web php session upload-progress file-write lfi

Use PHP upload-progress to write attacker-influenced content into a predictable /tmp/sess_* file as a write primitive.

PHP Session File Primitive via Upload Progress

PHP upload progress stores attacker-influenced metadata in the session file while an upload is in flight. If cleanup is off or delayed, that file becomes a write primitive into /tmp/sess_*. The injected content doesn't have to be valid session syntax for the later sink — it only has to survive until the application reads or reflects it.

Why It Works

  • With session.upload_progress.enabled = On, the filename you supply is written into a predictable session file you control via PHPSESSID.

Vulnerable Pattern

  • session.upload_progress.enabled = On, upload routes accepting attacker filenames, and another endpoint that can read arbitrary or semi-arbitrary files.

Exploit Flow

  1. Set a known PHPSESSID so the session filename is predictable.
  2. Upload with a malicious filename payload (often HTML or JS) to get it written into the session file.
  3. Use a read endpoint, quote feature, or suffix bypass to fetch /tmp/sess_<id>.

Variations

  • If direct read is impossible, use log or reflection sinks that consume the session file indirectly.

Common Blockers

  • Upload-progress cleanup enabled, session path different from /tmp, or filename sanitization before progress serialization.
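
A defender-side check for the write described under Why It Works, added here as an example and not part of the original note: it scans a session file body for upload-progress entries and flags client-supplied names that are not plain filenames. The default prefix upload_progress_, the benign-name pattern, and the sample session body (constructed, following the progress array layout in the PHP manual) are assumptions.

```python
import re

PREFIX = b"upload_progress_"  # PHP default for session.upload_progress.prefix
# Client-controlled string fields of a progress entry, each followed by a
# length-prefixed serialized string value.
FIELD = re.compile(rb's:(?:4:"name"|10:"field_name");s:(\d+):"')
# Assumption: names made only of these bytes are benign; tune per application.
BENIGN = re.compile(rb"[A-Za-z0-9._ -]{1,255}")


def client_strings(session: bytes) -> list:
    """Return field names and file names recorded in upload-progress entries."""
    out = []
    pos = session.find(PREFIX)  # heuristic: only look from the first progress key on
    while pos != -1:
        m = FIELD.search(session, pos)
        if m is None:
            break
        start, n = m.end(), int(m.group(1))
        if session[start + n:start + n + 2] == b'";':
            out.append(session[start:start + n])
            pos = start + n  # skip the value so its content is never re-parsed
        else:
            pos = m.end()    # length does not match: not a real serialized string
    return out


def suspicious(session: bytes) -> list:
    """Names that are not plain filenames, e.g. markup parked in the session file."""
    return [s for s in client_strings(session) if not BENIGN.fullmatch(s)]


def sample(filename: bytes) -> bytes:
    """Constructed session body in the layout PHP writes while an upload is in flight."""
    return (b'upload_progress_x|a:5:{s:10:"start_time";i:1700000000;'
            b's:14:"content_length";i:512;s:15:"bytes_processed";i:512;'
            b's:4:"done";b:0;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";'
            b's:4:"name";s:%d:"%s";s:8:"tmp_name";N;s:5:"error";i:0;s:4:"done";b:0;'
            b's:10:"start_time";i:1700000000;s:15:"bytes_processed";i:512;}}}'
            % (len(filename), filename))


if __name__ == "__main__":
    for name in (b"report.pdf", b"<img src=x onerror=console.log(document.cookie)>"):
        print(name, "->", suspicious(sample(name)))
```

Run over the session save path on a schedule, a non-empty result for a file whose upload is long finished also indicates that progress cleanup did not remove the entry.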

PoC Sketch

curl -b 'PHPSESSID=cnf' \
  -F 'PHP_SESSION_UPLOAD_PROGRESS=x' \
  -F 'file=@a.txt;filename=<img src=x onerror=console.log(document.cookie)>' \
  https://target/upload

Good Situations To Use It

  • session.upload_progress is enabled.
  • You control PHPSESSID and an upload filename.
  • A read/reflection sink can reach /tmp/sess_*.

Sources

  • fcsc2026/web/shellfish_say