0 Members and 1 Guest are viewing this topic.
http://www.insomniasec.com/publications/LFI%20With%20PHPInfo%20Assistance.pdf
IntroductionDuring assessments it is still common to find LFI vulnerabilities when testing PHP applications. Depending on the server configuration it is often possible to convert these into code execution primitives through known techniques such as; /proc/self/environ /proc/self/fd/... /var/log/... /var/lib/php/session/ (PHP Sessions) /tmp/ (PHP Sessions) php://input wrapper php://filter wrapper data: wrapperThe research in this whitepaper is an extension of the published work by Gynvael Coldwind in the paper “PHP LFI to arbitratry code execution via rfc1867 file upload temporary files” http://www.exploit-db.com/download_pdf/17010/In that paper, the author documents information related to how the PHP file upload feature works. In particular he notes that if file_uploads = on is set in the PHP configuration file, then PHP will accept a file upload post to any PHP file. He also notes that the upload file will be stored in the tmp location, until the requested PHP page is fully processed. This is also included in the PHP documentation;http://www.php.net/manual/en/features.file-upload.post-method.phpThe file will be deleted from the temporary directory at the end of the request if it has not been moved away or renamed.In the paper, Gynvael Coldwind, includes a method of exploiting this behaviour on Windows systems through the use of the FindFirstFile quirk. This behaviour is documented in the paper;Oddities of PHP file access in Windows®. Cheat-sheet, 2011 (Vladimir Vorontsov, Arthur Gerkis)http://onsec.ru/onsec.whitepaper-02.eng.pdfAlthough unrelated to LFI research, the following paper is interesting reading material for PHP web application security researchers. It documents a behavioural issue with PHP scripts handling when invoked through the HEAD HTTP verb;HTTP HEAD method trick in php scripts (Adam Iwaniuk)https://students.mimuw.edu.pl/~ai292615/php_head_trick.pdfThe FindFirstFile quirk does not affect the PHP engine on GNU/Linux; however under certain conditions exploitation of the PHP file upload feature is still possible. This paper details one of these conditions, which becomes available when access to a script that outputs the results of a phpinfo() call, is available on the target server.
