EvilZone
Hacking and Security => Tutorials => : noob September 06, 2011, 02:18:25 PM
-
http://www.insomniasec.com/publications/LFI%20With%20PHPInfo%20Assistance.pdf
intro page :
Introduction
During assessments it is still common to find LFI vulnerabilities when testing PHP applications. Depending
on the server configuration it is often possible to convert these into code execution primitives through known
techniques such as;
/proc/self/environ
/proc/self/fd/...
/var/log/...
/var/lib/php/session/ (PHP Sessions)
/tmp/ (PHP Sessions)
php://input wrapper
php://filter wrapper
data: wrapper
The research in this whitepaper is an extension of the published work by Gynvael Coldwind in the paper
“PHP LFI to arbitratry code execution via rfc1867 file upload temporary files”
http://www.exploit-db.com/download_pdf/17010/ (http://www.exploit-db.com/download_pdf/17010/)
In that paper, the author documents information related to how the PHP file upload feature works. In
particular he notes that if file_uploads = on is set in the PHP configuration file, then PHP will accept a file
upload post to any PHP file. He also notes that the upload file will be stored in the tmp location, until the
requested PHP page is fully processed.
This is also included in the PHP documentation;
http://www.php.net/manual/en/features.file-upload.post-method.php (http://www.php.net/manual/en/features.file-upload.post-method.php)
The file will be deleted from the temporary directory at the end of the request if it has not been
moved away or renamed.
In the paper, Gynvael Coldwind, includes a method of exploiting this behaviour on Windows systems through
the use of the FindFirstFile quirk. This behaviour is documented in the paper;
Oddities of PHP file access in Windows®. Cheat-sheet, 2011 (Vladimir Vorontsov, Arthur Gerkis)
http://onsec.ru/onsec.whitepaper-02.eng.pdf (http://onsec.ru/onsec.whitepaper-02.eng.pdf)
Although unrelated to LFI research, the following paper is interesting reading material for PHP web
application security researchers. It documents a behavioural issue with PHP scripts handling when invoked
through the HEAD HTTP verb;
HTTP HEAD method trick in php scripts (Adam Iwaniuk)
https://students.mimuw.edu.pl/~ai292615/php_head_trick.pdf (https://students.mimuw.edu.pl/~ai292615/php_head_trick.pdf)
The FindFirstFile quirk does not affect the PHP engine on GNU/Linux; however under certain conditions
exploitation of the PHP file upload feature is still possible. This paper details one of these conditions, which
becomes available when access to a script that outputs the results of a phpinfo() call, is available on the
target server.
-
Added the intro page, try adding it the next time.
It will give people more interests to read it, and you more respect for sharing ;)
-
sounds interesting though
dont know much about php and stuff,
but still its a way of learning exploiting in a new way :P