# LFI2RCE via Nginx temp files
> [!TIP]
> Learn & practice AWS Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
> Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)\
> Learn & practice Azure Hacking: [**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)
>
> <details>
>
> <summary>Support HackTricks</summary>
>
> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>
## Vulnerable setup

The example from bierbaumer.net showed that even the following one-liner is enough when PHP runs behind an nginx reverse proxy that stores request bodies on disk:
```php
<?php
// Deliberately vulnerable (as on the original page): both branches take an
// attacker-controlled path, so ?action=include&file=/proc/<pid>/fd/<fd> is an LFI.
$action = $_GET['action'] ?? 'read';
$path = $_GET['file'] ?? 'index.php';
$action === 'read' ? readfile($path) : include $path;
```
The nginx side typically keeps default temp paths such as `/var/lib/nginx/body` and `/var/lib/nginx/fastcgi`. When a request body or upstream response is larger than the in-memory buffer (`client_body_buffer_size`, 8 KB by default on x86/x86-64 and 16 KB on most other 64-bit platforms), nginx transparently writes the data to a temp file, unlinks the file name right away (unless `client_body_in_file_only` is set) and keeps the file descriptor open until the request finishes. Any PHP `include` that follows the `/proc/<pid>/fd/<fd>` magic link can still execute the unlinked contents, giving you RCE through LFI.
## Why nginx temp files are abusable

- Request bodies that exceed the buffer threshold are flushed to `client_body_temp_path` (defaults to `/tmp/nginx/client-body` or `/var/lib/nginx/body`, depending on how nginx was built or packaged).
- The file name does not matter: nginx unlinks it right after creating the file, but the file descriptor remains reachable under `/proc/<nginx_pid>/fd/<fd>`. As long as the request body has not completed (or you keep the TCP stream hanging), nginx keeps the descriptor open even though the directory entry is gone (`readlink` shows the old path with a ` (deleted)` suffix).
- PHP's `include`/`require` follows those `/proc/.../fd/...` magic links, so an attacker with LFI can hop through procfs to execute the buffered temp file even after nginx deletes it.
- Reading another process's `/proc/<pid>/fd/` requires ptrace access to that process (same uid, or CAP_SYS_PTRACE). The trick works in the common setup where the nginx workers and PHP-FPM both run as `www-data`, and fails across a uid boundary.
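The procfs behaviour the list above relies on can be reproduced locally. This is an added example, not code from the original write-up: it creates a temp file, unlinks it the way nginx does, and shows that the descriptor's `/proc/<pid>/fd/<fd>` link still opens the deleted contents. It uses the calling process's own `/proc/self`; nginx's case differs only in that PHP reads another process's `fd` directory, which the kernel allows only with ptrace access (same uid or CAP_SYS_PTRACE). The body bytes are a constructed stand-in for a buffered POST.

```python
#!/usr/bin/env python3
"""Show that an unlinked file stays reachable through /proc/<pid>/fd/<fd> (added example)."""
import os
import tempfile

# Constructed stand-in for a buffered request body; real nginx spools the raw POST data.
BODY = b"<?php echo 'pinned-body'; ?>\n" * 400   # ~11 KB, past a default 8/16 KB buffer


def pinned_temp_file(data: bytes = BODY):
    """Mimic nginx: create a temp file, write the body, unlink the name but keep the fd open.

    Returns (fd, readlink_target), or None when procfs is not available (non-Linux)."""
    if not os.path.isdir("/proc/self/fd"):
        return None
    fd, name = tempfile.mkstemp(prefix="0000000001-")   # nginx uses numeric names under client_body_temp_path
    os.write(fd, data)
    os.unlink(name)                                      # what ngx_open_tempfile() does for non-persistent files
    return fd, os.readlink(f"/proc/self/fd/{fd}")       # on Linux this ends with ' (deleted)'


def read_through_procfs(fd: int, pid: str = "self") -> bytes:
    """Re-open the descriptor via its magic link, exactly what include('/proc/<pid>/fd/<fd>') does."""
    with open(f"/proc/{pid}/fd/{fd}", "rb") as f:      # a fresh open(2) with its own file offset
        return f.read()


if __name__ == "__main__":
    res = pinned_temp_file()
    if res is None:
        raise SystemExit("needs Linux procfs")
    fd, target = res
    print("readlink:", target)                          # the directory entry is gone, the inode is not
    print("bytes readable via /proc/self/fd:", len(read_through_procfs(fd)))
    os.close(fd)                                        # closing the last descriptor frees the inode for good
```

The same re-open works from any process that may read the owner's `fd` directory, which is why a PHP worker running as the same user as nginx can include a body nginx already "deleted".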
## Classic exploitation workflow (recap)

- Enumerate worker PIDs. Fetch `/proc/<pid>/cmdline` over the LFI until you find strings like `nginx: worker process`. The number of workers rarely exceeds the CPU count, so you only have to scan the lower PID space.
- Force nginx to create the temp file. Send very large POST/PUT bodies (or proxied responses) so that nginx spills to `/var/lib/nginx/body/XXXXXXXX`. Make sure the request never completes from nginx's point of view, e.g. hold the upload connection open without sending the final bytes, so nginx keeps the descriptor open.
- Map descriptors to files. With the PID list, generate traversal chains such as `/proc/<pidA>/cwd/proc/<pidB>/root/proc/<pidC>/fd/<fd>` to bypass any `realpath()` normalization before PHP resolves the final `/proc/<victim_pid>/fd/<interesting_fd>` target. Brute-forcing file descriptors 10–45 is usually enough because nginx reuses that range for body temp files.
- Include for execution. When you hit the descriptor that still points to the buffered body, a single `include` or `require` call runs your payload, even though the original filename has already been unlinked. If you only need file read, switch to `readfile()` to exfiltrate the temporary contents instead of executing them.
## Modern variations (2024–2025)

Ingress controllers and service meshes now routinely expose nginx instances with additional attack surface. CVE-2025-1974 ("IngressNightmare") is a good example of how the classic temp-file trick evolves:

- Attackers push a malicious shared object as a request body. Because the body is >8 KB, nginx buffers it to a temp file under `/tmp/nginx/client-body/`. By intentionally lying in the `Content-Length` header (e.g., claiming 1 MB and never sending the last bytes) the temp file remains pinned for ~60 seconds, the default `client_body_timeout`.
- The vulnerable ingress-nginx template code allowed injecting directives into the generated nginx config, which the controller validates by running it through nginx. Combining that with the lingering temp file made it possible to brute-force `/proc/<pid>/fd/<fd>` links until the attacker discovered the buffered shared object.
- Injecting `ssl_engine /proc/<pid>/fd/<fd>;` forced nginx to load the buffered `.so`. Constructors inside the shared object yielded immediate RCE inside the ingress controller pod, which in turn exposed Kubernetes secrets.
A trimmed-down reconnaissance snippet for this style of attack looks like:
<details>

<summary>Quick procfs scan</summary>

```python
#!/usr/bin/env python3
import os


def find_tempfds(pid_range=range(100, 4000), fd_range=range(10, 80)):
    """Yield (pid, fd, link_target) for descriptors that point at nginx temp files."""
    for pid in pid_range:
        fd_dir = f"/proc/{pid}/fd"
        if not os.path.isdir(fd_dir):      # no such PID, or no permission to look
            continue
        for fd in fd_range:
            try:
                path = os.readlink(f"{fd_dir}/{fd}")
            except OSError:                # fd not open, or not ours to read
                continue
            if "client-body" in path or "nginx" in path:   # e.g. '/tmp/nginx/client-body/0000000012 (deleted)'
                yield pid, fd, path


for pid, fd, path in find_tempfds():
    print(f"use ?file=/proc/{pid}/fd/{fd}  # {path}")
```
</details>
Run it from whatever primitive (command injection, template injection, etc.) you already have. Feed the `/proc/<pid>/fd/<fd>` paths it discovers back into your LFI parameter to include the buffered payload.
## Practical notes

* When nginx does not buffer to disk (`fastcgi_request_buffering off` for PHP-FPM upstreams or `proxy_request_buffering off` for `proxy_pass`, `client_body_buffer_size` tuned high enough that bodies fit in memory, or `proxy_max_temp_file_size 0` / `fastcgi_max_temp_file_size 0` for upstream responses), the technique becomes much harder, so always enumerate config files and response headers to confirm whether buffering is still enabled.
* Hanging uploads are noisy but effective. Use multiple processes to flood the workers so that at least one temp file stays alive long enough for your LFI brute force to catch it.
* In Kubernetes or other orchestrators the permission boundaries may look different, but the core technique is the same: find a way to write bytes into nginx's buffers, then walk `/proc` from wherever you can get a filesystem read.
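A small audit helper for the first note, added here rather than taken from the original page. It scans an nginx config for the directives that decide whether a request body can reach `client_body_temp_path` and compares a constructed distro-style default against a hardened variant. It goes one step beyond the note: when `client_max_body_size` is no larger than `client_body_buffer_size`, nginx rejects anything that would not fit in memory with 413, so no temp file is ever created. The config texts are constructed samples, and the directive lookup is a deliberate simplification (nginx scopes directives per http/server/location context, so a real audit must walk the tree).

```python
#!/usr/bin/env python3
"""Heuristic audit: can request bodies reach client_body_temp_path? (added example)"""
import re

# Constructed samples: distro-style defaults behind PHP-FPM versus a hardened variant.
VULN_CONF = """
http {
    client_max_body_size 16m;            # bodies up to 16 MB, buffer is only 8/16 KB
    server {
        location ~ \\.php$ {
            include fastcgi_params;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }
}
"""

HARDENED_CONF = """
http {
    client_body_buffer_size 16k;
    client_max_body_size 16k;            # never larger than the in-memory buffer
    server {
        location ~ \\.php$ {
            fastcgi_request_buffering off;   # stream the body to PHP-FPM instead of spooling it
            proxy_request_buffering off;     # same for any proxy_pass locations
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }
}
"""

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(value: str) -> int:
    """nginx size syntax: 8k, 1m, 0 (0 means 'unlimited' for client_max_body_size)."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", value.strip())
    if not m:
        raise ValueError(f"bad nginx size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def directive(conf: str, name: str, default: str) -> str:
    """Last value of a directive anywhere in the file (simplification: ignores nginx contexts)."""
    hits = re.findall(rf"^\s*{name}\s+([^;#]+);", conf, re.MULTILINE)
    return hits[-1].strip() if hits else default


def body_can_hit_disk(conf: str, default_buffer: str = "8k") -> list:
    """Return the reasons a body may be spooled to disk; an empty list means the trick is off the table.

    default_buffer: client_body_buffer_size is 8k on x86/x86-64 and 16k on most other 64-bit builds."""
    reasons = []
    in_file = directive(conf, "client_body_in_file_only", "off")
    if in_file != "off":
        reasons.append(f"client_body_in_file_only {in_file}: every body is written to a file")
    buffered = (directive(conf, "fastcgi_request_buffering", "on") == "on"
                or directive(conf, "proxy_request_buffering", "on") == "on")   # conservative: both must be off
    buf = parse_size(directive(conf, "client_body_buffer_size", default_buffer))
    max_body = parse_size(directive(conf, "client_max_body_size", "1m"))
    if buffered and (max_body == 0 or max_body > buf):
        reasons.append(f"request buffering on and client_max_body_size ({max_body or 'unlimited'}) "
                       f"exceeds client_body_buffer_size ({buf}): oversized bodies spill to temp files")
    return reasons


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULN_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", body_can_hit_disk(conf) or ["no disk spooling expected"])
```

Capping `client_max_body_size` at the buffer size is only viable for applications that never take uploads; where they do, disabling request buffering is the knob that removes the temp file without rejecting large bodies.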
## Labs
- [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz)
- [https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/](https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/)
- [https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/](https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/)
## References
- [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
- [https://www.opswat.com/blog/ingressnightmare-cve-2025-1974-remote-code-execution-vulnerability-remediation](https://www.opswat.com/blog/ingressnightmare-cve-2025-1974-remote-code-execution-vulnerability-remediation)