LFI -> RCE (by Log File Tainting)

Each users request leaves track on server side:

  • storing media-files - file upload
    • images
    • video (e.g. ffmpeg vulns, etc.)
  • log records (/apache/logs, /var/log/apache2, /proc/self/environ, etc.)
  • pseudo-protocols (data://, php://, expect://, etc.)
  • tmp files

    phpinfo () - files passed through http are stored by php into tmp files, tmp file-name can be guessed using information from phpinfo and using LFI it must be executed (some expoit scripts examples)

    tmp files lives until php-script will end its execution (actually cleanup will start before sending last chunk of data), ways to hold tmp file:

    • Content-Length must be falsy to hang php-script execution
    • network connection can be slowed down (e.g. small network/proxy packets, etc.) and HTTP_Z http header must be big to increase amount of data after _FILES variable in phpinfo output
    • load of script recursively including itself (php will die without cleaning tmp files)
  • other places, where web-application stores data (e.g. sessions, e-mails, etc.)

Example of log file tainting with ruby: Rails Dynamic Render to RCE (CVE-2016-0752)


PHP at the Core: A Hacker’s Guide

Auto-typeconversion problems:

  • php magic hashes - hashes that starts with 0e and can be autoconverted by PHP to float variable, while using == instead of ===

PHP wrappers and filters:


Ports with DMA (Direct Memory Access): FireWire, ExpressCard, Thunderbolt, PCI, PCI Express, …

TMP - Trusted Platform Module

Just phrases

Static analysis:

  • AST - abstract syntax tree
  • data flow graph
  • control flow graph
  • abstract interpretation (set of multiple program states (variable values))
  • taint analysis

Dynamic analysis:

  • data to be analysed:

    • program variables
    • syscalls
    • API calls
    • environment change
    • instrumentation