Check the full details of this technique in https://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf
When a PHP engine receives a POST request containing files formatted according to RFC 1867, it generates temporary files to store the uploaded data. These files are crucial for file upload handling in PHP scripts. The move_uploaded_file
function must be used to relocate these temporary files to a desired location if persistent storage beyond the script's execution is needed. Post-execution, PHP automatically deletes any remaining temporary files.
Security Alert: Attackers, aware of the temporary files' location, might exploit a Local File Inclusion vulnerability to execute code by accessing the file during upload.
The challenge for unauthorized access lies in predicting the temporary file's name, which is intentionally randomized.
On Windows, PHP generates temporary file names using the GetTempFileName function, resulting in a pattern like <path>\<pre><uuuu>.TMP. Notably:
<path> is usually C:\Windows\Temp.
<pre> is the prefix (php, as in the masks below).
<uuuu> represents a unique hexadecimal value. Crucially, due to the function's limitation, only the lower 16 bits are used, allowing for a maximum of 65,535 unique names with constant path and prefix, making brute force feasible.
Moreover, the exploitation process is simplified on Windows systems. A peculiarity in the FindFirstFile function permits the use of wildcards in Local File Inclusion (LFI) paths. This enables crafting an include path like the following to locate the temporary file:
http://site/vuln.php?inc=c:\windows\temp\php<<
In certain situations, a more specific mask (like php1<< or phpA<<) might be required. One can systematically try these masks to discover the uploaded temporary file.
For GNU/Linux systems, the randomness in temporary file naming is robust, rendering the names neither predictable nor susceptible to brute force attacks. Further details can be found in the referenced documentation.