Thứ Tư, 24 tháng 6, 2020

[Root-Me] Local File Inclusion - Wrappers write up!



Hello everyone .
Today , I come back to Root-Me Web server challenge . This time , the challenge at medium level . Let's get started ! 

 

The challenge give us a mechanism to upload file image (JPG only) from PC. I decide to test this function 


 

So , after we upload an image , two params appear . 

Because It's about LFI vuln , I try fuzzing param page :


DingDoong , the filter is activated . Forget it , let's focus on PHP Wrapper 

wrapper is additional code which tells the stream how to handle specific protocols/encodings. For example, the http wrapper knows how to translate a URL into an HTTP/1.0 request for a file on a remote server
Okay ,  in my opinion , this stuff will help us access to a file on a remote server under some ways (read , write , etc ..) . There are many wrappers , each of them serves a different purpose .


PHP Expect Wrapper 
PHP expect:// allows execution of system commands, unfortunately the expect PHP module is not enabled by default. Example:
php?page=expect://ls 
PHP php://filter 
php://filter allows a pen tester to include local files and base64 encodes the output. Therefore, any base64 output will need to be decoded to reveal the contents.
php?page=php://filter/convert.base64-encode/resource=/etc/passwd 
LFI via /proc/self/environ 
If it’s possible to include /proc/self/environ via a local file inclusion vulnerability, then introducing source code via the User Agent header is a possible vector. Once code has been injected into the User Agent header a local file inclusion vulnerability can be leveraged to execute /proc/self/environ and reload the environment variables, executing your reverse shell.

Email a Reverse Shell 
If the target machine relays mail either directly or via another machine on the network and stores mail for the user www-data (or the apache user) on the system then it’s possible to email a reverse shell to the target. If no MX records exist for the domain but SMTP is exposed it’s possible to connect to the target mail server and send mail to the www-data / apache user. Mail is sent to the user running apache such as www-data to ensure file system permissions will allow read access the file /var/spool/mail/www-data containing the injected PHP reverse shell code.

And after spend my time googling , I found a way to combine everything in this chall :

File upload + LFI vulnerability + PHP Wrapper => Use zip:// wrapper !