LFI2RCE przez pliki tymczasowe Nginx

Tip

Ucz się i ćwicz Hacking AWS:HackTricks Training AWS Red Team Expert (ARTE)
Ucz się i ćwicz Hacking GCP: HackTricks Training GCP Red Team Expert (GRTE) Ucz się i ćwicz Hacking Azure: HackTricks Training Azure Red Team Expert (AzRTE)

Wsparcie dla HackTricks

Podatna konfiguracja

Example from bierbaumer.net pokazał, że nawet następująca jednolinijkowa komenda jest wystarczająca, gdy PHP działa za nginx reverse proxy, które buforuje treść żądań na dysk:

<?php
$action = $_GET['action'] ?? 'read';
$path   = $_GET['file'] ?? 'index.php';
$action === 'read' ? readfile($path) : include $path;

The nginx side typically keeps default temp paths such as /var/lib/nginx/body and /var/lib/nginx/fastcgi. When a request body or upstream response is larger than the in-memory buffer (≈8 KB by default), nginx transparently writes the data to a temp file, keeps the file descriptor open, and only unlinks the file name. Any PHP include that follows symbolic links (like /proc/<pid>/fd/<fd>) can still execute the unlinked contents, giving you RCE through LFI.

Why nginx temp files are abusable

  • Request bodies that exceed the buffer threshold are flushed to client_body_temp_path (defaults to /tmp/nginx/client-body or /var/lib/nginx/body).
  • The file name is random, but the file descriptor remains reachable under /proc/<nginx_pid>/fd/<fd>. As long as the request body has not completed (or you keep the TCP stream hanging), nginx keeps the descriptor open even though the path entry is unlinked.
  • PHP’s include/require resolves those /proc/.../fd/... symlinks, so an attacker with LFI can hop through procfs to execute the buffered temp file even after nginx deletes it.

Classic exploitation workflow (recap)

  1. Enumerate worker PIDs. Fetch /proc/<pid>/cmdline over the LFI until you find strings like nginx: worker process. The number of workers rarely exceeds the CPU count, so you only have to scan the lower PID space.
  2. Force nginx to create the temp file. Send very large POST/PUT bodies (or proxied responses) so that nginx spills to /var/lib/nginx/body/XXXXXXXX. Make sure the backend never reads the entire body—e.g., keep-alive the upload thread so nginx keeps the descriptor open.
  3. Map descriptors to files. With the PID list, generate traversal chains such as /proc/<pidA>/cwd/proc/<pidB>/root/proc/<pidC>/fd/<fd> to bypass any realpath() normalization before PHP resolves the final /proc/<victim_pid>/fd/<interesting_fd> target. Brute-forcing file descriptors 10–45 is usually enough because nginx reuses that range for body temp files.
  4. Include for execution. When you hit the descriptor that still points to the buffered body, a single include or require call runs your payload—even though the original filename has already been unlinked. If you only need file read, switch to readfile() to exfiltrate the temporary contents instead of executing them.

Modern variations (2024–2025)

Ingress controllers and service meshes now routinely expose nginx instances with additional attack surface. CVE-2025-1974 (“IngressNightmare”) is a good example of how the classic temp-file trick evolves:

  • Attackers push a malicious shared object as a request body. Because the body is >8 KB, nginx buffers it to /tmp/nginx/client-body/cfg-<random>. By intentionally lying in the Content-Length header (e.g., claiming 1 MB and never sending the last chunk) the temp file remains pinned for ~60 seconds.
  • The vulnerable ingress-nginx template code allowed injecting directives into the generated nginx config. Combining that with the lingering temp file made it possible to brute-force /proc/<pid>/fd/<fd> links until the attacker discovered the buffered shared object.
  • Injecting ssl_engine /proc/<pid>/fd/<fd>; forced nginx to load the buffered .so. Constructors inside the shared object yielded immediate RCE inside the ingress controller pod, which in turn exposed Kubernetes secrets.

A trimmed-down reconnaissance snippet for this style of attack looks like:

Szybki skaner procfs ```python #!/usr/bin/env python3 import os

def find_tempfds(pid_range=range(100, 4000), fd_range=range(10, 80)): for pid in pid_range: fd_dir = f“/proc/{pid}/fd“ if not os.path.isdir(fd_dir): continue for fd in fd_range: try: path = os.readlink(f“{fd_dir}/{fd}“) if “client-body” in path or “nginx” in path: yield pid, fd, path except OSError: continue

for pid, fd, path in find_tempfds(): print(f“use ?file=/proc/{pid}/fd/{fd} # {path}“)

</details>

Uruchom to z dowolnego primitive (command injection, template injection, etc.), który już posiadasz. Wprowadź odkryte ścieżki `/proc/<pid>/fd/<fd>` z powrotem do parametru LFI, aby dołączyć buforowany ładunek.

## Praktyczne wskazówki

* Gdy nginx wyłącza buforowanie (`proxy_request_buffering off`, `client_body_buffer_size` tuned high, or `proxy_max_temp_file_size 0`), technika staje się znacznie trudniejsza — więc zawsze sprawdzaj pliki konfiguracyjne i nagłówki odpowiedzi, aby upewnić się, czy buforowanie jest nadal włączone.
* Zawieszające się uploady są głośne, ale skuteczne. Użyj wielu procesów, aby zalewać workerów, tak by przynajmniej jeden plik tymczasowy pozostał wystarczająco długo, by Twoje LFI brute force mogło go wykryć.
* W Kubernetes lub innych orchestratorach granice uprawnień mogą wyglądać inaczej, ale primitive jest ten sam: znajdź sposób na wrzucenie bajtów do buforów nginx, a następnie przejdź po `/proc` z dowolnego miejsca, z którego możesz wykonywać odczyty systemu plików.

## Laboratoria

- [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz)
- [https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/](https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/)
- [https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/](https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/)

## Referencje

- [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
- [https://www.opswat.com/blog/ingressnightmare-cve-2025-1974-remote-code-execution-vulnerability-remediation](https://www.opswat.com/blog/ingressnightmare-cve-2025-1974-remote-code-execution-vulnerability-remediation)

> [!TIP]
> Ucz się i ćwicz Hacking AWS:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Ucz się i ćwicz Hacking GCP: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Ucz się i ćwicz Hacking Azure: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Wsparcie dla HackTricks</summary>
>
> - Sprawdź [**plany subskrypcyjne**](https://github.com/sponsors/carlospolop)!
> - **Dołącz do** 💬 [**grupy Discord**](https://discord.gg/hRep4RUj7f) lub [**grupy telegramowej**](https://t.me/peass) lub **śledź** nas na **Twitterze** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Dziel się trikami hackingowymi, przesyłając PR-y do** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repozytoriów na githubie.
>
> </details>