4

I'm currently doing an online CTF and I have LFI and can read the source code of the upload function. In there I see the following line:

shell_exec('rm -rf ' . $directory . '/*.p*');

So anytime I upload a .php file, it gets deleted.

Is there a way to break out of the code so the removal of *.p* files never happens, or can I execute .php files without the file extension being .php?

Nerotix
  • It's a stretch but try using `.php` as the filename. It definitely won't get deleted, but it may not execute either – Conor Mancone Jul 28 '20 at 00:28
  • Or play "stupid". The PHP files are only removed after the zip unzips and is deleted. Try making a PHP file "first" and then add 10,000 blank files. You only need the process to take a few seconds - while the zip unloads everything else your PHP file is sitting in the uploads directory and can be executed. Not sure if there is an easier way to make a slowly extracting zip file.... – Conor Mancone Jul 28 '20 at 00:35
  • Have you tried the .shtml extension? – rhamaa Jul 31 '20 at 02:28

3 Answers

5

Solution: upload the file as hidden, for example: .shell.php and call the file directly.

Nerotix
2

Try putting the PHP file in a subdirectory and then zip it with the subdirectory, so that when the zip is unpacked it would end up somewhere like:

uploads/sub/file.php

This won't match the delete command. Presumably you will still be able to run the PHP file in a subdirectory.

Conor Mancone
  • Thanks for the suggestion. However, no luck.. when I do that, the upload doesn't seem to succeed. – Nerotix Jul 27 '20 at 23:34
  • I added some more info regarding the upload php file. – Nerotix Jul 27 '20 at 23:39
  • @Nerotix the `-j` flag on the unzip causes it to throw away the directory inside the zip file, so this doesn't work. – Conor Mancone Jul 28 '20 at 00:02
  • I figured it out with some help from a friend. The solution is to make the PHP file hidden, for example: .shell.php, since it only checks the first period. Thanks for trying to help me out here. – Nerotix Jul 28 '20 at 08:59
0

It depends on what the web server is and the PHP config, but you might be able to use a .htaccess or .user.ini from my htshells project to bypass the rm command. https://github.com/wireghoul/htshells

Also, a quick sidebar: LFI vulnerabilities execute PHP code; if it's reading code then it's a different class of vulnerability, such as arbitrary file read, directory traversal, etc. If it's an actual LFI, then you can just slip an exit at the end of your included code to halt execution before it reaches the rm.

wireghoul
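The three answers above all rest on the same property of the cleanup line: `rm -rf dir/*.p*` is a shell glob, and a glob neither expands to dotfiles nor descends into subdirectories. The script below is an added example, not code from the question or any of the answers. It builds a throwaway upload directory out of constructed file names (`.shell.php`, `sub/shell.php`, `.htaccess`, `.user.ini` and a few ordinary uploads), runs the question's cleanup against it, and then runs a `find`-based cleanup for comparison so the dotfile bypass from the accepted answer, the subdirectory idea from the second answer and the config-file angle from the third can be seen side by side.

```shell
#!/bin/sh
# Added example, not code from the original post. Every file name below is
# constructed for the demonstration; the directory is a fresh mktemp dir.

# Populate a temp directory with the kinds of files discussed on the page
# and print its path.
setup_uploads() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sub"
    : > "$dir/shell.php"        # ordinary upload: matched by *.p*
    : > "$dir/shell.phtml"      # also matched: the pattern is broad
    : > "$dir/image.png"        # collateral: *.p* eats .png as well
    : > "$dir/readme.txt"       # no ".p" in the name: untouched either way
    : > "$dir/.shell.php"       # dotfile: a plain glob never expands to it
    : > "$dir/sub/shell.php"    # one level down: the glob does not recurse
    : > "$dir/.htaccess"        # server config files: dotfiles with no ".p"
    : > "$dir/.user.ini"
    printf '%s\n' "$dir"
}

# The cleanup from the question as written: an unquoted shell glob.
vulnerable_cleanup() {
    rm -rf "$1"/*.p*
}

# Same intent, but walking the tree so dotfiles and subdirectories are hit.
# Still a blocklist: anything without ".p" in its name survives.
hardened_cleanup() {
    find "$1" -type f -name '*.p*' -exec rm -f {} +
}

# Space-separated, byte-ordered list of files still present under "$1".
survivors() {
    (cd "$1" && LC_ALL=C find . -type f | LC_ALL=C sort \
        | sed 's|^\./||' | tr '\n' ' ' | sed 's/ $//')
}

# Run the named cleanup function against a fresh directory, report what is
# left, and remove the temp directory.
survivors_after() {
    d=$(setup_uploads)
    "$1" "$d"
    survivors "$d"
    rm -rf "$d"
}

echo "after rm -rf dir/*.p*        : $(survivors_after vulnerable_cleanup)"
echo "after find -name '*.p*' ...  : $(survivors_after hardened_cleanup)"
```

With the glob, `.shell.php`, `sub/shell.php`, `.htaccess` and `.user.ini` all survive, which is exactly the bypass set the answers describe. The `find` variant closes the dotfile and subdirectory holes but still leaves the config files, because the real problem is a blocklist pattern run after the fact; an allowlist of permitted extensions applied before anything is written, an upload directory outside the web root, and no `shell_exec` on user-influenced paths would remove the whole class.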