OpenSkillIndex← back to search

Hacktricks-skills lfi2rce-eternal-waiting

Exploit Local File Inclusion (LFI) vulnerabilities to achieve Remote Code Execution (RCE) using the Eternal Waiting technique. Use this skill when you have an LFI vulnerability, can upload files to the target, and need to escalate to code execution by brute-forcing PHP temporary upload files while keeping the LFI request alive. Trigger this for any LFI-to-RCE escalation scenario, PHP file upload exploitation, or when you need to bypass file inclusion restrictions to achieve remote code execution.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting/SKILL.MD
source content

LFI2RCE via Eternal Waiting

[!WARNING] AUTHORIZED USE ONLY This skill is for authorized security testing, penetration testing engagements, and educational purposes only. Always obtain written permission before testing any system. Unauthorized access is illegal.

Overview

The Eternal Waiting technique escalates Local File Inclusion (LFI) vulnerabilities to Remote Code Execution (RCE) by:

  1. Uploading malicious files to create temporary PHP files in 
    /tmp
  2. Keeping the LFI request alive indefinitely (eternal wait)
  3. Brute-forcing the temporary file names while the LFI is active
  4. Achieving RCE when the uploaded file is successfully included

Prerequisites

  • LFI vulnerability: You must control a relative path in an include statement
  • File upload capability: Ability to upload files to the target
  • PHP backend: Target must be running PHP
  • Relative path control: You don't need absolute path control

How It Works

PHP Temporary File Behavior

When PHP receives an uploaded file (even unexpectedly), it creates a temporary file in 

/tmp
with a name pattern:

php[a-zA-Z0-9]{6}

Total possible filenames: 62⁶ = 56,800,235,584 combinations

If digits are not used: 36⁶ = 19,770,609,664 combinations

The Eternal Wait Mechanism

To keep the LFI request alive indefinitely, include:

/sys/kernel/security/apparmor/revision

Note: This file is not available in Docker containers.

Test it locally:

php -a
include("/sys/kernel/security/apparmor/revision");

Attack Methodology

Step 1: Generate Temporary Files

Use multiple concurrent connections to upload files and generate temporary files:

# Each connection can upload max 20 files (php.ini: max_file_uploads = 20)
# Apache default: 150 concurrent connections
# Total temp files: 149 connections × 20 files = 2,980 files

Step 2: Keep LFI Request Alive

Use the last connection to include the apparmor revision file, creating an eternal wait:

GET /vulnerable.php?include=/sys/kernel/security/apparmor/revision

Step 3: Brute-Force Temporary Files

While the LFI is waiting, brute-force the temporary file names:

GET /vulnerable.php?include=../../tmp/phpABC123

Step 4: Achieve RCE

When a temporary file is successfully included, execute your payload.

Server Configuration Considerations

Apache2

ParameterDefaultMaxImpact
Concurrent connections1508,000More connections = more temp files
PHP process timeoutInfinite-Longer wait = more brute-force time

Calculation example (10 req/s brute-force speed):

  • 149 connections × 20 files = 2,980 temp files
  • Time to brute-force: 56,800,235,584 / 2,980 / 10 / 3600 ≈ 530 hours
  • 50% chance in: 265 hours

PHP-FPM

PHP-FPM has a 

request_terminate_timeout
parameter in 
/etc/php/<version>/fpm/pool.d/www.conf
:

  • Default: Infinite (if not set)
  • Common: 30 seconds (if uncommented)

When timeout is reached, PHP process is killed but temporary files are NOT deleted.

Advantage: Can generate thousands of files without DoS:

100 connections × 20 files / 30 seconds = 66.67 files/second
10,000 files in: 150 seconds
100,000 files in: 25 minutes

Nginx

  • Default: 512 parallel connections
  • Configurable: Can be increased

Optimization Strategies

Reduce Brute-Force Time

  1. Increase concurrent connections: More connections = more temp files
  2. Use PHP-FPM timeout: Generate files without consuming all connections
  3. Increase brute-force speed: Faster requests = quicker discovery

Time Calculations

Temp FilesBrute-Force SpeedTime (Full)Time (50% Chance)
2,98010 req/s530h265h
79,98010 req/s19.7h10h
10,000300 req/s5.25h2.63h
100,000300 req/s0.525h0.263h

Implementation Scripts

Generate Temporary Files

See 

scripts/generate_temp_files.sh
for automated file generation.

Brute-Force Temporary Files

See 

scripts/bruteforce_lfi.sh
for automated brute-forcing.

Limitations

  1. File naming: 56+ billion possible combinations
  2. Upload limit: Max 20 files per request by default
  3. Connection limit: Server max concurrent connections
  4. Timeout: PHP request timeout may kill the process
  5. Docker: Apparmor revision file not available in containers
  6. DoS risk: May impact other clients on the server

Detection & Mitigation

Detection

  • Monitor for unusual file upload patterns
  • Watch for high concurrent connection counts
  • Check for requests to 
    /sys/kernel/security/apparmor/revision
  • Monitor 
    /tmp
    for unexpected PHP files

Mitigation

  • Disable file uploads if not needed
  • Set 
    max_file_uploads
    to 1
  • Use 
    open_basedir
    restriction
  • Implement proper input validation
  • Use PHP-FPM with reasonable timeouts
  • Monitor and limit concurrent connections

Example Scenarios

Scenario 1: Basic LFI to RCE

Given:

  • LFI at 
    /app.php?file=../../etc/passwd
  • File upload at 
    /upload.php

Attack:

  1. Upload 20 files with webshell payload
  2. Keep LFI alive with apparmor include
  3. Brute-force temp file names
  4. Achieve RCE

Scenario 2: PHP-FPM Optimization

Given:

  • PHP-FPM with 30s timeout
  • 100 available connections

Attack:

  1. Use 100 connections to upload files
  2. Wait for timeout to generate 6,667 files
  3. Brute-force at 300 req/s
  4. Achieve RCE in ~5 hours (50% chance in 2.5h)

References