LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS


Basic Information

If you have found a Local File Inclusion, it can still be abused even when you have no session and session.auto_start is Off: if session.upload_progress.enabled is On and you send PHP_SESSION_UPLOAD_PROGRESS in multipart POST data, PHP will create the session for you.

```bash
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -d 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah'
$ ls -a /var/lib/php/sessions/
. ..
$ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -F 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah'  -F 'file=@/etc/passwd'
$ ls -a /var/lib/php/sessions/
. .. sess_iamorange
```

Only the multipart request (the one sent with -F) creates the session file; in the last example the session will contain the string blahblahblah.

Note that with PHP_SESSION_UPLOAD_PROGRESS you can control data inside the session, so if you include your own session file you can include a part that you control (for example PHP code).

Note: although many tutorials on the Internet suggest setting session.upload_progress.cleanup to Off for debugging, the default value of session.upload_progress.cleanup in PHP is still On. This means the upload progress data in the session is cleaned up as soon as possible, so exploiting this becomes a Race Condition.
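As an added defender-side example (not code from the original write-up), the following Python audit reads a php.ini fragment and rates the exposure the paragraphs above describe: whether an unauthenticated multipart POST can create a session file at all, and whether the injected data persists or only survives a race window. The ini fragments are constructed for the example; the fallback values are PHP's documented defaults for these four directives.

```python
# Constructed php.ini fragments for the example; not taken from any real host.
WEAK_INI = """
session.upload_progress.enabled = On
session.upload_progress.cleanup = Off   ; commonly recommended "for debugging"
"""
DEFAULT_INI = "session.upload_progress.enabled = On\nsession.upload_progress.cleanup = On\n"
HARDENED_INI = "session.upload_progress.enabled = Off\n"

# PHP's documented defaults for the directives this page discusses.
DEFAULTS = {
    "session.auto_start": "0",
    "session.upload_progress.enabled": "1",
    "session.upload_progress.cleanup": "1",
    "session.upload_progress.prefix": "upload_progress_",
}


def parse_ini(text):
    """Minimal php.ini reader: drops ';' comments, keeps key = value pairs."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip("\"'")
    return settings


def is_on(value):
    return value.strip().lower() in ("1", "on", "true", "yes")


def assess(ini_text):
    """Return (level, reasons) describing how far a multipart POST carrying
    PHP_SESSION_UPLOAD_PROGRESS can populate a session file under this config."""
    s = parse_ini(ini_text)
    reasons = []
    if is_on(s["session.auto_start"]):
        reasons.append("session.auto_start is On: every request gets a session file")
    if not is_on(s["session.upload_progress.enabled"]):
        reasons.append("session.upload_progress.enabled is Off: PHP_SESSION_UPLOAD_PROGRESS is ignored")
        return "low", reasons
    reasons.append(f"session.upload_progress.enabled is On: a multipart POST with "
                   f"PHP_SESSION_UPLOAD_PROGRESS writes a session key prefixed {s['session.upload_progress.prefix']!r}")
    if is_on(s["session.upload_progress.cleanup"]):
        reasons.append("session.upload_progress.cleanup is On: data is removed after the upload, leaving only a race window")
        return "race-window", reasons
    reasons.append("session.upload_progress.cleanup is Off: caller-controlled data stays in the session file")
    return "persistent", reasons
```

Run assess() over the fragments to see that the PHP defaults already land in the race-window state, and that only disabling upload progress (or the debugging setting being left Off) changes the picture.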

CTF

In the original CTF where this technique was discussed, exploiting the Race Condition was not enough: the included content also had to start with the string @<?php.

Because of the default value of session.upload_progress.prefix, the SESSION file starts with the inconvenient prefix upload_progress_, for example: upload_progress_controlledcontentbyattacker

The trick to get rid of that leading prefix was to base64-encode the payload 3 times and then decode it through convert.base64-decode filters. This works because PHP discards invalid characters while base64-decoding, so after 3 rounds only the payload sent by the attacker remains (and the attacker therefore controls the start of the file).

More information in the original write-up https://blog.orange.tw/2018/10/ and the final exploit https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp_for_php.py
Another write-up at https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/
