GitBook: [#3687] No subject

This commit is contained in:
CPol 2022-12-20 09:42:41 +00:00 committed by gitbook-bot
parent 93c096e08f
commit 5af811376d
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
2 changed files with 13 additions and 13 deletions

View File

@ -498,7 +498,7 @@
* [LFI2RCE via Segmentation Fault](pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.md)
* [LFI2RCE via phpinfo()](pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md)
* [LFI2RCE Via temp file uploads](pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md)
* [LFI2RCE via Eternal Waiting](pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md)
* [LFI2RCE via Eternal waiting](pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md)
* [LFI2RCE Via compress.zlib + PHP\_STREAM\_PREFER\_STUDIO + Path Disclosure](pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php\_stream\_prefer\_studio-+-path-disclosure.md)
* [File Upload](pentesting-web/file-upload/README.md)
* [PDF Upload - XXE and CORS bypass](pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md)
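Review bot: the rename to `LFI2RCE via Eternal waiting` keeps the SUMMARY entry in sync with the page's H1 and leaves the link target untouched, so nothing breaks, but the neighbouring entries in this same hunk already mix `via`/`Via` and Title Case/sentence case (`LFI2RCE via Segmentation Fault`, `LFI2RCE Via temp file uploads`, `LFI2RCE Via compress.zlib + ...`); if the intent is casing consistency, do one pass over the whole LFI2RCE block rather than lowercasing a single word, otherwise this is churn with no visible rule behind it.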

View File

@ -1,4 +1,4 @@
# LFI2RCE via Eternal Waiting
# LFI2RCE via Eternal waiting
<details>
@ -14,7 +14,7 @@
## Basic Information
By default when a file is uploaded to PHP (even if it isn't expecting it), it will generate a temporary file in `/tmp` with a name such as **`php[a-zA-Z0-9]{6}`**, although I have been some docker images where the generated files don't contain digits.
By default when a file is uploaded to PHP (even if it isn't expecting it), it will generate a temporary file in `/tmp` with a name such as **`php[a-zA-Z0-9]{6}`**, although I have seen some docker images where the generated files don't contain digits.
In a local file inclusion, **if you manage to include that uploaded file, you will get RCE**.
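Review bot: the grammar fix (`I have been` to `I have seen`) is correct, but the sentence still cannot be checked by a reader: it says some Docker images yield temp names without digits without naming which image or base system was observed, and that observation is what the page later uses to justify a second, smaller candidate count. Suggest stating the image that was seen so a tester can confirm whether their target matches `php[a-zA-Z0-9]{6}` or the digit-free variant before committing to the brute force.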
@ -34,7 +34,7 @@ This technique is **very similar to the last one but without needed to find a ze
### Eternal wait technique
In this technique **we only need to control a relative path** (no need for PHP protocols). If we manage to upload files and make the **LFI never end**, we will have "enough time" to **brute-force uploaded files** and **find** any of the ones uploaded.
In this technique **we only need to control a relative path**. If we manage to upload files and make the **LFI never end**, we will have "enough time" to **brute-force uploaded files** and **find** any of the ones uploaded.
**Pros of this technique**:
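Review bot: dropping `(no need for PHP protocols)` removes the one phrase that said how this variant differs from the preceding technique, and the hunk header's own context (`very similar to the last one but without needed to find a ze...`) shows the paragraph is built on that contrast; if the parenthetical was wrong, say why in the commit message or replace it with the correct distinction, otherwise keep it. While touching this paragraph, `without needed to find` in the preceding line should read `without needing to find`.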
@ -49,11 +49,11 @@ The **main problems** of this technique are:
* The **insane** amount of potential file names: **56800235584**
* If the server **isn't using digits** the total potential amount is: **19770609664**
* By default **only 20 files** can be uploaded in a **single request**.
* The **max number of workers** of the used server.
* This limit with the previous one can make this attack last too much
* **Timeout for a PHP request**. Ideally this should be eternal, if not, this will also be a pain
* The **max number of parallel workers** of the used server.
* This limit with the previous ones can make this attack last too much
* **Timeout for a PHP request**. Ideally this should be eternal or should kill the PHP process without deleting the temp uploaded files, if not, this will also be a pain
So, how can you **make a PHP include never end**? Just by including the file **`/sys/kernel/security/apparmor/revision`** (**not available in Docker containers** unfortunatelly...).
So, how can you **make a PHP include never end**? Just by including the file **`/sys/kernel/security/apparmor/revision`** (**not available in Docker containers** unfortunately...).
Try it just calling:
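Review bot: the extended timeout bullet (`should kill the PHP process without deleting the temp uploaded files`) is the right requirement but is stated as a wish rather than a condition the reader can test; the same behaviour is what the `request_terminate_timeout` section further down relies on, so point to it here instead of restating it. Two smaller points in the same list: show where the candidate counts come from (62^6 = 56800235584 for `[a-zA-Z0-9]{6}`, 52^6 = 19770609664 for the digit-free pattern) so readers can recompute them for a different observed pattern, and name the setting behind `only 20 files can be uploaded in a single request` (php.ini `max_file_uploads`, default 20) since it is a per-target value worth checking. `can make this attack last too much` should read `last too long`.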
@ -77,19 +77,19 @@ Let's do some maths:
* (without digits) 19770609664 / 2980 / 10 / 3600 \~= 185h (50% chance in 93h)
{% hint style="warning" %}
Note that in the previous example we are **completing DoSing other clients**!
Note that in the previous example we are **completely DoSing other clients**!
{% endhint %}
If the Apache server is improved and we could abuse **4000 connections** (half way to the max number). We could create `3999*20 = 79980` **files** and the **number** would be **reduced** to around **19.7h** or **6.9h** (10h, 3.5h 50% chance).
## PHP-FMP
If instead of using the regular php mod for apache to run PHP scripts the web page is using **PHP-FMP** (this improves the response of the web page, so it's "normal" to find it), there is something else that can be done to improve the technique.
If instead of using the regular php mod for apache to run PHP scripts the **web page is using** **PHP-FMP** (this improves the efficiency of the web page, so it's common to find it), there is something else that can be done to improve the technique.
PHP-FMP allow to **configure** the **parameter** **`request_terminate_timeout`** in `/etc/php/<php-version>/fpm/pool.d/www.conf`.\
This parameter indicates **when** should a **request to PHP terminate** (infinite by default, but 30s if the param is uncommented). When a request is being processed by PHP the indicated number of seconds, it's **killed**. This means, that if the request was uploading temporary files, because the **php processing was stopped**, those **files aren't going to be deleted**. Therefore, if you can make a request last that time, you can **generate thousands of temporary files** that won't be deleted, which will **speed up the process of finding them** and reduces the probability of a DoS to the platform by consuming all connections.
PHP-FMP allow to **configure** the **parameter** **`request_terminate_timeout`** in **`/etc/php/<php-version>/fpm/pool.d/www.conf`**.\
This parameter indicates the maximum amount of seconds **when** **request to PHP must terminate** (infinite by default, but **30s if the param is uncommented**). When a request is being processed by PHP the indicated number of seconds, it's **killed**. This means, that if the request was uploading temporary files, because the **php processing was stopped**, those **files aren't going to be deleted**. Therefore, if you can make a request last that time, you can **generate thousands of temporary files** that won't be deleted, which will **speed up the process of finding them** and reduces the probability of a DoS to the platform by consuming all connections.
So, to **avoid DoS** lets suppose that an **attacker will be using only 100 connections** at them same time and php max processing time by **php-fmp** is 30s. Therefore, the number of temp files that can be generated by second is `100*20/30 = 66.67`.
So, to **avoid DoS** lets suppose that an **attacker will be using only 100 connections** at the same time and php max processing time by **php-fmp** (`request_terminate_timeout`**)** is **30s**. Therefore, the number of **temp files** that can be generated **by second** is `100*20/30 = 66.67`.
Then, to generate **10000 files** an attacker would need: **`10000/66.67 = 150s`** (to generate **100000 files** the time would be **25min**).
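Review bot: `PHP-FMP` is a misspelling of PHP-FPM (FastCGI Process Manager), and this hunk rewrites the lines containing it without fixing it; correct it throughout the section, including the `## PHP-FMP` heading and `php-fmp` in the last paragraph. The rewritten sentence `This parameter indicates the maximum amount of seconds when request to PHP must terminate` is still not grammatical; suggest `This parameter is the maximum number of seconds a single request may run before the worker is killed`. The arithmetic in the changed lines checks out (`100*20/30 = 66.67` files per second, `10000/66.67 = 150s`, 100000 files in 1500 s = 25 min, `3999*20 = 79980`), and `completing DoSing` to `completely DoSing` and `at them same time` to `at the same time` are correct fixes.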