maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/pentesting-web/file-inclusion/via-php_session_upload_progress.md

2.8 KiB
Raw Blame History

LFI2RCE kupitia PHP_SESSION_UPLOAD_PROGRESS

{{#include ../../banners/hacktricks-training.md}}

Taarifa za Msingi

Ikiwa umepata Local File Inclusion hata kama huna kikao na session.auto_start iko Off. Ikiwa session.upload_progress.enabled iko On na unatoa PHP_SESSION_UPLOAD_PROGRESS katika data ya multipart POST, PHP itafanya iwezeshe kikao kwa ajili yako.

$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -d 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -F 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah'  -F 'file=@/etc/passwd'
$ ls -a /var/lib/php/sessions/
. .. sess_iamorange

In the last example the session will contain the string blahblahblah

Kumbuka kwamba na PHP_SESSION_UPLOAD_PROGRESS unaweza kudhibiti data ndani ya kikao, hivyo ikiwa unajumuisha faili lako la kikao unaweza kujumuisha sehemu unayodhibiti (kama shellcode ya php kwa mfano).

Note

Ingawa mafunzo mengi kwenye Mtandao yanapendekeza kuweka session.upload_progress.cleanup kuwa Off kwa ajili ya kusanidi. Kuweka session.upload_progress.cleanup kwa default katika PHP bado ni On. Inamaanisha kwamba maendeleo yako ya upakiaji katika kikao yatakuwa safishwa haraka iwezekanavyo. Hivyo hii itakuwa Race Condition.

CTF

Katika CTF ya asili ambapo mbinu hii imejadiliwa, haikutosha kutumia Race Condition lakini yaliyoloadi yalihitaji kuanza pia na mfuatano @<?php.

Kwa sababu ya mipangilio ya default ya session.upload_progress.prefix, faili yetu ya SESSION itaanza na kiambishi kisichofurahisha upload_progress_ Kama: upload_progress_controlledcontentbyattacker

Hila ya kuondoa kiambishi cha mwanzo ilikuwa ni base64encode payload mara 3 na kisha kuifungua kupitia vichujio convert.base64-decode, hii ni kwa sababu wakati wa base64 decoding PHP itafuta wahusika wa ajabu, hivyo baada ya mara 3 tu payload iliyotumwa na mshambuliaji itabaki (na kisha mshambuliaji anaweza kudhibiti sehemu ya mwanzo).

Taarifa zaidi katika andiko la asili https://blog.orange.tw/2018/10/ na exploit ya mwisho https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp_for_php.py
Andiko lingine katika https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/

{{#include ../../banners/hacktricks-training.md}}