LFI to RCE
Log Poisoning
LFI to RCE via Apache Log File Poisoning (PHP)
LFI to RCE via SSH Log File Poisoning (PHP)
LFI to RCE via SMTP Log File Poisoning (PHP)
Log Files
Proc Environ Injection
Our main target is to inject the /proc/self/environ file from the HTTP header User-Agent. This file hosts the initial environment of the Apache process, so the environment variable User-Agent is likely to appear there.
Remote File Inclusion
In PHP this is disabled by default because allow_url_include is Off. It must be On for this to work; in that case you could include a PHP file from your server and get RCE:
In the previous code, the final +.txt was added because the attacker needed a string that ended in .txt; the string ends with it, and after the base64 decode that part returns just junk while the real PHP code is included (and therefore executed).
Another example not using the php:// protocol would be:
Via Email
Send a mail to an internal account (user@localhost) containing your PHP payload, like <?php echo system($_REQUEST["cmd"]); ?>, and try to include the user's mail with a path like /var/mail/<USERNAME> or /var/spool/mail/<USERNAME>.
Via /proc/*/fd/*
Upload a lot of shells (for example, 100).
Via /proc/self/environ
Like a log file, send the payload in the User-Agent; it will be reflected inside the /proc/self/environ file.
Via upload
If you can upload a file, just inject the shell payload in it (e.g. <?php system($_GET['c']); ?>).
To keep the file readable, it is best to inject the payload into the metadata of pictures, documents or PDFs.
Via Zip file upload
Upload a ZIP file containing a compressed PHP shell and access:
Via PHP sessions
Check if the website uses PHP sessions (PHPSESSID).
In PHP these sessions are stored in /var/lib/php5/sess_[PHPSESSID] files.
Set the cookie to <?php system('cat /etc/passwd');?>
Use the LFI to include the PHP session file.
Via ssh
If SSH is active, check which user is being used (/proc/self/status and /etc/passwd) and try to access <HOME>/.ssh/id_rsa.
Via vsftpd logs
The logs for the FTP server vsftpd are located at /var/log/vsftpd.log. In the scenario where a Local File Inclusion (LFI) vulnerability exists, and access to an exposed vsftpd server is possible, the following steps can be considered:
Inject a PHP payload into the username field during the login process.
After the injection, use the LFI to retrieve the server logs from /var/log/vsftpd.log.
Via php base64 filter (using base64)
Via php filters (no file needed)
Via segmentation fault
Upload a file that will be stored as a temporary file in /tmp, then, in the same request, trigger a segmentation fault: the temporary file won't be deleted and you can search for it.
Via Nginx temp file storage
If you found a Local File Inclusion and Nginx is running in front of PHP you might be able to obtain RCE with the following technique:
Via PHP_SESSION_UPLOAD_PROGRESS
If you found a Local File Inclusion, even if you don't have a session and session.auto_start is Off: if you provide PHP_SESSION_UPLOAD_PROGRESS in multipart POST data, PHP will enable the session for you. You could abuse this to get RCE:
Via temp file uploads in Windows
If you found a Local File Inclusion and the server is running on Windows you might get RCE:
Via pearcmd.php + URL args
The following request creates a file in /tmp/hello.php with the content <?=phpinfo()?>:
Via phpinfo() (file_uploads = on)
If you found a Local File Inclusion and a file exposing phpinfo() with file_uploads = on you can get RCE:
Via compress.zlib + PHP_STREAM_PREFER_STDIO + Path Disclosure
If you found a Local File Inclusion and you can exfiltrate the path of the temp file, but the server checks whether the file to be included has PHP marks, you can try to bypass that check with this race condition:
Via eternal waiting + bruteforce
If you can abuse the LFI to upload temporary files and make the server hang the PHP execution, you could then brute force filenames for hours to find the temporary file:
To Fatal Error
If you include any of the files /usr/bin/phar, /usr/bin/phar7, /usr/bin/phar.phar7 or /usr/bin/phar.phar, a fatal error is thrown (you need to include the same one 2 times to throw that error).
I don't know how this is useful but it might be. Even if you cause a PHP Fatal Error, uploaded PHP temporary files are deleted.
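As an added defender-side example that is not part of the original page: a Python scanner that runs over constructed Apache access-log lines and flags the inclusion targets and header payloads the techniques above depend on (/proc/self/environ and /proc/*/fd, php:// and similar wrappers, log, mail and session files, pearcmd.php, ssh keys, and PHP open tags in the User-Agent or Referer, i.e. log poisoning). The sample log lines, IP addresses and indicator names are constructed assumptions, not data from any real server.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access log lines (sample data, not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 2048 "-" "<?php system($_GET['c']); ?>"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 900 "-" "curl/8.0"
203.0.113.9 - - [10/May/2024:12:00:04 +0000] "GET /index.php?page=%2Fvar%2Flib%2Fphp5%2Fsess_abc123 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.11 - - [10/May/2024:12:00:05 +0000] "GET /about.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator name -> pattern matched against the URL-decoded request target (one per includable source above).
TARGET_INDICATORS = {
    "proc_environ_or_fd": re.compile(r"/proc/(self|\d+)/(environ|fd/)"),
    "php_wrapper": re.compile(r"\b(php|data|zip|phar|compress\.zlib)://", re.I),
    "log_file": re.compile(r"/var/log/"),
    "mail_spool": re.compile(r"/var/(spool/)?mail/"),
    "php_session_file": re.compile(r"/var/lib/php\d*/sess_"),
    "pearcmd_or_ssh_key": re.compile(r"pearcmd\.php|/\.ssh/"),
    "path_traversal": re.compile(r"(\.\./){2,}"),
}
# A PHP open tag in a header that gets written to the access log is a log-poisoning attempt.
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.I)

def scan_line(line):
    """Return (ip, decoded_target, [indicator names]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote_plus(unquote_plus(m["target"]))  # decode twice to catch double-encoding
    hits = [name for name, rx in TARGET_INDICATORS.items() if rx.search(target)]
    if PHP_TAG_RE.search(m["ua"]) or PHP_TAG_RE.search(m["referer"]):
        hits.append("log_poisoning_header")
    return m["ip"], target, hits

def scan_log(text):
    """Return a list of (ip, target, hits) for every line with at least one indicator."""
    results = [scan_line(l) for l in text.splitlines()]
    return [r for r in results if r and r[2]]

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(hits)}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; lines that only hit path_traversal warrant a look at what the included file actually resolved to.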