image so we can read our output easily
POC:
Third Method: Using PHP sessions
PHP sessions are used by developers to store some variables related to the current session.
Example:
When the user logs in, the developer fetches the necessary data from the database (username, email, balance, etc.) and stores it in the session so he can access it easily whenever he wants.
The PHP session is stored in the browser as a cookie called PHPSESSID that holds the session id, so the developer can access the session from any page within the same site.
Since we can only include files, how can we include PHP sessions?
Actually, PHP stores session variables in a file on the system. The location of this file may change from one PHP version to another, but there are two common places:
- /tmp/session_{id} // in old PHP versions
- /var/lib/php/sessions/sess_{id} // in current PHP versions
I made this simple PHP script that just assigns a session variable called username with a value we control, plus the normal LFI bug:
<?php
// Intentionally vulnerable demo: both the session value and the include target come from the user
session_start();
$_SESSION["username"] = @$_GET['username'];  // saved verbatim into the session file on disk
include(@$_GET['file']);                      // the classic LFI bug
?>
After we request ?username=ghazy we can find our session file.
We can see our input is saved into a system file!
So we can just put PHP code inside it and include it, since we know the path and the session id (from the cookie).
POC:
Fourth Method: Using phpinfo (race condition)
phpinfo: a file that returns info about the PHP configuration and the system running it. Widely used by developers for debugging.
How can we use it with LFI to achieve RCE?
First we must know that when we upload any file in PHP it is saved under a random name starting with `php` in the /tmp folder,
like: /tmp/phponOtcA
and this file is deleted once the PHP page we uploaded to has finished executing.
So, if we had this tmp file name we could easily pass it to the include function.
How can we leak the tmp file name?
If we upload the file to phpinfo, we can leak the tmp name.
So our exploit relies on a race condition: upload our PHP file to phpinfo, leak the tmp_name, and then pass it into the LFI parameter.
My script: https://github.com/abdoghazy2015/CTF-Write-Ups/blob/main/RandomScripts/phpinfo_race.py
POC:
Fifth Method: Using PHP lolbins
There are some PHP files that ship with PHP itself that can be included and help to inject PHP code.
One of these files, and the most famous one, is pearcmd.php, which comes with the PHP docker images.
We can exploit it by these steps:
- write our code into a configuration file
?style=../../../../usr/local/lib/php/pearcmd.php&+-c+/tmp/foo.php+-d+man_dir=<?echo(system(\$_GET\['a'\]));?>+-s+"
- include it
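From the defender's side, all five methods leave a recognisable trace in the request line. The following added example (not part of the original post) scans access-log lines for the indicators the post itself describes: php://filter and php://temp wrappers with a convert.iconv filter, an image file named as an include target, a session file path, a /tmp/phpXXXXXX upload name, pearcmd.php, and plain path traversal. The log lines are constructed for the example; the parameter names `page`, `file` and `style` are assumptions.

```php
<?php
// Added example, not from the original post. Log lines below are constructed;
// the regexes cover only the indicators the post mentions.

const LFI_RCE_INDICATORS = [
    'php_filter_chain' => '~php://(filter|temp)|convert\.(iconv|base64)~i',
    'image_in_include' => '~[?&](page|file|include)=[^&" ]*\.(jpe?g|png|gif)~i',
    'session_file'     => '~/(sess|session)_[a-z0-9]+~i',
    'tmp_upload_name'  => '~/tmp/php[a-z0-9]{6}~i',
    'pearcmd_lolbin'   => '~pearcmd\.php~i',
    'path_traversal'   => '~\.\./~',
];

// Returns the list of indicator names that match one log line.
function classify_request(string $logLine): array
{
    // Decode once so URL-encoded traversal (..%2f) and wrappers are visible.
    $decoded = urldecode($logLine);
    $hits = [];
    foreach (LFI_RCE_INDICATORS as $name => $regex) {
        if (preg_match($regex, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample log lines (Apache combined style, trimmed).
$sampleLog = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=php://filter/convert.iconv.UTF-8.UTF-16/resource=php://temp HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?file=uploads/exp.jpg HTTP/1.1" 200 300',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?file=../../../../var/lib/php/sessions/sess_abc123 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?file=/tmp/phponOtcA HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?style=..%2f..%2fusr/local/lib/php/pearcmd.php HTTP/1.1" 200 300',
];

foreach ($sampleLog as $line) {
    $hits = classify_request($line);
    if ($hits !== []) {
        echo 'ALERT [' . implode(',', $hits) . '] ' . $line . PHP_EOL;
    }
}
```

Only the first (benign) line produces no alert; the others each trip at least one indicator, and the session and pearcmd lines trip `path_traversal` as well. In production the same function would be fed from the log tail or a SIEM pipeline, and a hit on `tmp_upload_name` or `session_file` is worth correlating with uploads and session activity from the same client, since those two methods need a write to precede the include.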