The end of PHP LFI challenges (?)

This may be the moment you have all been waiting for. After years of suffering [1,2,3,4,5], hxp is proud — and relieved — to announce that there may finally be light at the end of the tunnel.

It took the CTF community a few iterations of LFI challenges with ever-increasing levels of absurdity, but it appears “Peak LFI” has, at last, been reached: The point where (even with various attacker-friendly features like file uploads, sessions, and temporary files turned off) a web server running only the single line of PHP

<?php include_once($_GET['file']);

is vulnerable to remote code execution.

Thank you and congratulations to pasten, Super Guesser and p4 for also discovering this issue and additionally demonstrating that it’s remotely exploitable in both the includer’s revenge and counter challenges. Also, thanks for the great discussions on IRC and especially the force (love - visible here) pasten applied to extract the flags from our servers.

TLDR: Nginx creates temporary files for buffering, procfs allows to include these files via tricks.

See https://bierbaumer.net/security/php-lfi-with-nginx-assistance/ for a longer explanation.

Mitigation

Don’t have local file inclusion vulnerabilities.

Am I vulnerable?

grep -qEr '(include|require).*\$' && echo PROBABLY

Emergency fix

find / -name *.php -delete; pkill -9 php; poweroff