Monday, March 21, 2011

PHP LFI to arbitrary code execution via rfc1867 file upload temporary files

Just another PHP LFI exploitation method

This article describes a method of taking advantage of a Local File Inclusion (LFI) vulnerability in a .php script. It does not describe any vulnerability in the PHP engine itself, nor does it describe any new vulnerability class.

- this method works like a charm on Windows (http://site/?page=C:\Windows\Temp\php<<)
- trick with << in FindFirstFile ftw!
- this method works in some very specific cases on Linux-based OSes (and doesn't work in other cases)
- GetTempFileName in WinAPI is surprisingly weak
- but mkstemp from GNU libc is surprisingly strong
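The sink such an attack needs is an include whose path is built from request input. As an added defensive illustration (not code from the original post), here is that vulnerable pattern beside an allowlisted version that never turns user input into a filesystem path; the parameter name, the pages/ directory and the page keys are assumptions.

```php
<?php
// Added example: vulnerable vs. hardened page-include pattern.
// The parameter name ($_GET['page']), the pages/ directory and the
// page keys below are assumptions, not taken from the original post.

// VULNERABLE: the request parameter is used directly as the include path.
// Any file PHP can read, including an upload temporary file whose name
// the client can guess or wildcard, becomes executable code.
function includePageUnsafe(string $page): void
{
    include $page;   // e.g. ?page=C:\Windows\Temp\php<<
}

// HARDENED: the parameter only selects a key in a fixed allowlist; the
// path itself is a constant, so temp-file names are irrelevant here.
const PAGE_MAP = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage(string $page): ?string
{
    // Exact key match only: no normalisation, no prefix or wildcard matching.
    return PAGE_MAP[$page] ?? null;
}

function includePageSafe(mixed $page): void
{
    // Reject non-string input (e.g. ?page[]=x) before any lookup.
    $path = is_string($page) ? resolvePage($page) : null;
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Usage: falls back to 'home' when the parameter is absent.
includePageSafe($_GET['page'] ?? 'home');
```

The fix removes the include sink rather than trying to make temporary file names unpredictable, so it holds regardless of how strong GetTempFileName or mkstemp happens to be on the host.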

Download: PDF

