Lfi2rce via temp file uploads

Check the full details of this technique in https://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf

PHP File uploads

When a PHP engine receives a POST request containing files formatted according to RFC 1867, it generates temporary files to store the uploaded data. These files are crucial for file upload handling in PHP scripts. The move_uploaded_file function must be used to relocate these temporary files to a desired location if persistent storage beyond the script's execution is needed. Post-execution, PHP automatically deletes any remaining temporary files.

Note: Attackers who know the temporary files' location might exploit a Local File Inclusion vulnerability to execute code by including the file while the upload is still being processed.

The challenge for unauthorized access lies in predicting the temporary file's name, which is intentionally randomized.
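The two server-side measures that close this path, shown as an added example (not code from the original page or the referenced paper): an include that only resolves keys from a fixed allowlist instead of a user-supplied path, and an upload handler that validates the RFC 1867 temporary file and moves it out with move_uploaded_file. The page names, upload directory and the images-only policy are assumptions.

```php
<?php
// Added example. The pattern this technique needs is a user-controlled include path:
//   include($_GET['inc']);   // any readable file, including PHP's own upload temp
//                            // files, can be pulled in while it still exists.
// Hardened form: map a short key to a fixed path; user input never becomes a path.

const INCLUDE_MAP = [                        // assumed set of pages
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function safe_include(string $key): bool
{
    // Reject anything not in the allowlist; no normalisation, no path building.
    if (!array_key_exists($key, INCLUDE_MAP)) {
        http_response_code(404);
        return false;
    }
    require INCLUDE_MAP[$key];
    return true;
}

// Upload handling: the temp file PHP created for this request is checked with
// is_uploaded_file, its real content type is inspected, and it is moved to a
// server-chosen name. Whatever is not moved is deleted when the script ends,
// so the exposure window of a temp file is the script's own run time.
function store_upload(array $file, string $dest_dir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ['image/png' => 'png', 'image/jpeg' => 'jpg'][$mime] ?? null;
    if ($ext === null) {
        return null;                         // assumed policy: images only
    }
    // Random server-side name with a fixed extension; the client's name is unused.
    $dest = $dest_dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

safe_include($_GET['inc'] ?? 'home');
if (isset($_FILES['upload'])) {
    // Assumed: /uploads is outside the web root or configured to never execute PHP.
    store_upload($_FILES['upload'], __DIR__ . '/uploads');
}
```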

Exploitation on Windows Systems

On Windows, PHP generates temporary file names using the GetTempFileName function, resulting in a pattern like <path>\<pre><uuuu>.TMP. Notably:

  • The default path is typically C:\Windows\Temp.
  • The prefix is usually "php".
  • The <uuuu> represents a unique hexadecimal value. Crucially, due to the function's limitation, only the lower 16 bits are used, allowing for a maximum of 65,535 unique names with constant path and prefix, making brute force feasible.

Moreover, the exploitation process is simplified on Windows systems. A peculiarity in the FindFirstFile function permits the use of wildcards in Local File Inclusion (LFI) paths. This enables crafting an include path like the following to locate the temporary file:

http://site/vuln.php?inc=c:\windows\temp\php<<

In certain situations, a more specific mask (like php1<< or phpA<<) might be required. One can systematically try these masks to discover the uploaded temporary file.

Exploitation on GNU/Linux Systems

For GNU/Linux systems, the randomness in temporary file naming is robust, rendering the names neither predictable nor susceptible to brute force attacks. Further details can be found in the referenced documentation.