It took the CTF community a few iterations of LFI challenges with ever-increasing levels of absurdity, but it appears “Peak LFI” has, at last, been reached: The point where (even with various attacker-friendly features like file uploads, sessions, and temporary files turned off) a web server running only the single line of PHP
is vulnerable to remote code execution.
Thank you and congratulations to pasten, Super Guesser and p4 for also discovering this issue and additionally demonstrating that it’s remotely exploitable in both the includer’s revenge and counter challenges. Also, thanks for the great discussions on IRC and especially the force (love - visible here) pasten applied to extract the flags from our servers.
TLDR: Nginx creates temporary files for buffering, procfs allows to include these files via tricks.
See https://bierbaumer.net/security/php-lfi-with-nginx-assistance/ for a longer explanation.
Don’t have local file inclusion vulnerabilities.
grep -qEr '(include|require).*\$' && echo PROBABLY
find / -name *.php -delete; pkill -9 php; poweroff