# LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
{{#include ../../banners/hacktricks-training.md}}
## Basic Information
If you have found a **Local File Inclusion**, it can be turned into code execution even when **you don't have a session** and `session.auto_start` is `Off`: if **`session.upload_progress.enabled`** is **`On`** and you provide **`PHP_SESSION_UPLOAD_PROGRESS`** in **multipart POST data**, PHP will **enable the session for you**.
```bash
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -d 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -F 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah' -F 'file=@/etc/passwd'
$ ls -a /var/lib/php/sessions/
. .. sess_iamorange
# In the last example the session file will contain the string blahblahblah
```
Note that with **`PHP_SESSION_UPLOAD_PROGRESS`** you can **control data inside the session**, so if you include your own session file you can include a part you control (a PHP shellcode, for example).
> [!NOTE]
> Although most tutorials on the Internet recommend setting `session.upload_progress.cleanup` to `Off` for debugging purposes, the default value of `session.upload_progress.cleanup` in PHP is still `On`. This means your upload progress in the session will be cleaned as soon as possible, so this becomes a **Race Condition**.
### CTF
In the [**original CTF**](https://blog.orange.tw/2018/10/) where this technique was discussed, it was not enough to exploit the Race Condition: the included content also had to start with the string `@<?php`.
Because of the default setting of `session.upload_progress.prefix`, our **SESSION file will start with an annoying prefix** `upload_progress_`, like: `upload_progress_controlledcontentbyattacker`
The trick to **remove the initial prefix** was to **base64-encode the payload 3 times** and then decode it via `convert.base64-decode` filters. This works because during **base64 decoding PHP discards the characters outside the base64 alphabet**, so after 3 rounds **only** the **payload** **sent** by the attacker remains **(and the attacker then controls the beginning of the file)**.
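As an added defensive example (not code from the original page or from the linked writeups), the following Python inspects a multipart POST body for a `PHP_SESSION_UPLOAD_PROGRESS` field and unwraps up to three base64 layers, approximating PHP's non-strict decoder that drops non-alphabet characters, to flag a progress key that hides a PHP open tag. The sample bodies, the boundary and the helper names `multipart`, `unwrap_base64` and `inspect_request` are constructed here.

```python
import base64
import email
import re

BOUNDARY = "----constructed-boundary"  # assumption: sample boundary for the constructed bodies
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def multipart(fields):
    """Build a constructed multipart/form-data body from (name, value) pairs."""
    parts = [f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
             for n, v in fields]
    return ("".join(parts) + f"--{BOUNDARY}--\r\n").encode()


def unwrap_base64(data: bytes, max_layers: int = 3):
    """Decode up to max_layers of base64, first dropping bytes outside the base64
    alphabet (an approximation of PHP's non-strict base64_decode, the behaviour that
    lets the session-file prefix vanish). Returns every intermediate layer."""
    layers = [data]
    for _ in range(max_layers):
        cleaned = re.sub(rb"[^A-Za-z0-9+/=]", b"", layers[-1])
        if not cleaned:
            break
        try:
            layers.append(base64.b64decode(cleaned + b"=" * (-len(cleaned) % 4)))
        except ValueError:  # binascii.Error is a ValueError: misaligned garbage, stop here
            break
    return layers


def inspect_request(content_type: str, body: bytes) -> dict:
    """Report whether a multipart body carries PHP_SESSION_UPLOAD_PROGRESS and, if so,
    at which base64 depth (0 = raw value) a PHP open tag first appears."""
    msg = email.message_from_bytes(f"Content-Type: {content_type}\r\n\r\n".encode() + body)
    result = {"has_progress_key": False, "php_tag_layer": None}
    for part in msg.walk():
        if part.get_param("name", header="Content-Disposition") != "PHP_SESSION_UPLOAD_PROGRESS":
            continue
        result["has_progress_key"] = True
        value = part.get_payload(decode=True) or b""
        for depth, layer in enumerate(unwrap_base64(value)):
            if PHP_TAG.search(layer):
                result["php_tag_layer"] = depth
                break
    return result


# Constructed samples: a harmless progress key and one hiding a PHP tag two layers deep.
BENIGN = multipart([("PHP_SESSION_UPLOAD_PROGRESS", "blahblahblah"), ("file", "hello")])
NESTED = base64.b64encode(base64.b64encode(b"<?php phpinfo(); ?>")).decode()
SUSPICIOUS = multipart([("PHP_SESSION_UPLOAD_PROGRESS", NESTED), ("file", "hello")])
```

A WAF or request-logging hook can call `inspect_request` on each multipart POST; a non-`None` `php_tag_layer` on the progress key, or a progress key appearing at all on an application that never shows upload progress, is worth alerting on.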
More info in the original writeup [https://blog.orange.tw/2018/10/](https://blog.orange.tw/2018/10/) and the final exploit [https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp_for_php.py](https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp_for_php.py)\
Another writeup at [https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/](https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/)
{{#include ../../banners/hacktricks-training.md}}