LFI2RCE via Nginx temp files

Tip

AWS हैकिंग सीखें और अभ्यास करें:HackTricks Training AWS Red Team Expert (ARTE)
GCP हैकिंग सीखें और अभ्यास करें: HackTricks Training GCP Red Team Expert (GRTE) Azure हैकिंग सीखें और अभ्यास करें: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks का समर्थन करें

असुरक्षित कॉन्फ़िगरेशन

Example from bierbaumer.net ने दिखाया कि जब PHP एक nginx reverse proxy के पीछे चलता है जो request bodies को disk पर buffer करता है, तब निम्नलिखित one-liner भी पर्याप्त है:

<?php
$action = $_GET['action'] ?? 'read';
$path   = $_GET['file'] ?? 'index.php';
$action === 'read' ? readfile($path) : include $path;

The nginx side typically keeps default temp paths such as /var/lib/nginx/body and /var/lib/nginx/fastcgi. When a request body or upstream response is larger than the in-memory buffer (≈8 KB by default), nginx transparently writes the data to a temp file, keeps the file descriptor open, and only unlinks the file name. Any PHP include that follows symbolic links (like /proc/<pid>/fd/<fd>) can still execute the unlinked contents, giving you RCE through LFI.

क्यों nginx temp files का दुरुपयोग किया जा सकता है

  • Request bodies that exceed the buffer threshold are flushed to client_body_temp_path (defaults to /tmp/nginx/client-body or /var/lib/nginx/body).
  • The file name is random, but the file descriptor remains reachable under /proc/<nginx_pid>/fd/<fd>. As long as the request body has not completed (or you keep the TCP stream hanging), nginx keeps the descriptor open even though the path entry is unlinked.
  • PHP’s include/require resolves those /proc/.../fd/... symlinks, so an attacker with LFI can hop through procfs to execute the buffered temp file even after nginx deletes it.

Classic exploitation workflow (recap)

  1. Enumerate worker PIDs. Fetch /proc/<pid>/cmdline over the LFI until you find strings like nginx: worker process. The number of workers rarely exceeds the CPU count, so you only have to scan the lower PID space.
  2. Force nginx to create the temp file. Send very large POST/PUT bodies (or proxied responses) so that nginx spills to /var/lib/nginx/body/XXXXXXXX. Make sure the backend never reads the entire body—e.g., keep-alive the upload thread so nginx keeps the descriptor open.
  3. Map descriptors to files. With the PID list, generate traversal chains such as /proc/<pidA>/cwd/proc/<pidB>/root/proc/<pidC>/fd/<fd> to bypass any realpath() normalization before PHP resolves the final /proc/<victim_pid>/fd/<interesting_fd> target. Brute-forcing file descriptors 10–45 is usually enough because nginx reuses that range for body temp files.
  4. Include for execution. When you hit the descriptor that still points to the buffered body, a single include or require call runs your payload—even though the original filename has already been unlinked. If you only need file read, switch to readfile() to exfiltrate the temporary contents instead of executing them.

Modern variations (2024–2025)

Ingress controllers and service meshes now routinely expose nginx instances with additional attack surface. CVE-2025-1974 (“IngressNightmare”) is a good example of how the classic temp-file trick evolves:

  • Attackers push a malicious shared object as a request body. Because the body is >8 KB, nginx buffers it to /tmp/nginx/client-body/cfg-<random>. By intentionally lying in the Content-Length header (e.g., claiming 1 MB and never sending the last chunk) the temp file remains pinned for ~60 seconds.
  • The vulnerable ingress-nginx template code allowed injecting directives into the generated nginx config. Combining that with the lingering temp file made it possible to brute-force /proc/<pid>/fd/<fd> links until the attacker discovered the buffered shared object.
  • Injecting ssl_engine /proc/<pid>/fd/<fd>; forced nginx to load the buffered .so. Constructors inside the shared object yielded immediate RCE inside the ingress controller pod, which in turn exposed Kubernetes secrets.

A trimmed-down reconnaissance snippet for this style of attack looks like:

त्वरित procfs स्कैनर ```python #!/usr/bin/env python3 import os

def find_tempfds(pid_range=range(100, 4000), fd_range=range(10, 80)): for pid in pid_range: fd_dir = f“/proc/{pid}/fd“ if not os.path.isdir(fd_dir): continue for fd in fd_range: try: path = os.readlink(f“{fd_dir}/{fd}“) if “client-body” in path or “nginx” in path: yield pid, fd, path except OSError: continue

for pid, fd, path in find_tempfds(): print(f“use ?file=/proc/{pid}/fd/{fd} # {path}“)

</details>

इसे किसी भी primitive (command injection, template injection, आदि) से चलाइए जो आपके पास पहले से मौजूद हो। खोजे गए `/proc/<pid>/fd/<fd>` paths को अपनी LFI पैरामीटर में फ़ीड करें ताकि buffered payload शामिल हो जाए।

## व्यावहारिक सुझाव

* जब nginx buffering अक्षम कर देता है (`proxy_request_buffering off`, `client_body_buffer_size` tuned high, or `proxy_max_temp_file_size 0`), तो यह तकनीक बहुत कठिन हो जाती है — इसलिए हमेशा config फ़ाइलों और response headers को सूचीबद्ध करके जाँच करें कि buffering अभी भी सक्षम है या नहीं।
* Hanging uploads शोर करते हैं लेकिन प्रभावी होते हैं। workers को flood करने के लिए कई processes का उपयोग करें ताकि कम से कम एक temp file पर्याप्त समय तक बना रहे और आपकी LFI brute force उसे पकड़ सके।
* Kubernetes या अन्य orchestrators में privilege boundaries अलग दिख सकती हैं, लेकिन primitive वही है: nginx buffers में bytes डालने का तरीका ढूँढें, फिर `/proc` में उस जगह तक चले जहाँ से आप file system reads चला सकते हैं।

## लैब्स

- [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz)
- [https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/](https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/)
- [https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/](https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/)

## संदर्भ

- [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
- [https://www.opswat.com/blog/ingressnightmare-cve-2025-1974-remote-code-execution-vulnerability-remediation](https://www.opswat.com/blog/ingressnightmare-cve-2025-1974-remote-code-execution-vulnerability-remediation)

> [!TIP]
> AWS हैकिंग सीखें और अभ्यास करें:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> GCP हैकिंग सीखें और अभ्यास करें: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Azure हैकिंग सीखें और अभ्यास करें: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>HackTricks का समर्थन करें</summary>
>
> - [**सदस्यता योजनाओं**](https://github.com/sponsors/carlospolop) की जांच करें!
> - **हमारे** 💬 [**Discord समूह**](https://discord.gg/hRep4RUj7f) या [**टेलीग्राम समूह**](https://t.me/peass) में शामिल हों या **हमें** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)** पर फॉलो करें।**
> - **हैकिंग ट्रिक्स साझा करें और** [**HackTricks**](https://github.com/carlospolop/hacktricks) और [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) गिटहब रिपोजिटरी में PRs सबमिट करें।
>
> </details>